[pve-devel] [PATCH] add ips feature v5

Alexandre DERUMIER aderumier at odiso.com
Wed Mar 19 17:19:53 CET 2014


>>Why do we still need ' PVEFW-Accept' instead of -j NFQUEUE? 

in this case:

tap1-out : ACCEPT (ips off)   -----> tap2-in : ACCEPT (ips on)


We don't always want NFQUEUE in tap1-out, because ips is off there, but we want NFQUEUE if the destination has ips on.


>> group-in rules always replace ACCEPT by PVEFW-Accept 
>
>maybe we can use the set mark hack here? 

I don't know how to implement this, as a GROUP can do ACCEPT or NFQUEUE, depending on whether the group is used by a tap with or without ips.



Maybe do some checks at the beginning of PVE-FORWARD to see if tap-in has ips enabled, and add a specific mark?

Help is welcome ;)




----- Original Message ----- 

From: "Dietmar Maurer" <dietmar at proxmox.com> 
To: "Alexandre Derumier" <aderumier at odiso.com>, pve-devel at pve.proxmox.com 
Sent: Wednesday, 19 March 2014 17:07:00 
Subject: RE: [pve-devel] [PATCH] add ips feature v5 

> for tap-out rules, 
> PVEFW-Accept is always used when the connection is already established 
> -m conntrack --ctstate RELATED,ESTABLISHED -j PVEFW-Accept 

Why do we still need ' PVEFW-Accept' instead of -j NFQUEUE? 

> in tap-in chain, 
> I replace -j ACCEPT by -j NFQUEUE when ips is enabled 
> and 
> -m conntrack --ctstate RELATED,ESTABLISHED -j NFQUEUE 

that is what I want. 

> group-in rules always replace ACCEPT by PVEFW-Accept 

maybe we can use the set mark hack here? 
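As an added illustration of the "set mark" idea discussed above (this is example code written for this page, not pve-firewall's own rule generator, and the chain names, the mark bit 0x1 and queue number 0 are assumptions): a shell script that emits an iptables-restore ruleset in which PVEFW-FORWARD first marks every packet whose egress tap has ips on, so that tap-OUT, tap-IN and group chains can all keep a single `-j PVEFW-Accept` target, and PVEFW-Accept itself decides between NFQUEUE and ACCEPT from the mark. The sample tap list is constructed to match the scenario in the reply (tap1 ips off, tap2 ips on).

```shell
#!/usr/bin/env bash
# Added example, not pve-firewall code. Chain names (PVEFW-FORWARD, <tap>-IN,
# <tap>-OUT, PVEFW-Accept), the mark bit and the queue number are assumptions.
# MARK outside the mangle table relies on a modern kernel (xt_MARK revision 2).

IPS_MARK=0x1      # assumed free fwmark bit meaning "destination tap has ips on"
IPS_QUEUE=0       # assumed NFQUEUE number the IPS process listens on

# Constructed sample input: "<tap>:<on|off>" entries, as in the thread's example.
TAPS="tap1i0:off tap2i0:on"

# ips_enabled NAME -> exit status 0 if ips is switched on for that tap
ips_enabled() {
    local name=$1 entry
    for entry in $TAPS; do
        if [ "${entry%%:*}" = "$name" ] && [ "${entry##*:}" = "on" ]; then
            return 0
        fi
    done
    return 1
}

# gen_ruleset -> iptables-restore text for the filter table
gen_ruleset() {
    local entry tap
    echo "*filter"
    echo ":PVEFW-FORWARD - [0:0]"
    echo ":PVEFW-Accept - [0:0]"
    for entry in $TAPS; do
        tap=${entry%%:*}
        echo ":${tap}-IN - [0:0]"
        echo ":${tap}-OUT - [0:0]"
    done
    # 1. At the start of PVEFW-FORWARD, mark packets leaving towards a tap
    #    that has ips on. This happens before any per-tap chain can ACCEPT.
    for entry in $TAPS; do
        tap=${entry%%:*}
        if ips_enabled "$tap"; then
            echo "-A PVEFW-FORWARD -m physdev --physdev-out $tap --physdev-is-bridged -j MARK --set-xmark $IPS_MARK/$IPS_MARK"
        fi
    done
    # 2. Dispatch to the per-tap chains (OUT = traffic leaving the VM,
    #    IN = traffic entering the VM).
    for entry in $TAPS; do
        tap=${entry%%:*}
        echo "-A PVEFW-FORWARD -m physdev --physdev-in $tap --physdev-is-bridged -j ${tap}-OUT"
        echo "-A PVEFW-FORWARD -m physdev --physdev-out $tap --physdev-is-bridged -j ${tap}-IN"
    done
    # 3. Per-tap chains never say ACCEPT or NFQUEUE themselves; they always
    #    hand established traffic to PVEFW-Accept, whatever their own ips flag.
    for entry in $TAPS; do
        tap=${entry%%:*}
        echo "-A ${tap}-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j PVEFW-Accept"
        echo "-A ${tap}-IN -m conntrack --ctstate RELATED,ESTABLISHED -j PVEFW-Accept"
    done
    # 4. PVEFW-Accept turns the mark into the verdict: marked -> NFQUEUE, else ACCEPT.
    echo "-A PVEFW-Accept -m mark --mark $IPS_MARK/$IPS_MARK -j NFQUEUE --queue-num $IPS_QUEUE"
    echo "-A PVEFW-Accept -j ACCEPT"
    echo "COMMIT"
}

# verdict SRC DST -> walk the generated rules for an ESTABLISHED packet
# from tap SRC to tap DST and print the verdict PVEFW-Accept gives it.
verdict() {
    local rules marked=0
    rules=$(gen_ruleset)
    # PVEFW-FORWARD: does a MARK rule fire for this egress tap?
    if echo "$rules" | grep -q -- "--physdev-out $2 --physdev-is-bridged -j MARK"; then
        marked=1
    fi
    # SRC-OUT sends the packet to PVEFW-Accept; PVEFW-Accept checks the mark.
    if [ "$marked" = 1 ] && echo "$rules" | grep -q -- "-A PVEFW-Accept -m mark --mark $IPS_MARK/$IPS_MARK -j NFQUEUE"; then
        echo NFQUEUE
    else
        echo ACCEPT
    fi
}

# Stand-alone use: print the ruleset and the verdict for the thread's scenario.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    gen_ruleset
    echo "# tap1i0 -> tap2i0: $(verdict tap1i0 tap2i0)"
    echo "# tap2i0 -> tap1i0: $(verdict tap2i0 tap1i0)"
fi
```

With this layout the tap1-OUT chain in the reply's example no longer needs to know whether tap2 has ips on: the mark is set from the destination before tap1-OUT runs, and PVEFW-Accept reads it. The same holds for a GROUP chain used by several taps. The open question the thread raises about the group-in rules remains; this only shows one way the mark could carry the destination's ips state.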


