[pve-devel] [PATCH 1/4] bypass firewall for non firewall bridges

Alexandre DERUMIER aderumier at odiso.com
Fri May 9 16:17:38 CEST 2014


Better with your PVEFW-VENET-IN|PVEFW-VENET-OUT (fewer lookups for vnet0 interfaces if we have a lot of tap interfaces too)



-A FORWARD -i fwbr+ -j PVEFW-FORWARD 
-A FORWARD -i vnet0 -m set --match-set PVEFW-vnet0ipset src -j PVEFW-FORWARD 
-A FORWARD -o vnet0 -m set --match-set PVEFW-vnet0ipset dst -j PVEFW-FORWARD 


-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP 
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 

-A PVEFW-FORWARD -m physdev --physdev-in link+ -j PVEFW-FWBR-IN 
   -A PVEFW-FWBR-IN -p tcp -j PVEFW-tcpflags 
   -A PVEFW-FWBR-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs 
   -A PVEFW-FWBR-IN -m physdev --physdev-out tap123i0 --physdev-is-bridged -j tap123i0-IN 
   -A PVEFW-FWBR-IN -m physdev --physdev-out veth0.0 --physdev-is-bridged -j veth0.0-IN 

-A PVEFW-FORWARD -o vnet0 -j PVEFW-VENET-IN
  -A PVEFW-VENET-IN -p tcp -j PVEFW-tcpflags 
  -A PVEFW-VENET-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs 
  -A PVEFW-VENET-IN -o venet0 -d 192.168.3.104 -j venet0-104-OUT 

-A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-out link+ -j PVEFW-FWBR-OUT 
   -A PVEFW-FWBR-OUT -m physdev --physdev-in tap123i0 -j tap123i0-OUT 
   -A PVEFW-FWBR-OUT -m physdev --physdev-in veth0.0 -j veth0.0-OUT 

-A PVEFW-FORWARD -i vnet0 -j PVEFW-VENET-OUT
  -A PVEFW-VENET-OUT -i venet0 -s 192.168.3.104 -j venet0-104-OUT 


----- Original Message -----

From: "Alexandre DERUMIER" <aderumier at odiso.com>
To: "Dietmar Maurer" <dietmar at proxmox.com>
Cc: pve-devel at pve.proxmox.com
Sent: Friday, 9 May 2014 15:55:26
Subject: Re: [pve-devel] [PATCH 1/4] bypass firewall for non firewall bridges

I was thinking about something like 



-A FORWARD -i fwbr+ -j PVEFW-FORWARD 
-A FORWARD -i vnet0 -m set --match-set PVEFW-vnet0ipset src -j PVEFW-FORWARD 
-A FORWARD -o vnet0 -m set --match-set PVEFW-vnet0ipset dst -j PVEFW-FORWARD 


-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP 
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
-A PVEFW-FORWARD -m physdev --physdev-in link+ -j PVEFW-FWBR-IN 
-A PVEFW-FORWARD -o vnet0 -j PVEFW-FWBR-IN 
-A PVEFW-FWBR-IN -p tcp -j PVEFW-tcpflags 
-A PVEFW-FWBR-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs 
-A PVEFW-FWBR-IN -m physdev --physdev-out tap123i0 --physdev-is-bridged -j tap123i0-IN 
-A PVEFW-FWBR-IN -m physdev --physdev-out veth0.0 --physdev-is-bridged -j veth0.0-IN 
-A PVEFW-FWBR-IN -o venet0 -d 192.168.3.104 -j venet0-104-OUT 

-A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-out link+ -j PVEFW-FWBR-OUT 
-A PVEFW-FORWARD -i vnet0 -j PVEFW-FWBR-OUT 
-A PVEFW-FWBR-OUT -m physdev --physdev-in tap123i0 -j tap123i0-OUT 
-A PVEFW-FWBR-OUT -m physdev --physdev-in veth0.0 -j veth0.0-OUT 
-A PVEFW-FWBR-OUT -i venet0 -s 192.168.3.104 -j venet0-104-OUT 


What do you think about it?



----- Original Message -----

From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com
Sent: Friday, 9 May 2014 13:29:12
Subject: RE: [pve-devel] [PATCH 1/4] bypass firewall for non firewall bridges

> >>This does not work, because it accepts traffic from venet0! 
> 
> Ok, I'll check that. 

But it seems to work perfectly without that. Maybe we should add other chains for venet-related traffic:

PVEFW-VENET-IN 
-A PVEFW-VENET-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs 
-A PVEFW-VENET-IN -p tcp -j PVEFW-tcpflags 
-A PVEFW-VENET-IN -i venet0 -s 192.168.3.104 -j venet0-104-OUT 

PVEFW-VENET-OUT 
... 

What do you think?
_______________________________________________ 
pve-devel mailing list 
pve-devel at pve.proxmox.com 
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 
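
The FORWARD layout proposed in the message at the top of this thread, rendered as an added example that is not code from pve-firewall or from either author: a small POSIX shell script that emits the ipset script and an iptables-restore fragment for a given set of firewalled venet containers and bridged guest interfaces. Assumptions of this example, not stated in the thread: the host-side OpenVZ interface is venet0 (the draft writes vnet0 in the FORWARD rules); containers are passed as ctid:ip pairs and guest interfaces as a space-separated list; the per-container chains are split into venet0-<ctid>-IN and venet0-<ctid>-OUT (the draft jumps to venet0-104-OUT from both directions); PVEFW-tcpflags and PVEFW-smurfs are declared empty because the thread does not show their contents.

```shell
#!/bin/sh
# Added example (not pve-firewall code): emit the FORWARD layout from this
# thread as an ipset restore script plus an iptables-restore fragment for the
# filter table. Assumptions of this example, not stated in the thread: the
# OpenVZ host interface is venet0 (the thread's FORWARD rules say "vnet0");
# firewalled containers are passed as "ctid:ip" pairs and bridged guest
# interfaces as a space-separated list; per-container chains are split into
# venet0-<ctid>-IN and venet0-<ctid>-OUT. PVEFW-tcpflags and PVEFW-smurfs are
# declared empty because their rules are not part of the thread.

rule()  { printf '%s\n' "$*"; }           # one iptables-restore rule line
chain() { printf ':%s - [0:0]\n' "$1"; }  # one user chain declaration

# ipset script: only these addresses ever reach PVEFW-FORWARD from venet0;
# traffic of containers without a firewall never enters the PVEFW chains.
gen_pvefw_ipset() {
    cts=$1                                 # e.g. "104:192.168.3.104 105:..."
    rule create PVEFW-venet0ipset hash:ip -exist
    for ct in $cts; do
        rule add PVEFW-venet0ipset "${ct#*:}" -exist
    done
}

# iptables-restore fragment for the filter table (load with -n / --noflush).
gen_pvefw_filter() {
    cts=$1
    links=$2                               # e.g. "tap123i0 veth0.0"
    rule '*filter'
    for c in PVEFW-FORWARD PVEFW-FWBR-IN PVEFW-FWBR-OUT PVEFW-VENET-IN \
             PVEFW-VENET-OUT PVEFW-tcpflags PVEFW-smurfs; do chain "$c"; done
    for link in $links; do chain "$link-IN"; chain "$link-OUT"; done
    for ct in $cts; do chain "venet0-${ct%%:*}-IN"; chain "venet0-${ct%%:*}-OUT"; done

    # Entry points: every firewall bridge, but venet0 only for ipset members.
    rule -A FORWARD -i fwbr+ -j PVEFW-FORWARD
    rule -A FORWARD -i venet0 -m set --match-set PVEFW-venet0ipset src -j PVEFW-FORWARD
    rule -A FORWARD -o venet0 -m set --match-set PVEFW-venet0ipset dst -j PVEFW-FORWARD

    # Shared conntrack handling, then dispatch by traffic type.
    rule -A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
    rule -A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    rule -A PVEFW-FORWARD -m physdev --physdev-in link+ -j PVEFW-FWBR-IN
    rule -A PVEFW-FORWARD -o venet0 -j PVEFW-VENET-IN
    rule -A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-out link+ -j PVEFW-FWBR-OUT
    rule -A PVEFW-FORWARD -i venet0 -j PVEFW-VENET-OUT

    # Bridged guests: tcpflags/smurf checks, then per-interface chains.
    rule -A PVEFW-FWBR-IN -p tcp -j PVEFW-tcpflags
    rule -A PVEFW-FWBR-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
    for link in $links; do
        rule -A PVEFW-FWBR-IN -m physdev --physdev-out "$link" --physdev-is-bridged -j "$link-IN"
    done
    for link in $links; do
        rule -A PVEFW-FWBR-OUT -m physdev --physdev-in "$link" -j "$link-OUT"
    done

    # venet containers: same checks, then per-address chains.
    rule -A PVEFW-VENET-IN -p tcp -j PVEFW-tcpflags
    rule -A PVEFW-VENET-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
    for ct in $cts; do
        rule -A PVEFW-VENET-IN -o venet0 -d "${ct#*:}" -j "venet0-${ct%%:*}-IN"
    done
    for ct in $cts; do
        rule -A PVEFW-VENET-OUT -i venet0 -s "${ct#*:}" -j "venet0-${ct%%:*}-OUT"
    done
    rule COMMIT
}

# Demo with constructed inputs: one firewalled container, two bridged guests.
gen_pvefw_ipset "104:192.168.3.104"
gen_pvefw_filter "104:192.168.3.104" "tap123i0 veth0.0"
```

Load the two outputs with ipset restore and iptables-restore -n so chains that already exist are kept. The property to verify on a live host is the one this thread is about: a packet entering from venet0 whose source address is not in PVEFW-venet0ipset never reaches PVEFW-FORWARD (so it is not accepted by the RELATED,ESTABLISHED rule there), while a container with the firewall enabled still gets its sanity checks and per-address chain; for non-firewalled containers the cost stays at a single ipset lookup regardless of how many tap interfaces the host carries.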
