[pve-devel] [PATCH 1/4] bypass firewall for non firewall bridges

Alexandre DERUMIER aderumier at odiso.com
Fri May 9 19:31:40 CEST 2014


> -A FORWARD -i fwbr+ -j PVEFW-FORWARD
> -A FORWARD -i vnet0 -m set --match-set PVEFW-vnet0ipset src -j PVEFW-FORWARD
> -A FORWARD -o vnet0 -m set --match-set PVEFW-vnet0ipset dst -j PVEFW-FORWARD

>>Most CTs only have one IP, so it is not worth to start using ipsets now (I want to
>>release something ASAP, so please keep things simple for now). 

These rules are to send only firewalled VMs to PVEFW-FORWARD.
ipset is really useful, to avoid having 1 line per VM (multiple containers with 1 IP).
(I have sent a patch for demo)




----- Original Message -----

From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com
Sent: Friday 9 May 2014 17:59:33
Subject: RE: [pve-devel] [PATCH 1/4] bypass firewall for non firewall bridges

> -A FORWARD -i fwbr+ -j PVEFW-FORWARD
> -A FORWARD -i vnet0 -m set --match-set PVEFW-vnet0ipset src -j PVEFW-FORWARD
> -A FORWARD -o vnet0 -m set --match-set PVEFW-vnet0ipset dst -j PVEFW-FORWARD

Most CTs only have one IP, so it is not worth to start using ipsets now (I want to 
release something ASAP, so please keep things simple for now). 

> -A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP 
> -A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
> -A PVEFW-FORWARD -m physdev --physdev-in link+ -j PVEFW-FWBR-IN 
> -A PVEFW-FORWARD -o vnet0 -j PVEFW-FWBR-IN 
> -A PVEFW-FWBR-IN -p tcp -j PVEFW-tcpflags 
> -A PVEFW-FWBR-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
> -A PVEFW-FWBR-IN -m physdev --physdev-out tap123i0 --physdev-is-bridged -j tap123i0-IN
> -A PVEFW-FWBR-IN -m physdev --physdev-out veth0.0 --physdev-is-bridged -j veth0.0-IN
> -A PVEFW-FWBR-IN -o venet0 -d 192.168.3.104 -j venet0-104-OUT 
> 
> -A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-out link+ -j PVEFW-FWBR-OUT
> -A PVEFW-FORWARD -i vnet0 -j PVEFW-FWBR-OUT 
> -A PVEFW-FWBR-OUT -m physdev --physdev-in tap123i0 -j tap123i0-OUT 
> -A PVEFW-FWBR-OUT -m physdev --physdev-in veth0.0 -j veth0.0-OUT 
> -A PVEFW-FWBR-OUT -i venet0 -s 192.168.3.104 -j venet0-104-OUT 
> 
> 
> what do you think about it?

looks clumsy to me - I want to use something similar to PVEFW-FWBR-IN/PVEFW-FWBR-OUT
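To make the trade-off discussed in this thread concrete, the following is an added example (it is not code from this thread and not Proxmox VE's own firewall code). It generates, as text only, the FORWARD dispatch for containers that share one routed bridge and are identified by IP alone, once with a rule pair per container and once with a single ipset-backed rule pair per bridge, plus the per-container dispatch chains that both variants still need. The bridge name vnet0, the container IDs and addresses, and the chain names PVEFW-FORWARD / PVEFW-FWBR-IN / PVEFW-FWBR-OUT are assumptions taken from the rules quoted above; nothing is loaded into the kernel.

```shell
#!/bin/sh
# Added example; not from the pve-devel thread and not Proxmox VE code.
# Emits rule text only: the "create"/"add" lines are ipset-restore syntax,
# the ":" and "-A" lines belong inside an iptables-restore *filter block.
# Assumed names: bridge vnet0, chains PVEFW-FORWARD / PVEFW-FWBR-IN /
# PVEFW-FWBR-OUT, container IDs and IPs (all constructed for the demo).

# Variant A: one pair of FORWARD rules per container IP.
# Arguments: bridge, then "ctid:ip" pairs.
forward_per_ct() {
    bridge=$1; shift
    for spec in "$@"; do
        ip=${spec#*:}
        printf -- '-A FORWARD -i %s -s %s -j PVEFW-FORWARD\n' "$bridge" "$ip"
        printf -- '-A FORWARD -o %s -d %s -j PVEFW-FORWARD\n' "$bridge" "$ip"
    done
}

# Variant B: one ipset per bridge and one pair of FORWARD rules no matter
# how many containers sit behind it. Adding a container only adds an
# "add" line to the set; the FORWARD chain itself does not grow.
forward_ipset() {
    bridge=$1; shift
    setname="PVEFW-${bridge}ipset"
    printf 'create %s hash:ip family inet\n' "$setname"
    for spec in "$@"; do
        printf 'add %s %s\n' "$setname" "${spec#*:}"
    done
    printf -- '-A FORWARD -i %s -m set --match-set %s src -j PVEFW-FORWARD\n' "$bridge" "$setname"
    printf -- '-A FORWARD -o %s -m set --match-set %s dst -j PVEFW-FORWARD\n' "$bridge" "$setname"
}

# Per-container dispatch inside the shared chains: traffic that reached
# PVEFW-FORWARD is handed to a per-container chain keyed on bridge + IP.
# This part is identical for both variants, which is why the ipset only
# pays off at the FORWARD level.
per_ct_chains() {
    bridge=$1; shift
    for spec in "$@"; do
        ctid=${spec%%:*}; ip=${spec#*:}
        printf ':%s-%s-IN - [0:0]\n' "$bridge" "$ctid"
        printf ':%s-%s-OUT - [0:0]\n' "$bridge" "$ctid"
        printf -- '-A PVEFW-FWBR-IN -o %s -d %s -j %s-%s-IN\n' "$bridge" "$ip" "$bridge" "$ctid"
        printf -- '-A PVEFW-FWBR-OUT -i %s -s %s -j %s-%s-OUT\n' "$bridge" "$ip" "$bridge" "$ctid"
    done
}

# How many rules a generated fragment puts into the FORWARD chain.
count_forward_rules() {
    printf '%s\n' "$1" | grep -c '^-A FORWARD '
}

# Stand-alone run: three constructed containers on vnet0, both variants.
CTS="104:192.168.3.104 105:192.168.3.105 106:192.168.3.106"
# shellcheck disable=SC2086
{
    echo '# --- variant A: per-container FORWARD rules (6 rules for 3 CTs)'
    forward_per_ct vnet0 $CTS
    echo '# --- variant B: ipset-backed FORWARD rules (2 rules for any number of CTs)'
    forward_ipset vnet0 $CTS
    echo '# --- per-container chains (needed by both variants)'
    per_ct_chains vnet0 $CTS
}
```

The FORWARD-level rule count is what the ipset changes: variant A grows by two rules per container, variant B stays at two per bridge. The per-container chains are unaffected either way, so the ipset is a win only for the top-level dispatch, which is the point Alexandre is making above.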
