[pve-devel] venet firewall broken?
Alexandre DERUMIER
aderumier at odiso.com
Mon May 12 07:55:02 CEST 2014
>>-A PVEFW-FORWARD -i venet0 -j RETURN
>>So that rule is just to accept traffic to non-firewalled containers.
Ok, so I think if we use RETURN (only for venet0-OUT; it doesn't make sense for tap/veth),
it should work also with this model.
But I don't know about group rules (do we need to add the mark again everywhere???)
-A FORWARD -j PVEFW-FORWARD
-A PVEFW-FORWARD -i fwbr+ -j PVEFW-FORWARD-FW
-A PVEFW-FORWARD -o venet0 -m set --match-set PVEFW-venet0 dst -j PVEFW-FORWARD-VENET
-A PVEFW-FORWARD -i venet0 -m set --match-set PVEFW-venet0 src -j PVEFW-FORWARD-VENET
-A PVEFW-FORWARD-FW -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD-FW -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD-FW -m physdev --physdev-out link+ --physdev-is-bridged -j PVEFW-FWBR-OUT
-A PVEFW-FORWARD-FW -m physdev --physdev-in link+ -j PVEFW-FWBR-IN
-A PVEFW-FORWARD-FW -j ACCEPT
-A PVEFW-FORWARD-VENET -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD-VENET -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD-VENET -i venet0 -m set --match-set PVEFW-venet0 src -j PVEFW-VENET-OUT
-A PVEFW-FORWARD-VENET -o venet0 -m set --match-set PVEFW-venet0 dst -j PVEFW-VENET-IN
-A PVEFW-FORWARD-VENET -j ACCEPT
----- Original Mail -----
From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com
Sent: Monday 12 May 2014 07:08:41
Subject: RE: venet firewall broken?
> >>Yes, we also want to filter container to container traffic.
>
> Previously, we had a rule
>
> - # always allow traffic from containers?
> - ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i venet0 -j RETURN");
>
> so, it wasn't working at all before?
Here is what we produced previously:
PVEFW-FORWARD (JRo5BSic0aO5zPRf9m6h7QUC+BM)
-A PVEFW-FORWARD -i venet0 -s 192.168.3.104 -j venet0-104-OUT
-A PVEFW-FORWARD -o vmbr0 -m physdev --physdev-is-out -j vmbr0-FW
-A PVEFW-FORWARD -i vmbr0 -m physdev --physdev-is-in -j vmbr0-FW
-A PVEFW-FORWARD -o venet0 -d 192.168.3.104 -j venet0-104-IN
-A PVEFW-FORWARD -i venet0 -j RETURN
So that rule is just to accept traffic to non-firewalled containers.
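To make the difference between the two layouts concrete, here is an added example (not code from pve-firewall or from the thread): a minimal model of iptables chain traversal that runs the old PVEFW-FORWARD layout with its "-i venet0 -j RETURN" rule and the ipset-based layout proposed above against the same packets. It assumes (constructed) that the per-container chains end in DROP, that 192.168.3.105 is a non-firewalled container, and it models only -i/-o/-s/-d and the PVEFW-venet0 set match, not conntrack or physdev.

```python
# Added example, not from pve-firewall: model netfilter traversal of the old
# and new PVEFW-FORWARD layouts. Constructed assumptions: ipset PVEFW-venet0
# holds only 192.168.3.104, and every per-container chain ends in DROP so a
# filtered packet is visible in the verdict.
SET_VENET0 = {"192.168.3.104"}      # constructed contents of ipset PVEFW-venet0

# A rule is (match-dict, target); a target that is not a verdict names a chain.
OLD = {
    "PVEFW-FORWARD": [
        ({"i": "venet0", "s": "192.168.3.104"}, "venet0-104-OUT"),
        ({"o": "venet0", "d": "192.168.3.104"}, "venet0-104-IN"),
        ({"i": "venet0"}, "RETURN"),   # exempts other containers from later rules
    ],
    "venet0-104-OUT": [({}, "DROP")], "venet0-104-IN": [({}, "DROP")],
}
NEW = {
    "PVEFW-FORWARD": [
        ({"o": "venet0", "set": "dst"}, "PVEFW-FORWARD-VENET"),
        ({"i": "venet0", "set": "src"}, "PVEFW-FORWARD-VENET"),
    ],
    "PVEFW-FORWARD-VENET": [
        ({"i": "venet0", "set": "src"}, "PVEFW-VENET-OUT"),
        ({"o": "venet0", "set": "dst"}, "PVEFW-VENET-IN"),
        ({}, "ACCEPT"),
    ],
    "PVEFW-VENET-OUT": [({}, "DROP")], "PVEFW-VENET-IN": [({}, "DROP")],
}

def matches(m, pkt):
    """-m set --match-set PVEFW-venet0 src|dst plus plain -i/-o/-s/-d checks."""
    if m.get("set") == "src" and pkt["s"] not in SET_VENET0: return False
    if m.get("set") == "dst" and pkt["d"] not in SET_VENET0: return False
    return all(pkt[k] == v for k, v in m.items() if k in ("i", "o", "s", "d"))

def walk(chains, chain, pkt):
    """Traverse a user chain; None means RETURN (explicit or end of chain)."""
    for m, target in chains[chain]:
        if not matches(m, pkt): continue
        if target in ("ACCEPT", "DROP"): return target
        if target == "RETURN": return None
        v = walk(chains, target, pkt)   # jump; carry on here if it returns
        if v is not None: return v
    return None

def forward_verdict(chains, pkt, policy="ACCEPT"):
    """FORWARD jumps to PVEFW-FORWARD first; the chain policy decides the rest."""
    return walk(chains, "PVEFW-FORWARD", pkt) or policy

def pkt(i, o, s, d):
    return {"i": i, "o": o, "s": s, "d": d}
```

Traffic from or to the non-firewalled 192.168.3.105 leaves PVEFW-FORWARD without a verdict in both layouts (via RETURN in the old one, via no matching rule in the new one) and is accepted by the FORWARD policy, while 192.168.3.104 reaches its per-container chain either way.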