[pve-devel] venet firewall broken?

Alexandre DERUMIER aderumier at odiso.com
Mon May 12 12:04:20 CEST 2014


Ok, thanks, I'll test it this afternoon

----- Original mail ----- 

From: "Dietmar Maurer" <dietmar at proxmox.com> 
To: "Alexandre DERUMIER" <aderumier at odiso.com> 
Cc: pve-devel at pve.proxmox.com 
Sent: Monday 12 May 2014 12:02:43 
Subject: RE: [pve-devel] venet firewall broken? 

sent an updated version (only patch 7/7 changed): 

[mew model rework v2 7/7] use PVEFW-VENET-IN/OUT inside PVEFW-INPUT/OUTPUT chains 


> -----Original Message----- 
> From: Alexandre DERUMIER [mailto:aderumier at odiso.com] 
> Sent: Monday, 12 May 2014 11:54 
> To: Dietmar Maurer 
> Cc: pve-devel at pve.proxmox.com 
> Subject: Re: [pve-devel] venet firewall broken? 
> 
> host->venet0 
> ------------ 
> 
> currently 
> --------- 
> -A OUTPUT -j PVEFW-OUTPUT 
> -A PVEFW-OUTPUT -o venet0 -j PVEFW-VENET-IN 
> ---->we do accept here, so bypass host rule 
> -A PVEFW-OUTPUT -j PVEFW-HOST-OUT 
> .... 
> -A PVEFW-HOST-OUT -p tcp -m tcp --dport 22 -j RETURN 
> -A PVEFW-HOST-OUT -j RETURN 
> 
> 
> it should be 
> ------------ 
> -A OUTPUT -j PVEFW-OUTPUT 
> -A PVEFW-OUTPUT -j PVEFW-HOST-OUT 
> -A PVEFW-HOST-OUT -p tcp -m tcp --dport 22 -j RETURN 
> -A PVEFW-HOST-OUT -j RETURN 
> 
> -A PVEFW-OUTPUT -o venet0 -j PVEFW-VENET-IN 
> 
> 
> 
> 
> 
> venet0->host 
> ------------ 
> 
> currently 
> --------- 
> -A PVEFW-INPUT -i venet0 -j PVEFW-VENET-OUT 
> --->we set a mark here and return 
> -A PVEFW-INPUT -j PVEFW-HOST-IN 
> -A PVEFW-HOST-IN -p tcp -m tcp --dport 22 -j RETURN >> it should be accept 
> 
> 
> it should be 
> ------------- 
> -A PVEFW-INPUT -i venet0 -j PVEFW-VENET-OUT 
> --->we set a mark here and return 
> -A PVEFW-INPUT -j PVEFW-HOST-IN 
> -A PVEFW-HOST-IN -p tcp -m tcp --dport 22 -j ACCEPT 
> 
> 
> 
> I'll do more tests 
> 
> ----- Original mail ----- 
> 
> From: "Alexandre DERUMIER" <aderumier at odiso.com> 
> To: "Dietmar Maurer" <dietmar at proxmox.com> 
> Cc: pve-devel at pve.proxmox.com 
> Sent: Monday 12 May 2014 11:29:25 
> Subject: Re: [pve-devel] venet firewall broken? 
> 
> Ok, seems to work fine, 
> 
> tap->tap 
> tap->host 
> host->tap 
> tap->vnet0 
> vnet0->tap 
> 
> 
> except 
> 
> vnet0->host 
> host->vnet0 
> 
> I have blocked traffic at vnet0 level, even if I have an accept rule in vnet0... 
> this is strange. (I need to do more tests) 
> 
> does it work for you ? 
> 
> 
> 
> 
> 
> also, I think we can do ACCEPT in tap-out and veth-out chains 
> 
> 
> before 
> ------ 
> -A tap123i0-OUT -j MARK --set-xmark 0x0/0xffffffff 
> -A tap123i0-OUT -p icmp -m icmp --icmp-type 8 -g PVEFW-SET-ACCEPT-MARK 
> -A tap123i0-OUT -j GROUP-group1-OUT 
> -A tap123i0-OUT -m mark --mark 0x1 -j RETURN 
> 
> after 
> ----- 
> -A tap123i0-OUT -j MARK --set-xmark 0x0/0xffffffff 
> -A tap123i0-OUT -p icmp -m icmp --icmp-type 8 -j ACCEPT 
> -A tap123i0-OUT -j GROUP-group1-OUT 
> -A tap123i0-OUT -m mark --mark 0x1 -j ACCEPT 
> 
> 
> (if not, we'll parse all tap-out rules, extra overhead for nothing) 
> 
> 
> ----- Original mail ----- 
> 
> From: "Alexandre DERUMIER" <aderumier at odiso.com> 
> To: "Dietmar Maurer" <dietmar at proxmox.com> 
> Cc: pve-devel at pve.proxmox.com 
> Sent: Monday 12 May 2014 10:30:41 
> Subject: Re: [pve-devel] venet firewall broken? 
> 
> Ok thanks ! 
> 
> 
> >>Please can you review them? If you think we can go that way, please add 
> >>a 'Signed-off-by' line and cleanup the commit messages (remove 'based on 
> >>patch from Alexandre' note) 
> 
> This is my first review ;) I'll try to do it cleanly 
> 
> ----- Original mail ----- 
> 
> From: "Dietmar Maurer" <dietmar at proxmox.com> 
> To: "Alexandre DERUMIER" <aderumier at odiso.com> 
> Cc: pve-devel at pve.proxmox.com 
> Sent: Monday 12 May 2014 10:21:51 
> Subject: RE: venet firewall broken? 
> 
> > >>Which is obviously wrong. So why do you want to keep that patch? 
> > 
> > Yes, I think you are right, we can revert that patch. 
> 
> I sent a rework to the list. Those patches apply on top of: 
> 
> commit 81a1a25884420d50fc3cc0cd68e01befeb547e7e 
> Author: Dietmar Maurer <dietmar at proxmox.com> 
> Date: Tue May 6 11:18:25 2014 +0200 
> 
> set RELEASE to 3.2 
> 
> Please can you review them? If you think we can go that way, please add 
> a 'Signed-off-by' line and cleanup the commit messages (remove 'based on 
> patch from Alexandre' note) 
> _______________________________________________ 
> pve-devel mailing list 
> pve-devel at pve.proxmox.com 
> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 
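As an added example (not part of this thread and not pve-firewall code), the script below models netfilter chain traversal (jump, goto, RETURN, MARK, terminal verdicts) and replays the two chain layouts Alexandre compares above. The bodies of PVEFW-VENET-IN (a plain ACCEPT), PVEFW-VENET-OUT (set mark, RETURN) and the trailing DROP at the end of PVEFW-INPUT are assumptions made so that the traces and verdicts differ; the chain and rule names are the ones quoted in the thread.

```python
# Added example: a small model of netfilter chain traversal, used to show
# (1) why "-o venet0 -j PVEFW-VENET-IN" placed before "-j PVEFW-HOST-OUT"
#     means PVEFW-HOST-OUT is never evaluated for host->venet0 traffic, and
# (2) why a RETURN in PVEFW-HOST-IN hands the decision back to the caller
#     instead of accepting the packet.
# Not pve-firewall code; chain bodies marked "assumption" are stand-ins.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Pkt:
    iif: str = ""      # input interface (-i)
    oif: str = ""      # output interface (-o)
    proto: str = ""    # -p
    dport: int = 0     # --dport
    mark: int = 0      # packet mark, set by MARK and tested by -m mark

@dataclass
class Rule:
    target: str                     # ACCEPT, DROP, RETURN, MARK or a chain name
    iif: Optional[str] = None
    oif: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    mark: Optional[int] = None      # -m mark --mark N
    goto: bool = False              # -g instead of -j
    set_mark: Optional[int] = None  # MARK --set-xmark N

    def matches(self, p: Pkt) -> bool:
        return all(want is None or want == have for want, have in (
            (self.iif, p.iif), (self.oif, p.oif), (self.proto, p.proto),
            (self.dport, p.dport), (self.mark, p.mark)))

TERMINAL = {"ACCEPT", "DROP"}

def walk(table, chain, p, trace):
    """Evaluate `chain` for packet p, appending visited chains to `trace`.
    Returns ACCEPT/DROP, or RETURN when control goes back to the caller
    (explicit RETURN or falling off the end of the chain)."""
    trace.append(chain)
    for r in table[chain]:
        if not r.matches(p):
            continue
        if r.target == "MARK":           # non-terminating: set mark, keep going
            p.mark = r.set_mark
            continue
        if r.target in TERMINAL or r.target == "RETURN":
            return r.target
        v = walk(table, r.target, p, trace)   # user-defined chain
        if r.goto or v in TERMINAL:      # -g: callee's RETURN skips this chain
            return v
        # -j and the callee returned: continue with the next rule here
    return "RETURN"

def verdict(table, base_chain, p, policy="ACCEPT"):
    """Final verdict for p entering a built-in chain, plus the chain trace."""
    trace = []
    v = walk(table, base_chain, p, trace)
    return (policy if v == "RETURN" else v), trace

def host_to_venet(venet_first: bool):
    """PVEFW-OUTPUT as dumped in the thread ("currently", venet_first=True)
    or reordered as proposed ("it should be", venet_first=False)."""
    host_out = [Rule("PVEFW-HOST-OUT")]
    venet_in = [Rule("PVEFW-VENET-IN", oif="venet0")]
    return {
        "OUTPUT": [Rule("PVEFW-OUTPUT")],
        "PVEFW-OUTPUT": venet_in + host_out if venet_first else host_out + venet_in,
        "PVEFW-VENET-IN": [Rule("ACCEPT")],   # assumption: container rules accept
        "PVEFW-HOST-OUT": [Rule("RETURN", proto="tcp", dport=22), Rule("RETURN")],
    }

def venet_to_host(ssh_target: str):
    """PVEFW-INPUT as in the thread; PVEFW-VENET-OUT sets a mark and returns.
    The trailing DROP is an assumed default-deny (not shown in the thread)."""
    return {
        "INPUT": [Rule("PVEFW-INPUT")],
        "PVEFW-INPUT": [Rule("PVEFW-VENET-OUT", iif="venet0"),
                        Rule("PVEFW-HOST-IN"),
                        Rule("DROP")],                       # assumption
        "PVEFW-VENET-OUT": [Rule("MARK", set_mark=1), Rule("RETURN")],
        "PVEFW-HOST-IN": [Rule(ssh_target, proto="tcp", dport=22)],
    }

if __name__ == "__main__":
    for label, first in (("currently", True), ("it should be", False)):
        v, t = verdict(host_to_venet(first), "OUTPUT",
                       Pkt(oif="venet0", proto="tcp", dport=22))
        print(f"host->venet0 {label:13}: {v:6} via {' -> '.join(t)}")
    for tgt in ("RETURN", "ACCEPT"):
        v, t = verdict(venet_to_host(tgt), "INPUT",
                       Pkt(iif="venet0", proto="tcp", dport=22))
        print(f"venet0->host, ssh rule -j {tgt}: {v}")
```

Running it prints the traversal order for both PVEFW-OUTPUT layouts (PVEFW-HOST-OUT is absent from the "currently" trace) and shows the port-22 rule in PVEFW-HOST-IN ending in DROP with RETURN but ACCEPT with ACCEPT, which is the behaviour the reordering and the RETURN-to-ACCEPT change are meant to fix.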