[pve-devel] [PATCH] use linko+ name for ovs fwbrint interfaces

Alexandre DERUMIER aderumier at odiso.com
Tue May 13 15:42:48 CEST 2014


>>link ==> fwln 

for ovs and bridge?

because in Network.pm
sub cleanup_firewall_bridge {
    my ($vmid, $devid) = @_;   # argument unpacking, elided in the mail
    my ($fwbr, $vethfw, $vethfwpeer, $ovsintport) = &$compute_fwbr_names($vmid, $devid);

    # cleanup old port config from any openvswitch bridge
    # (only checks that a device with that name exists, not that it is an OVS port)
    if (-d "/sys/class/net/$ovsintport") {
        run_command("/usr/bin/ovs-vsctl del-port $ovsintport", outfunc => sub {}, errfunc => sub {});
    }
}

So, if the name is the same for ovsintport and vethlink, I don't know what happens.
(maybe add an eval to be sure)



>>peer ==> fwpr 
>>fwbr <==> fwbr (keep that name) 
>>
>>what do you think? 


so

linux bridge
-------------
vmbr<--fwpr------>fwln----->fwbr

ovs bridge
----------
vmbr<------------>fwln----->fwbr

and

-A PVEFW-FORWARD -i fwbr+ -m physdev --physdev-in fwln+ --physdev-is-bridged -j PVEFW-FWBR-IN
-A PVEFW-FORWARD -i fwbr+ -m physdev --physdev-out link+ --physdev-is-bridged -j PVEFW-FWBR-OUT



vmbr->fwpr can be excluded somewhere at the beginning of pve-forward with something like

-A PVEFW-FORWARD -m physdev --physdev-in fwpr+ -j ACCEPT (or RETURN)
-A PVEFW-FORWARD -m physdev --physdev-out fwpr+ -j ACCEPT (or RETURN)



----- Original Message -----

From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com
Sent: Tuesday 13 May 2014 14:57:46
Subject: RE: [pve-devel] [PATCH] use linko+ name for ovs fwbrint interfaces

> Note that we can improve rule add -i fwbr+ 
> 
> -- -A PVEFW-FORWARD -m physdev --physdev-in link+ 
> 
> ++ -A PVEFW-FORWARD -i fwbr+ -m physdev --physdev-in link+ 
> 
> 
> because we have also packets from link->vmbr and vmbr->link coming to 
> iptables (that's also why I have sent a patch to bypass firewall rules for non 
> firewalled interfaces) 

or we rename the other side of the link to "peer${vmid}i${devid}" ? 

Also, I would prefer a common prefix for all firewall related network devices, 
for example: 

link ==> fwln 
peer ==> fwpr 
fwbr <==> fwbr (keep that name) 

what do you think? 

I would prefer longer names, but kernel iface name length is restricted. 



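The naming scheme and rule ordering discussed in the thread, as an added example that is not PVE's own code and not part of the original mails. It assumes the prefixes proposed above (fwbr/fwln/fwpr) with the hypothetical layout "fwbr<vmid>i<devid>", "fwln<vmid>i<devid>", "fwpr<vmid>p<devid>", and it assumes the Linux IFNAMSIZ limit of 16 bytes including the trailing NUL, i.e. at most 15 characters per device name (the "kernel iface name length" restriction mentioned at the end of the thread). The rule set uses fwln+ on both the in and out rules, following the proposed renaming.

```shell
#!/bin/sh
# Added example (not PVE code): compute the per-VM firewall device names under the
# fwbr/fwln/fwpr prefix scheme proposed in the thread, enforce the kernel name
# length limit, and emit the PVEFW-FORWARD rules in the order discussed
# (fwpr+ bypass first, then the fwbr+-scoped physdev rules).
#
# Naming scheme is an assumption for this example: "fwbr<vmid>i<devid>",
# "fwln<vmid>i<devid>", "fwpr<vmid>p<devid>".  Linux IFNAMSIZ is 16 bytes
# including the trailing NUL, so a name may be at most 15 characters.
IFNAME_MAX=15

# Print "<fwbr> <fwln> <fwpr>" for a vmid/devid pair, or fail (return 1) when
# any name would be rejected by the kernel.  Failing here is better than letting
# ip/ovs-vsctl fail later and leaving a half-built chain of devices behind.
fw_names() {
    vmid=$1
    devid=$2
    fwbr="fwbr${vmid}i${devid}"
    fwln="fwln${vmid}i${devid}"
    fwpr="fwpr${vmid}p${devid}"
    for n in "$fwbr" "$fwln" "$fwpr"; do
        if [ "${#n}" -gt "$IFNAME_MAX" ]; then
            echo "interface name '$n' exceeds $IFNAME_MAX characters" >&2
            return 1
        fi
    done
    echo "$fwbr $fwln $fwpr"
}

# Emit the PVEFW-FORWARD fragment.  Order matters: the fwpr+ rules come first so
# the vmbr<->fwpr leg of the veth pair leaves the chain immediately; the
# remaining rules only fire for frames bridged through fwbr+, which is what the
# extra "-i fwbr+" match buys over a bare "--physdev-in fwln+" (otherwise the
# link<->vmbr traffic would hit the same rules, as noted in the thread).
pve_forward_rules() {
    bypass=${1:-RETURN}   # RETURN or ACCEPT, both were suggested in the thread
    cat <<EOF
-A PVEFW-FORWARD -m physdev --physdev-in fwpr+ -j $bypass
-A PVEFW-FORWARD -m physdev --physdev-out fwpr+ -j $bypass
-A PVEFW-FORWARD -i fwbr+ -m physdev --physdev-in fwln+ --physdev-is-bridged -j PVEFW-FWBR-IN
-A PVEFW-FORWARD -i fwbr+ -m physdev --physdev-out fwln+ --physdev-is-bridged -j PVEFW-FWBR-OUT
EOF
}

# Usage: fw_names 100 0 && pve_forward_rules RETURN
```

Feeding the emitted fragment to iptables-restore (or iterating it with `iptables`) gives the chain layout the thread describes; `fw_names` is the place to catch a vmid/devid combination that would overflow the 15-character limit before any device is created.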