[pve-devel] [PATCH] use linko+ name for ovs fwbrint interfaces

Alexandre DERUMIER aderumier at odiso.com
Tue May 13 17:25:07 CEST 2014


>>I want only the same prefix: 
>>
>>fwln${vmid}i${devid} 
>>fwln${vmid}o${devid} 

Ah, ok, perfect!

> -A PVEFW-FORWARD -i fwbr+ -m physdev --physdev-in fwln+ --physdev-is-bridged -j PVEFW-FWBR-IN
> -A PVEFW-FORWARD -i fwbr+ -m physdev --physdev-out link+ --physdev-is-bridged -j PVEFW-FWBR-OUT

>>I don't understand the above rules (why '-i fwbr+', and why '--physdev-out link+')? I thought we could use: 

Sorry, I'm too tired ;)  

>>-A PVEFW-FORWARD -i fwbr+ -m physdev --physdev-in fwln+ --physdev-is-bridged -j PVEFW-FWBR-IN
>>-A PVEFW-FORWARD -i fwbr+ -m physdev --physdev-out link+ --physdev-is-bridged -j PVEFW-FWBR-OUT 

Indeed, fwln+, not link+. And we can remove fwbr+ (as we don't have link-vmbr anymore).

So, the good version:
-------------------
-A PVEFW-FORWARD -m physdev --physdev-in fwln+ --physdev-is-bridged -j PVEFW-FWBR-IN
-A PVEFW-FORWARD -m physdev --physdev-out fwln+ --physdev-is-bridged -j PVEFW-FWBR-OUT 



>>> -A PVEFW-FORWARD -m physdev --physdev-in fwpr+ -j ACCEPT (or RETURN) 
>>> -A PVEFW-FORWARD -m physdev --physdev-out fwpr+ -j ACCEPT (or RETURN) 
>>
>>This is just an optimization? 

Yes, but an important one, because each packet going out from fwbr does

first iptables lookup
----------------------
tap->fwbr->fwln

second iptables lookup
-----------------------
fwpr->vmbr->...


So, for this second lookup, we'll parse all the main chains.


(Anyway, if we find a way to go to PVEFW-FORWARD only for firewalled fwbr+ and venet0, it's no longer a problem.)



----- Original Message ----- 

From: "Dietmar Maurer" <dietmar at proxmox.com> 
To: "Alexandre DERUMIER" <aderumier at odiso.com> 
Cc: pve-devel at pve.proxmox.com 
Sent: Tuesday 13 May 2014 17:13:55 
Subject: RE: [pve-devel] [PATCH] use linko+ name for ovs fwbrint interfaces 



> -----Original Message----- 
> From: Alexandre DERUMIER [mailto:aderumier at odiso.com] 
> Sent: Tuesday, 13 May 2014 15:43 
> To: Dietmar Maurer 
> Cc: pve-devel at pve.proxmox.com 
> Subject: Re: [pve-devel] [PATCH] use linko+ name for ovs fwbrint interfaces 
> 
> >>link ==> fwln 
> 
> for ovs and bridge ? 
> 
> because in Network.pm 
> sub cleanup_firewall_bridge {
>     my ($fwbr, $vethfw, $vethfwpeer, $ovsintport) = &$compute_fwbr_names($vmid, $devid);
>
>     # cleanup old port config from any openvswitch bridge
>     if (-d "/sys/class/net/$ovsintport") {
>         run_command("/usr/bin/ovs-vsctl del-port $ovsintport", outfunc => sub {}, errfunc => sub {});
>     }
> }
> 
> So, if the name is the same for ovsintport and vethlink, I don't know what 
> happens. 
> (maybe add an eval to be sure) 

I want only the same prefix: 

fwln${vmid}i${devid} 
fwln${vmid}o${devid} 

> >>peer ==> fwpr 

fwpr${vmid}i${devid} 

> >>fwbr <==> fwbr (keep that name) 
> >> 
> >>what do you think? 
> 
> 
> so 
> 
> linux bridge 
> ------------- 
> vmbr<--fwpr------>fwln----->fwbr 
> 
> ovs bridge 
> ---------- 
> vmbr<------------>fwln----->fwbr 
> 
> and 
> 
> -A PVEFW-FORWARD -i fwbr+ -m physdev --physdev-in fwln+ --physdev-is-bridged -j PVEFW-FWBR-IN
> -A PVEFW-FORWARD -i fwbr+ -m physdev --physdev-out link+ --physdev-is-bridged -j PVEFW-FWBR-OUT

I don't understand the above rules (why '-i fwbr+', and why '--physdev-out link+')? I thought we could use: 

-A PVEFW-FORWARD -m physdev --physdev-in fwln+ --physdev-is-bridged -j PVEFW-FWBR-IN 
-A PVEFW-FORWARD -m physdev --physdev-out fwln+ --physdev-is-bridged -j PVEFW-FWBR-OUT 

> vmbr->fwpr can be excluded somewhere at the beginning of pve-forward with 
> something like 
> 
> -A PVEFW-FORWARD -m physdev --physdev-in fwpr+ -j ACCEPT (or RETURN) 
> -A PVEFW-FORWARD -m physdev --physdev-out fwpr+ -j ACCEPT (or RETURN) 

This is just an optimization? 
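As an added example (not code from this thread or from Proxmox), a small model of the corrected PVEFW-FORWARD rules discussed above: it implements the iptables `+` suffix as a prefix wildcard and replays the two bridge lookups a VM egress packet triggers, showing why `link+` never matched the `fwln` names and why the `fwpr+` RETURN rules short-circuit the second lookup. The tap name and the assumption that the fwbr side of the veth pair is `fwln${vmid}i${devid}` are constructed for the example.

```python
"""Model of the PVEFW-FORWARD physdev rules from the thread (constructed example).

The iptables '+' suffix is a prefix wildcard; names follow the fwln/fwpr/fwbr
scheme agreed in the mail. Which veth end sits on fwbr is an assumption.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def iface_match(pattern: str, name: Optional[str]) -> bool:
    """iptables interface matching: a trailing '+' matches any name with that prefix."""
    if name is None:
        return False
    if pattern.endswith("+"):
        return name.startswith(pattern[:-1])
    return name == pattern


@dataclass(frozen=True)
class Rule:
    physdev_in: Optional[str]   # --physdev-in pattern, None if the rule has none
    physdev_out: Optional[str]  # --physdev-out pattern, None if the rule has none
    target: str


# Corrected chain from the mail: the fwpr+ fast path first, then the fwln+ rules.
PVEFW_FORWARD = [
    Rule("fwpr+", None, "RETURN"),
    Rule(None, "fwpr+", "RETURN"),
    Rule("fwln+", None, "PVEFW-FWBR-IN"),
    Rule(None, "fwln+", "PVEFW-FWBR-OUT"),
]


def lookup(chain: List[Rule], physdev_in: str, physdev_out: str) -> Tuple[str, int]:
    """Target of the first matching rule and how many rules were evaluated to get there."""
    for evaluated, rule in enumerate(chain, 1):
        if rule.physdev_in and not iface_match(rule.physdev_in, physdev_in):
            continue
        if rule.physdev_out and not iface_match(rule.physdev_out, physdev_out):
            continue
        return rule.target, evaluated
    return "CONTINUE", len(chain)  # fell through: the rest of the main chains run


def vm_egress(vmid: int, devid: int, uplink: str = "eth0") -> List[Tuple[str, int]]:
    """The two bridge lookups for a packet leaving a VM (Linux bridge case).

    Hop 1 on fwbr: tap -> fwln (assumed fwbr-side name fwln${vmid}i${devid}).
    Hop 2 on vmbr: fwpr -> uplink, which the fwpr+ rule returns from immediately.
    """
    tap, fwln, fwpr = f"tap{vmid}i{devid}", f"fwln{vmid}i{devid}", f"fwpr{vmid}i{devid}"
    return [lookup(PVEFW_FORWARD, tap, fwln), lookup(PVEFW_FORWARD, fwpr, uplink)]
```

Dropping the two RETURN rules (`PVEFW_FORWARD[2:]`) makes the vmbr hop fall through every rule, which is the "parse all the main chains" cost the mail describes.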


