[pve-devel] [PATCH] use linko+ name for ovs fwbrint interfaces

Alexandre DERUMIER aderumier at odiso.com
Tue May 13 19:57:31 CEST 2014


>>But I guess that does not work due to physdev match limitation :-/ 

oh, ok.

Maybe, to bypass the firewall, can we simply move the first rules from PVEFW-FORWARD to PVEFW-FWBR-IN|OUT and PVEFW-VENET-IN|OUT?



-A FORWARD -j PVEFW-FORWARD

-A PVEFW-FORWARD -i venet0 -m set --match-set PVEFW-venet0 src -j PVEFW-VENET-OUT   >>ipset to match only firewalled venet0
    -A PVEFW-VENET-OUT -m conntrack --ctstate INVALID -j DROP
    -A PVEFW-VENET-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

-A PVEFW-FORWARD -m physdev --physdev-in fwln+ --physdev-is-bridged -j PVEFW-FWBR-IN
    -A PVEFW-FWBR-IN -m conntrack --ctstate INVALID -j DROP
    -A PVEFW-FWBR-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A PVEFW-FWBR-IN -m set --match-set PVEFW-blacklist src -j DROP

-A PVEFW-FORWARD -m physdev --physdev-out fwln+ --physdev-is-bridged -j PVEFW-FWBR-OUT
    -A PVEFW-FWBR-OUT -m conntrack --ctstate INVALID -j DROP
    -A PVEFW-FWBR-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

-A PVEFW-FORWARD -o venet0  -m set --match-set PVEFW-venet0 dst -j PVEFW-VENET-IN
    -A PVEFW-VENET-IN -m conntrack --ctstate INVALID -j DROP
    -A PVEFW-VENET-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A PVEFW-VENET-IN -m set --match-set PVEFW-blacklist src -j DROP



So, only 4 lookups for non-firewalled interfaces.



----- Original message ----- 

From: "Dietmar Maurer" <dietmar at proxmox.com> 
To: "Dietmar Maurer" <dietmar at proxmox.com>, "Alexandre DERUMIER" <aderumier at odiso.com> 
Cc: pve-devel at pve.proxmox.com 
Sent: Tuesday, 13 May 2014 19:15:02 
Subject: RE: [pve-devel] [PATCH] use linko+ name for ovs fwbrint interfaces 

> > so, yes, bad idea ;) 
> 
> So what packages do you want to block exactly? 
> 
> -A PVEFW-FORWARD -o vmbr+ -m physdev --physdev-is-bridged -j RETURN 

But I guess that does not work due to physdev match limitation :-/ 


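The chain order proposed above, as an added example that is not code from Proxmox VE or from the mail's author: a small Python model that walks constructed packets through the proposed PVEFW chains with netfilter's jump/return semantics and counts how many rules are evaluated, which is what the "4 lookups" claim is about. The ipset members, interface names, addresses and the Packet/walk helpers are assumptions made for the example.

```python
"""Model of the PVEFW chain order proposed in the mail above.

Added example, not code from Proxmox VE or the mail's author. The rule
order is encoded as Python data and a packet is walked through it the
way netfilter does (jump into a user chain, return to the caller at its
end, stop at ACCEPT/DROP), counting the rules evaluated on the way.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Constructed ipset contents (assumed addresses for the example).
IPSETS = {
    "PVEFW-venet0": {"10.0.0.5", "10.0.0.6"},   # firewalled venet0 containers
    "PVEFW-blacklist": {"203.0.113.9"},         # blocked source addresses
}


@dataclass
class Packet:
    in_iface: str = ""
    out_iface: str = ""
    physdev_in: str = ""   # bridge port the frame arrived on, "" if not bridged
    physdev_out: str = ""  # bridge port it leaves on, "" if not bridged
    src: str = ""
    dst: str = ""
    ctstate: str = "NEW"   # NEW, ESTABLISHED, RELATED or INVALID


def iface(pattern):
    """iptables interface wildcard: a trailing '+' matches any suffix."""
    glob = pattern[:-1] + "*" if pattern.endswith("+") else pattern
    return lambda name: fnmatchcase(name, glob)


# Match helpers mirroring -i/-o, --physdev-in/--physdev-out with
# --physdev-is-bridged (approximated as "has a bridge port"), -m set, -m conntrack.
def m_in(pat):          return lambda p: iface(pat)(p.in_iface)
def m_out(pat):         return lambda p: iface(pat)(p.out_iface)
def m_physdev_in(pat):  return lambda p: p.physdev_in != "" and iface(pat)(p.physdev_in)
def m_physdev_out(pat): return lambda p: p.physdev_out != "" and iface(pat)(p.physdev_out)
def m_set(name, field): return lambda p: getattr(p, field) in IPSETS[name]
def m_ctstate(*states): return lambda p: p.ctstate in states
def both(*fns):         return lambda p: all(f(p) for f in fns)

# Each rule is (match, target); target is ACCEPT, DROP or a chain to jump to.
CHAINS = {
    "PVEFW-FORWARD": [
        (both(m_in("venet0"), m_set("PVEFW-venet0", "src")), "PVEFW-VENET-OUT"),
        (m_physdev_in("fwln+"), "PVEFW-FWBR-IN"),
        (m_physdev_out("fwln+"), "PVEFW-FWBR-OUT"),
        (both(m_out("venet0"), m_set("PVEFW-venet0", "dst")), "PVEFW-VENET-IN"),
    ],
    "PVEFW-VENET-OUT": [
        (m_ctstate("INVALID"), "DROP"),
        (m_ctstate("RELATED", "ESTABLISHED"), "ACCEPT"),
    ],
    "PVEFW-FWBR-IN": [
        (m_ctstate("INVALID"), "DROP"),
        (m_ctstate("RELATED", "ESTABLISHED"), "ACCEPT"),
        (m_set("PVEFW-blacklist", "src"), "DROP"),
    ],
    "PVEFW-FWBR-OUT": [
        (m_ctstate("INVALID"), "DROP"),
        (m_ctstate("RELATED", "ESTABLISHED"), "ACCEPT"),
    ],
    "PVEFW-VENET-IN": [
        (m_ctstate("INVALID"), "DROP"),
        (m_ctstate("RELATED", "ESTABLISHED"), "ACCEPT"),
        (m_set("PVEFW-blacklist", "src"), "DROP"),
    ],
}


def walk(pkt, chain="PVEFW-FORWARD", _count=None):
    """Return (verdict, rules_evaluated). verdict is ACCEPT, DROP, or POLICY
    when no terminating rule matched and FORWARD's default policy decides."""
    count = _count if _count is not None else [0]
    for match, target in CHAINS[chain]:
        count[0] += 1
        if not match(pkt):
            continue
        if target in ("ACCEPT", "DROP"):
            return target, count[0]
        verdict, _ = walk(pkt, target, count)   # jump; POLICY means the chain returned
        if verdict != "POLICY":
            return verdict, count[0]
    return "POLICY", count[0]


def scenarios():
    """Constructed packets covering the cases discussed in the thread."""
    def bridged(port, src, ctstate="NEW"):     # frame between two vmbr0 ports
        return Packet("vmbr0", "vmbr0", port, "eth0", src, "10.0.0.60", ctstate)
    def venet(src, ctstate="NEW"):            # routed out of a venet0 container
        return Packet("venet0", "eth0", "", "", src, "198.51.100.7", ctstate)
    return {
        "plain": walk(bridged("tap100i0", "10.0.0.50")),          # no fwln port
        "established": walk(bridged("fwln100i0", "10.0.0.50", "ESTABLISHED")),
        "blacklisted": walk(bridged("fwln100i0", "203.0.113.9")),
        "venet_invalid": walk(venet("10.0.0.5", "INVALID")),      # src in ipset
        "venet_plain": walk(venet("10.0.0.99")),                  # src not in ipset
    }
```

Running `scenarios()` shows the cost structure of the proposal: a frame on a plain tap port, or from a venet0 container that is not in the PVEFW-venet0 ipset, fails all four PVEFW-FORWARD dispatch rules and falls through to the FORWARD policy after exactly 4 evaluations; an established flow on an fwln port is accepted by the conntrack shortcut after 4 evaluations (2 dispatch, 2 in PVEFW-FWBR-IN); a NEW packet from a blacklisted source reaches the blacklist DROP in PVEFW-FWBR-IN on the fifth. Keeping the blacklist rule inside the per-direction chains rather than in PVEFW-FORWARD is what preserves the 4-rule fast path for non-firewalled interfaces.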
