[pve-devel] [PATCH manager] fix #871: netstat: include veth devices

Stefan Priebe - Profihost AG s.priebe at profihost.ag
Mon Jan 25 09:24:18 CET 2016


On 25.01.2016 at 09:20, Wolfgang Bumiller wrote:
>> On January 25, 2016 at 8:50 AM Stefan Priebe - Profihost AG <s.priebe at profihost.ag> wrote:
>>
>>
>> On 22.01.2016 at 10:37, Dietmar Maurer wrote:
>>>> On 20.01.2016 at 10:26, Wolfgang Bumiller wrote:
>>>>> Just a quick follow-up question: Is this not supposed to include
>>>>> data blocked by the firewall?
>>>>
>>>> Yes, but that's the way it works. If you rent a server somewhere you
>>>> still have to pay for traffic which is blocked by YOUR iptables / firewall
>>>> rules. The data was / is already transferred. Same for me and our
>>>> upstream carriers.
>>>
>>> The patches from Wolfgang do not count blocked 
>>> incoming traffic (blocked by the pve firewall)!
>>>
>>> @Stefan: Is this the behaviour you want?
>>
>> I just looked at the code regarding #871 which just adds veth devices.
>> Which patch do you mean?
> 
> I think my question and your last answer have been a bit confusing as to
> which firewall and traffic was meant, so I'll be explicit now and talk
> about the 'PVE-firewall', since the VM's guest firewall can be mostly
> ignored; in other words, when I say outgoing traffic (WAN => VM) I implicitly mean
> it already passed the VM's guest firewall, whereas when I say incoming
> traffic (VM => WAN) I don't care what the VM's guest firewall does with it.
> 
> Basically this current code (not just my patch) counts incoming traffic
> only if it passes through the PVE-firewall, while it counts all outgoing
> traffic even if it's dropped by the PVE-firewall. We're wondering if this
> behavior is the desired one for *both* directions. (I suppose this is
> partially a question of whether the client has access to the PVE firewall
> or only the one inside the VM.)

Yes - I think it can be correct and it can be wrong ;-) and depends on
who has control over the guest FW / PVE FW.

At least the current code works fine and shows exactly the values I
need. To me it should include the traffic to the guest FW, WAN => VM, but
should NOT include the traffic GUEST => WAN.

The logic behind this is that the customer has control over the guest FW.
So if the traffic stays local he does not have to pay (VM => FW => WAN). But
he has to pay if the traffic is sent to him, for example DDoS (WAN => FW
=> VM).

Stefan
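The whole exchange above hinges on which direction a byte counter on the host side of a tap/veth device actually represents, and on where the PVE firewall sits relative to that counter. The following Python is an added illustration, not the #871 patch and not code from pve-manager: it parses /proc/net/dev-style lines (the table below is constructed, not captured from a real host) and folds the per-interface counters into per-guest netin/netout totals, assuming the usual Proxmox interface names tap<vmid>i<n> for VMs and veth<vmid>i<n> for containers. The point it makes explicit is the direction inversion: bytes the guest sends are received by the host on the tap/veth (host rx = guest => WAN), and bytes delivered to the guest are transmitted by the host on it (host tx = WAN => guest). Because netfilter's forward chain runs after a frame has been received on the guest interface but before anything is transmitted on it, host rx already includes guest => WAN traffic the PVE firewall later drops, while host tx only ever contains WAN => guest traffic the firewall let through, which is the asymmetry the thread is debating.

```python
import os
import re
from typing import Dict, Tuple

# Constructed sample in /proc/net/dev layout (not captured from a real host).
# After "iface:" the 16 columns are
#   rx: bytes packets errs drop fifo frame compressed multicast
#   tx: bytes packets errs drop fifo colls carrier compressed
SAMPLE_PROC_NET_DEV = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    1024      10    0    0    0     0          0         0     1024      10    0    0    0     0       0          0
  eth0: 9000000   70000    0    0    0     0          0         0  4000000   30000    0    0    0     0       0          0
tap100i0:  500000    4000    0    0    0     0          0         0  2500000   20000    0    0    0     0       0          0
tap100i1:   10000     100    0    0    0     0          0         0    20000     150    0    0    0     0       0          0
veth101i0: 300000    2500    0    0    0     0          0         0   900000    7000    0    0    0     0       0          0
fwbr100i0:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
"""

# Assumed naming convention: tap<vmid>i<n> (qemu VM) and veth<vmid>i<n> (container).
# Firewall bridges such as fwbr100i0 deliberately do not match.
GUEST_IFACE = re.compile(r"^(?:tap|veth)(\d+)i(\d+)$")


def parse_proc_net_dev(text: str) -> Dict[str, Tuple[int, int]]:
    """Return {iface: (rx_bytes, tx_bytes)} from /proc/net/dev-formatted text."""
    stats: Dict[str, Tuple[int, int]] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue  # the two header lines carry no interface
        name, _, rest = line.partition(":")
        fields = rest.split()
        if len(fields) < 16 or not all(f.isdigit() for f in fields[:16]):
            continue  # malformed line; skip rather than miscount
        # rx bytes is column 0, tx bytes is column 8
        stats[name.strip()] = (int(fields[0]), int(fields[8]))
    return stats


def guest_traffic(stats: Dict[str, Tuple[int, int]]) -> Dict[int, Dict[str, int]]:
    """Aggregate host-side tap/veth counters into per-guest netin/netout.

    Direction is seen from the host: what the guest transmits arrives as host
    rx on its tap/veth, so host rx is the guest's outbound (guest => WAN) and
    host tx is the guest's inbound (WAN => guest). The PVE firewall's forward
    chain sits between receiving on and transmitting on this interface, so
    netout includes guest => WAN bytes the firewall later dropped, while netin
    only contains WAN => guest bytes that were actually forwarded.
    """
    per_vm: Dict[int, Dict[str, int]] = {}
    for iface, (host_rx, host_tx) in stats.items():
        m = GUEST_IFACE.match(iface)
        if not m:
            continue
        vmid = int(m.group(1))
        entry = per_vm.setdefault(vmid, {"netin": 0, "netout": 0})
        entry["netin"] += host_tx   # WAN => guest, counted after the forward chain
        entry["netout"] += host_rx  # guest => WAN, counted before the forward chain
    return per_vm


if __name__ == "__main__":
    # Use the live table when run on a Linux host, otherwise the constructed sample.
    if os.path.exists("/proc/net/dev"):
        with open("/proc/net/dev") as fh:
            text = fh.read()
    else:
        text = SAMPLE_PROC_NET_DEV
    for vmid, totals in sorted(guest_traffic(parse_proc_net_dev(text)).items()):
        print(f"guest {vmid}: netin={totals['netin']} netout={totals['netout']}")
```

On the sample, guest 100 (two tap interfaces) reports netin 2520000 and netout 510000, and guest 101 reports netin 900000 and netout 300000; the fwbr100i0 bridge and the physical uplink are ignored so that no byte is counted twice.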


