[pve-devel] pve-firewall : nftables ?

Wolfgang Bumiller w.bumiller at proxmox.com
Wed Nov 28 10:54:28 CET 2018


On Wed, Nov 28, 2018 at 09:21:53AM +0100, Alexandre DERUMIER wrote:
> >>sysctl net.bridge.bridge-nf-call-iptables=1
> >>(I haven't tested more than this, but I'm seeing VM connections in conntrack)
> 
> Damned, it doesn't work because everything goes to the ip filter, and the tap interfaces are physin/physout in this case
> (and physdev is not supported by nftables)

I mean, it does "work™" if we keep the firewall bridges around, as we
can match on `fwbr404i0` etc...

But it would be nice if we could get rid of those...
I currently only see hacky workarounds for that, though... One way
would be to create indexed chains for each set of guest/interface pairs,
and use the netdev table's ingress hook to mark packets for them...
(And no, we can't simply mark the packets with the VMID itself because
that already eats up 30 of the 32 bits and there wouldn't be enough
space left for the interface number...)

We'd be using up more space in the 'mark' though (currently we only use
1 bit of it). But it would get rid of the extra firewall-bridges...

Like so:

table netdev PVE {
    chain veth404i0 {
        type filter hook ingress device veth404i0 priority 0; policy accept;
        mark set 1
    }
}

table inet pve {
    chain Forward {
        type filter hook forward priority 0;
        ct state invalid drop
        ct state {established, related} return
        mark vmap {
            1: jump Guest404i0,
            2: jump Guest404i1,
            ...
        }
    }

    chain Guest404i0 {
        #put rules for vmid 404 interface 0 here...
    }
    chain Guest404i1 {
        #put rules for vmid 404 interface 1 here...
    }
}

I'd really like to just get the damn info... it's not like it's not
available for iptables already anyway -_- a `log` rule even prints all
of it ...
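The indexed-chain idea from the mail, as an added example that is not part of the original message or of pve-firewall: a small Python generator that gives every guest/interface pair a dense mark index (starting at 1, so an unmarked packet never collides with a guest) and renders a ruleset of the shape sketched above, with one netdev ingress chain per device setting the mark and a forward chain dispatching on it through a vmap. The device naming `veth<vmid>i<n>`, the chain names and the table name `pve` are assumptions taken from the sketch; the `usable_bits` parameter models how much of the 32-bit mark is left for the index once other users of the mark are taken into account.

```python
"""Added example (not Proxmox code): render an nftables ruleset that marks
packets per guest interface at netdev ingress and dispatches on the mark
in the forward hook, as sketched in the mail."""
from __future__ import annotations

from typing import Iterable


def assign_marks(pairs: Iterable[tuple[int, int]], usable_bits: int = 32) -> dict[tuple[int, int], int]:
    """Map each (vmid, iface) pair to a small index, starting at 1.

    Mark value 0 is deliberately left unused so "no mark" can never be
    mistaken for a guest.  usable_bits is the number of mark bits that may
    hold the index (assumption: the rest of the mark is used elsewhere).
    Raises ValueError on duplicate pairs or when the index space is full.
    """
    max_index = (1 << usable_bits) - 1
    marks: dict[tuple[int, int], int] = {}
    for vmid, iface in pairs:
        if (vmid, iface) in marks:
            raise ValueError(f"duplicate interface {vmid}i{iface}")
        index = len(marks) + 1
        if index > max_index:
            raise ValueError(f"mark index space exhausted ({usable_bits} usable bits)")
        marks[(vmid, iface)] = index
    return marks


def dev_name(vmid: int, iface: int) -> str:
    # Assumed device naming; the mail uses veth404i0 for vmid 404, interface 0.
    return f"veth{vmid}i{iface}"


def chain_name(vmid: int, iface: int) -> str:
    # Per-pair chain naming from the sketch (Guest404i0, Guest404i1, ...).
    return f"Guest{vmid}i{iface}"


def render_ruleset(marks: dict[tuple[int, int], int]) -> str:
    """Emit nft syntax: netdev table with one ingress chain per device,
    then an inet table whose forward chain dispatches via a mark vmap."""
    lines = ["table netdev PVE {"]
    for (vmid, iface), mark in marks.items():
        dev = dev_name(vmid, iface)
        lines += [
            f"    chain {dev} {{",
            f"        type filter hook ingress device {dev} priority 0; policy accept;",
            f"        mark set {mark}",
            "    }",
        ]
    lines.append("}")
    lines += [
        "",
        "table inet pve {",
        "    chain Forward {",
        "        type filter hook forward priority 0;",
        "        ct state invalid drop",
        "        ct state {established, related} return",
        "        mark vmap {",
    ]
    # vmap entries are comma separated; join avoids a dangling trailing comma
    entries = [f"            {mark}: jump {chain_name(v, i)}" for (v, i), mark in marks.items()]
    lines.append(",\n".join(entries))
    lines += ["        }", "    }"]
    for vmid, iface in marks:
        lines += [
            "",
            f"    chain {chain_name(vmid, iface)} {{",
            f"        # rules for vmid {vmid} interface {iface} go here",
            "    }",
        ]
    lines.append("}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample: two interfaces on guest 404 and one on guest 500.
    sample = [(404, 0), (404, 1), (500, 0)]
    print(render_ruleset(assign_marks(sample)), end="")
```

The generated text can be syntax-checked without loading it with `nft -c -f <file>`; the ValueError on an exhausted index space is the point of the mail's remark that the VMID alone cannot be used as the mark, since the index has to fit in whatever part of the mark is not already spoken for.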



