[pve-devel] pve-firewall : nftables ?

Alexandre DERUMIER aderumier at odiso.com
Wed Nov 28 12:03:23 CET 2018


>>I mean, it does "work™" if we keep the firewall bridges around, as we 
>>can match on `fwbr404i0` etc... 

>>But it would be nice if we could get rid of those... 

AFAIK, we also added fwbr because we wanted the packet to go through netfilter twice,
once for vm1 output
once for vm2 input

I don't remember if it was for simplicity of rule matching,
like vm1 accept out tcp/80, vm2 reject in tcp/80, both VMs on the same bridge.

I need to look in my archives, but the first patches were without fwbr.



>>But it would be nice if we could get rid of those... 
>>I currently only see hacky workarounds for that, though... One way 
>>would be to create indexed chains for each set of guest/interface pairs, 
>>and use the netdev table's ingress hook to mark packets for them... 


>>We'd be using up more space in the 'mark' though (currently we only use 
>>1 bit of it). But it would get rid of the extra firewall-bridges... 

oh, I didn't know about the netdev table

>>(And no, we can't simply mark the packets with the VMID itself because 
>>that already eats up 30 of the 32 bits and there wouldn't be enough 
>>space left for the interface number...) 

:/



>>I'd really like to just get the damn info... it's not like it's not 
>>available for iptables already anyway -_- a `log` rule even prints all 
>>of it ... 

Which info?


----- Original mail -----
From: "Wolfgang Bumiller" <w.bumiller at proxmox.com>
To: "aderumier" <aderumier at odiso.com>
Cc: "pve-devel" <pve-devel at pve.proxmox.com>
Sent: Wednesday 28 November 2018 10:54:28
Subject: Re: [pve-devel] pve-firewall : nftables ?

On Wed, Nov 28, 2018 at 09:21:53AM +0100, Alexandre DERUMIER wrote: 
> >>sysctl net.bridge.bridge-nf-call-iptables=1
> >>(haven't tested more than this, but I'm seeing VM connections in conntrack)
>
> Damn, it doesn't work because everything goes to the ip filter, and the tap interfaces are physin/physout in this case
> (and physdev is not supported by nftables)

I mean, it does "work™" if we keep the firewall bridges around, as we 
can match on `fwbr404i0` etc... 

But it would be nice if we could get rid of those... 
I currently only see hacky workarounds for that, though... One way 
would be to create indexed chains for each set of guest/interface pairs, 
and use the netdev table's ingress hook to mark packets for them... 
(And no, we can't simply mark the packets with the VMID itself because 
that already eats up 30 of the 32 bits and there wouldn't be enough 
space left for the interface number...) 

We'd be using up more space in the 'mark' though (currently we only use 
1 bit of it). But it would get rid of the extra firewall-bridges... 

Like so: 

table netdev PVE {
    # ingress hook on the guest's device: tag every packet coming from it
    chain veth404i0 {
        type filter hook ingress device veth404i0 priority 0; policy accept;
        mark set 1
    }
}

table inet pve {
    chain Forward {
        type filter hook forward priority 0;
        ct state invalid drop
        ct state {established, related} return
        # dispatch on the mark set at ingress, one chain per guest/interface
        mark vmap {
            1 : jump Guest404i0,
            2 : jump Guest404i1
            # ...
        }
    }

    chain Guest404i0 {
        # put rules for vmid 404 interface 0 here...
    }
    chain Guest404i1 {
        # put rules for vmid 404 interface 1 here...
    }
}

I'd really like to just get the damn info... it's not like it's not 
available for iptables already anyway -_- a `log` rule even prints all 
of it ... 
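The indexed-chain scheme sketched in the quoted mail, as an added example that is not part of the mail or of pve-firewall: a small generator that assigns each (vmid, interface) pair a mark index and emits the matching netdev ingress chains, the forward vmap and the per-guest chains. It assumes the device and chain naming "veth<VMID>i<N>" / "Guest<VMID>i<N>" and that the existing firewall keeps using the lowest mark bit, which is why the index is shifted and matched through a mask.

```python
# Added example (not pve-firewall code): emit the indexed-chain nftables
# ruleset sketched in the mail for a list of (vmid, interface) pairs.
# Assumptions: devices "veth<VMID>i<N>", chains "Guest<VMID>i<N>", and the
# existing firewall keeps the lowest mark bit, so the index lives in the
# other 31 bits and is matched through a mask.
RESERVED_BITS = 1
INDEX_MASK = 0xFFFFFFFF & ~((1 << RESERVED_BITS) - 1)  # 0xfffffffe

def allocate_marks(pairs):
    """Map each distinct (vmid, ifnum) pair to a mark carrying a small index.

    Marking with the VMID itself would need 30 of the 32 bits; a per-pair index
    stays small. Index 0 is never used, so an unmarked packet hits no guest chain.
    """
    marks = {}
    for idx, pair in enumerate(sorted(set(pairs)), start=1):
        mark = idx << RESERVED_BITS
        if mark > 0xFFFFFFFF:
            raise ValueError("mark field exhausted")
        marks[pair] = mark
    return marks

def render_ruleset(pairs):
    """Return the nft ruleset text: netdev ingress markers plus the vmap."""
    marks = allocate_marks(pairs)
    out = ["table netdev PVE {"]
    for (vmid, ifnum), mark in marks.items():
        dev = f"veth{vmid}i{ifnum}"
        out += [f"    chain {dev} {{",
                f"        type filter hook ingress device {dev} priority 0; policy accept;",
                f"        mark set {mark}",
                "    }"]
    out += ["}", "", "table inet pve {", "    chain Forward {",
            "        type filter hook forward priority 0;",
            "        ct state invalid drop",
            "        ct state {established, related} return",
            f"        mark & {INDEX_MASK:#x} vmap {{"]
    out.append(",\n".join(f"            {mark} : jump Guest{vmid}i{ifnum}"
                          for (vmid, ifnum), mark in marks.items()))
    out += ["        }", "    }"]
    for vmid, ifnum in marks:
        out += [f"    chain Guest{vmid}i{ifnum} {{",
                f"        # rules for vmid {vmid} interface {ifnum} go here",
                "    }"]
    out.append("}")
    return "\n".join(out)

if __name__ == "__main__":
    print(render_ruleset([(404, 0), (404, 1), (405, 0)]))
```

The printed text can be fed to `nft -f`; the Guest chains are left empty on purpose, since the per-guest rules are what the firewall would fill in.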



