[PVE-User] ipfilter functionality

Wolfgang Bumiller w.bumiller at proxmox.com
Fri Apr 13 11:11:53 CEST 2018


On Fri, Apr 13, 2018 at 10:13:02AM +0200, Mark Schouten wrote:
> On Fri, 2018-04-13 at 10:08 +0200, Mark Schouten wrote:
> > It's not really MAC filtering I'm looking for. But wouldn't this be
> > fixed if the connection inbound would be filtered as well as
> > outbound?
> > So add the ipfilter-rules to $interface-IN as well?

For simple connections this works, but then you also break multicast
traffic unless you add all multicast IPs to the ipfilter as well. The
real solution would be to move the conntrack rules from PVEFW-FORWARD
into tap/veth${vmid}i* to below the ipfilter.

> Like so:
> diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
> index 8f545e7..1bf0725 100644
> --- a/src/PVE/Firewall.pm
> +++ b/src/PVE/Firewall.pm
> @@ -2202,6 +2202,12 @@ sub ruleset_create_vm_chain {
>         }
>         ruleset_addrule($ruleset, $chain, "", "-j MARK --set-mark
> $FWACCEPTMARK_OFF"); # clear mark
>      }
> +    if ($direction eq 'IN') {
> +       if ($ipfilter_ipset) {
> +           ruleset_addrule($ruleset, $chain, "-m set ! --match-set
> $ipfilter_ipset dst", "-j DROP");
> +       }
> +    }
> +
>  
>      my $accept_action = $direction eq 'OUT' ? '-g PVEFW-SET-ACCEPT-
> MARK' : "-j $accept";
>      ruleset_chain_add_ndp($ruleset, $chain, $ipversion, $options,
> $direction, $accept_action);
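Review bot: the new DROP in the `IN` branch is placed before the `ruleset_chain_add_ndp` call and matches on `dst` only, so every inbound packet whose destination is not one of the guest's own addresses in `$ipfilter_ipset` is dropped, including IPv6 neighbour discovery (solicited-node and all-nodes multicast destinations) and any other multicast the guest subscribes to, which is exactly the breakage described in the reply above. Either accept multicast destinations (224.0.0.0/4 and ff00::/8) ahead of the `-m set ! --match-set $ipfilter_ipset dst` rule, or move that rule below the NDP handling, or take the suggested route of moving the conntrack rules out of PVEFW-FORWARD into the per-interface chains below the ipfilter so the existing outbound check also covers replies. Minor: the nested `if ($direction eq 'IN') { if ($ipfilter_ipset) {` collapses to `if ($direction eq 'IN' && $ipfilter_ipset) {`, and the bare `+` line adds a second blank line in front of the existing one.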
