> >>How would you present that to the user (how would you design a GUI for
> that)?
> I see 2 parts:
>
> 1 firewall tab on the VM
> in this tab, we can associate security groups for incoming rules and outgoing
> rules by network interface
>
> [INCOMING RULES]
> net0 security1
> net0 security2
>
> [OUTGOING RULES]
> net1 security3
> .....
OK. But maybe we can allow normal rules also? And use the existing format
(pve-firewall/example/100.fw):

------------------
[GROUPS]
security1
security2

[IN]
SSH(ACCEPT) net0 192.168.2.192 -

[OUT]
DNS(ACCEPT) net0
------------------

> maybe some special checkbox to enable anti-spoofing rule
>
> 1 new tab/form to manage rules/security groups.
> I would like to be able to use the same rules on different VMs, so I don't
> know where to put this form?
> In the datacenter?

yes

> I think these rules should be shared inside a pool. (PVEPool permissions to
> manage these rules?)
> What do you think?

We use an extra file to store Security Groups:

/etc/pve/firewall/groups.fw

----------groups.fw-example-----------
[IN:<groupname>:<pool>]
SSH(ACCEPT) net0 192.168.2.192 -

[OUT:<groupname>:<pool>]
...
--------------------

So we can store 'global' groups (no pool specified) and pool related groups.
I am sure we find a way to handle permissions for that.

> in this tab, we can edit rules with
>
> source : ip / iprange / mac (or vmid-netX, and we translate it to macaddress
> later) / other security group
> destination : ip / iprange / mac (or vmid-netX, and we translate it to
> macaddress later) / other security group
> source port : port, portlist(1,2,3), port range
> destination port : portnum, portlist(1,2,3) / port range / port from
> /etc/services
> protocol : tcp/udp/...
> action : ACCEPT/DROP
>
> Maybe add some "macros/wizard", for protocols like dhcp : -p udp --dport 67:68
> --sport 67:68 or icmp (-p icmp --icmp-type 0, -p icmp --icmp-type 8)

I think this should be exactly the same as the firewall tab on the VM. You just
edit the rules for a 'security group' instead of VM specific rules.

> >>What configuration files do we need for that (syntax)?
> 1 config file by VM (we can reuse /etc/pve/firewall/VMID.fw)
>
> [IN]
> net0 security1
> net0 security2
> [OUT]
> net1 security3
>
> we can use inotify to regenerate interface chains on each proxmox host
>
> 1 config file for security groups. (or 1 file by pool? don't know)

One file is enough (see above /etc/pve/firewall/groups.fw)

> [SECURITY1]
> src=xxx dst=xxx sport=xxx dport=xxx proto=xxx action=xxx
>
> [SECURITY]
> src=xxx dst=xxx sport=xxx dport=xxx proto=xxx action=xxx
>
> >>And can we easily implement that with OVS (stateless)?
> Really, I really don't know for the moment. But it could be possible to
> implement it later, as config files are simple.
>
> Another possibility is to do like openstack with "hybrid mode".
> You have a central ovs (manage vlan, netflow,...), then 1 bridge for each tap
> interface plugged to ovs.
> Like this it's possible to manage iptables rules on these bridges.

I am not sure if you are aware of all iptables restrictions for bridge ports
(physdev match). For a short intro read:

http://www.shorewall.net/bridge-Shorewall-perl.html

But I have no idea if you hit that problem at all.

_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
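The two files the thread settles on, VMID.fw with a [GROUPS] section plus the VM's own [IN]/[OUT] rules, and a shared groups.fw with [IN:<groupname>:<pool>] / [OUT:<groupname>:<pool>] sections, are only specified by example above. The parser below is an added example written for this page; it is not pve-firewall code and not code from either poster, and the syntax pve-firewall later shipped is not this proposal. It fills in what the thread leaves open, and every such choice is an assumption: '#' starts a comment, a rule line is MACRO(ACTION) followed by optional iface, source and destination fields with '-' meaning "any", group rules are emitted before the VM's own rules, an attached group that does not exist is an error rather than silently ignored, and a group bound to a pool may only be attached by a VM in that pool (the permission boundary the thread raises). The sample configs at the bottom are constructed for the example.

```python
# Added example: parser for the VMID.fw / groups.fw layout proposed in this thread.
# Not pve-firewall code. Assumed beyond the thread's examples: '#' comments, rule
# lines of the form  MACRO(ACTION) [iface] [source] [dest]  with '-' meaning "any",
# group rules before VM rules, and pool-bound groups only attachable inside that pool.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SECTION_RE = re.compile(r"^\[(?P<kind>[A-Z]+)(?::(?P<group>[\w-]+))?(?::(?P<pool>[\w-]+))?\]$")
RULE_RE = re.compile(r"^(?P<macro>\w+)\((?P<action>ACCEPT|DROP)\)(?P<rest>.*)$")

@dataclass
class Rule:
    direction: str        # IN or OUT
    macro: str            # SSH, DNS, ...
    action: str           # ACCEPT or DROP
    iface: Optional[str]  # None means "any"; same for source/dest
    source: Optional[str]
    dest: Optional[str]
    origin: str           # 'vm' or the name of the group that contributed it

@dataclass
class Group:
    name: str
    pool: Optional[str]   # None means a global group
    rules: List[Rule] = field(default_factory=list)

@dataclass
class VMConfig:
    groups: List[str] = field(default_factory=list)
    rules: List[Rule] = field(default_factory=list)

def _lines(text: str):
    """Yield (lineno, content) for lines that are neither blank nor comments."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            yield n, line

def parse_rule(direction: str, line: str, origin: str) -> Rule:
    m = RULE_RE.match(line)
    if not m:
        raise ValueError(f"bad rule line: {line!r}")
    fields = m.group("rest").split()
    if len(fields) > 3:
        raise ValueError(f"too many fields in rule: {line!r}")
    fields += [None] * (3 - len(fields))          # missing trailing fields == '-'
    iface, src, dst = (None if f in (None, "-") else f for f in fields)
    return Rule(direction, m.group("macro"), m.group("action"), iface, src, dst, origin)

def parse_groups(text: str) -> Dict[str, Group]:
    """groups.fw: [IN:<name>[:<pool>]] / [OUT:<name>[:<pool>]] sections."""
    groups: Dict[str, Group] = {}
    current = None
    for n, line in _lines(text):
        m = SECTION_RE.match(line)
        if m:
            kind, gname, pool = m.group("kind", "group", "pool")
            if kind not in ("IN", "OUT") or not gname:
                raise ValueError(f"line {n}: expected [IN:<group>] or [OUT:<group>]")
            group = groups.setdefault(gname, Group(gname, pool))
            if group.pool != pool:   # a later section must not re-home the group
                raise ValueError(f"line {n}: group {gname!r} bound to two pools")
            current = (kind, group)
        elif current is None:
            raise ValueError(f"line {n}: rule outside of any section")
        else:
            current[1].rules.append(parse_rule(current[0], line, current[1].name))
    return groups

def parse_vm(text: str) -> VMConfig:
    """VMID.fw: [GROUPS] lists attached groups, [IN]/[OUT] hold the VM's own rules."""
    cfg, section = VMConfig(), None
    for n, line in _lines(text):
        m = SECTION_RE.match(line)
        if m:
            kind, gname, pool = m.group("kind", "group", "pool")
            if gname or pool or kind not in ("GROUPS", "IN", "OUT"):
                raise ValueError(f"line {n}: unexpected section {line!r} in VM file")
            section = kind
        elif section == "GROUPS":
            cfg.groups.append(line)
        elif section in ("IN", "OUT"):
            cfg.rules.append(parse_rule(section, line, "vm"))
        else:
            raise ValueError(f"line {n}: rule outside of any section")
    return cfg

def effective_rules(vm: VMConfig, groups: Dict[str, Group],
                    vm_pool: Optional[str] = None) -> List[Rule]:
    """Flatten attached groups into one ordered list; unknown or foreign-pool groups are errors."""
    out: List[Rule] = []
    for gname in vm.groups:
        group = groups.get(gname)
        if group is None:
            raise KeyError(f"unknown security group {gname!r}")
        if group.pool is not None and group.pool != vm_pool:
            raise PermissionError(f"group {gname!r} is bound to pool {group.pool!r}")
        out.extend(group.rules)
    out.extend(vm.rules)
    return out

# Constructed sample inputs in the proposed syntax, not real cluster configuration.
VM_CONF = """\
[GROUPS]
security1
security2
[IN]
SSH(ACCEPT) net0 192.168.2.192 -
[OUT]
DNS(ACCEPT) net0
"""
GROUPS_CONF = """\
[IN:security1]
SSH(ACCEPT) net0 10.0.0.0/8 -
[IN:security2:pool1]          # pool-bound group
HTTP(ACCEPT) net0 - -
[OUT:security1]
DNS(ACCEPT) net0
"""

if __name__ == "__main__":
    for r in effective_rules(parse_vm(VM_CONF), parse_groups(GROUPS_CONF), vm_pool="pool1"):
        print(r)
```

Running it stand-alone prints the five expanded rules for a VM in pool1: the two from security1, the one from security2, then the VM's own two. Calling effective_rules with vm_pool=None for the same VM raises PermissionError, because security2 is bound to pool1; that failure mode, rather than quietly dropping the group, is the point of keeping the pool in the section header.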