>> The problem is that all routed traffic from HOST to VM is allowed. So a good test would be trying to block something.

Yes, but the return packet (tap --> INPUT) is blocked, so you can't establish a connection:

    iptables -A INPUT -m physdev --physdev-in tap115i0 -j DROP

or

    iptables -A INPUT -m mac --mac-source 32:36:8A:E1:B5:65 -j DROP

host: 10.3.94.31
guest: 10.3.94.201

    # ping 10.3.94.201

host --> tap: allowed

    Jan 24 06:49:18 kvmtest1 kernel: [318034.190051] ALLTRAFFICOUTPUT: IN= OUT=vmbr1 SRC=10.3.94.31 DST=10.3.94.201 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=7239 SEQ=21

tap --> host: dropped

    Jan 24 06:49:18 kvmtest1 kernel: [318034.190194] ALLTRAFFICINPUT: IN=vmbr1 OUT= PHYSIN=tap115i0 MAC=00:1a:a0:3c:98:c5:32:36:8a:e1:b5:65:08:00 SRC=10.3.94.201 DST=10.3.94.31 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=32747 PROTO=ICMP TYPE=0 CODE=0 ID=7239 SEQ=21

Another way should be to block the guest IP in OUTPUT, but we need to know the IP address of the guest.

----- Original Message -----
From: "Dietmar Maurer" <diet...@proxmox.com>
To: "Alexandre DERUMIER" <aderum...@odiso.com>
Cc: "pve-devel" <pve-devel@pve.proxmox.com>
Sent: Thursday, 23 January 2014 10:55:50
Subject: RE: [pve-devel] RFC : iptables implementation

> >> Maybe no big problem unless the user assigns IP addresses to multiple
> >> bridges.
>
> I'll do test today. Because I know openstack can use dhcpd from host

The problem is that all routed traffic from HOST to VM is allowed. So a good
test would be trying to block something.
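As an added example (not code from the mail or from Proxmox), a small parser for the kernel LOG lines above: it pairs each ICMP echo request with its reply by echo ID and sequence, reports which tap the reply entered the host through (the PHYSIN= field the physdev rule keys on), and pulls the guest's source MAC out of the MAC= field, which is the value the `-m mac --mac-source` rule matches. The two sample lines are the ones quoted in the mail.

```python
import re
from typing import Dict, List, Optional, Tuple

# Sample input: the two kernel LOG lines quoted in the mail
# (host 10.3.94.31 pinging guest 10.3.94.201 behind tap115i0 on vmbr1).
SAMPLE_LOG = """\
Jan 24 06:49:18 kvmtest1 kernel: [318034.190051] ALLTRAFFICOUTPUT: IN= OUT=vmbr1 SRC=10.3.94.31 DST=10.3.94.201 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=7239 SEQ=21
Jan 24 06:49:18 kvmtest1 kernel: [318034.190194] ALLTRAFFICINPUT: IN=vmbr1 OUT= PHYSIN=tap115i0 MAC=00:1a:a0:3c:98:c5:32:36:8a:e1:b5:65:08:00 SRC=10.3.94.201 DST=10.3.94.31 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=32747 PROTO=ICMP TYPE=0 CODE=0 ID=7239 SEQ=21
"""

_LINE = re.compile(r"\] (?P<prefix>[A-Z]+): (?P<rest>.*)$")
_KV = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line: str) -> Optional[Dict[str, str]]:
    """Split one netfilter LOG line into its prefix and key=value fields.

    'ID=' appears twice (IP header ID, then ICMP echo ID); the second
    occurrence is stored as ICMP_ID so it does not overwrite the first.
    Bare flags such as DF carry no '=' and are simply skipped.
    """
    m = _LINE.search(line)
    if not m:
        return None
    fields: Dict[str, str] = {"prefix": m.group("prefix")}
    for key, value in _KV.findall(m.group("rest")):
        if key == "ID" and "ID" in fields:
            key = "ICMP_ID"
        fields[key] = value
    return fields


def source_mac(mac_field: str) -> str:
    """MAC= is dst(6):src(6):ethertype(2); the source half is the guest NIC,
    i.e. the address an '-m mac --mac-source' rule would match on."""
    return ":".join(mac_field.split(":")[6:12])


def match_echo(lines: List[str]) -> Dict[Tuple[str, str], Dict[str, Dict[str, str]]]:
    """Pair echo requests (TYPE=8) with replies (TYPE=0) by (ICMP_ID, SEQ)."""
    pairs: Dict[Tuple[str, str], Dict[str, Dict[str, str]]] = {}
    for line in lines:
        f = parse_log_line(line)
        if not f or f.get("PROTO") != "ICMP" or "ICMP_ID" not in f:
            continue
        role = "request" if f.get("TYPE") == "8" else "reply"
        pairs.setdefault((f["ICMP_ID"], f["SEQ"]), {})[role] = f
    return pairs


def replies_via(pairs, tap: str) -> List[Tuple[str, str]]:
    """Exchanges whose reply entered the host through `tap` (PHYSIN=)."""
    return [k for k, v in pairs.items() if v.get("reply", {}).get("PHYSIN") == tap]
```

Feeding it a longer capture shows at a glance which echo exchanges got a reply at all and through which tap, which is what the "allowed / dropped" pair above demonstrates by hand.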