>>Instead, I would restrict the group to be either in or out, but not both.
>>Or do we need a direction at all (why)?

I have done that like this, because I had RETURN or ACCEPT in group-in/out chains.
But now that we are using mark, I think it can be ok!

----- Original Message -----
From: "Dietmar Maurer" <diet...@proxmox.com>
To: "Alexandre DERUMIER" <aderum...@odiso.com>
Cc: pve-devel@pve.proxmox.com
Sent: Thursday 27 February 2014 13:09:45
Subject: RE: pvefw security group questions

> >>Note: we only jump to group if source == 1.2.3.4?
> >>Do we want such functionality?
>
> Can be useful to do something like this for example
>
> vm1.FW
> GROUP-group1 net0 - - 80 - -
>
>
> vm2.FW
> GROUP-group1 net0 - - 22 - -
>
>
> and
> [GROUP1]
>
> ACCEPT 10.0.0.1 - - - -
> ACCEPT 10.0.0.2 - - - -
> ACCEPT 10.0.0.3 - - - -

Ah

> >>[OUT]
> >>
> >>GROUP-group1 net3
> >>GROUP-group2 net0
> >>
> >>Note: Usage of 'net3' instead of 'net0' is a typo? Or do we want to allow
> that?
> >>
>
> I would like to be able to set up a different security group for each interface.
> (I can have a vm with a lan interface and san/nfs interface for example, with
> different rules)
>
>
>
> >>We could avoid all those problems by introducing a [GROUPS] section:
> >>
> >>--100.fw-
> >>[GROUPS]
> >>group1 net0
> >>group2 net0
> >>
> >>[IN]
> >>
> >>[OUT]
> >>
> >>-----
> >>
> >>what do you think?
>
> mmm, I don't know, because like this we can't specify group rules order vs
> tap rules order.
> If for example I have a group rule with a DROP, and a tap rule with ACCEPT,
> and I want the group rule tested before the tap rule.
> or reverse,
> I have a tap rule with DROP and a group rule with ACCEPT, and I want the tap
> rule tested before the group rule

Ok, I guess I finally got what you want ;-)

The confusing part for me is that a single group can have IN and OUT sections:

---groups.fw---
[IN:group1]
ACCEPT - - tcp 22 -

[OUT:group1]
ACCEPT - - tcp 80 -
ACCEPT - - icmp - -
---------

Instead, I would restrict the group to be either in or out, but not both.
Or do we need a direction at all (why)?

---groups.fw---
[group1]
ACCEPT - - tcp 22 -

[group2]
ACCEPT - - tcp 80 -
ACCEPT - - icmp - -
---------
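The direction-less groups.fw proposed at the end of the thread, together with the two earlier points (group rules evaluated before or after the VM's own rules depending on where the GROUP- reference sits, and a group reference bound to one interface), as an added Python example that is not part of the thread or of pve-firewall: it parses both files and flattens a VM's [IN]/[OUT] sections in file order. The six-column rule lines and the `GROUP-<name> <iface> ...` reference form are taken as written in the thread; the splicing semantics and the sample files are assumptions, not pve-firewall's actual behaviour.

```python
# Added example, not pve-firewall code: expand a VM .fw against the direction-less
# groups.fw proposed in the thread, splicing group rules in at the position of the
# GROUP-<name> reference and tagging them with the interface the reference names.
import re

# Constructed sample input in the thread's syntax, not a real Proxmox config.
GROUPS_FW = """
[group1]
ACCEPT - - tcp 22 -
[group2]
ACCEPT - - tcp 80 -
ACCEPT - - icmp - -
"""
VM_FW = """
[IN]
DROP - - tcp 22 -
GROUP-group1 net0 - - - - -
ACCEPT - - tcp 80 -
[OUT]
GROUP-group2 net1 - - - - -
"""
SECTION = re.compile(r"^\[([^\]]+)\]$")

def parse_sections(text):
    # {section name: [token list per rule]}, keeping the file's rule order
    sections, current = {}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        if m := SECTION.match(line):
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"rule outside any section: {line!r}")
        else:
            sections[current].append(line.split())
    return sections

def expand(vm_text, groups_text):
    # {direction: [(iface, action, match fields)]}; iface is None for the VM's
    # own rules and the referenced interface (net0, ...) for spliced group rules
    groups = parse_sections(groups_text)
    def splice(tokens):
        if not tokens[0].startswith("GROUP-"):
            return [(None, tokens[0], tuple(tokens[1:]))]
        name, iface = tokens[0][len("GROUP-"):], tokens[1]
        if name not in groups:
            raise KeyError(f"unknown security group {name!r}")
        return [(iface, act, tuple(f)) for act, *f in groups[name]]
    return {d: [r for t in rules for r in splice(t)]
            for d, rules in parse_sections(vm_text).items()}
```

In the sample the VM's own DROP on tcp/22 comes before group1's ACCEPT on tcp/22 only because the GROUP-group1 line is placed second in [IN]; moving the reference above the DROP flips the order, which is the control the [GROUPS]-section proposal would lose.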