>> I am currently working on a rebase, just to find out what we really need. I 
>> will also send the result to the list. 

Ok, on my side, I was thinking about something like


    -A FORWARD -j PVEFW-FORWARD
       -A PVEFW-FORWARD -i fwbr+ -j PVEFW-FORWARD-FW
       -A PVEFW-FORWARD -j MARK --set-mark 0
       -A PVEFW-FORWARD -i venet0 -o venet0 -m set --match-set PVEFW-venet0 src,dst -j MARK --set-mark 1
       # set a mark for venet0->venet0 firewalled traffic
       -A PVEFW-FORWARD -o venet0 -m set --match-set PVEFW-venet0 dst -j PVEFW-FORWARD-VENET
       -A PVEFW-FORWARD -i venet0 -m set --match-set PVEFW-venet0 src -j PVEFW-FORWARD-VENET

           -A PVEFW-FORWARD-FW -m conntrack --ctstate INVALID -j DROP
           -A PVEFW-FORWARD-FW -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
           -A PVEFW-FORWARD-FW -m physdev --physdev-out link+ --physdev-is-bridged -j PVEFW-FWBR-OUT
           -A PVEFW-FORWARD-FW -m physdev --physdev-in link+ -j PVEFW-FWBR-IN
           -A PVEFW-FORWARD-FW -j ACCEPT

           -A PVEFW-FORWARD-VENET -m conntrack --ctstate INVALID -j DROP
           -A PVEFW-FORWARD-VENET -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
           -A PVEFW-FORWARD-VENET -i venet0 -m set --match-set PVEFW-venet0 src -j PVEFW-VENET-OUT
                  -A venet0-130-OUT -p tcp -m tcp --dport 22 -g PVEFW-ACCEPT-MARK
           -A PVEFW-FORWARD-VENET -o venet0 -m set --match-set PVEFW-venet0 dst -j PVEFW-VENET-IN
           -A PVEFW-FORWARD-VENET -j ACCEPT



and in PVEFW-ACCEPT-MARK

-A PVEFW-ACCEPT-MARK -m mark --mark 1 -j PVEFW-VENET-IN
-A PVEFW-ACCEPT-MARK -j ACCEPT


(group-in rules also go to PVEFW-ACCEPT-MARK)


 
----- Original Message ----- 

From: "Dietmar Maurer" <diet...@proxmox.com> 
To: "Alexandre DERUMIER" <aderum...@odiso.com> 
Cc: pve-devel@pve.proxmox.com 
Sent: Monday 12 May 2014 08:46:06 
Subject: RE: [pve-devel] venet firewall broken? 

> I'll work all the day on it, 
> 
> I'm pretty sure it can be solved without revert all the work. 

I am currently working on a rebase, just to find out what we really need. I 
will also send the result to the list. 
_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
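The point of the proposed layout is that for container-to-container traffic on venet0 both endpoints sit on the same interface, so once the source container's OUT chain accepts, the destination container's IN chain would never be consulted; the mark set in PVEFW-FORWARD lets PVEFW-ACCEPT-MARK detour through PVEFW-VENET-IN first. The walk-through below is an added illustration written for this thread, not pve-firewall code: it models netfilter chain traversal (-j, -g, RETURN, MARK, ipset matches) well enough to trace the chains from the mail through the interesting cases. Everything not in the mail is an assumption: the container addresses 10.0.0.130/131/132 in the PVEFW-venet0 set, the per-container dispatch rules inside PVEFW-VENET-OUT and PVEFW-VENET-IN, the chains venet0-131-IN and venet0-132-IN, the trailing DROP in the per-container chains, and empty PVEFW-FWBR-IN / PVEFW-FWBR-OUT.

```python
"""Trace the proposed PVEFW venet chains with a small model of netfilter
chain traversal.  Added illustration, not pve-firewall code; see the
lead-in for which chains and addresses are assumptions."""

# Constructed ipset PVEFW-venet0: addresses of the venet containers (assumed).
PVEFW_VENET0 = {"10.0.0.130", "10.0.0.131", "10.0.0.132"}


def iface(pattern, name):
    """iptables -i/-o/--physdev-* match; a trailing '+' is a prefix wildcard."""
    return name.startswith(pattern[:-1]) if pattern.endswith("+") else name == pattern


def any_pkt(p):
    return True


def tcp22(p):
    return p["proto"] == "tcp" and p["dport"] == 22


# A chain is a list of (match, target).  Targets: ("ACCEPT",) ("DROP",)
# ("RETURN",) ("MARK", n) ("JUMP", chain) ("GOTO", chain).
CHAINS = {
    "FORWARD": [(any_pkt, ("JUMP", "PVEFW-FORWARD"))],
    "PVEFW-FORWARD": [
        (lambda p: iface("fwbr+", p["in"]), ("JUMP", "PVEFW-FORWARD-FW")),
        (any_pkt, ("MARK", 0)),
        (lambda p: p["in"] == "venet0" and p["out"] == "venet0"
                   and p["src"] in PVEFW_VENET0 and p["dst"] in PVEFW_VENET0, ("MARK", 1)),
        (lambda p: p["out"] == "venet0" and p["dst"] in PVEFW_VENET0, ("JUMP", "PVEFW-FORWARD-VENET")),
        (lambda p: p["in"] == "venet0" and p["src"] in PVEFW_VENET0, ("JUMP", "PVEFW-FORWARD-VENET")),
    ],
    "PVEFW-FORWARD-FW": [
        (lambda p: p["ctstate"] == "INVALID", ("DROP",)),
        (lambda p: p["ctstate"] in ("RELATED", "ESTABLISHED"), ("ACCEPT",)),
        (lambda p: iface("link+", p.get("physdev_out", "")) and p.get("bridged", False),
         ("JUMP", "PVEFW-FWBR-OUT")),
        (lambda p: iface("link+", p.get("physdev_in", "")), ("JUMP", "PVEFW-FWBR-IN")),
        (any_pkt, ("ACCEPT",)),
    ],
    "PVEFW-FWBR-OUT": [],  # assumed empty for this trace
    "PVEFW-FWBR-IN": [],   # assumed empty for this trace
    "PVEFW-FORWARD-VENET": [
        (lambda p: p["ctstate"] == "INVALID", ("DROP",)),
        (lambda p: p["ctstate"] in ("RELATED", "ESTABLISHED"), ("ACCEPT",)),
        (lambda p: p["in"] == "venet0" and p["src"] in PVEFW_VENET0, ("JUMP", "PVEFW-VENET-OUT")),
        (lambda p: p["out"] == "venet0" and p["dst"] in PVEFW_VENET0, ("JUMP", "PVEFW-VENET-IN")),
        (any_pkt, ("ACCEPT",)),
    ],
    # Assumed per-container dispatch; the mail only shows venet0-130-OUT itself.
    "PVEFW-VENET-OUT": [(lambda p: p["src"] == "10.0.0.130", ("JUMP", "venet0-130-OUT"))],
    "PVEFW-VENET-IN": [
        (lambda p: p["dst"] == "10.0.0.131", ("JUMP", "venet0-131-IN")),
        (lambda p: p["dst"] == "10.0.0.132", ("JUMP", "venet0-132-IN")),
    ],
    # Rule from the mail, plus an assumed default DROP at the end of each per-container chain.
    "venet0-130-OUT": [(tcp22, ("GOTO", "PVEFW-ACCEPT-MARK")), (any_pkt, ("DROP",))],
    "venet0-131-IN": [(tcp22, ("ACCEPT",)), (any_pkt, ("DROP",))],   # assumed: allows TCP/22
    "venet0-132-IN": [(any_pkt, ("DROP",))],                          # assumed: allows nothing
    "PVEFW-ACCEPT-MARK": [
        (lambda p: p["mark"] == 1, ("JUMP", "PVEFW-VENET-IN")),
        (any_pkt, ("ACCEPT",)),
    ],
}


def run_chain(name, pkt, trace):
    """Walk one chain; return 'ACCEPT'/'DROP', or None when the chain returns."""
    trace.append(name)
    for match, target in CHAINS[name]:
        if not match(pkt):
            continue
        kind = target[0]
        if kind in ("ACCEPT", "DROP"):
            return kind
        if kind == "RETURN":
            return None
        if kind == "MARK":
            pkt["mark"] = target[1]
        elif kind == "JUMP":
            verdict = run_chain(target[1], pkt, trace)
            if verdict is not None:
                return verdict
        elif kind == "GOTO":
            # -g: a RETURN in the target chain returns to *our* caller, not to us.
            return run_chain(target[1], pkt, trace)
    return None


def forward(in_if, out_if, src, dst, proto="tcp", dport=22, ctstate="NEW", **extra):
    """Run one forwarded packet; returns (verdict, chains visited).
    'POLICY' means it fell off the end of FORWARD to the chain policy."""
    pkt = {"in": in_if, "out": out_if, "src": src, "dst": dst, "proto": proto,
           "dport": dport, "ctstate": ctstate, "mark": 0, **extra}
    trace = []
    verdict = run_chain("FORWARD", pkt, trace)
    return (verdict or "POLICY", trace)


if __name__ == "__main__":
    for case in [("venet0", "venet0", "10.0.0.130", "10.0.0.131"),   # CT->CT, both chains checked
                 ("venet0", "venet0", "10.0.0.130", "10.0.0.132"),   # CT->CT, dest IN chain drops
                 ("venet0", "eth0", "10.0.0.130", "10.1.1.1"),       # CT->world, no IN detour
                 ("eth0", "venet0", "10.1.1.1", "10.0.0.131")]:      # world->CT
        verdict, trace = forward(*case)
        print(case, "->", verdict, " via ", " > ".join(trace))
```

The trace for 130 -> 131 shows the detour the mark buys: venet0-130-OUT goes to PVEFW-ACCEPT-MARK, which sees mark 1 and jumps into PVEFW-VENET-IN before accepting, so venet0-131-IN still gets a say; for 130 -> external the mark is 0 and PVEFW-ACCEPT-MARK accepts directly, so no IN chain runs.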