Ok, thanks, I'll test it this afternoon

----- Original Mail -----

From: "Dietmar Maurer" <diet...@proxmox.com>
To: "Alexandre DERUMIER" <aderum...@odiso.com>
Cc: pve-devel@pve.proxmox.com
Sent: Monday 12 May 2014 12:02:43
Subject: RE: [pve-devel] venet firewall broken?

sent an updated version (only patch 7/7 changed):

[new model rework v2 7/7] use PVEFW-VENET-IN/OUT inside PVEFW-INPUT/OUTPUT chains

> -----Original Message-----
> From: Alexandre DERUMIER [mailto:aderum...@odiso.com]
> Sent: Monday, 12 May 2014 11:54
> To: Dietmar Maurer
> Cc: pve-devel@pve.proxmox.com
> Subject: Re: [pve-devel] venet firewall broken?
>
> host->venet0
> ------------
>
> currently
> ---------
> -A OUTPUT -j PVEFW-OUTPUT
> -A PVEFW-OUTPUT -o venet0 -j PVEFW-VENET-IN
> ---->we do accept here, so bypass host rule
> -A PVEFW-OUTPUT -j PVEFW-HOST-OUT
> ....
> -A PVEFW-HOST-OUT -p tcp -m tcp --dport 22 -j RETURN
> -A PVEFW-HOST-OUT -j RETURN
>
>
> it should be
> ------------
> -A OUTPUT -j PVEFW-OUTPUT
> -A PVEFW-OUTPUT -j PVEFW-HOST-OUT
> -A PVEFW-HOST-OUT -p tcp -m tcp --dport 22 -j RETURN
> -A PVEFW-HOST-OUT -j RETURN
>
> -A PVEFW-OUTPUT -o venet0 -j PVEFW-VENET-IN
>
>
> venet0->host
> ------------
>
> currently
> ---------
> -A PVEFW-INPUT -i venet0 -j PVEFW-VENET-OUT
> --->we set a mark here and return
> -A PVEFW-INPUT -j PVEFW-HOST-IN
> -A PVEFW-HOST-IN -p tcp -m tcp --dport 22 -j RETURN   >> it should be accept
>
>
> it should be
> -------------
> -A PVEFW-INPUT -i venet0 -j PVEFW-VENET-OUT
> --->we set a mark here and return
> -A PVEFW-INPUT -j PVEFW-HOST-IN
> -A PVEFW-HOST-IN -p tcp -m tcp --dport 22 -j ACCEPT
>
>
> I'll do more tests
>
> ----- Original Mail -----
>
> From: "Alexandre DERUMIER" <aderum...@odiso.com>
> To: "Dietmar Maurer" <diet...@proxmox.com>
> Cc: pve-devel@pve.proxmox.com
> Sent: Monday 12 May 2014 11:29:25
> Subject: Re: [pve-devel] venet firewall broken?
>
> Ok, seems to work fine,
>
> tap->tap
> tap->host
> host->tap
> tap->vnet0
> vnet0->tap
>
>
> except
>
> vnet0->host
> host->vnet0
>
> I have blocked traffic at vnet0 level, even if I have an accept rule in
> vnet0...
> this is strange. (I need to do more tests)
>
> does it work for you ?
>
>
> also, I think we can do ACCEPT in tap-out and veth-out chains
>
>
> before
> ------
> -A tap123i0-OUT -j MARK --set-xmark 0x0/0xffffffff
> -A tap123i0-OUT -p icmp -m icmp --icmp-type 8 -g PVEFW-SET-ACCEPT-MARK
> -A tap123i0-OUT -j GROUP-group1-OUT
> -A tap123i0-OUT -m mark --mark 0x1 -j RETURN
>
> after
> -----
> -A tap123i0-OUT -j MARK --set-xmark 0x0/0xffffffff
> -A tap123i0-OUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
> -A tap123i0-OUT -j GROUP-group1-OUT
> -A tap123i0-OUT -m mark --mark 0x1 -j ACCEPT
>
>
> (if not, we'll parse all tap-out rules, extra overhead for nothing)
>
>
> ----- Original Mail -----
>
> From: "Alexandre DERUMIER" <aderum...@odiso.com>
> To: "Dietmar Maurer" <diet...@proxmox.com>
> Cc: pve-devel@pve.proxmox.com
> Sent: Monday 12 May 2014 10:30:41
> Subject: Re: [pve-devel] venet firewall broken?
>
> Ok thanks !
>
>
> >>Please can you review them? If you think we can go that way, please add
> >>'Signed-off-by' line and cleanup the commit messages (remove 'based on
> >>patch from Alexandre' note)
>
> This is my first review ;) I'll try to do it cleanly
>
> ----- Original Mail -----
>
> From: "Dietmar Maurer" <diet...@proxmox.com>
> To: "Alexandre DERUMIER" <aderum...@odiso.com>
> Cc: pve-devel@pve.proxmox.com
> Sent: Monday 12 May 2014 10:21:51
> Subject: RE: venet firewall broken?
>
> > >>Which is obviously wrong. So why do you want to keep that patch?
> >
> > Yes, I think you are right, we can revert that patch.
>
> I sent a rework to the list.
>
> Those patches apply on top of:
>
> commit 81a1a25884420d50fc3cc0cd68e01befeb547e7e
> Author: Dietmar Maurer <diet...@proxmox.com>
> Date: Tue May 6 11:18:25 2014 +0200
>
> set RELEASE to 3.2
>
> Please can you review them? If you think we can go that way, please add
> 'Signed-off-by' line and cleanup the commit messages (remove 'based on
> patch from Alexandre' note)
> _______________________________________________
> pve-devel mailing list
> pve-devel@pve.proxmox.com
> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
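The host->venet0 ordering question in the thread above comes down to which chain PVEFW-OUTPUT consults first. The following is an added illustration, not code from the thread or from Proxmox VE: a toy model of iptables chain traversal that parses the iptables-save style rules quoted in the thread and records which chains a packet passes through under the "currently" and "it should be" orderings. It assumes that PVEFW-VENET-IN ends in an ACCEPT (the thread only says "we do accept here") and that the builtin OUTPUT chain has policy ACCEPT; the -j/-g/RETURN/MARK semantics are a simplification of the real netfilter ones and only the matches that appear in the thread are supported.

```python
"""Toy iptables chain walker (added example; assumptions are marked below)."""
from dataclasses import dataclass, field


@dataclass
class Packet:
    in_if: str = ""
    out_if: str = ""
    proto: str = ""
    dport: int = 0
    mark: int = 0


@dataclass
class Rule:
    target: str                                  # ACCEPT/DROP/RETURN/MARK or a user chain
    goto: bool = False                           # -g instead of -j
    match: dict = field(default_factory=dict)    # Packet attribute -> required value
    set_mark: int = 0                            # value given to MARK --set-xmark

    def matches(self, pkt):
        return all(getattr(pkt, k) == v for k, v in self.match.items())


def parse(lines):
    """Parse '-A CHAIN ...' lines (the subset used in the thread) into {chain: [Rule]}."""
    chains = {}
    for line in lines:
        toks = line.split()
        assert toks[0] == "-A", line
        chain, rule, i = toks[1], Rule(target="RETURN"), 2
        while i < len(toks):
            t = toks[i]
            if t == "-i": rule.match["in_if"] = toks[i + 1]; i += 2
            elif t == "-o": rule.match["out_if"] = toks[i + 1]; i += 2
            elif t == "-p": rule.match["proto"] = toks[i + 1]; i += 2
            elif t == "--dport": rule.match["dport"] = int(toks[i + 1]); i += 2
            elif t == "--mark": rule.match["mark"] = int(toks[i + 1], 0); i += 2
            elif t == "--set-xmark": rule.set_mark = int(toks[i + 1].split("/")[0], 0); i += 2
            elif t in ("-j", "-g"): rule.target, rule.goto = toks[i + 1], t == "-g"; i += 2
            elif t == "-m": i += 2          # match extension name ('-m tcp', '-m mark'): no-op here
            else: raise ValueError(f"unsupported token {t!r} in {line!r}")
        chains.setdefault(chain, []).append(rule)
    return chains


def walk(chains, chain, pkt, trace):
    """Evaluate one chain; returns ACCEPT, DROP or RETURN and appends visited chains to trace."""
    trace.append(chain)
    for rule in chains.get(chain, []):
        if not rule.matches(pkt):
            continue
        if rule.target == "MARK":
            pkt.mark = rule.set_mark       # non-terminating target: keep going
            continue
        if rule.target in ("ACCEPT", "DROP", "RETURN"):
            return rule.target
        verdict = walk(chains, rule.target, pkt, trace)
        if verdict != "RETURN" or rule.goto:
            return verdict                 # final verdict, or -g: RETURN from target returns from here too
    return "RETURN"                        # end of chain behaves like RETURN


def decide(rules, pkt, builtin="OUTPUT", policy="ACCEPT"):
    """Walk from a builtin chain; assumption: the builtin chain's policy is ACCEPT."""
    trace = []
    verdict = walk(parse(rules), builtin, pkt, trace)
    return (policy if verdict == "RETURN" else verdict), trace


# Rules as quoted in the thread. PVEFW-VENET-IN ending in ACCEPT is an assumption.
HOST_OUT = [
    "-A PVEFW-HOST-OUT -p tcp -m tcp --dport 22 -j RETURN",
    "-A PVEFW-HOST-OUT -j RETURN",
]
VENET_IN = ["-A PVEFW-VENET-IN -j ACCEPT"]

CURRENT = [
    "-A OUTPUT -j PVEFW-OUTPUT",
    "-A PVEFW-OUTPUT -o venet0 -j PVEFW-VENET-IN",
    "-A PVEFW-OUTPUT -j PVEFW-HOST-OUT",
] + HOST_OUT + VENET_IN

PROPOSED = [
    "-A OUTPUT -j PVEFW-OUTPUT",
    "-A PVEFW-OUTPUT -j PVEFW-HOST-OUT",
    "-A PVEFW-OUTPUT -o venet0 -j PVEFW-VENET-IN",
] + HOST_OUT + VENET_IN


def host_to_venet_ssh(rules):
    """Trace a constructed SSH packet leaving the host towards venet0."""
    return decide(rules, Packet(out_if="venet0", proto="tcp", dport=22))


if __name__ == "__main__":
    for name, rules in (("current", CURRENT), ("proposed", PROPOSED)):
        verdict, trace = host_to_venet_ssh(rules)
        print(f"{name:8s} {verdict:6s} via {' -> '.join(trace)}")
```

Both orderings accept the packet in this toy setup, since the quoted PVEFW-HOST-OUT rules only RETURN; the difference is in the trace. With the "currently" ordering the walk never enters PVEFW-HOST-OUT at all for a venet0-bound packet, so any host rule placed there (the thread's concern) would be bypassed, while the proposed ordering consults PVEFW-HOST-OUT before the venet chain. The same walker can be pointed at the PVEFW-INPUT rules from the thread by passing builtin="INPUT" and a Packet with in_if="venet0".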