> any comments for these patches ?
sorry, I am busy with pve-firewall now (trying to setup regression tests)
___
pve-devel mailing list
pve-devel@pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
any comments for these patches ?
(2 patches for vzctl and 1 for pve-manager, my older openvz patches are not
needed anymore)
(this does not yet include the bridge_cleanup)
- Original Message -
From: "Alexandre Derumier"
To: pve-devel@pve.proxmox.com
Sent: Sunday 11 May 2014 08:00:15
Ob
Works fine here,
I'll redo tests today.
- Original Message -
From: "Dietmar Maurer"
To: "Alexandre Derumier" , pve-devel@pve.proxmox.com
Sent: Tuesday 13 May 2014 07:26:52
Subject: RE: [pve-devel] review of dietmar patches
Ok, I pushed a forced update with those patches, so please do a fr
We need it to match iptables rules
we need to match the link+ rule from the iptables rules,
and need to have a name different from link(\d+)i(\d+),
to distinguish bridge/ovs interface unplug
Signed-off-by: Alexandre Derumier
---
data/PVE/Network.pm |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/data/PVE/Network
>>I don't understand the problem. Why does this produce different output than the
>>original code?
I found 2 bugs:
1) the PVEFW-IPS chain was empty, because we test it before rule generation.
2) but also, it is missing an accept at the end of the PVEFW-IPS chain
> - my $accept = ruleset_chain_exist($ruleset
Ok, I pushed a forced update with those patches, so please do a fresh clone.
> -Original Message-
> From: pve-devel [mailto:pve-devel-boun...@pve.proxmox.com] On Behalf
> Of Alexandre Derumier
> Sent: Monday, 12 May 2014 13:33
> To: pve-devel@pve.proxmox.com
> Subject: [pve-devel] review
I don't understand the problem. Why does this produce different output than the
original code?
> -Original Message-
> From: pve-devel [mailto:pve-devel-boun...@pve.proxmox.com] On Behalf
> Of Alexandre Derumier
> Sent: Monday, 12 May 2014 15:19
> To: pve-devel@pve.proxmox.com
> Subject: [pve
From: Michael Rasmussen
Signed-off-by: Michael Rasmussen
---
PVE/QemuServer.pm | 27 +--
1 file changed, 25 insertions(+), 2 deletions(-)
diff --git a/PVE/QemuServer.pm b/PVE/QemuServer.pm
index 2cb2d95..c4ec8fa 100644
--- a/PVE/QemuServer.pm
+++ b/PVE/QemuServer.pm
@@
On Mon, 12 May 2014 03:47:39 +
Dietmar Maurer wrote:
> > It will not break anything for current setups since current setups must
> > already be configured to use ALL for host and target groups since this is
> > the
> > only way the current setup will work.
>
> Yes, looks reasonable to me -
yes yes of course, it's working too for vnet0->vnet0
- Original Message -
From: "Daniel Hunsaker"
To: "Alexandre DERUMIER"
Cc: pve-devel@pve.proxmox.com
Sent: Monday 12 May 2014 19:13:20
Subject: Re: [pve-devel] review of dietmar patches
> Ok, all seems to work fine now.
>
> tap->ta
> Ok, all seems to work fine now.
>
> tap->tap
> tap->host
> host->tap
> tap->vnet0
> vnet0->tap
> vnet0->host
> host->vnet0
>
Maybe it's just me, but shouldn't there also have been a vnet0->vnet0
test? You tested tap->tap, and I suspect host->host won't be an issue, but
after the discussion over
changelog:
only go to PVEFW-IPS for established connections
or it never matches it
Signed-off-by: Alexandre Derumier
---
src/PVE/Firewall.pm |7 +--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 4cefc41..41494c6 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -2550,8 +255
currently broken with code rebase,
we need to insert it after rules generation, or it never matches
or it never matches it
Signed-off-by: Alexandre Derumier
---
src/PVE/Firewall.pm |7 +--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 4cefc41..47a0f93 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -2550,8 +255
From: Dietmar Maurer
Signed-off-by: Dietmar Maurer
Signed-off-by: Alexandre Derumier
---
src/PVE/Firewall.pm |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 398a015..7e33a1e 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Fi
From: Dietmar Maurer
Signed-off-by: Dietmar Maurer
Signed-off-by: Alexandre Derumier
---
src/PVE/Firewall.pm | 16 +++-
1 file changed, 3 insertions(+), 13 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 8d0e187..4cefc41 100644
--- a/src/PVE/Firewall.pm
From: Dietmar Maurer
-A PVEFW-FORWARD ! -i fwbr+ -j ACCEPT
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-in link+ -j PVEFW-FWBR-IN
-A PVEFW-FWBR-IN -m
Ok, all seems to work fine now.
tap->tap
tap->host
host->tap
tap->vnet0
vnet0->tap
vnet0->host
host->vnet0
optimisation could be done in the tap-out and veth-out chains,
we can do ACCEPT instead of RETURN for these chains
(to avoid scanning all tapxxx-OUT chains in PVEFW-FWBR-OUT)
before
--
-A t
From: Dietmar Maurer
Signed-off-by: Dietmar Maurer
Signed-off-by: Alexandre Derumier
---
src/PVE/Firewall.pm | 18 --
1 file changed, 18 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 5cb17c7..c95bedd 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/
From: Dietmar Maurer
Signed-off-by: Dietmar Maurer
Signed-off-by: Alexandre Derumier
---
src/PVE/Firewall.pm |4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 7e33a1e..e8a7295 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PV
From: Dietmar Maurer
Signed-off-by: Dietmar Maurer
Signed-off-by: Alexandre Derumier
---
src/PVE/Firewall.pm | 10 --
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 835b26a..5cb17c7 100644
--- a/src/PVE/Firewall.pm
+++ b/
From: Dietmar Maurer
These should be done fast,
conntrack established can be done in PVE-FORWARD now
smurf and tcpflags can be done in PVEFW-FWBR-IN and PVEFW-VENET-IN (it doesn't
make sense to test them in the OUT direction)
-A PVEFW-FORWARD ! -i fwbr+ -j ACCEPT
-A PVEFW-FORWARD -m conntrack --ctstate
These should be done fast,
conntrack established can be done in PVE-FORWARD now
smurf and tcpflags can be done in PVEFW-FWBR-IN and PVEFW-VENET-IN (it doesn't
make sense to test them in the OUT direction)
-A PVEFW-FORWARD ! -i fwbr+ -j ACCEPT
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVE
Based on patch from Alexandre + cleanups (s/vnet/venet/)
Signed-off-by: Dietmar Maurer
---
src/PVE/Firewall.pm | 10 --
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 835b26a..5cb17c7 100644
--- a/src/PVE/Firewall.pm
+++ b/
Signed-off-by: Dietmar Maurer
---
src/PVE/Firewall.pm | 18 --
1 file changed, 18 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 5cb17c7..c95bedd 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -2186,22 +2186,6 @@ sub read_local_vm_conf
Signed-off-by: Dietmar Maurer
---
src/PVE/Firewall.pm |4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 7e33a1e..e8a7295 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -814,7 +814,7 @@ sub copy_opject_with_di
-A PVEFW-FORWARD ! -i fwbr+ -j ACCEPT
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-in link+ -j PVEFW-FWBR-IN
-A PVEFW-FWBR-IN -m physdev --physdev-out t
Signed-off-by: Dietmar Maurer
---
src/PVE/Firewall.pm | 16 +++-
1 file changed, 3 insertions(+), 13 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 8d0e187..4cefc41 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1577,27 +1577,16 @@ sub ge
Signed-off-by: Dietmar Maurer
---
src/PVE/Firewall.pm |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 398a015..7e33a1e 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -2357,7 +2357,7 @@ sub save_vmfw_conf {
Ok, thanks, I'll test it this afternoon
- Original Message -
From: "Dietmar Maurer"
To: "Alexandre DERUMIER"
Cc: pve-devel@pve.proxmox.com
Sent: Monday 12 May 2014 12:02:43
Subject: RE: [pve-devel] venet firewall broken?
sent an updated version (only patch 7/7 changed):
[mew model rew
> sent an updated version (only patch 7/7 changed):
>
> [mew model rework v2 7/7] use PVEFW-VENET-IN/OUT inside PVEFW-
> INPUT/OUTPUT chains
>
s/mew/new/
(sorry)
sent an updated version (only patch 7/7 changed):
[mew model rework v2 7/7] use PVEFW-VENET-IN/OUT inside PVEFW-INPUT/OUTPUT
chains
> -Original Message-
> From: Alexandre DERUMIER [mailto:aderum...@odiso.com]
> Sent: Monday, 12 May 2014 11:54
> To: Dietmar Maurer
> Cc: pve-devel@pve.pr
sigh - sorry. I forgot to commit that change!
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index f217d40..4cefc41 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -2569,7 +2569,6 @@ sub compile {
ruleset_create_chain($ruleset, "PVEFW-FWBR-OUT");
ruleset_addrule($
>
> except
>
> vnet0->host
> host->vnet0
>
> I have blocked traffic at vnet0 level, even if I have an accept rule in
> vnet0...
> this is strange. (I need to do more tests)
>
> does it work for you ?
Yes, works here.
You also need to have an accept rule for the host side. Does it help if you
host->venet0
currently
-
-A OUTPUT -j PVEFW-OUTPUT
-A PVEFW-OUTPUT -o venet0 -j PVEFW-VENET-IN
>we do accept here, so bypass host rule
-A PVEFW-OUTPUT -j PVEFW-HOST-OUT
-A PVEFW-HOST-OUT -p tcp -m tcp --dport
Ok, seems to work fine,
tap->tap
tap->host
host->tap
tap->vnet0
vnet0->tap
except
vnet0->host
host->vnet0
I have blocked traffic at vnet0 level, even if I have an accept rule in vnet0...
this is strange. (I need to do more tests)
does it work for you ?
also, I think in we can do ACCEPT i
> One workaround is to define an 'owner' node. We use that for VM configs.
> That way you only need to hold the global lock when you create or move
> VMs. For other operations it is good enough to acquire a local lock. Only the
> 'owner' can move a VM.
I guess you could also use rgmanager to keep
> timeout (automatic unlock after 120 seconds).
>
> > I need something between 6-10min.
>
> Again, you can't do that, so you need to find some workaround.
>
> Usually it is not necessary to lock things for such a long time.
One workaround is to define an 'owner' node. We use that for VM configs
Ok thanks !
>>Please can you review them? If you think we can go that way, please
>>add a 'Signed-off-by' line and clean up the commit messages (remove the 'based on
>>patch from Alexandre' note)
This is my first review ;) I'll try to do it cleanly
- Original Message -
From: "Dietmar Maure
> >>Which is obviously wrong. So why do you want to keep that patch?
>
> Yes, I think you are right, we can revert that patch.
I think we need PVEFW-SET-ACCEPT-MARK for groups, but could simply use RETURN
inside tapXXXiY-OUT? Although I am not sure if we gain much speedup from that.
> >>Which is obviously wrong. So why do you want to keep that patch?
>
> Yes, I think you are right, we can revert that patch.
I sent a rework to the list. Those patches apply on top of:
commit 81a1a25884420d50fc3cc0cd68e01befeb547e7e
Author: Dietmar Maurer
Date: Tue May 6 11:18:25 2014 +0200
Based on patch from Alexandre + cleanups (s/vnet/venet/)
Signed-off-by: Dietmar Maurer
---
src/PVE/Firewall.pm | 10 --
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 835b26a..5cb17c7 100644
--- a/src/PVE/Firewall.pm
+++ b/
Signed-off-by: Dietmar Maurer
---
src/PVE/Firewall.pm | 15 ++-
1 file changed, 2 insertions(+), 13 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 8d0e187..f217d40 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1577,27 +1577,16 @@ sub gen
>>Which is obviously wrong. So why do you want to keep that patch?
Yes, I think you are right, we can revert that patch.
- Original Message -
From: "Dietmar Maurer"
To: "Alexandre DERUMIER"
Cc: pve-devel@pve.proxmox.com
Sent: Monday 12 May 2014 09:58:40
Subject: RE: venet firewall broke
> >>Seems it also breaks container to host.
>
> could this help ?
Sorry, but I lost the focus. We had a working firewall, so why exactly do you
want to change it?
The commit message from your patch is:
> We can now do ACCEPT everywhere, and no need to use marks
Which is obviously wrong. So wh
>>Seems it also breaks container to host.
could this help ?
venet0->host
-
-A PVEFW-INPUT -i venet0 -m set --match-set PVEFW-venet0 src -j MARK --set-mark 1
-A PVEFW-INPUT -j PVEFW-HOST-IN
-A PVEFW-HOST-IN -p tcp -m tcp --dport 22 -g PVEFW-ACCEPT-VENET-IN
-A PVEFW-ACCEPT-VEN
>>I am currently working on a rebase, just to find out what we really need. I
>>will also send the result to the list.
Ok, on my side, I was thinking about something like
-A FORWARD -j PVEFW-FORWARD
-A PVEFW-FORWARD -i fwbr+ -j PVEFW-FORWARD-FW
-A PVEFW-FORWARD -j MARK --set-