Re: [pve-devel] [PATCH 1/2] Added Forward chain management

2015-05-15 Thread Flavius Bindea
I think this will introduce a new level of complexity for the administrator. (I already missed a configuration because the guest firewall has to be enabled in VM>firewall and in VM>hardware>network interface.) Comparing with other vendors "eg Checkpoint", the firewalling is managed at "datacenter" level n

Re: [pve-devel] [PATCH 1/2] Added Forward chain management

2015-05-12 Thread Flavius Bindea
New test this morning. In VM hardware the firewall was not enabled on the interface. I have the tap chains created on the forward chain. So the solution VM by VM is working. It will be longer to configure (need to do it on each VM). 2015-05-13 0:08 GMT+02:00 Flavius Bindea : > I did tests. >

Re: [pve-devel] [PATCH 1/2] Added Forward chain management

2015-05-12 Thread Flavius Bindea
I did tests. QEMU chains are not created. 2015-05-12 6:10 GMT+02:00 Dietmar Maurer : > >> You are right. FirewallSimulator was not adapted to this new chain. >> I've added this workaround: > > Thanks, but I still think adding a FORWARD chain is the wrong way, because > you can do the same thing

Re: [pve-devel] [PATCH] Added the optional ! (invert sense) of IPs/IPset/range in Firewall rules

2015-05-12 Thread Flavius Bindea
Hello, Spaces are allowed in order to look like iptables syntax. I'll add some regression tests. Regards, Flav 2015-05-12 8:37 GMT+02:00 Dietmar Maurer : >> diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm >> index 2bdff20..a3b4ccb 100644 >> --- a/src/PVE/Firewall.pm >> +++ b/src/PVE/Fire

Re: [pve-devel] [PATCH 1/2] Added Forward chain management

2015-05-11 Thread Flavius Bindea
Hello, You are right. FirewallSimulator was not adapted to this new chain. I've added this workaround: Subject: [PATCH] updated firewall simulator in order to ignore new PVEFW-HOST-FORWARD this is a workaround in order to make regression tests working; it has to be better corrected. --- src/P

Re: [pve-devel] [PATCH 0/3] Patch to add forward chain control in pve-firewall

2015-05-10 Thread Flavius Bindea
Hello Dietmar, I'm using a network configuration based on http://help.ovh.co.uk/Proxmox (need to use SNAT or MASQUERADING, and ip_forwarding is turned on). I'll check also the GROUP option and the regression tests. Regards, Flav 2015-05-11 6:22 GMT+02:00 Dietmar Maurer : >> How do are you

Re: [pve-devel] [PATCH 0/3] Patch to add forward chain control in pve-firewall

2015-05-10 Thread Flavius Bindea
How are you doing that? Creating a group didn't add anything in the FORWARD chain. And Linux netfilter is forwarding all packets from one bridge to the other (I am using the host as a "router" for the bridges). 2015-05-10 17:04 GMT+02:00 Dietmar Maurer : >> *guests in vmbr1 are allowed to receive

Re: [pve-devel] [PATCH 0/3] Patch to add forward chain control in pve-firewall

2015-05-10 Thread Flavius Bindea
Example: the host has several internal bridges: * vmbr0: x.x.x.x that contains eth0 * vmbr1: 10.1.1.0/24 : this bridge has the "front" VMs * vmbr2: 10.1.2.0/24 : this bridge has the "back" VMs vmbr1 and vmbr2 are not connected on an external switch I use kvm guests. *guests in vmbr1 are allowed

[pve-devel] [PATCH] Added the optional ! (invert sense) of IPs/IPset/range in Firewall rules

2015-05-09 Thread Flavius Bindea
--- src/PVE/Firewall.pm | 33 +++-- 1 file changed, 23 insertions(+), 10 deletions(-) diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index 2bdff20..a3b4ccb 100644 --- a/src/PVE/Firewall.pm +++ b/src/PVE/Firewall.pm @@ -960,6 +960,11 @@ sub compute_ipfilter_ip

[pve-devel] [PATCH 0/1] patch on pve-firewall in order to allow negation

2015-05-09 Thread Flavius Bindea
Negation in rules is very useful in some cases. For example: "everything except my local zone". The patch works with ipsets, alias and IP. Regards, Flav ___ pve-devel mailing list pve-devel@pve.proxmox.com http://pve.proxmox.com/cgi

[pve-devel] [PATCH] Added Firewall Forward rules and policy (needs updated Firewall API)

2015-05-09 Thread Flavius Bindea
--- www/manager/grid/FirewallOptions.js | 17 + www/manager/grid/FirewallRules.js |4 ++-- 2 files changed, 19 insertions(+), 2 deletions(-) diff --git a/www/manager/grid/FirewallOptions.js b/www/manager/grid/FirewallOptions.js index f94be6c..fcd1600 100644 --- a/www/mana

[pve-devel] [PATCH 2/2] Added GROUP-.*-FORWARD in tracked chains

2015-05-09 Thread Flavius Bindea
--- src/PVE/Firewall.pm |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index 79dac20..2bdff20 100644 --- a/src/PVE/Firewall.pm +++ b/src/PVE/Firewall.pm @@ -1523,7 +1523,7 @@ sub iptables_get_chains { return 1 if $name =~ m/

[pve-devel] [PATCH 1/2] Added Forward chain management

2015-05-09 Thread Flavius Bindea
--- src/PVE/API2/Firewall/Cluster.pm |6 +++ src/PVE/API2/Firewall/Host.pm|2 + src/PVE/Firewall.pm | 92 +++--- 3 files changed, 93 insertions(+), 7 deletions(-) diff --git a/src/PVE/API2/Firewall/Cluster.pm b/src/PVE/API2/Firewall/Clust

[pve-devel] [PATCH 0/3] Patch to add forward chain control in pve-firewall

2015-05-09 Thread Flavius Bindea
This patch on pve-manager and pve-firewall (on 3.4 stable branch) adds control of the FORWARD chain. This is very useful if someone wants to have guests in different subnets (on different vlans) and add a firewall between the subnets. Regards, Flav __

[pve-devel] pve-firewall IPv6 patch

2015-05-09 Thread Flavius Bindea
Hello, The IPv6 protocol uses ICMP and multicast a lot in order to allow routing configuration. After different searches I've found that some more ICMPv6 types have to be enabled. After reading posts like this: http://pivotallabs.com/configuring-f...6-dhcp-client/ and http://www.cert.ssi.gou