Ok, I found it, something is wrong in tap-IN, it should be -j ACCEPT instead of -g vmbrX-IN

-F tap110i0-OUT
-A tap110i0-OUT -m state --state INVALID -j DROP
-A tap110i0-OUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A tap110i0-OUT -m mac ! --mac-source 1E:0B:85:27:8D:65 -j DROP
-A tap110i0-OUT -p tcp --dport 80 -j vmbr1-IN
-A tap110i0-OUT -j GROUP-security1-OUT
-A tap110i0-OUT -m mark --mark 1 -g vmbr1-IN
-A tap110i0-OUT -j LOG --log-prefix "tap110i0-OUT-dropped: " --log-level 4
-A tap110i0-OUT -j DROP
-A tap110i0-OUT -m comment --comment "PVESIG:HerXUzZtoVII2KYJLJFdioAB2P4"

-F tap110i0-IN
-A tap110i0-IN -m state --state INVALID -j DROP
-A tap110i0-IN -m state --state RELATED,ESTABLISHED -j ACCEPT
-A tap110i0-IN -p icmp -j ACCEPT
-A tap110i0-IN -j GROUP-security1-IN
-A tap110i0-IN -m mark --mark 1 -g vmbr1-IN    >> should be -j ACCEPT
-A tap110i0-IN -j LOG --log-prefix "tap110i0-IN-dropped: " --log-level 4
-A tap110i0-IN -j DROP
-A tap110i0-IN -m comment --comment "PVESIG:4Flp02aOZO/4fHWtkorB61XcVWo"

----- Original Message -----
From: "Alexandre DERUMIER" <[email protected]>
To: "Dietmar Maurer" <[email protected]>
Cc: [email protected]
Sent: Wednesday 19 February 2014 10:34:47
Subject: Re: [pve-devel] pvefw security group question

>>About your patches, iptables-restore hanging here for me:
>>
>>-A tap110i0-IN -m mark --mark 1 -g vmbr1-IN
>>
>>any idea? (setting mark in other chains works fine)

Oh, I think it's doing a loop, it should go to vmbr1-OUT

-A tap110i0-IN -m mark --mark 1 -g vmbr1-OUT

----- Original Message -----
From: "Alexandre DERUMIER" <[email protected]>
To: "Dietmar Maurer" <[email protected]>
Cc: [email protected]
Sent: Wednesday 19 February 2014 10:21:18
Subject: Re: [pve-devel] pvefw security group question

>>No, this is a misunderstanding.
>>
>>We need separate GROUP-IN and GROUP-OUT rules.

Ok :)

>>My question was if we should allow to apply them independently.
>>Currently, a VM can only use GROUP-IN for example.
>>
>>got it?

No, sorry :(

With my patches, we could already apply GROUP-IN in TAP-IN, and GROUP-OUT in TAP-OUT.
The only difference between the out/in group was -j PVEFW-BRIDGE-IN or -j ACCEPT.
(Note that with mark, it's improved, because we can jump directly to -j VMBRX-IN)

About your patches, iptables-restore hanging here for me:

-A tap110i0-IN -m mark --mark 1 -g vmbr1-IN

any idea? (setting mark in other chains works fine)

----- Original Message -----
From: "Dietmar Maurer" <[email protected]>
To: "Alexandre DERUMIER" <[email protected]>
Cc: [email protected]
Sent: Wednesday 19 February 2014 09:51:15
Subject: RE: [pve-devel] pvefw security group question

> (But finally, you create GROUP-IN and GROUP-OUT rules? I thought you
> wanted common group rules)

No, this is a misunderstanding.

We need separate GROUP-IN and GROUP-OUT rules.
My question was if we should allow to apply them independently.
Currently, a VM can only use GROUP-IN for example.

got it?

_______________________________________________
pve-devel mailing list
[email protected]
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
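A static pre-flight check for the chain loop suspected in the thread, added here as an example and not code from the mail or from Proxmox: it parses iptables-save style rules into a chain-reference graph, reports cycles before the dump is handed to iptables-restore, and lists the -g (goto) edges, since the fix above replaces -g with -j. The vmbr1-IN rule that re-enters tap110i0-IN is a constructed assumption; the mail does not show the vmbr1-IN chain.

```python
import re
# Constructed sample in iptables-save syntax: tap110i0-IN is copied from the
# thread; the vmbr1-IN rule re-entering tap110i0-IN is an assumption added here
# (the mail does not show vmbr1-IN) so that the dump contains a chain loop.
SAMPLE_RULES = """
-A vmbr1-IN -m physdev --physdev-is-bridged --physdev-out tap110i0 -j tap110i0-IN
-A tap110i0-IN -m state --state INVALID -j DROP
-A tap110i0-IN -m state --state RELATED,ESTABLISHED -j ACCEPT
-A tap110i0-IN -p icmp -j ACCEPT
-A tap110i0-IN -j GROUP-security1-IN
-A tap110i0-IN -m mark --mark 1 -g vmbr1-IN
-A tap110i0-IN -j LOG --log-prefix "tap110i0-IN-dropped: " --log-level 4
-A tap110i0-IN -j DROP
"""
# Built-in targets end rule evaluation; only user-defined chains create edges.
BUILTIN_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG", "MARK", "QUEUE"}
RULE_RE = re.compile(r"^-A\s+(\S+).*?\s(-j|-g)\s+(\S+)")

def chain_graph(rules):
    """Map each chain to its (target_chain, '-j'|'-g') edges."""
    graph = {}
    for m in filter(None, map(RULE_RE.match, rules.splitlines())):
        chain, kind, target = m.groups()
        graph.setdefault(chain, [])
        if target not in BUILTIN_TARGETS:
            graph[chain].append((target, kind))
            graph.setdefault(target, [])   # target chain may have no rules of its own
    return graph

def find_cycles(graph):
    """DFS over chain references; each cycle is returned as the chains on it."""
    cycles, state = [], {}            # state: 1 = on the current path, 2 = done
    def visit(node, path):
        state[node] = 1
        path.append(node)
        for target, _kind in graph.get(node, []):
            if state.get(target) == 1:                 # back edge: a loop
                cycles.append(path[path.index(target):] + [target])
            elif target not in state:
                visit(target, path)
        path.pop()
        state[node] = 2
    for chain in graph:
        if chain not in state:
            visit(chain, [])
    return cycles

def goto_edges(graph):
    """Rules using -g: unlike -j, control never returns to the calling chain."""
    return [(c, t) for c, edges in graph.items() for t, k in edges if k == "-g"]
```

Running it on the sample reports the loop vmbr1-IN -> tap110i0-IN -> vmbr1-IN and the single -g edge; rewriting that rule to -j ACCEPT, as the thread does, clears both findings.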
