>>When in add:
>>
>> -A FORWARD -j PVEFW-FORWARD
>> -A PVEFW-FORWARD -o vmbr+ -m physdev --physdev-is-bridged --physdev-out fwpr+ -j RETURN
>>
>># ./fwtester.pl -d test-basic1/tests vm2vm
>>IPT statistics: invocation = 3, checks = 30
>>
>>So I guess we do not gain much here?

Not too much gain indeed; unfirewalled traffic will do:

-A FORWARD -j PVEFW-FORWARD
-A PVEFW-FORWARD -i venet0 -j PVEFW-VENET-OUT
-A PVEFW-FORWARD -m physdev --physdev-in fwln+ --physdev-is-bridged -j PVEFW-FWBR-IN
-A PVEFW-FORWARD -m physdev --physdev-out fwln+ --physdev-is-bridged -j PVEFW-FWBR-OUT
-A PVEFW-FORWARD -o venet0 -j PVEFW-VENET-IN
-A ACCEPT

so 4 rules for unfirewalled veth|tap traffic.

For unfirewalled venet0 traffic, we enter PVEFW-VENET-OUT|IN, so I would like to find a way to bypass it also.

I don't know if we want to keep

-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

for non firewalled vms? (Do we want to conntrack non firewalled vms? It can improve performance, but in case of a firewall attack (synflood for example), if conntrack is full, this will impact non firewalled vms.)

>>> maybe, to bypass firewall, can we simply move first rules from PVE-FORWARD to PVEFW-FWBR-IN|OUT,PVEFW-VENET-IN|OUT ?
>>>
>>> -A FORWARD -j PVEFW-FORWARD
>>>
>>> -A PVEFW-FORWARD -i venet0 -m set --match-set PVEFW-venet0 src -j PVEFW-VENET-OUT
>>ipset to match only firewall vnet0
>>> -A PVEFW-VENET-OUT -m conntrack --ctstate INVALID -j DROP
>>> -A PVEFW-VENET-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>>>
>>> -A PVEFW-FORWARD -m physdev --physdev-in fwln+ --physdev-is-bridged -j PVEFW-FWBR-IN
>>> -A PVEFW-FWBR-IN -m conntrack --ctstate INVALID -j DROP
>>> -A PVEFW-FWBR-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>>> -A PVEFW-FWBR-IN -m set --match-set PVEFW-blacklist src -j DROP
>>>
>>> -A PVEFW-FORWARD -m physdev --physdev-out fwln+ --physdev-is-bridged -j PVEFW-FWBR-OUT
>>> -A PVEFW-FWBR-OUT -m conntrack --ctstate INVALID -j DROP
>>> -A PVEFW-FWBR-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>>
>>We just moved them the opposite direction?

What do you mean by opposite direction?
----- Original Message -----
From: "Dietmar Maurer" <[email protected]>
To: "Alexandre DERUMIER" <[email protected]>
Cc: [email protected]
Sent: Wednesday 14 May 2014 14:38:31
Subject: RE: [pve-devel] [PATCH] use linko+ name for ovs fwbrint interfaces

> >>But I guess that does not work due to physdev match limitation :-/
>
> oh, ok.

The following works for me with fwtester:

# ./fwtester.pl -d test-basic1/tests vm2vm
IPT statistics: invocation = 3, checks = 33

When in add:

-A FORWARD -j PVEFW-FORWARD
-A PVEFW-FORWARD -o vmbr+ -m physdev --physdev-is-bridged --physdev-out fwpr+ -j RETURN

# ./fwtester.pl -d test-basic1/tests vm2vm
IPT statistics: invocation = 3, checks = 30

So I guess we do not gain much here?

> maybe, to bypass firewall, can we simply move first rules from PVE-FORWARD to PVEFW-FWBR-IN|OUT,PVEFW-VENET-IN|OUT ?
>
> -A FORWARD -j PVEFW-FORWARD
>
> -A PVEFW-FORWARD -i venet0 -m set --match-set PVEFW-venet0 src -j PVEFW-VENET-OUT
>>ipset to match only firewall vnet0
> -A PVEFW-VENET-OUT -m conntrack --ctstate INVALID -j DROP
> -A PVEFW-VENET-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>
> -A PVEFW-FORWARD -m physdev --physdev-in fwln+ --physdev-is-bridged -j PVEFW-FWBR-IN
> -A PVEFW-FWBR-IN -m conntrack --ctstate INVALID -j DROP
> -A PVEFW-FWBR-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A PVEFW-FWBR-IN -m set --match-set PVEFW-blacklist src -j DROP
>
> -A PVEFW-FORWARD -m physdev --physdev-out fwln+ --physdev-is-bridged -j PVEFW-FWBR-OUT
> -A PVEFW-FWBR-OUT -m conntrack --ctstate INVALID -j DROP
> -A PVEFW-FWBR-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

We just moved them the opposite direction?

> -A PVEFW-FORWARD -o venet0 -m set --match-set PVEFW-venet0 dst -j PVEFW-VENET-IN
> -A PVEFW-VENET-IN -m conntrack --ctstate INVALID -j DROP
> -A PVEFW-VENET-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A PVEFW-FORWARD -m set --match-set PVEFW-blacklist src -j DROP
>

already committed.
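The proposed chain layout quoted in this thread, and the question of how many rules unfirewalled traffic has to traverse, as an added example that is not code from the thread, from pve-firewall or from its fwtester.pl: a small Python model of iptables chain traversal that reports which chains a packet enters and how many rules are evaluated. Interface names, ipset match strings and the packets are constructed, and the --physdev-is-bridged qualifier is not modelled.

```python
def glob(pattern, name):
    # iptables "+" suffix wildcard: "fwln+" matches "fwln100i0"
    return name.startswith(pattern[:-1]) if pattern.endswith("+") else pattern == name

def matches(match, pkt):
    # pkt: dict with optional in_if, out_if, physdev_in, physdev_out, ctstate, sets
    kind, arg = match
    if kind == "ctstate":
        return pkt.get("ctstate", "NEW") in arg.split(",")
    if kind == "set":  # "sets" holds the ipset match strings the packet would hit
        return arg in pkt.get("sets", ())
    return glob(arg, pkt.get(kind, ""))

# The proposed layout quoted in the thread: chain -> [(match list, target)].
# Constructed model, not the rules pve-firewall actually generates.
CT = [([("ctstate", "INVALID")], "DROP"), ([("ctstate", "RELATED,ESTABLISHED")], "ACCEPT")]
CHAINS = {
    "FORWARD": [([], "PVEFW-FORWARD")],
    "PVEFW-FORWARD": [
        ([("in_if", "venet0"), ("set", "PVEFW-venet0 src")], "PVEFW-VENET-OUT"),
        ([("physdev_in", "fwln+")], "PVEFW-FWBR-IN"),
        ([("physdev_out", "fwln+")], "PVEFW-FWBR-OUT"),
        ([("out_if", "venet0"), ("set", "PVEFW-venet0 dst")], "PVEFW-VENET-IN"),
        ([("set", "PVEFW-blacklist src")], "DROP"),
    ],
    "PVEFW-VENET-OUT": CT,
    "PVEFW-FWBR-IN": CT + [([("set", "PVEFW-blacklist src")], "DROP")],
    "PVEFW-FWBR-OUT": CT,
    "PVEFW-VENET-IN": CT,
}

def walk(pkt, chain="FORWARD", checks=0, visited=None):
    """Return (verdict, rules evaluated, chains entered); verdict None = chain policy."""
    visited = [] if visited is None else visited
    visited.append(chain)
    for conds, target in CHAINS[chain]:
        checks += 1
        if not all(matches(m, pkt) for m in conds):
            continue
        if target == "RETURN":
            break  # back to the calling chain, which continues with its next rule
        if target in CHAINS:
            verdict, checks, visited = walk(pkt, target, checks, visited)
            if verdict is not None:
                return verdict, checks, visited
            continue  # the user chain fell through, so keep going here
        return target, checks, visited  # terminating target such as ACCEPT/DROP
    return None, checks, visited
```

`walk({"in_if": "venet0", "out_if": "vmbr0", "ctstate": "ESTABLISHED"})` returns `(None, 6, ['FORWARD', 'PVEFW-FORWARD'])`: with the ipset gate, a CT that is not in PVEFW-venet0 never enters PVEFW-VENET-OUT, while the same packet with `"PVEFW-venet0 src"` in its `sets` is accepted by the conntrack rule after 4 evaluations.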
_______________________________________________ pve-devel mailing list [email protected] http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
