On 07.07.2014 13:30, Alexandre DERUMIER wrote:
>>> I'll check if we couldn't mix iptables and nftables (for the layer2), to
>>> not do twice the job.
>
> Seems to work, I have created a simple layer2 filtering with
>
> nft add rule bridge filter forward iifname tap123i0 log prefix "testdrop" drop
>
> + iptables running in parallel,
>
> and it works fine.
>
> Some notes:
>
> Ethernet protocol filtering can be managed with
>
> # nft add rule bridge filter forward ether type 0x0800
>
> I have a segfault with mac filtering
> --------------------------------------
>
> # mac source
> add rule bridge filter forward iifname tap123i0 @ll,48,48 00:15:e9:f0:10:f8 counter
> # mac dest
> add rule bridge filter forward iifname tap123i0 @ll,0,48 00:1b:21:02:6f:ad counter
> # mac source and mac dest
> add rule bridge filter forward iifname tap123i0 @ll,0,48 00:1b:21:02:6f:ad @ll,48,48 00:15:e9:f0:10:f8 counter
>
> Jul 7 13:24:36 kvmtest1 kernel: [ 9213.510642] nft[24469]: segfault at 0 ip 000000000040c647 sp 00007fffb7178620 error 4 in nft[400000+44000]
>
> So, maybe it's a bug in current rhel kernel.
> (I'll test with a 3.15 kernel)
Segfaulting in nft looks more like a bug in the nft cmd tool. Have you tried to attach with gdb and the debug libs?

Stefan

> ----- Original Message -----
>
> From: "Alexandre DERUMIER" <aderum...@odiso.com>
> To: "Stefan Priebe - Profihost AG" <s.pri...@profihost.ag>
> Cc: "pve-devel" <pve-devel@pve.proxmox.com>
> Sent: Monday, 7 July 2014 10:24:13
> Subject: Re: [pve-devel] firewall : cluster.fw [rules] section ?
>
>>> I really would love to see the mac filter for layer2 in the first
>>> release. At least to me it's a pretty important thing. Otherwise the
>>> current mac filter is pretty "useless".
>>>
>>> Stefan
>
> I'll check if we couldn't mix iptables and nftables (for the layer2), to not
> do twice the job.
>
> ----- Original Message -----
>
> From: "Stefan Priebe - Profihost AG" <s.pri...@profihost.ag>
> To: "Alexandre DERUMIER" <aderum...@odiso.com>, "Dietmar Maurer" <diet...@proxmox.com>
> Cc: "pve-devel" <pve-devel@pve.proxmox.com>
> Sent: Monday, 7 July 2014 09:17:42
> Subject: Re: [pve-devel] firewall : cluster.fw [rules] section ?
>
> Hi,
>
> On 07.07.2014 07:46, Alexandre DERUMIER wrote:
>>>> My feeling is that we should use nft, else we will do all work twice.
>>>>
>> yes.
>>
>>>> But the current iptables implementation is a good start for the first
>>>> release.
>>
>> I'll try to build a nftables rules sample manually to see what's missing.
>> Maybe we can release the current iptables code for ipv4+ipset and later nftables
>> for ipv4+ipv6+ebtables?
>
> I really would love to see the mac filter for layer2 in the first
> release. At least to me it's a pretty important thing. Otherwise the
> current mac filter is pretty "useless".
>
> Stefan
>
>> I think nft is almost ready, the 0.3 release note said that some parts are not
>> yet ready (masquerading, unicast/multicast/broadcast rules).
>> So it should be ready in some months I think.
>>
>> "
>> Ongoing works
>> =============
>>
>> There are several open fronts in terms of development:
>>
>> * Full logging support for all the supported families (ip, ip6, arp,
>>   bridge and inet).
>>
>> * Masquerading support.
>>
>> * Better reject support, which allows you to indicate the explicit reject
>>   reason.
>>
>> * JSON/XML import.
>>
>> * reverse set lookups, eg.
>>
>>   ip saddr != { 192.168.0.1, 192.168.0.10, 192.168.0.11 }
>>            ^^
>>
>> * more new meta selectors, packet type (unicast, multicast and broadcast),
>>   cpu, physical interface, realm, etc.
>>
>> * support for concatenations - multidimensional exact matches in O(1) types
>>
>> * set selection - automatic selection of the optimal set
>>   implementation.
>> "
>>
>> ----- Original Message -----
>>
>> From: "Dietmar Maurer" <diet...@proxmox.com>
>> To: "Alexandre DERUMIER" <aderum...@odiso.com>
>> Cc: "pve-devel" <pve-devel@pve.proxmox.com>
>> Sent: Monday, 7 July 2014 06:02:08
>> Subject: RE: [pve-devel] firewall : cluster.fw [rules] section ?
>>
>>> another interesting feature since nftables 0.2, is to be able to manage
>>> ipv4 and ipv6 in the same filter table
>>
>> My feeling is that we should use nft, else we will do all work twice.
>>
>> But the current iptables implementation is a good start for the first
>> release.
>> _______________________________________________
>> pve-devel mailing list
>> pve-devel@pve.proxmox.com
>> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
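The layer-2 MAC filter the thread is asking for, written out as an added example that is not part of the original thread and not Proxmox VE firewall code: a POSIX shell function that emits a complete nftables bridge-family ruleset for `nft -f`, pinning one VM tap interface to a single source MAC (anti-spoofing) and to a whitelist of Ethernet protocols. The interface name `tap123i0` and the MAC values are hypothetical, reused from the rules Alexandre posted. It uses the named `ether saddr` / `ether type` payload selectors, which match the same bytes as the raw `@ll,48,48` (source MAC, bits 48..95 of the Ethernet header) and `@ll,0,48` (destination MAC) offsets in his rules, so the raw-payload path that crashed his 0.3-era `nft` is not needed. Because the interface name and MAC end up spliced into rule text, both are validated first; an unchecked value from a VM config could otherwise inject extra rule text. Generating the ruleset runs anywhere; applying it needs root and a kernel with nf_tables bridge support.

```shell
#!/bin/sh
# Added example (not Proxmox VE code): build an nftables bridge-family ruleset
# that pins one VM tap interface to a single source MAC and to a list of
# allowed Ethernet protocols. Interface and MAC values are hypothetical.

# valid_mac MAC -> 0 if MAC is six hex octets separated by colons.
# The MAC is spliced into rule text, so it is validated first: an unchecked
# value like "00:11:22:33:44:55 accept;" would inject extra rule text.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# valid_ifname NAME -> 0 if NAME looks like a Linux interface name
# (1..15 chars, no spaces, quotes, slashes or other rule syntax).
valid_ifname() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9_.-]{1,15}$'
}

# gen_mac_filter IFNAME MAC [ETHERTYPE...]
# Prints a complete ruleset for `nft -f -`. Frames entering the bridge from
# IFNAME with a different source MAC are counted, logged and dropped; frames
# whose ether type is not in the allowed list are dropped; everything else
# falls through to the chain policy. Default allowed types: ip, arp, ip6.
gen_mac_filter() {
    iface=$1
    mac=$2
    shift 2
    valid_ifname "$iface" || { echo "gen_mac_filter: bad interface name" >&2; return 1; }
    valid_mac "$mac"      || { echo "gen_mac_filter: bad MAC address" >&2; return 1; }
    [ $# -gt 0 ] || set -- ip arp ip6
    types=$(printf '%s, ' "$@")
    types=${types%, }

    cat <<EOF
table bridge filter {
    chain forward {
        type filter hook forward priority 0; policy accept;

        # anti-spoofing: only the guest's own MAC may appear as source on $iface
        # ('ether saddr' is the named form of the raw '@ll,48,48' payload match)
        iifname "$iface" ether saddr != $mac counter log prefix "macspoof $iface " drop

        # protocol whitelist: accept the listed ether types from $iface, drop the rest
        iifname "$iface" ether type { $types } accept
        iifname "$iface" counter drop
    }
}
EOF
}

# Stand-alone usage: print the ruleset, or apply it (root) with
#   gen_mac_filter tap123i0 00:15:e9:f0:10:f8 | nft -f -
# Use `nft -c -f -` first to syntax-check without loading.
```

The final `iifname "$iface" counter drop` is what makes the whitelist a whitelist: without it the chain policy `accept` would let any unlisted ether type through, and the `counter` on it gives you a cheap indicator that a guest is emitting something unexpected before you reach for `log`.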