On Wed, Nov 28, 2018 at 12:03:23PM +0100, Alexandre DERUMIER wrote:
> >>I mean, it does "work™" if we keep the firewall bridges around, as we
> >>can match on `fwbr404i0` etc...
>
> >>But it would be nice if we could get rid of those...
>
> AFAIK, we also have added fwbr because we wanted the
t for the interface number...)
:/
>>I'd really like to just get the damn info... it's not like it's not
>>available for iptables already anyway -_- a `log` rule even prints all
>>of it ...
Which info?
- Original Message -
From: "Wolfgang Bumiller"
To: "ade
> Just to throw in another idea:
> How about using something like shorewall (shorewall.net) to handle the
> whole firewall generation code from a higher level. I've been using it in
> really complex setups for years and I am very happy with it. (I know
> this won't solve the nftables problem right
On Tuesday, 27.11.2018, 14:55 +0100, Wolfgang Bumiller wrote:
> The pve-firewall code is very iptables-oriented though, and I'm not sure
> if maybe we're not better off splitting the rule-generating part out
> and write the nftables variant from scratch... The iptables part would
> be
On Wed, Nov 28, 2018 at 09:21:53AM +0100, Alexandre DERUMIER wrote:
> >>sysctl net.bridge.bridge-nf-call-iptables=1
> >>(haven't tested more than this, but I'm seeing vm connections in
> >>conntrack)
>
> Damn, doesn't work because all is going to the ip filter, and tap interfaces are
>
s)
:/
- Original Message -
From: "aderumier"
To: "pve-devel"
Sent: Wednesday 28 November 2018 06:57:27
Subject: Re: [pve-devel] pve-firewall : nftables ?
>>Also,
>>it seems that conntrack is not yet implemented on bridge filtering :(
>>
>>seems to be
ward priority 0 \; }
nft add rule filter forward ct state established,related counter accept
(haven't tested more than this, but I'm seeing vm connections in conntrack)
- Original Message -
From: "aderumier"
To: "pve-devel"
Sent: Tuesday 27 November 2018 16:55:50
Ob
Also,
it seems that conntrack is not yet implemented on bridge filtering :(
seems to be a blocking point for now
- Original Message -
From: "Alexandre Derumier"
To: "Wolfgang Bumiller"
Cc: "pve-devel"
Sent: Tuesday 27 November 2018 15:19:41
Subject: Re: [pve-
gang Bumiller"
To: "Alexandre Derumier"
Cc: "pve-devel"
Sent: Tuesday 27 November 2018 14:55:52
Subject: Re: [pve-devel] pve-firewall : nftables ?
On Mon, Nov 26, 2018 at 09:00:47AM +0100, Alexandre DERUMIER wrote:
> Hi,
>
> I would like to know if somebody ha
ecated by dscp
- Original Message -
From: "Josef Johansson"
To: "pve-devel"
Sent: Tuesday 27 November 2018 14:58:31
Subject: Re: [pve-devel] pve-firewall : nftables ?
On 11/27/18 2:55 PM, Wolfgang Bumiller wrote:
> On Mon, Nov 26, 2018 at 09:00:47AM +0100, Alexandre DERU
On 11/27/18 2:55 PM, Wolfgang Bumiller wrote:
On Mon, Nov 26, 2018 at 09:00:47AM +0100, Alexandre DERUMIER wrote:
Hi,
I would like to know if somebody has already made some tests with nftables
recently?
Mainly, it is not possible to use physdev direction,
like:
-A PVEFW-FWBR-OUT -m physdev
On Mon, Nov 26, 2018 at 09:00:47AM +0100, Alexandre DERUMIER wrote:
> Hi,
>
> I would like to know if somebody has already made some tests with nftables
> recently?
>
> Mainly, it is not possible to use physdev direction,
>
> like:
>
> -A PVEFW-FWBR-OUT -m physdev --physdev-in tap160i1
Hi,
I would like to know if somebody has already made some tests with nftables
recently?
Mainly, it is not possible to use physdev direction,
like:
-A PVEFW-FWBR-OUT -m physdev --physdev-in tap160i1 --physdev-is-bridged -j tap160i1-OUT
I wonder if a simple vmap like this could work?
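For reference, a bridge-family nftables ruleset that does what the iptables physdev rule above does, using a verdict map for the per-tap dispatch. This is an added example and not code from the thread or from pve-firewall: the table name pvefw, the chain bodies and the guest address are assumptions, only the tap name tap160i1 comes from the message, and the ct rules assume a kernel with bridge conntrack (nf_conntrack_bridge, Linux 5.3 and later), which the thread reports did not exist at the time.

```nft
# Constructed example: nftables bridge-family equivalent of
#   -A PVEFW-FWBR-OUT -m physdev --physdev-in tap160i1 --physdev-is-bridged -j tap160i1-OUT
# Table name, chain contents and addresses are assumptions.
table bridge pvefw {
    # Traffic the guest sends: it enters the bridge on the guest's tap, so in
    # the forward hook it has iifname == tap160i1 (iptables: --physdev-in).
    chain tap160i1-OUT {
        ip saddr 10.0.0.160 accept    # assumed guest address (anti-spoofing)
        drop
    }

    # Traffic delivered to the guest: oifname == tap160i1 (iptables: --physdev-out).
    chain tap160i1-IN {
        ip protocol tcp tcp dport { 22, 443 } accept
        drop
    }

    chain forward {
        type filter hook forward priority 0; policy accept;

        # Needs bridge conntrack (nf_conntrack_bridge, Linux 5.3+); the thread
        # notes this was still missing for bridge filtering in 2018.
        ct state established,related counter accept
        ct state invalid drop

        # In the bridge forward hook the bridge port names are plain
        # iifname/oifname, and --physdev-is-bridged is implied by the hook.
        # A verdict map dispatches per tap instead of one rule per interface.
        iifname vmap { "tap160i1" : jump tap160i1-OUT }
        oifname vmap { "tap160i1" : jump tap160i1-IN }
    }
}
```

Load it with `nft -f <file>`; new guests are handled by adding their tap to both verdict maps rather than by inserting rules.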