Re: [pve-devel] venet firewall broken?

2014-05-12 Thread Alexandre DERUMIER
I think so. Maybe it is best to revert the last 10 commits ... So, fwbr bridges are pretty useless in this case? (I really like the new model with only 1 direction to check; vnet0-vnet0 seems to be the only tricky exception, because the traffic is routed). I wonder if we couldn't use some

Re: [pve-devel] venet firewall broken?

2014-05-12 Thread Alexandre DERUMIER
I'll work all day on it; I'm pretty sure it can be solved without reverting all the work. I'll keep you posted. - Original Mail - From: Alexandre DERUMIER aderum...@odiso.com To: Dietmar Maurer diet...@proxmox.com Cc: pve-devel@pve.proxmox.com Sent: Monday 12 May 2014 08:12:36

Re: [pve-devel] venet firewall broken?

2014-05-12 Thread Dietmar Maurer
I'll work all day on it; I'm pretty sure it can be solved without reverting all the work. I am currently working on a rebase, just to find out what we really need. I will also send the result to the list. ___ pve-devel mailing list

Re: [pve-devel] venet firewall broken?

2014-05-12 Thread Dietmar Maurer
container to container? venet0-venet0? Damn, I haven't tested this case. Seems it also breaks container to host.

Re: [pve-devel] venet firewall broken?

2014-05-12 Thread Alexandre DERUMIER
I am currently working on a rebase, just to find out what we really need. I will also send the result to the list. Ok, on my side, I was thinking about something like
-A FORWARD -j PVEFW-FORWARD
-A PVEFW-FORWARD -i fwbr+ -j PVEFW-FORWARD-FW
-A PVEFW-FORWARD -j MARK

Re: [pve-devel] venet firewall broken?

2014-05-12 Thread Alexandre DERUMIER
Seems it also breaks container to host. Could this help?
venet0-host -
-A PVEFW-INPUT -i venet0 -m set --match-set PVEFW-venet0 src -j MARK --set-mark 1
-A PVEFW-INPUT -j PVEFW-HOST-IN
-A PVEFW-HOST-IN -p tcp -m tcp --dport 22 -g PVEFW-ACCEPT-VENET-IN
-A

Re: [pve-devel] venet firewall broken?

2014-05-12 Thread Dietmar Maurer
Seems it also breaks container to host. Could this help? Sorry, but I lost the focus. We had a working firewall, so why exactly do you want to change it? The commit message from your patch is: "We can now do ACCEPT everywhere, and no need to use marks", which is obviously wrong. So why do

Re: [pve-devel] venet firewall broken?

2014-05-12 Thread Alexandre DERUMIER
Which is obviously wrong. So why do you want to keep that patch? Yes, I think you are right, we can revert that patch. - Original Mail - From: Dietmar Maurer diet...@proxmox.com To: Alexandre DERUMIER aderum...@odiso.com Cc: pve-devel@pve.proxmox.com Sent: Monday 12 May 2014 09:58:40

[pve-devel] [mew model rework 5/7] remove dead code

2014-05-12 Thread Dietmar Maurer
Signed-off-by: Dietmar Maurer diet...@proxmox.com --- src/PVE/Firewall.pm | 18 -- 1 file changed, 18 deletions(-) diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index 5cb17c7..c95bedd 100644 --- a/src/PVE/Firewall.pm +++ b/src/PVE/Firewall.pm @@ -2186,22 +2186,6 @@

[pve-devel] [mew model rework 3/7] remove bridge chains

2014-05-12 Thread Dietmar Maurer
-A PVEFW-FORWARD ! -i fwbr+ -j ACCEPT
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-in link+ -j PVEFW-FWBR-IN
-A PVEFW-FWBR-IN -m physdev --physdev-out

[pve-devel] [mew model rework 6/7] move nosmurfs, tcpflags and conntrack established outside tap chains

2014-05-12 Thread Dietmar Maurer
These should be done fast. Conntrack established can be done in PVE-FORWARD now; smurf and tcpflags can be done in PVEFW-FWBR-IN and PVEFW-VENET-IN (it doesn't make sense to test them in the OUT direction).
-A PVEFW-FORWARD ! -i fwbr+ -j ACCEPT
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A

[pve-devel] [mew model rework 7/7] use PVEFW-VENET-IN/OUT inside PVEFW-INPUT/OUTPUT chains

2014-05-12 Thread Dietmar Maurer
Signed-off-by: Dietmar Maurer diet...@proxmox.com --- src/PVE/Firewall.pm | 15 ++- 1 file changed, 2 insertions(+), 13 deletions(-) diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index 8d0e187..f217d40 100644 --- a/src/PVE/Firewall.pm +++ b/src/PVE/Firewall.pm @@ -1577,27

[pve-devel] [mew model rework 2/7] use hex digest to avoid url encoding problems

2014-05-12 Thread Dietmar Maurer
Signed-off-by: Dietmar Maurer diet...@proxmox.com --- src/PVE/Firewall.pm |4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index 7e33a1e..e8a7295 100644 --- a/src/PVE/Firewall.pm +++ b/src/PVE/Firewall.pm @@ -814,7 +814,7 @@ sub

[pve-devel] [mew model rework 1/7] avoid error about undefined array

2014-05-12 Thread Dietmar Maurer
Signed-off-by: Dietmar Maurer diet...@proxmox.com --- src/PVE/Firewall.pm |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index 398a015..7e33a1e 100644 --- a/src/PVE/Firewall.pm +++ b/src/PVE/Firewall.pm @@ -2357,7 +2357,7 @@ sub

[pve-devel] [mew model rework 4/7] add PVEFW-VENET-IN PVEFW-VENET-OUT chains

2014-05-12 Thread Dietmar Maurer
Based on patch from Alexandre + cleanups (s/vnet/venet/) Signed-off-by: Dietmar Maurer diet...@proxmox.com --- src/PVE/Firewall.pm | 10 -- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index 835b26a..5cb17c7 100644 ---

Re: [pve-devel] venet firewall broken?

2014-05-12 Thread Dietmar Maurer
Which is obviously wrong. So why do you want to keep that patch? Yes, I think you are right, we can revert that patch. I sent a rework to the list. Those patches apply on top of: commit 81a1a25884420d50fc3cc0cd68e01befeb547e7e Author: Dietmar Maurer diet...@proxmox.com Date: Tue May 6

Re: [pve-devel] venet firewall broken?

2014-05-12 Thread Dietmar Maurer
Which is obviously wrong. So why do you want to keep that patch? Yes, I think you are right, we can revert that patch. I think we need PVEFW-SET-ACCEPT-MARK for groups, but could simply use RETURN inside tapXXXiY-OUT? Although I am not sure if we gain much speedup from that.

Re: [pve-devel] venet firewall broken?

2014-05-12 Thread Alexandre DERUMIER
Ok, thanks! Please can you review them? If you think we can go that way, please add a 'Signed-off-by' line and clean up the commit messages (remove the 'based on patch from Alexandre' note). This is my first review ;) I'll try to do it cleanly. - Original Mail - From: Dietmar Maurer

Re: [pve-devel] does /etc/pve support flock?

2014-05-12 Thread Dietmar Maurer
timeout (automatic unlock after 120 seconds). I need something between 6-10 min. Again, you can't do that, so you need to find some workaround. Usually it is not necessary to lock things for such a long time. One workaround is to define an 'owner' node. We use that for VM configs. That

Re: [pve-devel] does /etc/pve support flock?

2014-05-12 Thread Dietmar Maurer
One workaround is to define an 'owner' node. We use that for VM configs. That way you only need to hold the global lock when you create or move VMs. For other operations it is good enough to acquire a local lock. Only the 'owner' can move a VM. I guess you could also use rgmanager to keep a

Re: [pve-devel] venet firewall broken?

2014-05-12 Thread Alexandre DERUMIER
Ok, seems to work fine: tap-tap, tap-host, host-tap, tap-vnet0, vnet0-tap; except vnet0-host, host-vnet0: I have blocked traffic at vnet0 level, even if I have an accept rule in vnet0... this is strange. (I need to do more tests.) Does it work for you? Also, I think we can do ACCEPT in

Re: [pve-devel] venet firewall broken?

2014-05-12 Thread Alexandre DERUMIER
host-venet0 currently -
-A OUTPUT -j PVEFW-OUTPUT
-A PVEFW-OUTPUT -o venet0 -j PVEFW-VENET-IN
we do accept here, so bypass host rule
-A PVEFW-OUTPUT -j PVEFW-HOST-OUT
-A PVEFW-HOST-OUT -p tcp -m tcp --dport

Re: [pve-devel] venet firewall broken?

2014-05-12 Thread Dietmar Maurer
except vnet0-host, host-vnet0: I have blocked traffic at vnet0 level, even if I have an accept rule in vnet0... this is strange. (I need to do more tests.) Does it work for you? Yes, works here. You also need to have an accept rule for the host side. Does it help if you stop/start

Re: [pve-devel] venet firewall broken?

2014-05-12 Thread Dietmar Maurer
sigh - sorry. I forgot to commit that change! diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index f217d40..4cefc41 100644 --- a/src/PVE/Firewall.pm +++ b/src/PVE/Firewall.pm @@ -2569,7 +2569,6 @@ sub compile { ruleset_create_chain($ruleset, PVEFW-FWBR-OUT);

Re: [pve-devel] venet firewall broken?

2014-05-12 Thread Dietmar Maurer
sent an updated version (only patch 7/7 changed): [mew model rework v2 7/7] use PVEFW-VENET-IN/OUT inside PVEFW-INPUT/OUTPUT chains -Original Message- From: Alexandre DERUMIER [mailto:aderum...@odiso.com] Sent: Monday, 12 May 2014 11:54 To: Dietmar Maurer Cc:

Re: [pve-devel] venet firewall broken?

2014-05-12 Thread Dietmar Maurer
sent an updated version (only patch 7/7 changed): [mew model rework v2 7/7] use PVEFW-VENET-IN/OUT inside PVEFW-INPUT/OUTPUT chains s/mew/new/ (sorry)

Re: [pve-devel] venet firewall broken?

2014-05-12 Thread Alexandre DERUMIER
Ok, thanks, I'll test it this afternoon - Original Mail - From: Dietmar Maurer diet...@proxmox.com To: Alexandre DERUMIER aderum...@odiso.com Cc: pve-devel@pve.proxmox.com Sent: Monday 12 May 2014 12:02:43 Subject: RE: [pve-devel] venet firewall broken? sent an updated version (only

[pve-devel] [mew model rework v2 1/7] avoid error about undefined array

2014-05-12 Thread Dietmar Maurer
Signed-off-by: Dietmar Maurer diet...@proxmox.com --- src/PVE/Firewall.pm |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index 398a015..7e33a1e 100644 --- a/src/PVE/Firewall.pm +++ b/src/PVE/Firewall.pm @@ -2357,7 +2357,7 @@ sub

[pve-devel] [mew model rework v2 5/7] remove dead code

2014-05-12 Thread Dietmar Maurer
Signed-off-by: Dietmar Maurer diet...@proxmox.com --- src/PVE/Firewall.pm | 18 -- 1 file changed, 18 deletions(-) diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index 5cb17c7..c95bedd 100644 --- a/src/PVE/Firewall.pm +++ b/src/PVE/Firewall.pm @@ -2186,22 +2186,6 @@

[pve-devel] [mew model rework v2 2/7] use hex digest to avoid url encoding problems

2014-05-12 Thread Dietmar Maurer
Signed-off-by: Dietmar Maurer diet...@proxmox.com --- src/PVE/Firewall.pm |4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index 7e33a1e..e8a7295 100644 --- a/src/PVE/Firewall.pm +++ b/src/PVE/Firewall.pm @@ -814,7 +814,7 @@ sub

[pve-devel] [mew model rework v2 4/7] add PVEFW-VENET-IN PVEFW-VENET-OUT chains

2014-05-12 Thread Dietmar Maurer
Based on patch from Alexandre + cleanups (s/vnet/venet/) Signed-off-by: Dietmar Maurer diet...@proxmox.com --- src/PVE/Firewall.pm | 10 -- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index 835b26a..5cb17c7 100644 ---

[pve-devel] [mew model rework v2 7/7] use PVEFW-VENET-IN/OUT inside PVEFW-INPUT/OUTPUT chains

2014-05-12 Thread Dietmar Maurer
Signed-off-by: Dietmar Maurer diet...@proxmox.com --- src/PVE/Firewall.pm | 16 +++- 1 file changed, 3 insertions(+), 13 deletions(-) diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index 8d0e187..4cefc41 100644 --- a/src/PVE/Firewall.pm +++ b/src/PVE/Firewall.pm @@

[pve-devel] [mew model rework v2 6/7] move nosmurfs, tcpflags and conntrack established outside tap chains

2014-05-12 Thread Dietmar Maurer
These should be done fast. Conntrack established can be done in PVE-FORWARD now; smurf and tcpflags can be done in PVEFW-FWBR-IN and PVEFW-VENET-IN (it doesn't make sense to test them in the OUT direction).
-A PVEFW-FORWARD ! -i fwbr+ -j ACCEPT
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A

[pve-devel] [PATCH 6/7] move nosmurfs, tcpflags and conntrack established outside tap chains

2014-05-12 Thread Alexandre Derumier
From: Dietmar Maurer diet...@proxmox.com
These should be done fast. Conntrack established can be done in PVE-FORWARD now; smurf and tcpflags can be done in PVEFW-FWBR-IN and PVEFW-VENET-IN (it doesn't make sense to test them in the OUT direction).
-A PVEFW-FORWARD ! -i fwbr+ -j ACCEPT
-A PVEFW-FORWARD -m

[pve-devel] [PATCH 5/7] remove dead code

2014-05-12 Thread Alexandre Derumier
From: Dietmar Maurer diet...@proxmox.com Signed-off-by: Dietmar Maurer diet...@proxmox.com Signed-off-by: Alexandre Derumier aderum...@odiso.com --- src/PVE/Firewall.pm | 18 -- 1 file changed, 18 deletions(-) diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index

[pve-devel] [PATCH 7/7] use PVEFW-VENET-IN/OUT inside PVEFW-INPUT/OUTPUT chains

2014-05-12 Thread Alexandre Derumier
From: Dietmar Maurer diet...@proxmox.com Signed-off-by: Dietmar Maurer diet...@proxmox.com Signed-off-by: Alexandre Derumier aderum...@odiso.com --- src/PVE/Firewall.pm | 16 +++- 1 file changed, 3 insertions(+), 13 deletions(-) diff --git a/src/PVE/Firewall.pm

[pve-devel] review of dietmar patches

2014-05-12 Thread Alexandre Derumier
Ok, all seems to work fine now: tap-tap, tap-host, host-tap, tap-vnet0, vnet0-tap, vnet0-host, host-vnet0. An optimisation could be done in the tap-out and veth-out chains: we can do ACCEPT instead of RETURN for these chains (to avoid scanning all tapxxx-OUT chains in PVEFW-FWBR-OUT). before -- -A
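The chain layout from patches 3/7 and 6/7 and the RETURN-versus-ACCEPT point raised in the review above, as an added example: this is Python written for this page, not Proxmox's Perl code and not anything posted in the thread. It renders the skeleton as iptables-restore text and walks constructed packets through it, counting how many rules the kernel would have to evaluate. The chain names, the fwbr+ and link+ interface names and the conntrack/physdev rules are taken from the rules quoted in the thread; the per-VM chains reduced to a single final action, the tap names tap100i0 to tap102i0, and the builtin FORWARD policy deciding on fall-through are assumptions made for the example.

```python
"""Toy model of the PVEFW-FORWARD chain layout discussed in this thread (added example, not
Proxmox code). Renders the layout as iptables-restore text and walks packets through it,
counting the rules the kernel would evaluate. Per-VM chain contents are an assumption."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def _ifmatch(pattern: str, name: str) -> bool:
    """iptables interface matching: a trailing '+' makes the name a prefix wildcard."""
    return name.startswith(pattern[:-1]) if pattern.endswith("+") else name == pattern


@dataclass
class Packet:
    in_if: str              # -i: the fwbr bridge for bridged traffic, venet0 for routed CT traffic
    ctstate: str            # NEW / ESTABLISHED / RELATED / INVALID
    physdev_in: str = ""    # bridge port the frame arrived on (tapXXXiY or linkXXXiY)
    physdev_out: str = ""   # bridge port it leaves on


@dataclass
class Rule:
    target: str                           # ACCEPT, DROP, RETURN or a user chain
    in_if: Optional[str] = None           # -i
    not_in_if: Optional[str] = None       # ! -i
    ctstate: Optional[List[str]] = None   # -m conntrack --ctstate
    physdev_in: Optional[str] = None      # -m physdev --physdev-in
    physdev_out: Optional[str] = None     # -m physdev --physdev-out

    def matches(self, pkt: Packet) -> bool:
        # --physdev-is-bridged is not modelled: the packets built below are bridged or routed as described
        checks = [(self.in_if, pkt.in_if, True), (self.not_in_if, pkt.in_if, False),
                  (self.physdev_in, pkt.physdev_in, True), (self.physdev_out, pkt.physdev_out, True)]
        if any(pat and _ifmatch(pat, val) != want for pat, val, want in checks):
            return False
        return not self.ctstate or pkt.ctstate in self.ctstate

    def render(self, chain: str) -> str:
        parts = [f"-A {chain}"]
        if self.not_in_if:
            parts.append(f"! -i {self.not_in_if}")
        if self.in_if:
            parts.append(f"-i {self.in_if}")
        if self.ctstate:
            parts.append("-m conntrack --ctstate " + ",".join(self.ctstate))
        if self.physdev_in or self.physdev_out:
            parts.append("-m physdev --physdev-is-bridged")
            parts += [f"--physdev-in {self.physdev_in}"] if self.physdev_in else []
            parts += [f"--physdev-out {self.physdev_out}"] if self.physdev_out else []
        return " ".join(parts + [f"-j {self.target}"])


Ruleset = Dict[str, List[Rule]]


def build_ruleset(taps: List[str], out_end: str = "RETURN") -> Ruleset:
    """Skeleton from patches 3/7 and 6/7; out_end is the last rule of every tapXXXiY-OUT chain."""
    rs: Ruleset = {"PVEFW-FORWARD": [
        Rule("ACCEPT", not_in_if="fwbr+"),                   # not on a firewall bridge: not ours
        Rule("DROP", ctstate=["INVALID"]),
        Rule("ACCEPT", ctstate=["RELATED", "ESTABLISHED"]),  # checked once, before any per-VM chain
        Rule("PVEFW-FWBR-IN", physdev_in="link+"),           # from the vmbr side, towards a guest
        Rule("PVEFW-FWBR-OUT", physdev_out="link+"),         # from a guest, towards the vmbr side
    ], "PVEFW-FWBR-IN": [], "PVEFW-FWBR-OUT": []}
    for tap in taps:
        # The VM's own rules are omitted; each chain keeps only its final action (assumption).
        rs[f"{tap}-IN"] = [Rule("ACCEPT")]
        rs[f"{tap}-OUT"] = [Rule(out_end)]
        rs["PVEFW-FWBR-IN"].append(Rule(f"{tap}-IN", physdev_out=tap))
        rs["PVEFW-FWBR-OUT"].append(Rule(f"{tap}-OUT", physdev_in=tap))
    return rs


def render(rs: Ruleset) -> str:
    """iptables-restore text for the ruleset."""
    lines = ["*filter"] + [f":{c} - [0:0]" for c in rs] + ["-A FORWARD -j PVEFW-FORWARD"]
    for chain, rules in rs.items():
        lines += [r.render(chain) for r in rules]
    return "\n".join(lines + ["COMMIT"])


def _walk(rs: Ruleset, chain: str, pkt: Packet, counter: List[int]) -> Optional[str]:
    for rule in rs[chain]:
        counter[0] += 1                      # the kernel evaluates this rule's matches
        if not rule.matches(pkt):
            continue
        if rule.target in ("ACCEPT", "DROP"):
            return rule.target
        if rule.target == "RETURN":
            return None
        v = _walk(rs, rule.target, pkt, counter)   # jump into a user chain
        if v is not None:
            return v
    return None                              # fell off the chain: the caller keeps scanning


def verdict(rs: Ruleset, pkt: Packet) -> Tuple[str, int]:
    """Final verdict and number of rules evaluated; POLICY means the FORWARD chain policy decides."""
    counter = [0]
    return (_walk(rs, "PVEFW-FORWARD", pkt, counter) or "POLICY", counter[0])


def demo() -> Dict[str, Tuple[str, int]]:
    """Constructed packets against a host with three firewalled VM NICs."""
    taps = ["tap100i0", "tap101i0", "tap102i0"]
    guest_out = Packet("fwbr100i0", "NEW", "tap100i0", "link100i0")   # first VM, guest -> vmbr
    return {
        "established": verdict(build_ruleset(taps), Packet("fwbr100i0", "ESTABLISHED", "tap100i0", "link100i0")),
        "to_guest": verdict(build_ruleset(taps), Packet("fwbr101i0", "NEW", "link101i0", "tap101i0")),
        "routed_venet": verdict(build_ruleset(taps), Packet("venet0", "NEW")),
        "out_return": verdict(build_ruleset(taps, "RETURN"), guest_out),
        "out_accept": verdict(build_ruleset(taps, "ACCEPT"), guest_out),
    }


if __name__ == "__main__":
    print(render(build_ruleset(["tap100i0"])))
    for name, (v, n) in demo().items():
        print(f"{name:13s} {v:7s} rules evaluated: {n}")
```

With RETURN at the end of tap100i0-OUT the packet re-enters PVEFW-FWBR-OUT and the dispatch rules for every other VM are still evaluated (9 rules here, and the count grows with the number of firewalled NICs on the host); with ACCEPT the walk stops at 7. An established packet is accepted after 3 rules without touching any per-VM chain, which is the point of patch 6/7. The venet0 packet is accepted by the `! -i fwbr+` rule before any bridge chain is consulted, which is why routed container traffic needs its own PVEFW-VENET-IN/OUT handling in the INPUT/OUTPUT chains rather than the fwbr model.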

[pve-devel] [PATCH 1/7] avoid error about undefined array

2014-05-12 Thread Alexandre Derumier
From: Dietmar Maurer diet...@proxmox.com Signed-off-by: Dietmar Maurer diet...@proxmox.com Signed-off-by: Alexandre Derumier aderum...@odiso.com --- src/PVE/Firewall.pm |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index

[pve-devel] pve-firewall : insert PVEFW-IPS after vm rules generation

2014-05-12 Thread Alexandre Derumier
Currently broken with the code rebase; we need to insert it after rule generation, or it never matches.

[pve-devel] [PATCH] insert PVEFW-IPS after vm rules generation

2014-05-12 Thread Alexandre Derumier
or it never matches Signed-off-by: Alexandre Derumier aderum...@odiso.com --- src/PVE/Firewall.pm |7 +-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index 4cefc41..47a0f93 100644 --- a/src/PVE/Firewall.pm +++

[pve-devel] pve-firewall : insert PVEFW-IPS after vm rules generation v2

2014-05-12 Thread Alexandre Derumier
changelog: only go to PVEFW-IPS for established connections

[pve-devel] [PATCH] insert PVEFW-IPS after vm rules generation v2

2014-05-12 Thread Alexandre Derumier
or it never matches Signed-off-by: Alexandre Derumier aderum...@odiso.com --- src/PVE/Firewall.pm |7 +-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index 4cefc41..41494c6 100644 --- a/src/PVE/Firewall.pm +++

Re: [pve-devel] review of dietmar patches

2014-05-12 Thread Daniel Hunsaker
Ok, all seem to works fine now. tap-tap tap-host host-tap tap-vnet0 vnet0-tap vnet0-host host-vnet0 Maybe it's just me, but shouldn't there also have been a vnet0-vnet0 test? You tested tap-tap, and I suspect host-host won't be an issue, but after the discussion over vnet0-vnet0

Re: [pve-devel] review of dietmar patches

2014-05-12 Thread Alexandre DERUMIER
Yes, yes, of course, it's working for vnet0-vnet0 too. - Original Mail - From: Daniel Hunsaker danhunsa...@gmail.com To: Alexandre DERUMIER aderum...@odiso.com Cc: pve-devel@pve.proxmox.com Sent: Monday 12 May 2014 19:13:20 Subject: Re: [pve-devel] review of dietmar patches Ok, all

Re: [pve-devel] kvm command: discovered bug

2014-05-12 Thread Michael Rasmussen
On Mon, 12 May 2014 03:47:39 + Dietmar Maurer diet...@proxmox.com wrote: It will not break anything for current setups since current setups must already be configured to use ALL for host and target groups since this is the only way the current setup will work. Yes, looks

[pve-devel] [PATCH 1/1] add initiator-name to iscsi drives if configured

2014-05-12 Thread mir
From: Michael Rasmussen m...@datanom.net Signed-off-by: Michael Rasmussen m...@datanom.net --- PVE/QemuServer.pm | 27 +-- 1 file changed, 25 insertions(+), 2 deletions(-) diff --git a/PVE/QemuServer.pm b/PVE/QemuServer.pm index 2cb2d95..c4ec8fa 100644 ---

Re: [pve-devel] review of dietmar patches

2014-05-12 Thread Dietmar Maurer
Ok, I pushed a forced update with those patches, so please do a fresh clone. -Original Message- From: pve-devel [mailto:pve-devel-boun...@pve.proxmox.com] On Behalf Of Alexandre Derumier Sent: Monday, 12 May 2014 13:33 To: pve-devel@pve.proxmox.com Subject: [pve-devel] review of

Re: [pve-devel] [PATCH] insert PVEFW-IPS after vm rules generation v2

2014-05-12 Thread Alexandre DERUMIER
I don't understand the problem. Why does this produce different output than the original code? I found 2 bugs: 1) The PVEFW-IPS chain was empty, because we test it before rule generation. 2) But also, it is missing an accept at the end of the PVEFW-IPS chain - my $accept = ruleset_chain_exist($ruleset,

[pve-devel] [PATCH] use linko+ name for ovs fwbrint interfaces

2014-05-12 Thread Alexandre Derumier
We need to match the link+ rule from the iptables rules, and need a name different from link(\d+)i(\d+), to distinguish bridge/ovs interface unplug Signed-off-by: Alexandre Derumier aderum...@odiso.com --- data/PVE/Network.pm |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff

[pve-devel] pve-common : use linko+ name for ovs fwbrint interfaces

2014-05-12 Thread Alexandre Derumier
We need it to match iptables rules