I think so. Maybe it is best to revert the last 10 commits ...
So, fwbr bridges are pretty useless in this case?
(I really like the new model with only 1 direction to check; vnet0->vnet0 seems
to be the only tricky exception, because the traffic is routed).
I wonder if we couldn't use some
I'll work on it all day,
I'm pretty sure it can be solved without reverting all the work.
I'll keep you posted.
- Original Message -
From: Alexandre DERUMIER aderum...@odiso.com
To: Dietmar Maurer diet...@proxmox.com
Cc: pve-devel@pve.proxmox.com
Sent: Monday 12 May 2014 08:12:36
I'll work all the day on it,
I'm pretty sure it can be solved without revert all the work.
I am currently working on a rebase, just to find out what we really need. I
will also send the result to the list.
___
pve-devel mailing list
container to container?
venet0->venet0?
Damn, I haven't tested this case.
Seems it also breaks container to host.
Ok, on my side, I was thinking about something like
-A FORWARD -j PVEFW-FORWARD
-A PVEFW-FORWARD -i fwbr+ -j PVEFW-FORWARD-FW
-A PVEFW-FORWARD -j MARK
Seems it also breaks container to host.
Could this help?
venet0->host
-
-A PVEFW-INPUT -i venet0 -m set --match-set PVEFW-venet0 src -j MARK --set-mark 1
-A PVEFW-INPUT -j PVEFW-HOST-IN
-A PVEFW-HOST-IN -p tcp -m tcp --dport 22 -g PVEFW-ACCEPT-VENET-IN
-A
Sorry, but I lost the focus. We had a working firewall, so why exactly do you
want to change it?
The commit message from your patch is:
We can now do ACCEPT everywhere, and no need to use marks
Which is obviously wrong. So why do you want to keep that patch?
Yes, I think you are right, we can revert that patch.
- Original Message -
From: Dietmar Maurer diet...@proxmox.com
To: Alexandre DERUMIER aderum...@odiso.com
Cc: pve-devel@pve.proxmox.com
Sent: Monday 12 May 2014 09:58:40
Signed-off-by: Dietmar Maurer diet...@proxmox.com
---
src/PVE/Firewall.pm | 18 --
1 file changed, 18 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 5cb17c7..c95bedd 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -2186,22 +2186,6 @@
-A PVEFW-FORWARD ! -i fwbr+ -j ACCEPT
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-in link+ -j
PVEFW-FWBR-IN
-A PVEFW-FWBR-IN -m physdev --physdev-out
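Review bot: the order in this hunk puts `-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT` ahead of the `--physdev-in link+ -j PVEFW-FWBR-IN` dispatch, so only the first packet of a connection is ever seen by the per-VM chains; that is a sensible fast path, but it should be stated in a comment next to the rule, because a rule later added to a tapXXX-IN chain will not affect connections conntrack already tracks until those entries expire or are flushed. Likewise `-A PVEFW-FORWARD ! -i fwbr+ -j ACCEPT` precedes `--ctstate INVALID -j DROP`, so INVALID packets are only dropped when they enter through an fwbr bridge; if that is deliberate, say so in a comment, otherwise move the INVALID drop to the top of the chain.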
These should be done fast:
conntrack established can be done in PVEFW-FORWARD now;
smurf and tcpflags can be done in PVEFW-FWBR-IN and PVEFW-VENET-IN (it doesn't
make sense to test them in the OUT direction).
-A PVEFW-FORWARD ! -i fwbr+ -j ACCEPT
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A
Signed-off-by: Dietmar Maurer diet...@proxmox.com
---
src/PVE/Firewall.pm | 15 ++-
1 file changed, 2 insertions(+), 13 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 8d0e187..f217d40 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1577,27
Signed-off-by: Dietmar Maurer diet...@proxmox.com
---
src/PVE/Firewall.pm |4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 7e33a1e..e8a7295 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -814,7 +814,7 @@ sub
Signed-off-by: Dietmar Maurer diet...@proxmox.com
---
src/PVE/Firewall.pm |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 398a015..7e33a1e 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -2357,7 +2357,7 @@ sub
Based on patch from Alexandre + cleanups (s/vnet/venet/)
Signed-off-by: Dietmar Maurer diet...@proxmox.com
---
src/PVE/Firewall.pm | 10 --
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 835b26a..5cb17c7 100644
---
I sent a rework to the list. Those patches apply on top of:
commit 81a1a25884420d50fc3cc0cd68e01befeb547e7e
Author: Dietmar Maurer diet...@proxmox.com
Date: Tue May 6
I think we need PVEFW-SET-ACCEPT-MARK for groups, but we could simply use RETURN
inside tapXXXiY-OUT? Although I am not sure if we gain much speedup from that.
Ok thanks !
Please can you review them? If you think we can go that way, please add
a 'Signed-off-by' line and clean up the commit messages (remove the 'based on
patch from Alexandre' note).
This is my first review ;) I'll try to do it cleanly
- Original Message -
From: Dietmar Maurer
timeout (automatic unlock after 120 seconds).
I need something between 6-10min.
Again, you can't do that, so you need to find some workaround.
Usually it is not necessary to lock things for such a long time.
One workaround is to define an 'owner' node. We use that for VM configs.
That way you only need to hold the global lock when you create or move
VMs. For other operations it is good enough to acquire a local lock. Only the
'owner' can move a VM.
I guess you could also use rgmanager to keep a
Ok, seems to work fine:
tap->tap
tap->host
host->tap
tap->vnet0
vnet0->tap
except
vnet0->host
host->vnet0
I have blocked traffic at vnet0 level, even if I have an accept rule in vnet0...
this is strange. (I need to do more tests)
Does it work for you?
Also, I think we can do ACCEPT in
host->venet0
currently
-
-A OUTPUT -j PVEFW-OUTPUT
-A PVEFW-OUTPUT -o venet0 -j PVEFW-VENET-IN
we do accept here, so bypassing the host rules
-A PVEFW-OUTPUT -j PVEFW-HOST-OUT
-A PVEFW-HOST-OUT -p tcp -m tcp --dport
Yes, works here.
You also need to have an accept rule for the host side. Does it help if you
stop/start
sigh - sorry. I forgot to commit that change!
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index f217d40..4cefc41 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -2569,7 +2569,6 @@ sub compile {
ruleset_create_chain($ruleset, PVEFW-FWBR-OUT);
sent an updated version (only patch 7/7 changed):
[mew model rework v2 7/7] use PVEFW-VENET-IN/OUT inside PVEFW-INPUT/OUTPUT
chains
-Original Message-
From: Alexandre DERUMIER [mailto:aderum...@odiso.com]
Sent: Monday, 12 May 2014 11:54
To: Dietmar Maurer
Cc:
s/mew/new/
(sorry)
Ok, thanks, I'll test it this afternoon
- Original Message -
From: Dietmar Maurer diet...@proxmox.com
To: Alexandre DERUMIER aderum...@odiso.com
Cc: pve-devel@pve.proxmox.com
Sent: Monday 12 May 2014 12:02:43
Subject: RE: [pve-devel] venet firewall broken?
Signed-off-by: Dietmar Maurer diet...@proxmox.com
---
src/PVE/Firewall.pm | 16 +++-
1 file changed, 3 insertions(+), 13 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 8d0e187..4cefc41 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@
From: Dietmar Maurer diet...@proxmox.com
Signed-off-by: Dietmar Maurer diet...@proxmox.com
Signed-off-by: Alexandre Derumier aderum...@odiso.com
---
src/PVE/Firewall.pm | 18 --
1 file changed, 18 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index
From: Dietmar Maurer diet...@proxmox.com
Signed-off-by: Dietmar Maurer diet...@proxmox.com
Signed-off-by: Alexandre Derumier aderum...@odiso.com
---
src/PVE/Firewall.pm | 16 +++-
1 file changed, 3 insertions(+), 13 deletions(-)
diff --git a/src/PVE/Firewall.pm
Ok, all seems to work fine now:
tap->tap
tap->host
host->tap
tap->vnet0
vnet0->tap
vnet0->host
host->vnet0
An optimisation could be done in the tap-out and veth-out chains:
we can do ACCEPT instead of RETURN for these chains
(to avoid scanning all tapxxx-OUT chains in PVEFW-FWBR-OUT).
before
--
-A
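As an added example (not code from this thread or from pve-firewall), the toy model below makes the ACCEPT-versus-RETURN question raised here, and in Dietmar's PVEFW-SET-ACCEPT-MARK remark earlier, concrete: it walks a packet through a FORWARD hook laid out like the PVEFW-FORWARD hunk quoted earlier in the thread and counts how many rules are evaluated when a tapXXX-OUT chain ends with a direct ACCEPT versus MARK + RETURN followed by an accept-on-mark rule. The tap/link interface names, the dispatch layout inside PVEFW-FWBR-OUT and the number of VMs are assumptions for the illustration, not the project's real generated ruleset.

```python
"""Toy model of iptables chain traversal (added example; not PVE code).

Models -j to a user chain, terminal targets, RETURN, non-terminating MARK and
the '+' interface wildcard, enough to compare a per-VM chain (tap100i0-OUT)
that ends with ACCEPT against one that ends with MARK + RETURN and relies on a
later accept-on-mark rule.  Chain layout, tap/link names and VM count are
assumptions, not pve-firewall's real generated ruleset.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Match = Callable[["Packet"], bool]
TERMINAL = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Packet:
    in_iface: str = ""      # -i
    physdev_in: str = ""    # --physdev-in  (bridge port the frame arrived on)
    physdev_out: str = ""   # --physdev-out (bridge port it leaves on)
    ctstate: str = "NEW"    # conntrack state
    mark: int = 0           # set by -j MARK


@dataclass
class Rule:
    match: Match
    target: str             # ACCEPT/DROP/RETURN/MARK or a user chain name
    set_mark: int = 0       # used only by MARK


def iface_glob(pattern: str, value: str) -> bool:
    """iptables interface match: a trailing '+' is a prefix wildcard."""
    return value.startswith(pattern[:-1]) if pattern.endswith("+") else value == pattern


def not_in_iface(p: str) -> Match: return lambda pkt: not iface_glob(p, pkt.in_iface)
def physdev_in(p: str) -> Match: return lambda pkt: iface_glob(p, pkt.physdev_in)
def physdev_out(p: str) -> Match: return lambda pkt: iface_glob(p, pkt.physdev_out)
def ctstate(*states: str) -> Match: return lambda pkt: pkt.ctstate in states
def mark_is(m: int) -> Match: return lambda pkt: pkt.mark == m
ANY: Match = lambda pkt: True


class Ruleset:
    def __init__(self) -> None:
        self.chains: Dict[str, List[Rule]] = {}
        self.evaluated = 0                  # rules looked at by the last run()

    def add(self, chain: str, match: Match, target: str, set_mark: int = 0) -> None:
        self.chains.setdefault(chain, []).append(Rule(match, target, set_mark))

    def run(self, hook: str, pkt: Packet, policy: str = "DROP") -> str:
        """Walk a built-in chain; falling off its end yields the chain policy."""
        self.evaluated = 0
        verdict = self._walk(hook, pkt)
        return policy if verdict is None else verdict

    def _walk(self, chain: str, pkt: Packet) -> Optional[str]:
        for rule in self.chains.get(chain, []):
            self.evaluated += 1
            if not rule.match(pkt):
                continue
            if rule.target in TERMINAL:
                return rule.target          # ends traversal of the whole hook
            if rule.target == "RETURN":
                return None                 # resume in the calling chain
            if rule.target == "MARK":
                pkt.mark = rule.set_mark    # non-terminating: keep going
                continue
            verdict = self._walk(rule.target, pkt)   # -j user-chain
            if verdict is not None:
                return verdict
        return None                         # fell off the end: caller continues


TAPS = ("tap100i0", "tap101i0", "tap102i0")   # assumed VM ports on fwbr bridges


def build_forward(variant: str) -> Ruleset:
    """variant 'accept': tapXXX-OUT ends with ACCEPT; 'mark': MARK then RETURN."""
    rs = Ruleset()
    rs.add("FORWARD", ANY, "PVEFW-FORWARD")
    # PVEFW-FORWARD in the order of the hunk quoted earlier in the thread
    rs.add("PVEFW-FORWARD", not_in_iface("fwbr+"), "ACCEPT")
    rs.add("PVEFW-FORWARD", ctstate("INVALID"), "DROP")
    rs.add("PVEFW-FORWARD", ctstate("RELATED", "ESTABLISHED"), "ACCEPT")
    rs.add("PVEFW-FORWARD", physdev_in("link+"), "PVEFW-FWBR-IN")
    rs.add("PVEFW-FORWARD", physdev_out("link+"), "PVEFW-FWBR-OUT")   # assumed
    for tap in TAPS:                        # dispatch on the tap the frame came from
        rs.add("PVEFW-FWBR-OUT", physdev_in(tap), f"{tap}-OUT")
        if variant == "accept":
            rs.add(f"{tap}-OUT", ANY, "ACCEPT")
        else:
            rs.add(f"{tap}-OUT", ANY, "MARK", set_mark=1)
            rs.add(f"{tap}-OUT", ANY, "RETURN")
    if variant == "mark":                   # the accept-on-mark the RETURN style needs
        rs.add("PVEFW-FORWARD", mark_is(1), "ACCEPT")
    return rs


def evaluate(variant: str, pkt: Packet) -> Tuple[str, int]:
    """Return (verdict, number of rules evaluated) for one packet."""
    rs = build_forward(variant)
    return rs.run("FORWARD", pkt), rs.evaluated


def vm_egress(tap: str, state: str = "NEW") -> Packet:
    """Frame from VM port `tap` leaving its fwbr bridge through the link port."""
    return Packet(in_iface="fwbr100i0", physdev_in=tap, physdev_out="link100i0", ctstate=state)


if __name__ == "__main__":
    for variant in ("accept", "mark"):
        print(variant, evaluate(variant, vm_egress("tap100i0")))
    print("not via fwbr", evaluate("accept", Packet(in_iface="vmbr0")))
    print("established ", evaluate("accept", vm_egress("tap100i0", "ESTABLISHED")))
    print("unknown tap ", evaluate("accept", vm_egress("tap999i0")))
```

With three VMs the MARK + RETURN variant evaluates four more rules than the direct ACCEPT for the same accepted frame, and the gap grows with the number of tapXXX dispatch rules in PVEFW-FWBR-OUT, which is the scan the optimisation above avoids. The other probes show the two fast paths at the top of PVEFW-FORWARD (traffic that did not enter via fwbr+, and RELATED,ESTABLISHED) and that a frame from a tap with no chain falls through to the hook policy rather than being accepted.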
From: Dietmar Maurer diet...@proxmox.com
Signed-off-by: Dietmar Maurer diet...@proxmox.com
Signed-off-by: Alexandre Derumier aderum...@odiso.com
---
src/PVE/Firewall.pm |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index
currently broken with the code rebase,
we need to insert it after rule generation, or it never matches
or it never matches
Signed-off-by: Alexandre Derumier aderum...@odiso.com
---
src/PVE/Firewall.pm |7 +--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 4cefc41..47a0f93 100644
--- a/src/PVE/Firewall.pm
+++
changelog:
only go to PVEFW-IPS for established connections
or it never matches
Signed-off-by: Alexandre Derumier aderum...@odiso.com
---
src/PVE/Firewall.pm |7 +--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 4cefc41..41494c6 100644
--- a/src/PVE/Firewall.pm
+++
Ok, all seems to work fine now:
tap->tap
tap->host
host->tap
tap->vnet0
vnet0->tap
vnet0->host
host->vnet0
Maybe it's just me, but shouldn't there also have been a vnet0->vnet0
test? You tested tap->tap, and I suspect host->host won't be an issue, but
after the discussion over vnet0->vnet0
yes yes of course, it's working too for vnet0->vnet0
- Original Message -
From: Daniel Hunsaker danhunsa...@gmail.com
To: Alexandre DERUMIER aderum...@odiso.com
Cc: pve-devel@pve.proxmox.com
Sent: Monday 12 May 2014 19:13:20
Subject: Re: [pve-devel] review of dietmar patches
On Mon, 12 May 2014 03:47:39 +
Dietmar Maurer diet...@proxmox.com wrote:
It will not break anything for current setups since current setups must
already be configured to use ALL for host and target groups since this is
the
only way the current setup will work.
Yes, looks
From: Michael Rasmussen m...@datanom.net
Signed-off-by: Michael Rasmussen m...@datanom.net
---
PVE/QemuServer.pm | 27 +--
1 file changed, 25 insertions(+), 2 deletions(-)
diff --git a/PVE/QemuServer.pm b/PVE/QemuServer.pm
index 2cb2d95..c4ec8fa 100644
---
Ok, I pushed a forced update with those patches, so please do a fresh clone.
-Original Message-
From: pve-devel [mailto:pve-devel-boun...@pve.proxmox.com] On Behalf
Of Alexandre Derumier
Sent: Monday, 12 May 2014 13:33
To: pve-devel@pve.proxmox.com
Subject: [pve-devel] review of
I don't understand the problem. Why does this produce different output than the
original code?
I found 2 bugs:
1) The PVEFW-IPS chain was empty, because we test it before rule generation.
2) But also, it is missing an accept at the end of the PVEFW-IPS chain
- my $accept = ruleset_chain_exist($ruleset,
we need to match the link+ rule from the iptables rules,
and need to have a name different from link(\d+)i(\d+),
to distinguish bridge/ovs interface unplug
Signed-off-by: Alexandre Derumier aderum...@odiso.com
---
data/PVE/Network.pm |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff
We need it to match iptables rules