[SOLVED] OVS virtual interface with vlantag enable firewall can't work!

lynn_yudi
Nov 27, 2011
Hi all,

I followed this link to set up the network:
https://pve.proxmox.com/wiki/Open_vSwitch

# cat /etc/network/interfaces
# network interface settings
auto lo
iface lo inet loopback

# Bond eth0,eth1 together
allow-vmbr0 bond0
iface bond0 inet manual
        ovs_bridge vmbr0
        ovs_type OVSBond
        ovs_bonds eth0 eth1
        ovs_options bond_mode=balance-tcp lacp=active other_config:lacp-time=fast

# Bridge for our bond and vlan virtual interfaces (our VMs will
# also attach to this bridge)
auto vmbr0
allow-ovs vmbr0
iface vmbr0 inet manual
        ovs_type OVSBridge
        ovs_ports bond0 v10 v20

# pve cluster communication vlan
allow-vmbr0 v10
iface v10 inet static
        ovs_type OVSIntPort
        ovs_bridge vmbr0
        ovs_options tag=10
        ovs_extra set interface ${IFACE} external-ids:iface-id=$(hostname -s)-${IFACE}-vif
        address  10.0.0.1
        netmask  255.0.0.0
        gateway  10.0.0.254

# Ceph cluster communication vlan (jumbo frames)
allow-vmbr0 v20
iface v20 inet static
        ovs_type OVSIntPort
        ovs_bridge vmbr0
        ovs_options tag=20
        ovs_extra set interface ${IFACE} external-ids:iface-id=$(hostname -s)-${IFACE}-vif
        address 192.168.0.1
        netmask 255.255.0.0

One VM virtual interface (net1) is attached to bridge vmbr0, associated with VLAN 20, and has the firewall enabled:

# cat 254.conf
balloon: 512
bootdisk: virtio0
cores: 2
cpuunits: 100000
hotplug: 1
memory: 1024
name: t.verycloud.cn
net0: virtio=86:C9:E5:08:CF:47,bridge=vmbr0,tag=10
net1: virtio=F6:C0:97:A3:4F:2B,bridge=vmbr0,tag=20,firewall=1
onboot: 1
ostype: l26
smbios1: uuid=a7ea9d11-a55e-47e7-82d9-992cfe117a8a
sockets: 1
virtio0: local:254/vm-254-disk-1.qcow2,format=qcow2,size=16G

Now net0 works.
net1 doesn't work: it can't ping from/to any other host/VM :(
Disabling the firewall on net1 makes it work again!

Can somebody help me? Thanks very much!

PVE+OVS+Firewall, it's so very nice! Thanks a lot!
 
Re: OVS virtual interface with vlantag enable firewall can't work!

Thank you for your reply!

# cat /etc/pve/firewall/254.fw
[OPTIONS]

enable: 1

[RULES]

IN ACCEPT -source +whitelist


# cat /etc/pve/firewall/cluster.fw
[OPTIONS]

enable: 1

[IPSET whitelist]

10.0.0.0/8
192.168.0.0/16

[RULES]

IN ACCEPT -source +whitelist

# pve-firewall status
Status: enabled/running

# pve-firewall compile
exists PVEFW-0-management (poMnq+eAvH1VrQDao97ARq5U3cw)
        create PVEFW-0-management hash:net family inet hashsize 64 maxelem 64
        add PVEFW-0-management 127.0.0.0/8
exists PVEFW-0-venet0 (7SXvANyzpQ05GhFSH8HkN51VmBw)
        create PVEFW-0-venet0 hash:net family inet hashsize 64 maxelem 64
exists PVEFW-0-whitelist (ezs2PqvK9MXBGdkiZO1jDpe7XFw)
        create PVEFW-0-whitelist hash:net family inet hashsize 64 maxelem 64
        add PVEFW-0-whitelist 192.168.0.0/16
exists PVEFW-Drop (zfGV4KTPaxGVOCwRUVqqqbR0IhM)
        -A PVEFW-Drop -p tcp --dport 43 -j PVEFW-reject
        -A PVEFW-Drop -j PVEFW-DropBroadcast
        -A PVEFW-Drop -p icmp -m icmp --icmp-type fragmentation-needed -j ACCEPT
        -A PVEFW-Drop -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
        -A PVEFW-Drop -m conntrack --ctstate INVALID -j DROP
        -A PVEFW-Drop -p udp --match multiport --dports 135,445 -j DROP
        -A PVEFW-Drop -p udp --dport 137:139 -j DROP
        -A PVEFW-Drop -p udp --dport 1024:65535 --sport 137 -j DROP
        -A PVEFW-Drop -p tcp --match multiport --dports 135,139,445 -j DROP
        -A PVEFW-Drop -p udp --dport 1900 -j DROP
        -A PVEFW-Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
        -A PVEFW-Drop -p udp --sport 53 -j DROP
exists PVEFW-DropBroadcast (NyjHNAtFbkH7WGLamPpdVnxHy4w)
        -A PVEFW-DropBroadcast -m addrtype --dst-type BROADCAST -j DROP
        -A PVEFW-DropBroadcast -m addrtype --dst-type MULTICAST -j DROP
        -A PVEFW-DropBroadcast -m addrtype --dst-type ANYCAST -j DROP
        -A PVEFW-DropBroadcast -d 224.0.0.0/4 -j DROP
exists PVEFW-FORWARD (EqTnWXObv/2sm0UCQAKlplAl6+Y)
        -A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
        -A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
        -A PVEFW-FORWARD -i venet0 -m set --match-set PVEFW-0-venet0 src -j PVEFW-VENET-OUT
        -A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-in fwln+ -j PVEFW-FWBR-IN
        -A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-out fwln+ -j PVEFW-FWBR-OUT
        -A PVEFW-FORWARD -o venet0 -m set --match-set PVEFW-0-venet0 dst -j PVEFW-VENET-IN
exists PVEFW-FWBR-IN (tOuP6D11ApnSH6oC3P8vr+SWZGM)
        -A PVEFW-FWBR-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
        -A PVEFW-FWBR-IN -p tcp -j PVEFW-tcpflags
        -A PVEFW-FWBR-IN -m physdev --physdev-is-bridged --physdev-out tap254i1 -j tap254i1-IN
exists PVEFW-FWBR-OUT (OH9tVxAQm40ORNcpGk7v0OZ0ZxA)
        -A PVEFW-FWBR-OUT -m physdev --physdev-is-bridged --physdev-in tap254i1 -j tap254i1-OUT
exists PVEFW-INPUT (n2IVHj1ar7iL10I1/J3Z9ISRhUE)
        -A PVEFW-INPUT -i venet0 -m set --match-set PVEFW-0-venet0 src -j PVEFW-VENET-OUT
exists PVEFW-OUTPUT (5HX3k1Nak/ib4k+npJ1czCJoq5k)
        -A PVEFW-OUTPUT -o venet0 -m set --match-set PVEFW-0-venet0 dst -j PVEFW-VENET-IN
exists PVEFW-Reject (3gYHaSHlZx5luiKyM0oCsTVaXi4)
        -A PVEFW-Reject -p tcp --dport 43 -j PVEFW-reject
        -A PVEFW-Reject -j PVEFW-DropBroadcast
        -A PVEFW-Reject -p icmp -m icmp --icmp-type fragmentation-needed -j ACCEPT
        -A PVEFW-Reject -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
        -A PVEFW-Reject -m conntrack --ctstate INVALID -j DROP
        -A PVEFW-Reject -p udp --match multiport --dports 135,445 -j PVEFW-reject
        -A PVEFW-Reject -p udp --dport 137:139 -j PVEFW-reject
        -A PVEFW-Reject -p udp --dport 1024:65535 --sport 137 -j PVEFW-reject
        -A PVEFW-Reject -p tcp --match multiport --dports 135,139,445 -j PVEFW-reject
        -A PVEFW-Reject -p udp --dport 1900 -j DROP
        -A PVEFW-Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
        -A PVEFW-Reject -p udp --sport 53 -j DROP
exists PVEFW-SET-ACCEPT-MARK (+w0L1XZmxcTeIy7fBeEAzPUQMiY)
        -A PVEFW-SET-ACCEPT-MARK -j MARK --set-mark 1
exists PVEFW-VENET-IN (GFBN4C7s42EA8MzpKIvJzALK5Sg)
        -A PVEFW-VENET-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
        -A PVEFW-VENET-IN -p tcp -j PVEFW-tcpflags
exists PVEFW-VENET-OUT (2jmj7l5rSw0yVb/vlWAYkK/YBwk)
exists PVEFW-logflags (M6AZ5liyPd5yBMzJkVe2pC3g4C8)
        -A PVEFW-logflags -j NFLOG --nflog-prefix ":0:7:PVEFW-logflags: DROP: "
        -A PVEFW-logflags -j DROP
exists PVEFW-reject (KM/fOv4KvGn8XvMqxoiRCdvlji8)
        -A PVEFW-reject -m addrtype --dst-type BROADCAST -j DROP
        -A PVEFW-reject -s 224.0.0.0/4 -j DROP
        -A PVEFW-reject -p icmp -j DROP
        -A PVEFW-reject -p tcp -j REJECT --reject-with tcp-reset
        -A PVEFW-reject -p udp -j REJECT --reject-with icmp-port-unreachable
        -A PVEFW-reject -p icmp -j REJECT --reject-with icmp-host-unreachable
        -A PVEFW-reject -j REJECT --reject-with icmp-host-prohibited
exists PVEFW-smurflog (d9YbmH6rFEMMIfhSj79mnIalVtg)
        -A PVEFW-smurflog -j NFLOG --nflog-prefix ":0:7:PVEFW-smurflog: DROP: "
        -A PVEFW-smurflog -j DROP
exists PVEFW-smurfs (HssVe5QCBXd5mc9kC88749+7fag)
        -A PVEFW-smurfs -s 0.0.0.0/32 -j RETURN
        -A PVEFW-smurfs -m addrtype --src-type BROADCAST -g PVEFW-smurflog
        -A PVEFW-smurfs -s 224.0.0.0/4 -g PVEFW-smurflog
exists PVEFW-tcpflags (CMFojwNPqllyqD67NeI5m+bP5mo)
        -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags
        -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags
        -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags
        -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags
        -A PVEFW-tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags
exists tap254i1-IN (skbozrVoB4MeDvZatV258/fd2xo)
        -A tap254i1-IN -p udp --dport 68 --sport 67 -j ACCEPT
        -A tap254i1-IN -m set --match-set PVEFW-0-whitelist src -j ACCEPT
        -A tap254i1-IN -j PVEFW-Drop
        -A tap254i1-IN -j DROP
exists tap254i1-OUT (PywYNY5G3b5tuH7mlmGQGH/YkLc)
        -A tap254i1-OUT -p udp --dport 67 --sport 68 -g PVEFW-SET-ACCEPT-MARK
        -A tap254i1-OUT -m mac ! --mac-source F6:C0:97:A3:4F:2B -j DROP
        -A tap254i1-OUT -j MARK --set-mark 0
        -A tap254i1-OUT -g PVEFW-SET-ACCEPT-MARK
no changes


# pveversion -v
proxmox-ve-2.6.32: 3.3-139 (running kernel: 3.10.0-5-pve)
pve-manager: 3.3-6 (running version: 3.3-6/a77e8a2d)
pve-kernel-3.10.0-5-pve: 3.10.0-19
pve-kernel-2.6.32-33-pve: 2.6.32-138
pve-kernel-2.6.32-34-pve: 2.6.32-139
lvm2: 2.02.98-pve4
clvm: 2.02.98-pve4
corosync-pve: 1.4.7-1
openais-pve: 1.1.4-3
libqb0: 0.11.1-2
redhat-cluster-pve: 3.2.0-2
resource-agents-pve: 3.9.2-4
fence-agents-pve: 4.0.10-1
pve-cluster: 3.0-15
qemu-server: 3.3-4
pve-firmware: 1.1-3
libpve-common-perl: 3.0-19
libpve-access-control: 3.0-15
libpve-storage-perl: 3.0-26
pve-libspice-server1: 0.12.4-3
vncterm: 1.1-8
vzctl: 4.0-1pve6
vzprocps: 2.0.11-2
vzquota: 3.1-2
pve-qemu-kvm: 2.1-10
ksm-control-daemon: 1.1-1
glusterfs-client: 3.5.2-1
 
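The compiled tap254i1-IN chain in the output above is short enough to model: accept DHCP replies (udp 67 to 68), accept anything whose source is in +whitelist, otherwise drop. As an added example, not Proxmox's code or the poster's, the following POSIX shell resolves +whitelist from the [IPSET whitelist] section of the cluster.fw shown above and returns that chain's verdict for a given packet, which shows that the host's v20 address 192.168.0.1 would be accepted by the rules as compiled. Function names are my own, the CIDR test is plain awk arithmetic, and the ICMP exceptions inside PVEFW-Drop (fragmentation-needed, time-exceeded) are left out of the model.

```shell
#!/bin/sh
# Added example, not Proxmox code: model the verdict of the compiled tap254i1-IN chain
# (DHCP reply ACCEPT, then "IN ACCEPT -source +whitelist", then DROP) for a given
# packet, resolving +whitelist from the [IPSET whitelist] section of a .fw file.
# The firewall text is the poster's cluster.fw, embedded so the block runs offline.

CLUSTER_FW='[OPTIONS]

enable: 1

[IPSET whitelist]

10.0.0.0/8
192.168.0.0/16

[RULES]

IN ACCEPT -source +whitelist
'

# Print the entries of one [IPSET name] section of a .fw file read from stdin
# (blank lines and # comments skipped; an entry may carry a leading "!" nomatch flag).
ipset_entries() {
    awk -v want="[IPSET $1]" '
        /^\[/ { insec = ($0 == want); next }
        insec && NF && $1 !~ /^#/ { print $1 }'
}

# Exit 0 when IP (dotted quad) lies inside CIDR (a.b.c.d/len; /32 if no length).
# Integer math only, so it needs neither ipcalc nor gawk bit operators.
in_cidr() {
    awk -v ip="$1" -v cidr="$2" '
        function ip2n(s,  o) { split(s, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
        BEGIN {
            n = split(cidr, p, "/"); len = (n == 2) ? p[2] + 0 : 32
            unit = 2 ^ (32 - len)              # drop the host bits by integer division
            exit int(ip2n(ip) / unit) != int(ip2n(p[1]) / unit)
        }'
}

# Exit 0 when IP is matched by the named ipset; a "!" entry excludes, like ipset nomatch.
# usage: ipset_match SETNAME IP < file.fw
ipset_match() {
    ip=$2; hit=1
    for e in $(ipset_entries "$1"); do
        case $e in
            "!"*) in_cidr "$ip" "${e#!}" && return 1 ;;
            *)    in_cidr "$ip" "$e" && hit=0 ;;
        esac
    done
    return $hit
}

# Verdict of the modelled tap254i1-IN chain for a packet heading into the VM NIC.
# usage: vm_in_verdict PROTO SPORT DPORT SRC_IP < file.fw
vm_in_verdict() {
    if [ "$1" = udp ] && [ "$2" = 67 ] && [ "$3" = 68 ]; then
        echo ACCEPT      # -p udp --dport 68 --sport 67 -j ACCEPT
    elif ipset_match whitelist "$4"; then
        echo ACCEPT      # -m set --match-set PVEFW-0-whitelist src -j ACCEPT
    else
        echo DROP        # -j PVEFW-Drop (its ICMP exceptions not modelled), then -j DROP
    fi
}

# Stand-alone run: the host's v20 address is whitelisted, an outside address is not.
printf '%s' "$CLUSTER_FW" | vm_in_verdict icmp 0 0 192.168.0.1
printf '%s' "$CLUSTER_FW" | vm_in_verdict tcp 44321 22 203.0.113.9
```

On a real node, replace the embedded text with `< /etc/pve/firewall/cluster.fw`; the verdict for 192.168.0.1 is ACCEPT, so a ping that still fails is being lost before iptables sees it.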
Re: OVS virtual interface with vlantag enable firewall can't work!

yes,

# ovs-vsctl show
6e92728c-e57a-4886-85a5-e050bbb4d50f
    Bridge "vmbr0"
        Port "v20"
            tag: 20
            Interface "v20"
                type: internal
        Port "vmbr0"
            Interface "vmbr0"
                type: internal
        Port "tap254i0"
            tag: 10
            Interface "tap254i0"
        Port "fwln254o1"
            tag: 20
            Interface "fwln254o1"
                type: internal
        Port "v10"
            tag: 10
            Interface "v10"
                type: internal
        Port "bond0"
            Interface "eth0"
            Interface "eth1"
    ovs_version: "2.3.0"
# brctl show
bridge name     bridge id               STP enabled     interfaces
fwbr254i1               8000.f262aba4c3ab       no              fwln254o1
                                                        tap254i1

Sorry, just garbled! :(
 
Re: OVS virtual interface with vlantag enable firewall can't work!

Also, when I enable the host firewall, the rules can't be applied:

# cat /etc/pve/nodes/t1/host.fw
[OPTIONS]

log_level_in: debug
enable: 1
tcp_flags_log_level: debug
log_level_out: debug
tcpflags: 1
smurf_log_level: debug

[RULES]

IN ACCEPT -source +whitelist

# pve-firewall status
Status: enabled/running (pending changes)

The status always shows pending changes :(

# pve-firewall compile
exists PVEFW-0-management (poMnq+eAvH1VrQDao97ARq5U3cw)
        create PVEFW-0-management hash:net family inet hashsize 64 maxelem 64
        add PVEFW-0-management 127.0.0.0/8
exists PVEFW-0-venet0 (7SXvANyzpQ05GhFSH8HkN51VmBw)
        create PVEFW-0-venet0 hash:net family inet hashsize 64 maxelem 64
exists PVEFW-0-whitelist (SNwDrPb7Tf7jcA9JznY6oUrbLfw)
        create PVEFW-0-whitelist hash:net family inet hashsize 64 maxelem 64
        add PVEFW-0-whitelist 10.0.0.0/8
        add PVEFW-0-whitelist 192.168.0.0/16
exists PVEFW-Drop (zfGV4KTPaxGVOCwRUVqqqbR0IhM)
        -A PVEFW-Drop -p tcp --dport 43 -j PVEFW-reject
        -A PVEFW-Drop -j PVEFW-DropBroadcast
        -A PVEFW-Drop -p icmp -m icmp --icmp-type fragmentation-needed -j ACCEPT
        -A PVEFW-Drop -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
        -A PVEFW-Drop -m conntrack --ctstate INVALID -j DROP
        -A PVEFW-Drop -p udp --match multiport --dports 135,445 -j DROP
        -A PVEFW-Drop -p udp --dport 137:139 -j DROP
        -A PVEFW-Drop -p udp --dport 1024:65535 --sport 137 -j DROP
        -A PVEFW-Drop -p tcp --match multiport --dports 135,139,445 -j DROP
        -A PVEFW-Drop -p udp --dport 1900 -j DROP
        -A PVEFW-Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
        -A PVEFW-Drop -p udp --sport 53 -j DROP
exists PVEFW-DropBroadcast (NyjHNAtFbkH7WGLamPpdVnxHy4w)
        -A PVEFW-DropBroadcast -m addrtype --dst-type BROADCAST -j DROP
        -A PVEFW-DropBroadcast -m addrtype --dst-type MULTICAST -j DROP
        -A PVEFW-DropBroadcast -m addrtype --dst-type ANYCAST -j DROP
        -A PVEFW-DropBroadcast -d 224.0.0.0/4 -j DROP
exists PVEFW-FORWARD (EqTnWXObv/2sm0UCQAKlplAl6+Y)
        -A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
        -A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
        -A PVEFW-FORWARD -i venet0 -m set --match-set PVEFW-0-venet0 src -j PVEFW-VENET-OUT
        -A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-in fwln+ -j PVEFW-FWBR-IN
        -A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-out fwln+ -j PVEFW-FWBR-OUT
        -A PVEFW-FORWARD -o venet0 -m set --match-set PVEFW-0-venet0 dst -j PVEFW-VENET-IN
exists PVEFW-FWBR-IN (tOuP6D11ApnSH6oC3P8vr+SWZGM)
        -A PVEFW-FWBR-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
        -A PVEFW-FWBR-IN -p tcp -j PVEFW-tcpflags
        -A PVEFW-FWBR-IN -m physdev --physdev-is-bridged --physdev-out tap254i1 -j tap254i1-IN
exists PVEFW-FWBR-OUT (OH9tVxAQm40ORNcpGk7v0OZ0ZxA)
        -A PVEFW-FWBR-OUT -m physdev --physdev-is-bridged --physdev-in tap254i1 -j tap254i1-OUT
update PVEFW-HOST-IN (NHIsb3kSxhAFvCEyUs0QVl75tew)
        -A PVEFW-HOST-IN -i lo -j ACCEPT
        -A PVEFW-HOST-IN -m conntrack --ctstate INVALID -j DROP
        -A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
        -A PVEFW-HOST-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
        -A PVEFW-HOST-IN -p tcp -j PVEFW-tcpflags
        -A PVEFW-HOST-IN -p igmp -j RETURN
        -A PVEFW-HOST-IN -m set --match-set PVEFW-0-whitelist src -j RETURN
        -A PVEFW-HOST-IN -m set --match-set PVEFW-0-whitelist src -j RETURN
        -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management src -p tcp --dport 8006 -j RETURN
        -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management src -p tcp --dport 5900:5999 -j RETURN
        -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management src -p tcp --dport 3128 -j RETURN
        -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management src -p tcp --dport 22 -j RETURN
        -A PVEFW-HOST-IN -j PVEFW-Drop
        -A PVEFW-HOST-IN -j NFLOG --nflog-prefix ":0:7:PVEFW-HOST-IN: policy DROP: "
        -A PVEFW-HOST-IN -j DROP
exists PVEFW-HOST-OUT (mvWnVSg4LVpOargCkmlyZynb8OY)
        -A PVEFW-HOST-OUT -o lo -j ACCEPT
        -A PVEFW-HOST-OUT -m conntrack --ctstate INVALID -j DROP
        -A PVEFW-HOST-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
        -A PVEFW-HOST-OUT -p igmp -j RETURN
        -A PVEFW-HOST-OUT -j RETURN
exists PVEFW-INPUT (BzyYmT9DMHVl0mK5gEk9RnLGABY)
        -A PVEFW-INPUT -i venet0 -m set --match-set PVEFW-0-venet0 src -j PVEFW-VENET-OUT
        -A PVEFW-INPUT -j PVEFW-HOST-IN
exists PVEFW-OUTPUT (XDfaZCom19bXI72jfvIdmv5V9DM)
        -A PVEFW-OUTPUT -j PVEFW-HOST-OUT
        -A PVEFW-OUTPUT -o venet0 -m set --match-set PVEFW-0-venet0 dst -j PVEFW-VENET-IN
exists PVEFW-Reject (3gYHaSHlZx5luiKyM0oCsTVaXi4)
        -A PVEFW-Reject -p tcp --dport 43 -j PVEFW-reject
        -A PVEFW-Reject -j PVEFW-DropBroadcast
        -A PVEFW-Reject -p icmp -m icmp --icmp-type fragmentation-needed -j ACCEPT
        -A PVEFW-Reject -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
        -A PVEFW-Reject -m conntrack --ctstate INVALID -j DROP
        -A PVEFW-Reject -p udp --match multiport --dports 135,445 -j PVEFW-reject
        -A PVEFW-Reject -p udp --dport 137:139 -j PVEFW-reject
        -A PVEFW-Reject -p udp --dport 1024:65535 --sport 137 -j PVEFW-reject
        -A PVEFW-Reject -p tcp --match multiport --dports 135,139,445 -j PVEFW-reject
        -A PVEFW-Reject -p udp --dport 1900 -j DROP
        -A PVEFW-Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
        -A PVEFW-Reject -p udp --sport 53 -j DROP
exists PVEFW-SET-ACCEPT-MARK (+w0L1XZmxcTeIy7fBeEAzPUQMiY)
        -A PVEFW-SET-ACCEPT-MARK -j MARK --set-mark 1
exists PVEFW-VENET-IN (GFBN4C7s42EA8MzpKIvJzALK5Sg)
        -A PVEFW-VENET-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
        -A PVEFW-VENET-IN -p tcp -j PVEFW-tcpflags
exists PVEFW-VENET-OUT (2jmj7l5rSw0yVb/vlWAYkK/YBwk)
exists PVEFW-logflags (M6AZ5liyPd5yBMzJkVe2pC3g4C8)
        -A PVEFW-logflags -j NFLOG --nflog-prefix ":0:7:PVEFW-logflags: DROP: "
        -A PVEFW-logflags -j DROP
exists PVEFW-reject (KM/fOv4KvGn8XvMqxoiRCdvlji8)
        -A PVEFW-reject -m addrtype --dst-type BROADCAST -j DROP
        -A PVEFW-reject -s 224.0.0.0/4 -j DROP
        -A PVEFW-reject -p icmp -j DROP
        -A PVEFW-reject -p tcp -j REJECT --reject-with tcp-reset
        -A PVEFW-reject -p udp -j REJECT --reject-with icmp-port-unreachable
        -A PVEFW-reject -p icmp -j REJECT --reject-with icmp-host-unreachable
        -A PVEFW-reject -j REJECT --reject-with icmp-host-prohibited
exists PVEFW-smurflog (d9YbmH6rFEMMIfhSj79mnIalVtg)
        -A PVEFW-smurflog -j NFLOG --nflog-prefix ":0:7:PVEFW-smurflog: DROP: "
        -A PVEFW-smurflog -j DROP
exists PVEFW-smurfs (HssVe5QCBXd5mc9kC88749+7fag)
        -A PVEFW-smurfs -s 0.0.0.0/32 -j RETURN
        -A PVEFW-smurfs -m addrtype --src-type BROADCAST -g PVEFW-smurflog
        -A PVEFW-smurfs -s 224.0.0.0/4 -g PVEFW-smurflog
exists PVEFW-tcpflags (CMFojwNPqllyqD67NeI5m+bP5mo)
        -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags
        -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags
        -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags
        -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags
        -A PVEFW-tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags
exists tap254i1-IN (EYxkFm675nKh5dHHXleDzN86e5g)
        -A tap254i1-IN -p udp --dport 68 --sport 67 -j ACCEPT
        -A tap254i1-IN -m set --match-set PVEFW-0-whitelist src -j ACCEPT
        -A tap254i1-IN -j PVEFW-Drop
        -A tap254i1-IN -j NFLOG --nflog-prefix ":254:7:tap254i1-IN: policy DROP: "
        -A tap254i1-IN -j DROP
exists tap254i1-OUT (PywYNY5G3b5tuH7mlmGQGH/YkLc)
        -A tap254i1-OUT -p udp --dport 67 --sport 68 -g PVEFW-SET-ACCEPT-MARK
        -A tap254i1-OUT -m mac ! --mac-source F6:C0:97:A3:4F:2B -j DROP
        -A tap254i1-OUT -j MARK --set-mark 0
        -A tap254i1-OUT -g PVEFW-SET-ACCEPT-MARK
detected changes
 
Re: OVS virtual interface with vlantag enable firewall can't work!

There is no log for the firewall-enabled VM (IP: 192.168.0.200).

On the host, using tcpdump on v20, I got this:
17:26:47.624478 ARP, Request who-has 192.168.0.200 tell 192.168.0.1, length 28

In the VM, using tcpdump on eth0, I got this:
17:30:39.997437 ARP, Request who-has 192.168.0.1 tell 192.168.0.200, length 28
 
Re: OVS virtual interface with vlantag enable firewall can't work!

There is no log for the firewall-enabled VM (IP: 192.168.0.200).

On the host, using tcpdump on v20, I got this:
17:26:47.624478 ARP, Request who-has 192.168.0.200 tell 192.168.0.1, length 28

In the VM, using tcpdump on eth0, I got this:
17:30:39.997437 ARP, Request who-has 192.168.0.1 tell 192.168.0.200, length 28

So these are the ARP requests, and you only see them from the source.
I don't think it's related to the firewall itself, because currently we don't filter layer 2 and ARP.

The only thing that changes is that when the firewall is enabled, with OVS, a new Linux bridge is created between OVS and the VM interface.
(That's shown in brctl show and ovs-vsctl show.)

vmbr0(ovs)<---fwln254o1(ovsint)----fwbr254i1(linuxbridge)---->tap254i1

Do you have the problem only between the VM and the host?
Or also between 2 VMs on the same VLAN?

(Also, do you use kernel 2.6.32 or 3.10?)
 
Re: OVS virtual interface with vlantag enable firewall can't work!

@spirit: Seems the rules are not correctly applied (pending changes in PVEFW-HOST-IN)?
 
Re: OVS virtual interface with vlantag enable firewall can't work!

So these are the ARP requests, and you only see them from the source.
I don't think it's related to the firewall itself, because currently we don't filter layer 2 and ARP.

Yes. I just verified that the network can't work; they can't ping each other.

The only thing that changes is that when the firewall is enabled, with OVS, a new Linux bridge is created between OVS and the VM interface.
(That's shown in brctl show and ovs-vsctl show.)

vmbr0(ovs)<---fwln254o1(ovsint)----fwbr254i1(linuxbridge)---->tap254i1

Do you have the problem only between the VM and the host?
No problem when I disable the VM firewall (disable the firewall of the vNIC from the PVE GUI); they can ping each other.

Or also between 2 VMs on the same VLAN?
On the same VLAN.

(Also, do you use kernel 2.6.32 or 3.10?)
# pveversion
pve-manager/3.3-6/a77e8a2d (running kernel: 3.10.0-5-pve)
 
Re: OVS virtual interface with vlantag enable firewall can't work!

@spirit: Seems the rules are not correctly applied (pending changes in PVEFW-HOST-IN)?
Enabling the host firewall, the rules can't be applied
......

This is the second problem!
 
Re: OVS virtual interface with vlantag enable firewall can't work!

Hi,

I have tested with kernels 2.6.32-34-pve and 3.10.0-5-pve; the result is the same!

Since PVE 3.3, I have never tested it successfully. :mad:

I'm sure this is a bug! :(

Thanks...
 
Re: OVS virtual interface with vlantag enable firewall can't work!

Hi,

I'll try to reproduce your setup in my lab.

Just to be sure it's not firewall related,

can you do

/etc/init.d/pve-firewall stop

(to flush iptables rules)

and keep the firewall enabled on the VM interface (to have the fwbr Linux bridge)

and check if it's working or not.
 
Re: OVS virtual interface with vlantag enable firewall can't work!

Hi,

I'll try to reproduce your setup in my lab.

Just to be sure it's not firewall related,

can you do

/etc/init.d/pve-firewall stop

(to flush iptables rules)
# pve-firewall status
Status: enabled/stopped

# iptables -vnL       
Chain INPUT (policy ACCEPT 42421 packets, 8027K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 43383 packets, 17M bytes)
 pkts bytes target     prot opt in     out     source               destination


and keep the firewall enabled on the VM interface (to have the fwbr Linux bridge)

Yes,
# ovs-vsctl show
f46702a2-f373-42d2-86e4-a861664d4a66
    Bridge "vmbr0"
        Port "vmbr0"
            Interface "vmbr0"
                type: internal
        Port "bond0"
            Interface "eth0"
            Interface "eth1"
        Port "v10"
            tag: 10
            Interface "v10"
                type: internal
        Port "v20"
            tag: 20
            Interface "v20"
                type: internal
        Port "tap254i0"
            tag: 10
            Interface "tap254i0"
        Port "fwln254o1"
            tag: 20
            Interface "fwln254o1"
                type: internal
    ovs_version: "2.3.0"

and check if it's working or not.
The same issue as above: it's not working.
 
Re: OVS virtual interface with vlantag enable firewall can't work!

Hi,

I'll try to reproduce your setup in my lab.

Just to be sure it's not firewall related,

Hi spirit,
Have you tried to reproduce and test it?

Thank you very much!
 
Re: OVS virtual interface with vlantag enable firewall can't work!

Hi spirit,
Have you tried to reproduce and test it?

Thank you very much!

Hi, sorry for the delay.

I'm able to reproduce your problem.

In my case, it is the fwln254o1 interface which is not up.
(Maybe this is a regression from the latest openvswitch.)

Can you try:
# ethtool fwln254o1

to see the status (link detected: yes/no)
and

# ip link set fwln254o1 up

to enable it.
 
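Spirit's diagram (vmbr0 <- fwln254o1 <- fwbr254i1 <- tap254i1) and the fix above (ethtool / ip link set fwln254o1 up) can be turned into one check. The following POSIX shell is an added example, not Proxmox code: it reads `ip -o link show` text, verifies that the tap and the fwln port of one VM NIC are both enslaved to the fwbr bridge, lists fwln ports that are administratively down, and prints (or with APPLY=1 runs) the ip link repair. The sample `ip -o link show` output is constructed to mirror the symptom, not captured from the poster's host, and the function names are my own.

```shell
#!/bin/sh
# Added diagnostic for the firewall path spirit describes:
#   vmbr0 (OVS) <- fwln<VMID>o<NET> (OVS internal port) - fwbr<VMID>i<NET> (Linux bridge) -> tap<VMID>i<NET>
# This is not Proxmox code. It reads `ip -o link show` text; the sample below is
# constructed to mirror the symptom (fwln254o1 administratively DOWN), not captured
# from the poster's host.

SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default
5: v20: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN mode DEFAULT group default
12: tap254i1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master fwbr254i1 state UNKNOWN mode DEFAULT group default qlen 500
13: fwbr254i1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
14: fwln254o1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop master fwbr254i1 state DOWN mode DEFAULT group default'

# List fwln* ports whose flag set lacks UP (administratively down), reading
# `ip -o link show` text from stdin. A down port passes nothing, ARP included,
# which is why the VM looked unreachable although iptables never filters layer 2.
down_fwln_links() {
    awk -F': ' '$2 ~ /^fwln/ {
        split($3, f, " ")                  # f[1] is the <FLAGS> field
        if (f[1] !~ /[<,]UP[,>]/) print $2
    }'
}

# Check that every leg of one VM NIC path exists in the `ip -o link show` text:
# the tap and the fwln port must both be enslaved ("master") to the fwbr bridge.
# Prints "ok" or the first missing leg.  usage: fw_path_status VMID NET < ip-link-text
fw_path_status() {
    awk -F': ' -v tap="tap${1}i${2}" -v fwln="fwln${1}o${2}" -v fwbr="fwbr${1}i${2}" '
        $2 == tap  && $3 ~ ("master " fwbr " ") { tap_ok = 1 }
        $2 == fwln && $3 ~ ("master " fwbr " ") { fwln_ok = 1 }
        $2 == fwbr                               { fwbr_ok = 1 }
        END {
            if (!fwbr_ok)      print "missing " fwbr
            else if (!tap_ok)  print tap " not enslaved to " fwbr
            else if (!fwln_ok) print fwln " not enslaved to " fwbr
            else               print "ok"
        }'
}

# Print (or, with APPLY=1, run) the repair spirit gave for each down fwln port.
repair_down_fwln() {
    down_fwln_links | while read -r ifname; do
        if [ "${APPLY:-0}" = 1 ]; then
            ip link set "$ifname" up
        else
            echo "ip link set $ifname up"
        fi
    done
}

# Stand-alone run on the constructed sample. On a real node:
#   ip -o link show | fw_path_status 254 1
#   APPLY=1; ip -o link show | repair_down_fwln
printf '%s\n' "$SAMPLE_IP_LINK" | fw_path_status 254 1
printf '%s\n' "$SAMPLE_IP_LINK" | repair_down_fwln
```

On a real node, pipe `ip -o link show` into the functions instead of the sample: check the path first, apply the repair, then re-run the check and the ping.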
Re: OVS virtual interface with vlantag enable firewall can't work!

Hi, sorry for the delay.

I'm able to reproduce your problem.

In my case, it is the fwln254o1 interface which is not up.
(Maybe this is a regression from the latest openvswitch.)

Can you try:
# ethtool fwln254o1

to see the status (link detected: yes/no)
and

# ip link set fwln254o1 up

to enable it.

Yes, got it! Everything works!

Thanks to all the PVE devs!
 
Re: OVS virtual interface with vlantag enable firewall can't work!

Great :)

Thanks for the bug report!

I have sent a patch here:
http://pve.proxmox.com/pipermail/pve-devel/2014-December/013638.html

You can apply it on /usr/share/perl5/PVE/Network.pm

Yes, I have used it! Thank you a lot again!

But another issue: see #6

Enabling the host firewall, the rules can't be applied

# pve-firewall status
Status: enabled/running (pending changes)

The status always shows pending changes

......

What do you think the problem is?

 
