[SOLVED] OVS virtual interface with vlantag enable firewall can't work!

Re: OVS virtual interface with vlantag enable firewall can't work!

Yes, I have used it! Thank you a lot again!

But another issue: see #6

Enabled the host firewall, it can't apply the rules

# pve-firewall status
Status: enabled/running (pending changes)

The status always says pending changes

......

what do you think the problem is?


Works fine here for me.

Can you send the result of

#ipset save
#iptables-save
 
Re: OVS virtual interface with vlantag enable firewall can't work!

#ipset save
create PVEFW-0-management hash:net family inet hashsize 64 maxelem 64 
add PVEFW-0-management 127.0.0.0/8
create PVEFW-0-venet0 hash:net family inet hashsize 64 maxelem 64 
create PVEFW-0-whitelist hash:net family inet hashsize 64 maxelem 64 
add PVEFW-0-whitelist 10.0.0.0/8
add PVEFW-0-whitelist 192.168.0.0/16

# ipset list
Name: PVEFW-0-management
Type: hash:net
Header: family inet hashsize 64 maxelem 64 
Size in memory: 1456
References: 4
Members:
127.0.0.0/8

Name: PVEFW-0-venet0
Type: hash:net
Header: family inet hashsize 64 maxelem 64 
Size in memory: 1424
References: 4
Members:

Name: PVEFW-0-whitelist
Type: hash:net
Header: family inet hashsize 64 maxelem 64 
Size in memory: 1488
References: 3
Members:
10.0.0.0/8
192.168.0.0/16

#iptables-save
# Generated by iptables-save v1.4.14 on Thu Dec 11 14:29:36 2014
*filter
:INPUT ACCEPT [9484:2024379]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [9525:1845554]
:PVEFW-Drop - [0:0]
:PVEFW-DropBroadcast - [0:0]
:PVEFW-FORWARD - [0:0]
:PVEFW-FWBR-IN - [0:0]
:PVEFW-FWBR-OUT - [0:0]
:PVEFW-HOST-IN - [0:0]
:PVEFW-HOST-OUT - [0:0]
:PVEFW-INPUT - [0:0]
:PVEFW-OUTPUT - [0:0]
:PVEFW-Reject - [0:0]
:PVEFW-SET-ACCEPT-MARK - [0:0]
:PVEFW-VENET-IN - [0:0]
:PVEFW-VENET-OUT - [0:0]
:PVEFW-logflags - [0:0]
:PVEFW-reject - [0:0]
:PVEFW-smurflog - [0:0]
:PVEFW-smurfs - [0:0]
:PVEFW-tcpflags - [0:0]
:tap202i0-IN - [0:0]
:tap202i0-OUT - [0:0]
:tap254i1-IN - [0:0]
:tap254i1-OUT - [0:0]
-A INPUT -j PVEFW-INPUT
-A FORWARD -j PVEFW-FORWARD
-A OUTPUT -j PVEFW-OUTPUT
-A PVEFW-Drop -p tcp -m tcp --dport 43 -j PVEFW-reject
-A PVEFW-Drop -j PVEFW-DropBroadcast
-A PVEFW-Drop -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A PVEFW-Drop -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PVEFW-Drop -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Drop -p udp -m multiport --dports 135,445 -j DROP
-A PVEFW-Drop -p udp -m udp --dport 137:139 -j DROP
-A PVEFW-Drop -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
-A PVEFW-Drop -p tcp -m multiport --dports 135,139,445 -j DROP
-A PVEFW-Drop -p udp -m udp --dport 1900 -j DROP
-A PVEFW-Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Drop -p udp -m udp --sport 53 -j DROP
-A PVEFW-Drop -m comment --comment "PVESIG:zfGV4KTPaxGVOCwRUVqqqbR0IhM"
-A PVEFW-DropBroadcast -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type MULTICAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type ANYCAST -j DROP
-A PVEFW-DropBroadcast -d 224.0.0.0/4 -j DROP
-A PVEFW-DropBroadcast -m comment --comment "PVESIG:NyjHNAtFbkH7WGLamPpdVnxHy4w"
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -i venet0 -m set --match-set PVEFW-0-venet0 src -j PVEFW-VENET-OUT
-A PVEFW-FORWARD -m physdev --physdev-in fwln+ --physdev-is-bridged -j PVEFW-FWBR-IN
-A PVEFW-FORWARD -m physdev --physdev-out fwln+ --physdev-is-bridged -j PVEFW-FWBR-OUT
-A PVEFW-FORWARD -o venet0 -m set --match-set PVEFW-0-venet0 dst -j PVEFW-VENET-IN
-A PVEFW-FORWARD -m comment --comment "PVESIG:EqTnWXObv/2sm0UCQAKlplAl6+Y"
-A PVEFW-FWBR-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-FWBR-IN -p tcp -j PVEFW-tcpflags
-A PVEFW-FWBR-IN -m physdev --physdev-out tap202i0 --physdev-is-bridged -j tap202i0-IN
-A PVEFW-FWBR-IN -m physdev --physdev-out tap254i1 --physdev-is-bridged -j tap254i1-IN
-A PVEFW-FWBR-IN -m comment --comment "PVESIG:FIX4nOdznERIV/l0ypa+9fu/J6U"
-A PVEFW-FWBR-OUT -m physdev --physdev-in tap202i0 --physdev-is-bridged -j tap202i0-OUT
-A PVEFW-FWBR-OUT -m physdev --physdev-in tap254i1 --physdev-is-bridged -j tap254i1-OUT
-A PVEFW-FWBR-OUT -m comment --comment "PVESIG:JFyV6PNQRbTo1JIH5wlrwpQGaVY"
-A PVEFW-HOST-IN -i lo -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-HOST-IN -p tcp -j PVEFW-tcpflags
-A PVEFW-HOST-IN -p igmp -j RETURN
-A PVEFW-HOST-IN -m set --match-set PVEFW-0-whitelist src -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management src -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management src -m tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management src -m tcp --dport 3128 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management src -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-IN -j PVEFW-Drop
-A PVEFW-HOST-IN -j NFLOG --nflog-prefix  ":0:7:PVEFW-HOST-IN: policy DROP: "
-A PVEFW-HOST-IN -j DROP
-A PVEFW-HOST-IN -m comment --comment "PVESIG:hJXQQlGbL9ljwjQ/YCJWl4wEsjQ"
-A PVEFW-HOST-OUT -o lo -j ACCEPT
-A PVEFW-HOST-OUT -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-OUT -p igmp -j RETURN
-A PVEFW-HOST-OUT -j RETURN
-A PVEFW-HOST-OUT -m comment --comment "PVESIG:mvWnVSg4LVpOargCkmlyZynb8OY"
-A PVEFW-INPUT -i venet0 -m set --match-set PVEFW-0-venet0 src -j PVEFW-VENET-OUT
-A PVEFW-INPUT -j PVEFW-HOST-IN
-A PVEFW-INPUT -m comment --comment "PVESIG:BzyYmT9DMHVl0mK5gEk9RnLGABY"
-A PVEFW-OUTPUT -j PVEFW-HOST-OUT
-A PVEFW-OUTPUT -o venet0 -m set --match-set PVEFW-0-venet0 dst -j PVEFW-VENET-IN
-A PVEFW-OUTPUT -m comment --comment "PVESIG:XDfaZCom19bXI72jfvIdmv5V9DM"
-A PVEFW-Reject -p tcp -m tcp --dport 43 -j PVEFW-reject
-A PVEFW-Reject -j PVEFW-DropBroadcast
-A PVEFW-Reject -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A PVEFW-Reject -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PVEFW-Reject -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Reject -p udp -m multiport --dports 135,445 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --dport 137:139 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --sport 137 --dport 1024:65535 -j PVEFW-reject
-A PVEFW-Reject -p tcp -m multiport --dports 135,139,445 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --dport 1900 -j DROP
-A PVEFW-Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Reject -p udp -m udp --sport 53 -j DROP
-A PVEFW-Reject -m comment --comment "PVESIG:3gYHaSHlZx5luiKyM0oCsTVaXi4"
-A PVEFW-SET-ACCEPT-MARK -j MARK --set-xmark 0x1/0xffffffff
-A PVEFW-SET-ACCEPT-MARK -m comment --comment "PVESIG:+w0L1XZmxcTeIy7fBeEAzPUQMiY"
-A PVEFW-VENET-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-VENET-IN -p tcp -j PVEFW-tcpflags
-A PVEFW-VENET-IN -m comment --comment "PVESIG:GFBN4C7s42EA8MzpKIvJzALK5Sg"
-A PVEFW-VENET-OUT -m comment --comment "PVESIG:2jmj7l5rSw0yVb/vlWAYkK/YBwk"
-A PVEFW-logflags -j NFLOG --nflog-prefix  ":0:7:PVEFW-logflags: DROP: "
-A PVEFW-logflags -j DROP
-A PVEFW-logflags -m comment --comment "PVESIG:M6AZ5liyPd5yBMzJkVe2pC3g4C8"
-A PVEFW-reject -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-reject -s 224.0.0.0/4 -j DROP
-A PVEFW-reject -p icmp -j DROP
-A PVEFW-reject -p tcp -j REJECT --reject-with tcp-reset
-A PVEFW-reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A PVEFW-reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A PVEFW-reject -j REJECT --reject-with icmp-host-prohibited
-A PVEFW-reject -m comment --comment "PVESIG:KM/fOv4KvGn8XvMqxoiRCdvlji8"
-A PVEFW-smurflog -j NFLOG --nflog-prefix  ":0:7:PVEFW-smurflog: DROP: "
-A PVEFW-smurflog -j DROP
-A PVEFW-smurflog -m comment --comment "PVESIG:d9YbmH6rFEMMIfhSj79mnIalVtg"
-A PVEFW-smurfs -s 0.0.0.0/32 -j RETURN
-A PVEFW-smurfs -m addrtype --src-type BROADCAST -g PVEFW-smurflog
-A PVEFW-smurfs -s 224.0.0.0/4 -g PVEFW-smurflog
-A PVEFW-smurfs -m comment --comment "PVESIG:HssVe5QCBXd5mc9kC88749+7fag"
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags
-A PVEFW-tcpflags -m comment --comment "PVESIG:CMFojwNPqllyqD67NeI5m+bP5mo"
-A tap202i0-IN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A tap202i0-IN -m set --match-set PVEFW-0-whitelist src -j ACCEPT
-A tap202i0-IN -j PVEFW-Drop
-A tap202i0-IN -j NFLOG --nflog-prefix  ":202:7:tap202i0-IN: policy DROP: "
-A tap202i0-IN -j DROP
-A tap202i0-IN -m comment --comment "PVESIG:pCCb0pslxc7VFu3IxrGVll2A6oE"
-A tap202i0-OUT -p udp -m udp --sport 68 --dport 67 -g PVEFW-SET-ACCEPT-MARK
-A tap202i0-OUT -m mac ! --mac-source 46:0A:57:87:BF:C1 -j DROP
-A tap202i0-OUT -j MARK --set-xmark 0x0/0xffffffff
-A tap202i0-OUT -g PVEFW-SET-ACCEPT-MARK
-A tap202i0-OUT -m comment --comment "PVESIG:f9fMlSXvHi0Nkj+WvSu4OIekTss"
-A tap254i1-IN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A tap254i1-IN -m set --match-set PVEFW-0-whitelist src -j ACCEPT
-A tap254i1-IN -j PVEFW-Drop
-A tap254i1-IN -j NFLOG --nflog-prefix  ":254:7:tap254i1-IN: policy DROP: "
-A tap254i1-IN -j DROP
-A tap254i1-IN -m comment --comment "PVESIG:EYxkFm675nKh5dHHXleDzN86e5g"
-A tap254i1-OUT -p udp -m udp --sport 68 --dport 67 -g PVEFW-SET-ACCEPT-MARK
-A tap254i1-OUT -m mac ! --mac-source F6:C0:97:A3:4F:2B -j DROP
-A tap254i1-OUT -j MARK --set-xmark 0x0/0xffffffff
-A tap254i1-OUT -g PVEFW-SET-ACCEPT-MARK
-A tap254i1-OUT -m comment --comment "PVESIG:PywYNY5G3b5tuH7mlmGQGH/YkLc"
COMMIT
# Completed on Thu Dec 11 14:29:36 2014
 
Re: OVS virtual interface with vlantag enable firewall can't work!

This is strange.

The host firewall is already set up:

-A PVEFW-HOST-IN -i lo -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-HOST-IN -p tcp -j PVEFW-tcpflags
-A PVEFW-HOST-IN -p igmp -j RETURN
-A PVEFW-HOST-IN -m set --match-set PVEFW-0-whitelist src -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management src -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management src -m tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management src -m tcp --dport 3128 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management src -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-IN -j PVEFW-Drop
-A PVEFW-HOST-IN -j NFLOG --nflog-prefix ":0:7:pVEFW-HOST-IN: policy DROP: "
-A PVEFW-HOST-IN -j DROP
-A PVEFW-HOST-IN -m comment --comment "PVESIG:hJXQQlGbL9ljwjQ/YCJWl4wEsjQ"

and the update attempt:

update PVEFW-HOST-IN (NHIsb3kSxhAFvCEyUs0QVl75tew)
-A PVEFW-HOST-IN -i lo -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-HOST-IN -p tcp -j PVEFW-tcpflags
-A PVEFW-HOST-IN -p igmp -j RETURN
-A PVEFW-HOST-IN -m set --match-set PVEFW-0-whitelist src -j RETURN
-A PVEFW-HOST-IN -m set --match-set PVEFW-0-whitelist src -j RETURN
-A PVEFW-HOST-IN -m set --match-set PVEFW-0-management src -p tcp --dport 8006 -j RETURN
-A PVEFW-HOST-IN -m set --match-set PVEFW-0-management src -p tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-IN -m set --match-set PVEFW-0-management src -p tcp --dport 3128 -j RETURN
-A PVEFW-HOST-IN -m set --match-set PVEFW-0-management src -p tcp --dport 22 -j RETURN
-A PVEFW-HOST-IN -j PVEFW-Drop
-A PVEFW-HOST-IN -j NFLOG --nflog-prefix ":0:7:pVEFW-HOST-IN: policy DROP: "
-A PVEFW-HOST-IN -j DROP

The only difference is that the whitelist rule appears twice; I don't know why, it should be there once.

Do you have
IN ACCEPT -source +whitelist
in both the host.fw and cluster.fw config files?

Because cluster.fw rules are applied to all hosts,
try to remove the line from host.fw.


(It's possibly a bug in the Proxmox code.)
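The comparison in the post above was done by eye: the active PVEFW-HOST-IN chain against the chain pve-firewall wants to install, with the PVESIG comment ignored and the whitelist rule counted twice. The script below does that comparison mechanically. It is an added example, not code from the thread or from the pve-firewall code base: it parses `iptables-save` output, strips the PVESIG signature rule, reports rules that occur more than once in a chain, and prints which rules the wanted chain has that the active chain lacks (or the reverse). The sample save text and the wanted rule list are constructed, shortened from this thread. The canonical form it compares on (option groups sorted, the implicit `-m tcp`/`-m udp` that iptables-save renders after `-p tcp`/`-p udp` dropped) is an assumption chosen so the two renderings seen in the thread compare equal; it is not pve-firewall's own algorithm.

```python
"""Report why a Proxmox firewall chain stays in "pending changes".

Added example (not from the thread or pve-firewall). Compares the active
iptables chain with the chain the firewall wants, ignoring the PVESIG comment.
"""
import re
import shlex
from collections import Counter, defaultdict

# Constructed excerpt in iptables-save format, shortened from the thread's output.
ACTIVE_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:PVEFW-HOST-IN - [0:0]
-A INPUT -j PVEFW-INPUT
-A PVEFW-HOST-IN -i lo -j ACCEPT
-A PVEFW-HOST-IN -m set --match-set PVEFW-0-whitelist src -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management src -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-IN -j DROP
-A PVEFW-HOST-IN -m comment --comment "PVESIG:hJXQQlGbL9ljwjQ/YCJWl4wEsjQ"
COMMIT
"""

# Constructed "wanted" chain (rule bodies after "-A PVEFW-HOST-IN"), with the
# whitelist rule duplicated the way the thread's update attempt shows it.
WANTED_HOST_IN = [
    "-i lo -j ACCEPT",
    "-m set --match-set PVEFW-0-whitelist src -j RETURN",
    "-m set --match-set PVEFW-0-whitelist src -j RETURN",
    "-m set --match-set PVEFW-0-management src -p tcp --dport 22 -j RETURN",
    "-j DROP",
]

RULE_RE = re.compile(r"^-A\s+(\S+)\s+(.*)$")
SIG_RE = re.compile(r'-m comment --comment "PVESIG:[^"]*"$')
IMPLICIT_MATCHES = {("-m", "tcp"), ("-m", "udp")}  # assumption: implied by -p tcp/udp


def parse_chains(save_text):
    """Return {chain: [rule body, ...]} from iptables-save text, in rule order."""
    chains = defaultdict(list)
    for line in save_text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            chains[m.group(1)].append(m.group(2))
    return dict(chains)


def strip_signature(rules):
    """Drop the trailing PVESIG comment rule pve-firewall appends to each chain."""
    return [r for r in rules if not SIG_RE.search(r)]


def canonical(rule):
    """Canonical key for a rule body: option groups (flag + its arguments),
    '!' kept with the option it negates, implicit -m tcp/udp removed, sorted."""
    groups, current = [], []
    for tok in shlex.split(rule):
        starts_group = tok == "!" or (tok.startswith("-") and current and current[-1] != "!")
        if starts_group and current:
            groups.append(tuple(current))
            current = []
        current.append(tok)
    if current:
        groups.append(tuple(current))
    return tuple(sorted(g for g in groups if g not in IMPLICIT_MATCHES))


def find_duplicates(rules):
    """Rules that occur more than once in a chain, as (first text, count)."""
    counts = Counter(canonical(r) for r in rules)
    seen, dups = set(), []
    for r in rules:
        k = canonical(r)
        if counts[k] > 1 and k not in seen:
            seen.add(k)
            dups.append((r, counts[k]))
    return dups


def diff_chain(active, wanted):
    """Multiset difference: (wanted but not active, active but not wanted)."""
    a, w = Counter(map(canonical, active)), Counter(map(canonical, wanted))
    text = {}
    for r in wanted + active:
        text.setdefault(canonical(r), r)
    missing = [text[k] for k in (w - a).elements()]
    extra = [text[k] for k in (a - w).elements()]
    return missing, extra


def report(active_save, wanted_rules, chain="PVEFW-HOST-IN"):
    """Human-readable findings for one chain; empty list means the chain is in sync."""
    active = strip_signature(parse_chains(active_save).get(chain, []))
    lines = [f"duplicate x{n} in wanted {chain}: {r}" for r, n in find_duplicates(wanted_rules)]
    missing, extra = diff_chain(active, wanted_rules)
    lines += [f"wanted but not active: {r}" for r in missing]
    lines += [f"active but not wanted: {r}" for r in extra]
    return lines


if __name__ == "__main__":
    print("\n".join(report(ACTIVE_SAVE, WANTED_HOST_IN)) or "chain in sync")
```

Run it against real output by feeding `iptables-save` text into `ACTIVE_SAVE` and the chain from `pve-firewall compile` into `WANTED_HOST_IN`; on the constructed data it reports the doubled whitelist rule in the wanted chain and that one copy of it is not active, which is exactly why the signature never matches and the status stays on pending changes.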
 
Re: OVS virtual interface with vlantag enable firewall can't work!

Do you have
IN ACCEPT -source +whitelist
in both the host.fw and cluster.fw config files?

Yes, both have it.

Because cluster.fw rules are applied to all hosts,
try to remove the line from host.fw.

Yes, I removed it and restarted pve-firewall, and it works.

But if so, there is no rule that can protect the host.

(It's possibly a bug in the Proxmox code.)
Maybe it's a bug.
 
Re: OVS virtual interface with vlantag enable firewall can't work!

But if so, there is no rule that can protect the host.

Check with #iptables-save; you should have the whitelist rule from cluster.fw in HOST-IN.

The rules in cluster.fw apply on all Proxmox nodes (as if you put them in the host.fw of each Proxmox server).


Maybe it's a bug.


Yes, it seems that the problem is that the same rule is defined twice; it must be a bug in our parser.
I'll try to fix that today.

 
Re: OVS virtual interface with vlantag enable firewall can't work!

Check with #iptables-save; you should have the whitelist rule from cluster.fw in HOST-IN.

The rules in cluster.fw apply on all Proxmox nodes (as if you put them in the host.fw of each Proxmox server).

Yes.

Yes, it seems that the problem is that the same rule is defined twice; it must be a bug in our parser.
I'll try to fix that today.

Thank you a lot for your work. Thanks again! :p
 
