SDN (EVPN) + VM Firewall

[nikordev]

Hello, i used EVPN to link a cluster VM. It's working, thanks

But it ignores the VM firewall rules(

My test case from the guide https://pve.proxmox.com/pve-docs-6/chapter-pvesdn.html

I trying drop all in/out for vm1 (c001-vm101) and vm2 (c001-vm102) but they are ignoring the rules





Firewall rules c001-vm101 are similar to c001-vm102
Nodes have rules with accept all inputs/outputs

Is this the expected behavior?
If expected, what are the tricks to get around it?

My goal is to be able to control network interaction between virtual machines on the EVPN network.

 

[nikordev]

Additional information:

Version: 7.1-10

Firewall enabled on all 3 levels (DC, Node, VM)

I have vm c001-vm100 with simple bridge interface (vmbr0) to vlan and firewall work without problem for it

sysctl -a |grep call
abi.vsyscall32 = 1
net.bridge.bridge-nf-call-arptables = 0
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1

 

[spirit]

Hi,
I'm using evpn in production with firewall, I don't have any problem.

(I don't see why it shouldn't work, as the firewalling is done at bridge level, after the evpn).

Just to be sure:

- is the firewall checkbox enable on vm nic interface ?
- is the firewall enabled at datacenter level ?

 

[nikordev]

- is the firewall checkbox enable on vm nic interface ?

Yes, it's not enabled

I'm so dumb...

Sorry for my mistake

Everything is working fine now, thanks!