git.proxmox.com Git - pve-firewall.git/commit

author	Alexandre Derumier <aderumier@odiso.com>
	Tue, 25 Mar 2014 04:15:26 +0000 (05:15 +0100)
committer	Dietmar Maurer <dietmar@proxmox.com>
	Tue, 25 Mar 2014 05:35:05 +0000 (06:35 +0100)
commit	b47ecc889a8db369a6324feebffabbe49d5516e6
tree	fad2a65365c7bb7d9bb7151c8f3984868ee45813	tree
parent	0f168d7b2f4381e9d706ee694e08b138aa542130	commit \| diff

add ips feature v7

This add ips (like suricata) support through nfqueues.

The main idea is to replace -j ACCEPT with -J NFQUEUE , to pass packets to ips

it's using --queue-bypass (only available in 3.10 kernel), so it's suricata daemon is down,
packets are not dropped.

tap-out chain,
-------------
we goto PVEFW-SET-ACCEPT-MARK is always use when connection is already established
-m conntrack --ctstate RELATED,ESTABLISHED -g PVEFW-SET-ACCEPT-MARK

tap-in chain
---------------
I replace -j ACCEPT by -j NFQUEUE when ips is enabled
and
-m conntrack --ctstate RELATED,ESTABLISHED -j NFQUEUE

group-in rules now use also mark
---------------------------------
-A tap110i0-IN -j GROUP-group1-IN
-A GROUP-group1-IN -j MARK --set-xmark 0x0/0xffffffff
-A GROUP-group1-IN -p icmp -g PVEFW-SET-ACCEPT-MARK
-A tap110i0-IN -m mark --mark 0x1 -j ACCEPT|NFQUEUE

vmid.fw
-------
ips: 1

ips_queues: 0:3

1 or more queues can be defined (if we want cpu loadbalancing, or dedicated queue for a specific vm).
If not defined, default queue 0 is used.

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>

example/100.fw		diff \| blob \| blame \| history
src/PVE/Firewall.pm		diff \| blob \| blame \| history