git.proxmox.com Git - pve-firewall.git/commit

optimize : accept from physical interfaces on bridges

They are a lot of chance that a packet is coming/going  from/to external network.

Currently, we need to check all tap chains before accept the packet from eth|bond interface.

This can have a big performance impact (mainly for drop|reject, as we don't have an established connection).
So It could be a problem in case of a ddos attack for example.

without optimize
----------------
-A vmbr1-FW -m physdev --physdev-is-in -j vmbr1-OUT

   -A vmbr1-OUT -m physdev --physdev-in tapxxxi0 -j tapxxxi0-OUT
   -A vmbr1-OUT -m physdev --physdev-in tapxxxi0 -j tapxxxi0-OUT
   -A vmbr1-OUT -m physdev --physdev-in tapxxxi0 -j tapxxxi0-OUT
   -A vmbr1-OUT -m physdev --physdev-in tapxxxi0 -j tapxxxi0-OUT
   -A vmbr1-OUT -m physdev --physdev-in tapxxxi0 -j tapxxxi0-OUT
   -A vmbr1-OUT -m physdev --physdev-in tapxxxi0 -j tapxxxi0-OUT

-A vmbr1-FW -m physdev --physdev-is-out -j vmbr1-IN

   -A vmbr1-IN -m physdev --physdev-out tapxxxi0 --physdev-is-bridged -j tapxxxi0-IN
   -A vmbr1-IN -m physdev --physdev-out tapxxxi0 --physdev-is-bridged -j tapxxxi0-IN
   -A vmbr1-IN -m physdev --physdev-out tapxxxi0 --physdev-is-bridged -j tapxxxi0-IN
   -A vmbr1-IN -m physdev --physdev-out tapxxxi0 --physdev-is-bridged -j tapxxxi0-IN
   -A vmbr1-IN -m physdev --physdev-out tapxxxi0 --physdev-is-bridged -j tapxxxi0-IN
   -A vmbr1-IN -m physdev --physdev-out tapxxxi0 --physdev-is-bridged -j tapxxxi0-IN

-A vmbr1-FW -m mark --mark 0x1 -j ACCEPT
-A vmbr1-FW -m physdev --physdev-is-out -j ACCEPT

with optimize
------------
-A vmbr1-FW -m physdev --physdev-is-in -j vmbr1-OUT

   -A vmbr1-OUT -m physdev --physdev-in ethX --physdev-is-bridged -g PVEFW-SET-ACCEPT-MARK
   -A vmbr1-OUT -m physdev --physdev-in tapxxxi0 -j tapxxxi0-OUT
   -A vmbr1-OUT -m physdev --physdev-in tapxxxi0 -j tapxxxi0-OUT
   -A vmbr1-OUT -m physdev --physdev-in tapxxxi0 -j tapxxxi0-OUT
   -A vmbr1-OUT -m physdev --physdev-in tapxxxi0 -j tapxxxi0-OUT
   -A vmbr1-OUT -m physdev --physdev-in tapxxxi0 -j tapxxxi0-OUT
   -A vmbr1-OUT -m physdev --physdev-in tapxxxi0 -j tapxxxi0-OUT

-A vmbr1-FW -m physdev --physdev-is-out -j vmbr1-IN
   -A vmbr1-IN -m physdev --physdev-out ethX --physdev-is-bridged -j ACCEPT
   -A vmbr1-IN -m physdev --physdev-out tapxxxi0 --physdev-is-bridged -j tapxxxi0-IN
   -A vmbr1-IN -m physdev --physdev-out tapxxxi0 --physdev-is-bridged -j tapxxxi0-IN
   -A vmbr1-IN -m physdev --physdev-out tapxxxi0 --physdev-is-bridged -j tapxxxi0-IN
   -A vmbr1-IN -m physdev --physdev-out tapxxxi0 --physdev-is-bridged -j tapxxxi0-IN
   -A vmbr1-IN -m physdev --physdev-out tapxxxi0 --physdev-is-bridged -j tapxxxi0-IN
   -A vmbr1-IN -m physdev --physdev-out tapxxxi0 --physdev-is-bridged -j tapxxxi0-IN

-A vmbr1-FW -m mark --mark 0x1 -j ACCEPT
-A vmbr1-FW -m physdev --physdev-is-out -j ACCEPT

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>

author	Alexandre Derumier <aderumier@odiso.com>
	Tue, 22 Apr 2014 03:57:15 +0000 (05:57 +0200)
committer	Dietmar Maurer <dietmar@proxmox.com>
	Tue, 22 Apr 2014 05:49:42 +0000 (07:49 +0200)
commit	1a301a8d78ec8e25cc5ccebd48b59b1fe1406540
tree	85572c4af4e7e6225e5d472a36602e642c396a91	tree
parent	92e1209bfb984c18735dbc73ac929fb0a9832b52	commit \| diff