optimize: accept from physical interfaces on bridges
There is a good chance that a packet is coming from or going to the external network.
Currently, we need to check all tap chains before accepting the packet from an eth|bond interface.
This can have a big performance impact (mainly for drop|reject, as we don't have an established connection).
So it could be a problem in case of a DDoS attack, for example.
without optimize
----------------
-A vmbr1-FW -m physdev --physdev-is-in -j vmbr1-OUT
-A vmbr1-OUT -m physdev --physdev-in tapxxxi0 -j tapxxxi0-OUT
-A vmbr1-OUT -m physdev --physdev-in tapxxxi0 -j tapxxxi0-OUT
-A vmbr1-OUT -m physdev --physdev-in tapxxxi0 -j tapxxxi0-OUT
-A vmbr1-OUT -m physdev --physdev-in tapxxxi0 -j tapxxxi0-OUT
-A vmbr1-OUT -m physdev --physdev-in tapxxxi0 -j tapxxxi0-OUT
-A vmbr1-OUT -m physdev --physdev-in tapxxxi0 -j tapxxxi0-OUT
-A vmbr1-FW -m physdev --physdev-is-out -j vmbr1-IN
-A vmbr1-IN -m physdev --physdev-out tapxxxi0 --physdev-is-bridged -j tapxxxi0-IN
-A vmbr1-IN -m physdev --physdev-out tapxxxi0 --physdev-is-bridged -j tapxxxi0-IN
-A vmbr1-IN -m physdev --physdev-out tapxxxi0 --physdev-is-bridged -j tapxxxi0-IN
-A vmbr1-IN -m physdev --physdev-out tapxxxi0 --physdev-is-bridged -j tapxxxi0-IN
-A vmbr1-IN -m physdev --physdev-out tapxxxi0 --physdev-is-bridged -j tapxxxi0-IN
-A vmbr1-IN -m physdev --physdev-out tapxxxi0 --physdev-is-bridged -j tapxxxi0-IN
-A vmbr1-FW -m mark --mark 0x1 -j ACCEPT
-A vmbr1-FW -m physdev --physdev-is-out -j ACCEPT
with optimize
------------
-A vmbr1-FW -m physdev --physdev-is-in -j vmbr1-OUT
-A vmbr1-OUT -m physdev --physdev-in ethX --physdev-is-bridged -g PVEFW-SET-ACCEPT-MARK
-A vmbr1-OUT -m physdev --physdev-in tapxxxi0 -j tapxxxi0-OUT
-A vmbr1-OUT -m physdev --physdev-in tapxxxi0 -j tapxxxi0-OUT
-A vmbr1-OUT -m physdev --physdev-in tapxxxi0 -j tapxxxi0-OUT
-A vmbr1-OUT -m physdev --physdev-in tapxxxi0 -j tapxxxi0-OUT
-A vmbr1-OUT -m physdev --physdev-in tapxxxi0 -j tapxxxi0-OUT
-A vmbr1-OUT -m physdev --physdev-in tapxxxi0 -j tapxxxi0-OUT
-A vmbr1-FW -m physdev --physdev-is-out -j vmbr1-IN
-A vmbr1-IN -m physdev --physdev-out ethX --physdev-is-bridged -j ACCEPT
-A vmbr1-IN -m physdev --physdev-out tapxxxi0 --physdev-is-bridged -j tapxxxi0-IN
-A vmbr1-IN -m physdev --physdev-out tapxxxi0 --physdev-is-bridged -j tapxxxi0-IN
-A vmbr1-IN -m physdev --physdev-out tapxxxi0 --physdev-is-bridged -j tapxxxi0-IN
-A vmbr1-IN -m physdev --physdev-out tapxxxi0 --physdev-is-bridged -j tapxxxi0-IN
-A vmbr1-IN -m physdev --physdev-out tapxxxi0 --physdev-is-bridged -j tapxxxi0-IN
-A vmbr1-IN -m physdev --physdev-out tapxxxi0 --physdev-is-bridged -j tapxxxi0-IN
-A vmbr1-FW -m mark --mark 0x1 -j ACCEPT
-A vmbr1-FW -m physdev --physdev-is-out -j ACCEPT
add tunable nf_conntrack_tcp_timeout_established value
The default nf_conntrack_tcp_timeout_established value is 5 days.
This is really huge, in case of a DDoS attack for example.
from:
https://dev.openwrt.org/ticket/12976
the minimum value should be
"7875 seconds (= tcp_keepalive_time + tcp_keepalive_probes * tcp_keepalive_intvl = 7200 + 9 * 75 by default) to give the endpoints sufficient time to send keep-alive probes"
vmid.fw
-------
IN SSH(ACCEPT) net0 192.168.2.192 # only allow SSH from 192.168.2.192
IN SSH(ACCEPT) net0 10.0.0.1-10.0.0.10 #accept SSH for ip in range 10.0.0.1 to 10.0.0.10
IN SSH(ACCEPT) net0 10.0.0.1,10.0.0.2,10.0.0.3 #accept ssh for 10.0.0.1 or 10.0.0.2 or 10.0.0.3
IN SSH(ACCEPT) net0 +mynetgroup #accept ssh for netgroup mynetgroup
cluster.fw
----------
IN ACCEPT 10.0.0.1
IN ACCEPT 10.0.0.1-10.0.0.10
IN ACCEPT 10.0.0.1,10.0.0.2,10.0.0.3
IN ACCEPT +mynetgroup
This adds IPS (like suricata) support through nfqueues.
The main idea is to replace -j ACCEPT with -j NFQUEUE, to pass packets to the IPS.
It uses --queue-bypass (only available in the 3.10 kernel), so if the suricata daemon is down,
packets are not dropped.
tap-out chain
-------------
we goto PVEFW-SET-ACCEPT-MARK; it is always used when the connection is already established
-m conntrack --ctstate RELATED,ESTABLISHED -g PVEFW-SET-ACCEPT-MARK
tap-in chain
------------
I replace -j ACCEPT with -j NFQUEUE when IPS is enabled
and
-m conntrack --ctstate RELATED,ESTABLISHED -j NFQUEUE
group-in rules now also use mark
--------------------------------
-A tap110i0-IN -j GROUP-group1-IN
-A GROUP-group1-IN -j MARK --set-xmark 0x0/0xffffffff
-A GROUP-group1-IN -p icmp -g PVEFW-SET-ACCEPT-MARK
-A tap110i0-IN -m mark --mark 0x1 -j ACCEPT|NFQUEUE
vmid.fw
-------
ips: 1
ips_queues: 0:3
One or more queues can be defined (if we want CPU load balancing, or a dedicated queue for a specific VM).
If not defined, the default queue 0 is used.
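As an added example (not part of these patches or of pve-firewall itself), the following Python script compiles the source-address forms shown in the vmid.fw/cluster.fw sections and the ACCEPT-to-NFQUEUE substitution of the IPS section into iptables rule lines. The SSH macro expansion, the mapping of +netgroup to an ipset of the same name and the --queue-balance/--queue-num choice are assumptions for this example.

```python
import ipaddress
import re

# Constructed example: translates vmid.fw/cluster.fw lines into iptables rules.
# Assumed macro table with one entry; pve-firewall has its own macro definitions.
MACROS = {"SSH": ["-p", "tcp", "--dport", "22"]}
RULE_RE = re.compile(r"^(IN|OUT)\s+(?:([A-Z]+)\()?(ACCEPT|DROP|REJECT)\)?(?:\s+(net\d+))?\s+(\S+)$")

def source_match(spec):
    """Map the source forms shown in vmid.fw/cluster.fw to iptables match arguments."""
    if spec.startswith("+"):                   # +mynetgroup: assumed to be an ipset of that name
        name = spec[1:]
        if not re.fullmatch(r"[A-Za-z0-9_-]+", name):
            raise ValueError("bad netgroup name: %r" % name)
        return ["-m", "set", "--match-set", name, "src"]
    if "-" in spec:                            # 10.0.0.1-10.0.0.10: inclusive range
        lo, hi = (ipaddress.ip_address(p) for p in spec.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError("bad range: %r" % spec)
        return ["-m", "iprange", "--src-range", "%s-%s" % (lo, hi)]
    # single address or comma list: iptables expands a list into one rule per address
    nets = [ipaddress.ip_network(p, strict=False) for p in spec.split(",")]
    if len({n.version for n in nets}) != 1:
        raise ValueError("mixed address families: %r" % spec)
    hosts = [str(n.network_address) if n.prefixlen == n.max_prefixlen else str(n) for n in nets]
    return ["-s", ",".join(hosts)]

def target(action, ips=False, ips_queues=None):
    """-j ACCEPT normally; with the IPS enabled, hand accepted packets to NFQUEUE instead.
    --queue-bypass lets packets through if no daemon (suricata) is listening on the queue."""
    if action == "ACCEPT" and ips:
        q = ips_queues or "0"                  # "0:3" balances across queues 0..3
        opt = "--queue-balance" if ":" in q else "--queue-num"
        return ["-j", "NFQUEUE", opt, q, "--queue-bypass"]
    return ["-j", action]

def compile_rule(line, tap, ips=False, ips_queues=None):
    """Compile one rule line for the VM's tap chain (e.g. tap110i0-IN); '#' starts a comment."""
    m = RULE_RE.match(line.split("#", 1)[0].strip())
    if not m:
        raise ValueError("cannot parse: %r" % line)
    direction, macro, action, _iface, source = m.groups()
    if macro and macro not in MACROS:
        raise ValueError("unknown macro: %r" % macro)
    args = ["-A", "%s-%s" % (tap, direction)] + (MACROS[macro] if macro else [])
    return " ".join(args + source_match(source) + target(action, ips, ips_queues))

if __name__ == "__main__":
    for l in ("IN SSH(ACCEPT) net0 192.168.2.192 # only allow SSH from 192.168.2.192",
              "IN SSH(ACCEPT) net0 10.0.0.1-10.0.0.10", "IN SSH(ACCEPT) net0 +mynetgroup"):
        print(compile_rule(l, "tap110i0", ips=True, ips_queues="0:3"))
```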