[pve-devel] pve-firewall : iptables V2

Stefan Priebe - Profihost AG s.priebe at profihost.ag
Thu Feb 13 11:33:59 CET 2014


Hi Alexandre,

I see the following problem regarding the basic iptables
implementation. The iptables binary is not "thread" safe / can't be run
in parallel. It then exits with exit code 4 and you see a kernel message
"Resource temporarily unavailable".

This means you have to check each iptables command for exit code 4 and
have to re-execute it in that case.

Examples / Bug Reports:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=712691

http://lists.netfilter.org/pipermail/netfilter-devel/2006-June/024640.html

http://www.redhat.com/archives/libvir-list/2012-March/msg00746.html

and many more...

Stefan
On 13.02.2014 05:57, Alexandre DERUMIER wrote:
> any comments for these patches?
> 
> 
> ----- Original mail ----- 
> 
> From: "Alexandre Derumier" <aderumier at odiso.com> 
> To: pve-devel at pve.proxmox.com 
> Sent: Friday 7 February 2014 16:22:26 
> Subject: [pve-devel] pve-firewall : iptables V2 
> 
> changelog: 
> 
> add support for host firewall and group rules. 
> It uses iptables-restore now, so rules are applied atomically. 
> 
> Also, I don't use RETURN in the inbound rules anymore, but jump directly from the outbound rules, so there are fewer rule lookups. 
> 
> The FORWARD chain list is: 
> 
> FORWARD--->proxmoxfw-FORWARD 
> ----> BRIDGEFW-OUT 
> --->VMBRX-OUT 
> ------->TAPXX-OUT 
> --->ACCEPT(==JUMP VMBRX-IN) 
> --->GROUP-xxx-OUT 
> --->ACCEPT(==JUMP BRIDGEFW-IN) 
> ---->BRIDGEFW-IN 
> ---->VMBRX-IN 
> ------->TAPXX-IN 
> ---->ACCEPT 
> ---->GROUP-xxx-IN 
> ----->ACCEPT 
> 
> 
> Please test :) 
> (config files sample for host,group,vm firewall are in commits) 
> 
> _______________________________________________ 
> pve-devel mailing list 
> pve-devel at pve.proxmox.com 
> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 
> 
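A worked example of both points raised in this thread, added here and not part of Alexandre's pve-firewall patches or of any Proxmox code: a POSIX shell script that renders an iptables-restore stanza for the FORWARD chain hierarchy Alexandre lists and applies it as one atomic table replacement, re-running iptables-restore when it exits with code 4 (the xtables lock held by a concurrent iptables run) as Stefan describes. The bridge, tap and group names are constructed, the physdev interface matches and the sample port rule on the group chains are my assumptions (the thread gives only the chain names and jump order), and the IPTABLES_RESTORE / RETRY_MAX / RETRY_SLEEP variables and the --show/--apply flags are this example's own conventions, not pve-firewall options.

```shell
#!/bin/sh
# Added example, not pve-firewall code: build the FORWARD chain layout from
# the thread as an iptables-restore stanza and apply it atomically, retrying
# when iptables-restore exits 4 (xtables lock held by another iptables run;
# the kernel-side symptom is "Resource temporarily unavailable").

# Knobs (this example's own names, not pve-firewall options). IPTABLES_RESTORE
# is overridable so the retry logic can be exercised against a stand-in.
: "${IPTABLES_RESTORE:=iptables-restore}"
: "${RETRY_MAX:=5}"
: "${RETRY_SLEEP:=1}"

# Emit the chain hierarchy from the thread for one bridge, one tap and one
# group (names are constructed). Jumps follow the order Alexandre listed; an
# "ACCEPT" on the outbound side is a jump into the inbound side, so no RETURN
# is needed. The physdev matches and the tcp/80 rule are assumptions.
# A real generator would emit the whole filter table, because iptables-restore
# replaces the table as a unit (that is what makes the update atomic).
render_forward_rules() {
    bridge=$1; tap=$2; group=$3
    cat <<EOF
*filter
:proxmoxfw-FORWARD - [0:0]
:BRIDGEFW-OUT - [0:0]
:BRIDGEFW-IN - [0:0]
:${bridge}-OUT - [0:0]
:${bridge}-IN - [0:0]
:${tap}-OUT - [0:0]
:${tap}-IN - [0:0]
:GROUP-${group}-OUT - [0:0]
:GROUP-${group}-IN - [0:0]
-A FORWARD -j proxmoxfw-FORWARD
-A proxmoxfw-FORWARD -m physdev --physdev-is-bridged -j BRIDGEFW-OUT
-A BRIDGEFW-OUT -m physdev --physdev-in ${tap} -j ${bridge}-OUT
-A ${bridge}-OUT -m physdev --physdev-in ${tap} -j ${tap}-OUT
-A ${tap}-OUT -j GROUP-${group}-OUT
-A GROUP-${group}-OUT -p tcp --dport 80 -j BRIDGEFW-IN
-A BRIDGEFW-IN -m physdev --physdev-out ${tap} -j ${bridge}-IN
-A ${bridge}-IN -m physdev --physdev-out ${tap} -j ${tap}-IN
-A ${tap}-IN -j GROUP-${group}-IN
-A GROUP-${group}-IN -p tcp --dport 80 -j ACCEPT
COMMIT
EOF
}

# Read a ruleset from stdin and load it with iptables-restore. Exit code 4
# means the xtables lock was busy, so the run is repeated after RETRY_SLEEP
# seconds, at most RETRY_MAX times; any other code (0 ok, 1/2 parse or rule
# error) is final and passed through unchanged.
apply_ruleset() {
    tmp=$(mktemp) || return 1
    cat > "$tmp"                      # buffer stdin so every retry re-reads it
    attempt=0
    rc=0
    while :; do
        attempt=$((attempt + 1))
        "$IPTABLES_RESTORE" < "$tmp"
        rc=$?
        [ "$rc" -ne 4 ] && break
        if [ "$attempt" -ge "$RETRY_MAX" ]; then
            echo "iptables-restore: lock still busy after $attempt attempts" >&2
            break
        fi
        sleep "$RETRY_SLEEP"
    done
    rm -f "$tmp"
    return "$rc"
}

# Stand-alone use: --show prints the stanza, --apply loads it (needs root).
case "${1:-}" in
    --show)  render_forward_rules vmbr0 tap100i0 web ;;
    --apply) render_forward_rules vmbr0 tap100i0 web | apply_ruleset ;;
esac
```

The retry loop keeps the exit status the real binary returned, so a syntax error (exit 1) is not mistaken for lock contention and retried forever. Note that iptables 1.4.20 and later also accept -w/--wait, which blocks on the xtables lock instead of failing with 4; on older releases such as the ones in the bug reports Stefan links, checking for exit code 4 and re-running is the portable option.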
