[pve-devel] pve-firewall : iptables V2
Dietmar Maurer
dietmar at proxmox.com
Thu Feb 13 11:49:52 CET 2014
> any comments for these patches?
OK, I have now committed your patches, and removed shorewall specific code.
I do not really like the use of a global variable @ruleset to store rules.
Also, it is a bit unclear to me how you plan to do updates. There is code like:
    if (!iptables_rule_exist($rule)) {
        iptables_addrule("-I $rule");
    }
but how do you remove rules for removed VMs (or removed network interfaces) then?
Also, the order of rules inside a ruleset is important, so how do you track ordering changes?
IMHO this is really impossible using code like "if(!iptables_rule_exist($rule))"
Wouldn't it be easier to always restore the full ruleset?
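To make the point concrete, here is an added example (not code from pve-firewall or from the message above) modelling both update strategies: the "insert if the rule does not exist" approach, and a full rebuild of the ruleset as iptables-restore would load it. VM ids, tap interface names and the PVEFW-<vmid>-IN chain names are constructed sample data, not taken from the mail.

```python
"""Compare incremental rule insertion with rebuilding the whole ruleset.

Rules are modelled as plain strings (the part after "-A"/"-I"), so no
iptables binary is needed; the point is what ends up in the chain and
in which order. All VM ids and interface names are constructed.
"""


def desired_rules(vms):
    """Return the per-VM FORWARD rules the firewall wants, in order.

    vms: list of (vmid, iface) tuples describing the current config.
    The final catch-all DROP must stay last for the chain to work.
    """
    rules = []
    for vmid, iface in vms:
        rules.append(f"FORWARD -m physdev --physdev-out {iface} -j PVEFW-{vmid}-IN")
    rules.append("FORWARD -j DROP")
    return rules


def update_incremental(live, wanted):
    """Model of 'if (!iptables_rule_exist($rule)) iptables_addrule("-I $rule")'.

    Each missing rule is inserted at the top of the chain; rules that are
    no longer wanted are never removed and existing order is never changed.
    """
    live = list(live)
    for rule in wanted:
        if rule not in live:
            live.insert(0, rule)  # "-I" prepends, so order ends up reversed
    return live


def update_full_restore(live, wanted):
    """Model of replacing the whole table: the live chain becomes 'wanted'."""
    return list(wanted)


def restore_text(rules, table="filter"):
    """Render a rule list as iptables-restore input for one table."""
    lines = [f"*{table}", ":FORWARD ACCEPT [0:0]"]
    lines += [f"-A {rule}" for rule in rules]
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


def stale_rules(live, wanted):
    """Rules present in the chain that the current config no longer wants."""
    return [rule for rule in live if rule not in wanted]
```

Running `update_incremental` on an empty chain already puts the DROP rule first, and a later config change leaves the removed VM's rule behind, whereas `update_full_restore` yields exactly the wanted order.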