[pve-devel] pve-firewall : iptables V2

Dietmar Maurer dietmar at proxmox.com
Thu Feb 13 11:49:52 CET 2014


> any comments for these patches ?

OK, I have now committed your patches, and removed shorewall specific code.

I do not really like the use of a global variable @ruleset to store rules.

Also, it is a bit unclear to me how you plan to do updates. There is code like:

    if(!iptables_rule_exist($rule)){
        iptables_addrule("-I $rule");
    }

but how do you remove rules for removed VMs (or removed network interfaces) then?

Also, the order of rules inside a ruleset is important, so how do you track ordering changes?
IMHO this is really impossible using code like "if(!iptables_rule_exist($rule))".

Wouldn't it be easier to always restore the full ruleset?
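As an added illustration of the two update strategies discussed in the mail (this is example code, not pve-firewall's or the patch author's): a small model in which rules are plain iptables-restore lines. The VM config, the chain naming and the helper names are constructed for the example and make no claim about the real pve-firewall chains.

```python
# Constructed sample config: vmid -> [(tap interface, accepted tcp ports)]
VM_CONFIG = {
    100: [("tap100i0", [22, 80])],
    101: [("tap101i0", [443])],
}

def build_ruleset(vm_config):
    """Render the complete desired filter-table ruleset, in order, for every
    configured VM interface (hypothetical chain naming, one chain per NIC)."""
    chains, rules = [], []
    for vmid in sorted(vm_config):
        for iface, ports in vm_config[vmid]:
            chain = f"vm{vmid}-{iface}-in"
            chains.append(f":{chain} - [0:0]")
            rules.append(f"-A FORWARD -m physdev --physdev-out {iface} -j {chain}")
            rules += [f"-A {chain} -p tcp --dport {p} -j ACCEPT" for p in ports]
            rules.append(f"-A {chain} -j DROP")   # default deny for this VM NIC
    return ["*filter"] + chains + rules + ["COMMIT"]

def incremental_update(loaded, desired):
    """The 'if(!iptables_rule_exist) iptables_addrule("-I ...")' strategy:
    only rules that are missing get inserted at the top of their chain;
    nothing already loaded is ever removed or reordered."""
    result = list(loaded)
    for rule in desired:
        if rule.startswith("-A ") and rule not in result:
            chain = rule.split()[1]
            # -I prepends: insert before the chain's first existing rule
            idx = next((i for i, r in enumerate(result)
                        if r.startswith(f"-A {chain} ")), len(result))
            result.insert(idx, rule)
    return result

def full_restore(loaded, desired):
    """The alternative: hand the whole ruleset to iptables-restore, which
    replaces the table atomically, so stale rules and wrong order vanish."""
    return list(desired)

def ruleset_drift(loaded, desired):
    """Ordered comparison of what is loaded against what is desired.
    Returns (stale_rules, order_mismatch): stale rules are the ones an
    add-only update leaves behind (removed VMs/NICs); order_mismatch is
    True when the rule set is identical but the order differs."""
    loaded_rules = [r for r in loaded if r.startswith("-A ")]
    desired_rules = [r for r in desired if r.startswith("-A ")]
    stale = [r for r in loaded_rules if r not in desired_rules]
    same_set = sorted(loaded_rules) == sorted(desired_rules)
    return stale, same_set and loaded_rules != desired_rules
```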
