[pve-devel] pve-firewall : iptables V2

Alexandre DERUMIER aderumier at odiso.com
Thu Feb 13 17:49:31 CET 2014


Seem to be fixed this year (so,I don't think is already backported in debian wheezy)

ip[6]tables: Add locking to prevent concurrent instances
http://git.netfilter.org/iptables/commit/?id=93587a04d0f2511e108bbc4d87a8b9d28a5c5dd8


I'll dig for iptables-restore


----- Mail original ----- 

De: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag> 
À: "Alexandre DERUMIER" <aderumier at odiso.com>, pve-devel at pve.proxmox.com 
Envoyé: Jeudi 13 Février 2014 11:33:59 
Objet: Re: [pve-devel] pve-firewall : iptables V2 

Hi Alexandre, 

i see the following Problem regarding the basic IP Tables 
implementation. The iptables binary is not "thread" safe / can't be run 
in parallel. It then exits with exit code 4 and you see a kernel message 
Ressource temporarly unavailable. 

This means you have to check each iptables command for exit code 4 and 
have to reexecute it in that case. 

Examples / Bug Reports: 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=712691 

http://lists.netfilter.org/pipermail/netfilter-devel/2006-June/024640.html 

http://www.redhat.com/archives/libvir-list/2012-March/msg00746.html 

and many more... 

Stefan 
Am 13.02.2014 05:57, schrieb Alexandre DERUMIER: 
> any comments for theses patches ? 
> 
> 
> ----- Mail original ----- 
> 
> De: "Alexandre Derumier" <aderumier at odiso.com> 
> À: pve-devel at pve.proxmox.com 
> Envoyé: Vendredi 7 Février 2014 16:22:26 
> Objet: [pve-devel] pve-firewall : iptables V2 
> 
> changelog: 
> 
> add support for host firewall and group rules. 
> It's use iptables-restore now, so rules are applied atomicaly 
> 
> Also, I don't use anymore return in inbound rule, but directly jump in outbound rules, so less rules lookup 
> 
> FORWARD chains lists are 
> 
> FORWARD--->proxmoxfw-FORWARD 
> ----> BRIDGEFW-OUT 
> --->VMBRX-OUT 
> ------->TAPXX-OUT 
> --->ACCEPT(==JUMP VMBRX-IN) 
> --->GROUP-xxx-OUT 
> --->ACCEPT(==JUMP BRIDGEFW-IN) 
> ---->BRIDGEFW-IN 
> ---->VMBRX-IN 
> ------->TAPXX-IN 
> ---->ACCEPT 
> ---->GROUP-xxx-IN 
> ----->ACCEPT 
> 
> 
> Please test :) 
> (config files sample for host,group,vm firewall are in commits) 
> 
> _______________________________________________ 
> pve-devel mailing list 
> pve-devel at pve.proxmox.com 
> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 
> _______________________________________________ 
> pve-devel mailing list 
> pve-devel at pve.proxmox.com 
> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 
> 



More information about the pve-devel mailing list