[pve-devel] pve-firewall : iptables V2
Alexandre DERUMIER
aderumier at odiso.com
Thu Feb 13 17:49:31 CET 2014
Seems to be fixed this year (so I don't think it is already backported in Debian wheezy)
ip[6]tables: Add locking to prevent concurrent instances
http://git.netfilter.org/iptables/commit/?id=93587a04d0f2511e108bbc4d87a8b9d28a5c5dd8
I'll dig for iptables-restore
----- Original Message -----
From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
To: "Alexandre DERUMIER" <aderumier at odiso.com>, pve-devel at pve.proxmox.com
Sent: Thursday 13 February 2014 11:33:59
Subject: Re: [pve-devel] pve-firewall : iptables V2
Hi Alexandre,
I see the following problem regarding the basic iptables
implementation. The iptables binary is not "thread" safe / can't be run
in parallel. It then exits with exit code 4 and you see a kernel message
"Resource temporarily unavailable".
This means you have to check each iptables command for exit code 4 and
have to re-execute it in that case.
Examples / Bug Reports:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=712691
http://lists.netfilter.org/pipermail/netfilter-devel/2006-June/024640.html
http://www.redhat.com/archives/libvir-list/2012-March/msg00746.html
and many more...
Stefan
On 13.02.2014 05:57, Alexandre DERUMIER wrote:
> any comments for these patches?
>
>
> ----- Original Message -----
>
> From: "Alexandre Derumier" <aderumier at odiso.com>
> To: pve-devel at pve.proxmox.com
> Sent: Friday 7 February 2014 16:22:26
> Subject: [pve-devel] pve-firewall : iptables V2
>
> changelog:
>
> add support for host firewall and group rules.
> It uses iptables-restore now, so rules are applied atomically
>
> Also, I don't use return anymore in the inbound rules, but jump directly in the outbound rules, so fewer rule lookups
>
> FORWARD chains lists are
>
> FORWARD--->proxmoxfw-FORWARD
> ----> BRIDGEFW-OUT
> --->VMBRX-OUT
> ------->TAPXX-OUT
> --->ACCEPT(==JUMP VMBRX-IN)
> --->GROUP-xxx-OUT
> --->ACCEPT(==JUMP BRIDGEFW-IN)
> ---->BRIDGEFW-IN
> ---->VMBRX-IN
> ------->TAPXX-IN
> ---->ACCEPT
> ---->GROUP-xxx-IN
> ----->ACCEPT
>
>
> Please test :)
> (config files sample for host,group,vm firewall are in commits)
>
> _______________________________________________
> pve-devel mailing list
> pve-devel at pve.proxmox.com
> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>