[pve-devel] pve-firewall : iptables V2
Stefan Priebe
s.priebe at profihost.ag
Thu Feb 13 20:44:40 CET 2014
On 13.02.2014 17:49, Alexandre DERUMIER wrote:
> Seems to be fixed this year (so I don't think it is already backported in Debian wheezy)
>
> ip[6]tables: Add locking to prevent concurrent instances
> http://git.netfilter.org/iptables/commit/?id=93587a04d0f2511e108bbc4d87a8b9d28a5c5dd8
ah great, seems to be fixed for jessie...
>
> I'll dig for iptables-restore
>
>
> ----- Mail original -----
>
> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
> To: "Alexandre DERUMIER" <aderumier at odiso.com>, pve-devel at pve.proxmox.com
> Sent: Thursday 13 February 2014 11:33:59
> Subject: Re: [pve-devel] pve-firewall : iptables V2
>
> Hi Alexandre,
>
> I see the following problem regarding the basic iptables
> implementation. The iptables binary is not "thread" safe / can't be run
> in parallel. It then exits with exit code 4 and you see a kernel message
> "Resource temporarily unavailable".
>
> This means you have to check each iptables command for exit code 4 and
> have to re-execute it in that case.
>
> Examples / Bug Reports:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=712691
>
> http://lists.netfilter.org/pipermail/netfilter-devel/2006-June/024640.html
>
> http://www.redhat.com/archives/libvir-list/2012-March/msg00746.html
>
> and many more...
>
> Stefan
> On 13.02.2014 05:57, Alexandre DERUMIER wrote:
>> any comments for these patches?
>>
>>
>> ----- Mail original -----
>>
>> From: "Alexandre Derumier" <aderumier at odiso.com>
>> To: pve-devel at pve.proxmox.com
>> Sent: Friday 7 February 2014 16:22:26
>> Subject: [pve-devel] pve-firewall : iptables V2
>>
>> changelog:
>>
>> add support for host firewall and group rules.
>> It uses iptables-restore now, so rules are applied atomically.
>>
>> Also, I no longer use RETURN in the inbound rules, but jump directly into the outbound rules, so fewer rule lookups.
>>
>> The FORWARD chain layout is:
>>
>> FORWARD--->proxmoxfw-FORWARD
>> ----> BRIDGEFW-OUT
>> --->VMBRX-OUT
>> ------->TAPXX-OUT
>> --->ACCEPT(==JUMP VMBRX-IN)
>> --->GROUP-xxx-OUT
>> --->ACCEPT(==JUMP BRIDGEFW-IN)
>> ---->BRIDGEFW-IN
>> ---->VMBRX-IN
>> ------->TAPXX-IN
>> ---->ACCEPT
>> ---->GROUP-xxx-IN
>> ----->ACCEPT
>>
>>
>> Please test :)
>> (sample config files for host, group and VM firewall are in the commits)
>>
>> _______________________________________________
>> pve-devel mailing list
>> pve-devel at pve.proxmox.com
>> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>>
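The two technical points of the thread, the exit-code-4 collision Stefan describes and the iptables-restore chain layout from Alexandre's changelog, shown together as an added example. This is not pve-firewall code and not from either author: `ipt_retry` re-runs a command only when it exits with status 4 and passes every other status through, and `gen_forward_ruleset` emits the bridge/tap part of the FORWARD layout (BRIDGEFW-OUT → vmbrX-OUT → tapXX-OUT, with the accept expressed as a jump into vmbrX-IN → tapXX-IN → ACCEPT) in iptables-restore syntax so that one run commits the whole table. The group chains are left out; the bridge and tap names, the `-o`/physdev matches used to dispatch into the per-bridge and per-tap chains, and the retry limits are assumptions made for the example, not the project's own rules.

```shell
#!/bin/sh
# Added example (not pve-firewall code). Assumed values: bridge/tap names,
# the dispatch matches, and the retry defaults below.

IPT_RETRIES=${IPT_RETRIES:-5}   # hypothetical default: attempts before giving up
IPT_DELAY=${IPT_DELAY:-1}       # hypothetical default: seconds between attempts

# Run "$@"; retry only on exit status 4 (the xtables lock collision that
# surfaces as "Resource temporarily unavailable"), return any other status
# immediately. iptables builds that carry the locking commit linked above
# expose -w/--wait instead; this wrapper is the fallback for binaries without it.
ipt_retry() {
    _attempt=1
    while :; do
        "$@"
        _rc=$?
        [ "$_rc" -ne 4 ] && return "$_rc"
        if [ "$_attempt" -ge "$IPT_RETRIES" ]; then
            echo "ipt_retry: still locked after $_attempt attempts: $*" >&2
            return "$_rc"
        fi
        _attempt=$((_attempt + 1))
        sleep "$IPT_DELAY"
    done
}

# Emit an iptables-restore ruleset for one bridge ($1) and its tap devices
# (remaining args). Chain names follow the mail; the matches are assumptions:
# -o <bridge> selects the bridge, physdev-in/out select the VM's tap.
gen_forward_ruleset() {
    _br=$1; shift
    echo '*filter'
    # Declare every custom chain before any rule references it.
    for _c in proxmoxfw-FORWARD BRIDGEFW-OUT "$_br-OUT" "$_br-IN"; do
        echo ":$_c - [0:0]"
    done
    for _tap in "$@"; do
        echo ":$_tap-OUT - [0:0]"
        echo ":$_tap-IN - [0:0]"
    done
    echo '-A FORWARD -j proxmoxfw-FORWARD'
    echo '-A proxmoxfw-FORWARD -j BRIDGEFW-OUT'
    # Outbound side: bridge -> tap. The tap's final accept is written as a
    # jump into the bridge's IN chain rather than RETURN, so the packet is
    # not re-dispatched from the top (the "ACCEPT(==JUMP VMBRX-IN)" step).
    echo "-A BRIDGEFW-OUT -o $_br -j $_br-OUT"
    for _tap in "$@"; do
        echo "-A $_br-OUT -m physdev --physdev-is-bridged --physdev-in $_tap -j $_tap-OUT"
        echo "-A $_tap-OUT -j $_br-IN"
    done
    # Inbound side: bridge -> tap -> ACCEPT.
    for _tap in "$@"; do
        echo "-A $_br-IN -m physdev --physdev-is-bridged --physdev-out $_tap -j $_tap-IN"
        echo "-A $_tap-IN -j ACCEPT"
    done
    echo 'COMMIT'
}

# Replace the filter table in one step: iptables-restore commits the whole
# *filter block or none of it, so a reader of the table never sees a
# half-applied set of chains. Needs root and a real iptables; not run here.
apply_forward_ruleset() {
    gen_forward_ruleset "$@" | ipt_retry iptables-restore
}
```

Per-VM rules belong in the tapXX-OUT and tapXX-IN chains before the final jump; the generator only lays down the skeleton. Without `--noflush`, the `*filter` block replaces the entire filter table, which is exactly what gives the atomic swap, so any rules that must survive have to be part of the generated set.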