[pve-devel] pve-firewall : iptables V2

Alexandre DERUMIER aderumier at odiso.com
Fri Feb 14 05:08:18 CET 2014


>>I would not rely on that. We need a way to correctly update rules without relying on previous state. 

Ok, I'll send a patch to generate the whole firewall rules.
I don't think it'll be slow anyway. (And no more iptables_exist, so it can be more reliable too.)

But we need to be sure that our parser is ok, because if one rule is wrong in one VM, we can't apply the rules for all VMs.
(I just detected a bug, where you can set up a port range like 100-80.)

I'll try to send a patch today.

----- Original Mail -----

From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com
Sent: Thursday 13 February 2014 19:07:59
Subject: RE: [pve-devel] pve-firewall : iptables V2

> and if the vm is shutdown, the tap chain is already removed on vm_stop. 

I would not rely on that. We need a way to correctly update rules without relying on previous state. 
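The thread makes two points that are easy to get wrong in a rule generator: a port range such as 100-80 must be rejected by the parser, and when the whole ruleset is regenerated from scratch, every rule of every VM should be validated before a single iptables line is emitted, so one bad rule cannot leave the host half-configured. The following is an added example written for this page, not pve-firewall's own code; the rule dictionary layout, the `tap<vmid>i0-IN` chain naming and the sample VM rules are constructed assumptions for illustration.

```python
"""Port-range validation and all-or-nothing iptables rule generation.

Added example, not pve-firewall code. The rule format ({"proto", "dport",
"action"}) and the chain name pattern are assumptions for the example.
"""
import re

# "80" or "100-200": one to five digits, optional dash and second port
PORT_RE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")


class RuleError(ValueError):
    """Raised for a rule that must never reach iptables."""


def parse_ports(spec):
    """Return (low, high) for "80" or "100-200"; raise RuleError otherwise.

    Rejects empty or non-numeric specs, ports outside 1..65535 and
    inverted ranges such as "100-80" (the bug mentioned in the thread).
    """
    m = PORT_RE.match(spec.strip())
    if not m:
        raise RuleError(f"bad port spec {spec!r}")
    low = int(m.group(1))
    high = int(m.group(2)) if m.group(2) else low
    for port in (low, high):
        if not 1 <= port <= 65535:
            raise RuleError(f"port {port} out of range in {spec!r}")
    if low > high:
        raise RuleError(f"inverted port range {spec!r}")
    return low, high


def rule_to_iptables(chain, rule):
    """Render one rule (assumed dict layout) as an iptables '-A' line."""
    proto = rule.get("proto", "tcp")
    if proto not in ("tcp", "udp"):
        raise RuleError(f"unsupported proto {proto!r}")
    low, high = parse_ports(rule["dport"])
    # iptables writes a port range as low:high, not low-high
    dport = str(low) if low == high else f"{low}:{high}"
    action = rule.get("action", "ACCEPT")
    if action not in ("ACCEPT", "DROP", "REJECT"):
        raise RuleError(f"unsupported action {action!r}")
    return f"-A {chain} -p {proto} --dport {dport} -j {action}"


def chain_for_vm(vmid):
    """Chain name for a VM's first tap device (naming assumed for the example)."""
    return f"tap{vmid}i0-IN"


def validate_ruleset(vms):
    """Check every rule of every VM and return a list of error strings.

    An empty list means the whole ruleset can be generated safely; a
    non-empty list names each bad rule so the user can fix all of them.
    """
    errors = []
    for vmid, rules in sorted(vms.items()):
        for idx, rule in enumerate(rules):
            try:
                rule_to_iptables(chain_for_vm(vmid), rule)
            except RuleError as exc:
                errors.append(f"vm {vmid} rule {idx}: {exc}")
    return errors


def generate_ruleset(vms):
    """Return all iptables lines for all VMs, or raise RuleError with no
    partial output if any rule fails validation."""
    errors = validate_ruleset(vms)
    if errors:
        raise RuleError("; ".join(errors))
    return [rule_to_iptables(chain_for_vm(vmid), rule)
            for vmid, rules in sorted(vms.items()) for rule in rules]


# Constructed sample input: two VMs with valid rules, and a second set
# where one VM carries the inverted range from the thread.
GOOD_VMS = {
    100: [{"proto": "tcp", "dport": "22"},
          {"proto": "tcp", "dport": "80-443"}],
    101: [{"proto": "udp", "dport": "53", "action": "DROP"}],
}
BAD_VMS = {
    100: [{"dport": "22"}],
    101: [{"dport": "100-80"}],
}

if __name__ == "__main__":
    print("\n".join(generate_ruleset(GOOD_VMS)))
    print(validate_ruleset(BAD_VMS))
```

`validate_ruleset` deliberately reports every bad rule rather than stopping at the first one, and `generate_ruleset` only renders output once that list is empty, so a single malformed rule in one VM's configuration blocks the whole regeneration instead of producing a partially applied ruleset.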