[pve-devel] pve-firewall : iptables V2

Alexandre DERUMIER aderumier at odiso.com
Fri Feb 14 07:55:17 CET 2014


>>Wait. Maybe we can optimize/fix your way.
>>
>>(I guess it would be great if we can update FW rules for single VM, or single security groups.)

Ok :)

>>My idea is to do a 'iptables-save' first, and parse that output to see what chains exist.
Good idea.

>>Maybe we can compute MD5sum to see if something changed?
Yes, I think it should work.

Another way: we can list all the taps, groups and bridges with the firewall enabled,
parse iptables-save, make a diff and delete stale chains.

----- Original Message -----

From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com
Sent: Friday, 14 February 2014 07:15:04
Subject: RE: [pve-devel] pve-firewall : iptables V2

> >>I would not rely on that. We need a way to correctly update rules without 
> relying on previous state. 
> 
> Ok, I'll send a patch to generate the whole firewall rules.
> I don't think it'll be slow anyway. (and no more iptables_exist, so it can be 
> more reliable too) 

Wait. Maybe we can optimize/fix your way. 

(I guess it would be great if we can update FW rules for single VM, or single security groups.) 

My idea is to do a 'iptables-save' first, and parse that output to see what chains exist. 
Maybe we can compute MD5sum to see if something changed? 
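A worked illustration of the approach discussed in both mails (added here; this is not code from pve-firewall or from either poster, and it is Python rather than the project's Perl): parse `iptables-save` to see which chains exist, hash the rule set to detect changes, and diff the present chains against the expected ones to find stale chains. The sample dump and the `tap`/`GROUP-` chain-name prefixes are constructed assumptions, not the project's actual naming.

```python
import hashlib
import re

# Constructed sample of `iptables-save` output (not captured from a real host).
# tap101i0-IN stands for a VM whose firewall has since been disabled.
SAMPLE_IPTABLES_SAVE = """\
# Generated by iptables-save v1.4.21 on Fri Feb 14 07:55:17 2014
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:tap100i0-IN - [0:0]
:tap101i0-IN - [0:0]
:GROUP-webservers-IN - [0:0]
-A FORWARD -m physdev --physdev-out tap100i0 -j tap100i0-IN
-A tap100i0-IN -p tcp --dport 22 -j ACCEPT
-A GROUP-webservers-IN -p tcp --dport 80 -j ACCEPT
COMMIT
"""

# Chain declarations look like ":NAME POLICY [pkts:bytes]".
CHAIN_RE = re.compile(r"^:(\S+) ")

def parse_chains(save_output):
    """Return {table: set(chain names)} from iptables-save text."""
    tables, table = {}, None
    for line in save_output.splitlines():
        if line.startswith("*"):                 # "*filter", "*nat", ...
            table = line[1:].strip()
            tables.setdefault(table, set())
        elif table is not None:
            m = CHAIN_RE.match(line)
            if m:
                tables[table].add(m.group(1))
    return tables

def ruleset_digest(save_output):
    """MD5 of the rule set with volatile lines (comments with timestamps,
    packet/byte counters) dropped, so an unchanged rule set hashes identically."""
    stable = []
    for line in save_output.splitlines():
        if line.startswith("#"):
            continue
        if line.startswith(":"):
            line = line.split(" [", 1)[0]        # strip "[pkts:bytes]"
        stable.append(line)
    return hashlib.md5("\n".join(stable).encode()).hexdigest()

def stale_chains(save_output, expected, table="filter"):
    """Managed chains present in the dump but no longer in the expected set."""
    managed_prefix = ("tap", "GROUP-")           # assumed naming, not pve-firewall's
    present = parse_chains(save_output).get(table, set())
    managed = {c for c in present if c.startswith(managed_prefix)}
    return sorted(managed - set(expected))
```

Comparing the digest of a fresh dump with the one stored from the last run tells you whether anything changed before you pay for a full regeneration; `stale_chains` gives the list to flush and delete after the expected chains have been recomputed.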
