[pve-devel] pve-firewall : iptables V2
Alexandre DERUMIER
aderumier at odiso.com
Fri Feb 14 08:27:36 CET 2014
>>another way, we can list all the tap, group, bridge with firewall enabled,
I think it can be done fast by listing /sys/class/net/vmbrX/brif/tapX,
so we can find in iptables-save if stale tap chains exist.
----- Original Message -----
From: "Alexandre DERUMIER" <aderumier at odiso.com>
To: "Dietmar Maurer" <dietmar at proxmox.com>
Cc: pve-devel at pve.proxmox.com
Sent: Friday 14 February 2014 07:55:17
Subject: Re: [pve-devel] pve-firewall : iptables V2
>>Wait. Maybe we can optimize/fix your way.
>>
>>(I guess it would be great if we can update FW rules for single VM, or single security groups.)
Ok :)
>>My idea is to do a 'iptables-save' first, and parse that output to see what chains exist.
good idea
>>Maybe we can compute MD5sum to see if something changed?
Yes, I think it should work.
Another way: we can list all the tap, group, bridge with firewall enabled,
parse iptables-save, make a diff and delete stale chains.
----- Original Message -----
From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com
Sent: Friday 14 February 2014 07:15:04
Subject: RE: [pve-devel] pve-firewall : iptables V2
> >>I would not rely on that. We need a way to correctly update rules without
> relying on previous state.
>
> Ok, I'll send a patch to generate the whole firewall rules.
> I don't think it'll be slow anyway. (and no more iptables_exist, so it can be
> more reliable too)
Wait. Maybe we can optimize/fix your way.
(I guess it would be great if we can update FW rules for single VM, or single security groups.)
My idea is to do a 'iptables-save' first, and parse that output to see what chains exist.
Maybe we can compute MD5sum to see if something changed?
_______________________________________________
pve-devel mailing list
pve-devel at pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
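The approach discussed in this thread (list the live taps from /sys/class/net/<bridge>/brif/, parse iptables-save, diff to find stale per-tap chains, and hash the ruleset to detect whether anything changed) put together as an added Python example; this is not pve-firewall code. The chain naming tap<vmid>i<n>-IN / -OUT and the embedded iptables-save excerpt are assumptions constructed for the example.

```python
import hashlib
import os
import re

# Constructed iptables-save excerpt for this example, not real output from a PVE host.
# Per-tap chains named tap<vmid>i<n>-IN / -OUT are an assumed naming convention.
SAMPLE_IPTABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:tap100i0-IN - [0:0]
:tap100i0-OUT - [0:0]
:tap101i0-IN - [0:0]
:tap101i0-OUT - [0:0]
-A FORWARD -m physdev --physdev-out tap100i0 -j tap100i0-IN
-A tap100i0-IN -p tcp --dport 22 -j ACCEPT
COMMIT
"""

TAP_CHAIN_RE = re.compile(r"^:(tap\d+i\d+)-(?:IN|OUT) ")

def tap_chains(dump):
    """Map each tap interface to the set of chains declared for it in the dump."""
    chains = {}
    for line in dump.splitlines():
        m = TAP_CHAIN_RE.match(line)
        if m:
            chains.setdefault(m.group(1), set()).add(line[1:].split()[0])
    return chains

def active_taps(sysfs_root="/sys/class/net"):
    """Tap ports currently plugged into a bridge, read from <bridge>/brif/ in sysfs."""
    taps = set()
    for dev in os.listdir(sysfs_root):
        brif = os.path.join(sysfs_root, dev, "brif")
        if os.path.isdir(brif):
            taps.update(p for p in os.listdir(brif) if p.startswith("tap"))
    return taps

def stale_tap_chains(dump, live_taps):
    """Chains whose tap is no longer on any bridge, i.e. candidates for -F / -X."""
    return sorted(c for tap, cs in tap_chains(dump).items()
                  if tap not in live_taps for c in cs)

def ruleset_digest(dump):
    """MD5 of the rules with '[pkts:bytes]' counters and '#' comments stripped,
    so the digest only changes when the rules themselves change."""
    h = hashlib.md5()
    for line in dump.splitlines():
        if not line.startswith("#"):
            h.update(re.sub(r"\[\d+:\d+\]", "", line).encode() + b"\n")
    return h.hexdigest()
```

On a real host, `stale_tap_chains(subprocess.check_output(["iptables-save", "-c"]).decode(), active_taps())` gives the chains to flush and delete once their jump rules are removed.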