[pve-devel] pve-firewall : iptables V2
Dietmar Maurer
dietmar at proxmox.com
Fri Feb 14 18:50:03 CET 2014
> >>Oh, I do not care about crashed VM (why?).
>
> (I was thinking of stale tap chains, which we can normally remove at vm_stop, for
> example, but which are not removed if a VM crashes)
We can't do that anyway, because we do not know when a VM crashes.
> >>My idea was that we simply compute the whole set of chains we need.
> >>Then we compare that with the current ruleset, and only apply the diff
> >>(and remove rules which are no longer needed).
>
> When you say the whole set of chains, do you mean the full firewall config?
Yes - but only for the VMs residing on the node.
I guess we can optimize that later to only process the required parts if it turns
out to be a performance problem - but I doubt this will be a problem.
> (I'll wait for your patches to see exactly ;)
OK, will work on that next week.
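The "compute the whole set of chains, compare with the live ruleset, apply only the diff" approach discussed in this thread, as an added example written for this page; it is not code from pve-firewall or from either author. It assumes an `iptables-save`-style dump of the filter table as input, illustrative chain names (`PVEFW-FORWARD`, `tap<vmid>i<net>-IN`) and an assumed input shape for the VMs residing on the node. The constructed dump contains a leftover `tap101i0-IN` chain standing in for a VM that crashed without cleanup; the diff removes it simply because it is absent from the desired set, so no crash notification is needed.

```python
"""Added illustration (not pve-firewall code): build the chains a node needs,
diff them against a parsed `iptables-save` dump and emit only the commands
that change the live ruleset.  Chain names and rule text are assumed."""
import re

# Constructed `iptables-save` output of the filter table, as it might look
# after VM 101 crashed and its tap chain was never removed.
CURRENT_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PVEFW-FORWARD - [0:0]
:tap100i0-IN - [0:0]
:tap101i0-IN - [0:0]
-A FORWARD -j PVEFW-FORWARD
-A PVEFW-FORWARD -m physdev --physdev-out tap100i0 -j tap100i0-IN
-A PVEFW-FORWARD -m physdev --physdev-out tap101i0 -j tap101i0-IN
-A tap100i0-IN -p tcp --dport 22 -j ACCEPT
-A tap100i0-IN -j DROP
-A tap101i0-IN -j DROP
COMMIT
"""

MANAGED_PREFIXES = ("PVEFW-", "tap")   # assumed: the chains this tool owns


def is_managed(chain):
    return chain.startswith(MANAGED_PREFIXES)


def parse_iptables_save(text, table="filter"):
    """Return {chain: [rule, ...]} for one table; a rule is the text after '-A CHAIN '."""
    chains, in_table = {}, False
    for line in text.splitlines():
        if line.startswith("*"):
            in_table = line[1:] == table
        elif not in_table or line == "COMMIT" or line.startswith("#"):
            continue
        elif line.startswith(":"):                 # ":CHAIN POLICY [pkts:bytes]"
            chains.setdefault(line[1:].split()[0], [])
        elif line.startswith("-A "):
            _, chain, rule = line.split(" ", 2)
            chains.setdefault(chain, []).append(rule)
    return chains


def desired_ruleset(vms):
    """vms: {vmid: {"netN": [rules]}} for the VMs residing on this node (assumed shape)."""
    forward, chains = [], {}
    for vmid, nets in sorted(vms.items()):
        for net, rules in sorted(nets.items()):
            tap = f"tap{vmid}i{net[3:]}"           # net0 -> tap100i0
            forward.append(f"-m physdev --physdev-out {tap} -j {tap}-IN")
            chains[f"{tap}-IN"] = list(rules) + ["-j DROP"]
    chains["PVEFW-FORWARD"] = forward
    return chains


def compute_diff(current, desired):
    """Emit the iptables commands that turn `current` into `desired` for managed chains."""
    cmds = []
    # 1. create missing chains first, before any rule jumps to them
    for chain in desired:
        if chain not in current:
            cmds.append(f"-N {chain}")
    # 2. rewrite only the chains whose rule list actually changed
    for chain, rules in desired.items():
        if current.get(chain) != rules:
            if chain in current:
                cmds.append(f"-F {chain}")
            cmds.extend(f"-A {chain} {rule}" for rule in rules)
    # 3. drop managed chains that are no longer needed (a crashed VM's tap chain);
    #    -X only succeeds once the chain is empty and nothing references it, so
    #    remove jumps from unmanaged (built-in) chains first.  Managed parents were
    #    either rewritten in step 2 or are stale themselves and get flushed here.
    for chain in current:
        if is_managed(chain) and chain not in desired:
            for parent, rules in current.items():
                if is_managed(parent):
                    continue
                for rule in rules:
                    if re.search(rf"-j {re.escape(chain)}$", rule):
                        cmds.append(f"-D {parent} {rule}")
            cmds.append(f"-F {chain}")
            cmds.append(f"-X {chain}")
    return cmds


def restore_batch(cmds, table="filter"):
    """Wrap the commands for `iptables-restore --noflush`, which applies them atomically."""
    return f"*{table}\n" + "\n".join(cmds) + "\nCOMMIT\n"


if __name__ == "__main__":
    # VM 100 is on this node (port 80 newly allowed); VM 101 is gone.
    vms = {100: {"net0": ["-p tcp --dport 22 -j ACCEPT", "-p tcp --dport 80 -j ACCEPT"]}}
    print(restore_batch(compute_diff(parse_iptables_save(CURRENT_DUMP), desired_ruleset(vms))))
```

Running the diff twice against the same desired set yields an empty batch, which is what makes it safe to run on every configuration change or timer tick. Feeding the output to `iptables-restore --noflush` rather than calling `iptables` per line matters: a flush-and-refill of a chain done rule by rule leaves the chain briefly empty, while a restore batch replaces the table in one step.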