[pve-devel] RFC : iptables implementation

Dietmar Maurer dietmar at proxmox.com
Tue Jan 21 06:55:43 CET 2014


> - you can define rules (chain names up to 28 characters), and reuse them for
> different VMs
> - you can apply rules on VMs or groups
> - if you need to change a chain/security group, you can simply flush the chain
> (iptables -F chain) before reapplying the rules,
>   without needing to regenerate/"compile" all rules
> - there is no relation with the bridge, only tap interfaces, so you can move an
> interface from a bridge to another bridge without breaking rules.
> - it's possible to do security groups with the MAC addresses of VMs, and allow port
> opening from one group to another group.
> - it's possible to enable/disable firewall logging for each VM separately
> - no need to maintain shorewall config files, compile rules, ...
>   we can simply generate chains live when security groups are created/modified,
> or edit the tap chain when a group is applied to/removed from a tap interface.
> 
> what do you think about it ?

That sounds reasonable so far.

How would you present that to the user (how would you design a GUI for that)?
What configuration files do we need for that (syntax)?

And can we easily implement that with OVS (stateless)?
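The chain layout the quoted proposal sketches (reusable security-group chains, per-tap chains that jump into them, flush-and-refill when a group changes) can be tried out with the script below. This is an added example, not code from the thread or from the project; the group and tap names, the ports, the 28-character check and the FORWARD physdev hook are assumptions, and commands are only printed unless IPT points at a real iptables binary.

```shell
#!/bin/sh
# Added example, not code from the thread: a sketch of the chain layout
# described in the quoted proposal. Group names, tap names, ports and the
# FORWARD hook are made up; commands are only printed unless IPT is set.
IPT="${IPT:-echo iptables}"

# iptables limits chain names to 28 characters (as the proposal notes),
# so refuse longer names before creating anything.
check_name() {
    if [ "${#1}" -gt 28 ]; then
        echo "chain name too long (max 28): $1" >&2
        return 1
    fi
}

# Append one ACCEPT rule per "proto:port" argument to a group chain.
sg_fill() {
    group="$1"; shift
    for spec in "$@"; do
        $IPT -A "$group" -p "${spec%%:*}" --dport "${spec#*:}" -j ACCEPT
    done
}

# Create a reusable security-group chain: sg_create web tcp:80 tcp:443
sg_create() {
    check_name "$1" || return 1
    $IPT -N "$1"
    sg_fill "$@"
}

# Change a group in place: flush it, then re-add its rules. Every tap
# chain that jumps to the group keeps working; nothing else is rebuilt.
sg_update() {
    $IPT -F "$1"
    sg_fill "$@"
}

# Per-tap chain: hooked from FORWARD by the tap name (not the bridge),
# jumps to each applied group, logs if requested, then drops the rest.
tap_apply() {
    tap="$1"; log="$2"; shift 2
    chain="${tap}-IN"
    check_name "$chain" || return 1
    $IPT -N "$chain"
    $IPT -A FORWARD -m physdev --physdev-out "$tap" --physdev-is-bridged -j "$chain"
    for group in "$@"; do $IPT -A "$chain" -j "$group"; done
    if [ "$log" = yes ]; then $IPT -A "$chain" -j LOG --log-prefix "$tap drop: "; fi
    $IPT -A "$chain" -j DROP
}
```

Running `sg_update web tcp:22` after `tap_apply tap100i0 yes web` changes what tap100i0 accepts without touching the tap chain, which is the property the proposal relies on.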
