[pve-devel] RFC : iptables implementation
Alexandre DERUMIER
aderumier at odiso.com
Wed Jan 29 13:27:59 CET 2014
> Also, I would like to add dynamic tap rules on vm start/stop, to reduce rules when
> vm are offline migrated to another host.
> what do you think about it ?
>> Yes, we can update firewall rules whenever we start/stop a VM.

oh, yes, seems simple.

> Currently we don't have a qemu pve-bridge stop script.
>> we don't really need an external script, instead we can directly setup the firewall
>> inside the API handler. We need that for hotplug anyways?

Yes, through the API handler, seems good :)

> Even with it, if the vm is
> crashing, the script is not launched.
>> This is only an optimization, so we can safely ignore that case?

Yes, it's not a problem if the rules exist and the tap is down.

I'll have a look at pve-firewall this week.
----- Original Message -----
From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: "pve-devel" <pve-devel at pve.proxmox.com>
Sent: Wednesday, 29 January 2014 08:29:29
Subject: RE: [pve-devel] RFC : iptables implementation
> Also, I would like to add dynamic tap rules on vm start/stop, to reduce rules when
> vm are offline migrated to another host.
> what do you think about it ?

Yes, we can update firewall rules whenever we start/stop a VM.

> Currently we don't have a qemu pve-bridge stop script.

we don't really need an external script, instead we can directly setup the firewall
inside the API handler. We need that for hotplug anyways?

> Even with it, if the vm is
> crashing, the script is not launched.

This is only an optimization, so we can safely ignore that case?

> I don't know if it's possible to use magic udev rules to intercept tap interface
> destroy and delete iptables rules dynamically ?

no, I don't like to use such things.
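The start/stop-driven scheme discussed above, written out as an added example (this is illustration code, not from the thread and not pve-firewall's own implementation). It assumes Proxmox-style tap names of the form tap<vmid>i<net>, one filter chain per tap named "tap-<tap>", a FORWARD hook using the physdev match, and a small constructed FakeIptables backend so the logic can be exercised without root; the real backend just shells out to iptables. tap_up is written to be re-runnable (a restart or hotplug must not stack a second jump), tap_down unhooks before deleting, and reconcile covers the crash case the thread agrees to tolerate: chains whose tap has vanished are simply removed on the next sweep.

```python
import re
import subprocess

# Assumption (not stated in the thread): Proxmox-style tap names "tap<vmid>i<net>".
TAP_RE = re.compile(r"^tap\d+i\d+$")
CHAIN_PREFIX = "tap-"   # assumed per-tap chain naming


def chain_name(tap):
    """One filter chain per tap, so all rules for a VM NIC disappear together."""
    return CHAIN_PREFIX + tap


def jump_rule(tap):
    """FORWARD hook: bridged frames heading out to this tap are sent to its chain."""
    return ["FORWARD", "-m", "physdev", "--physdev-out", tap,
            "--physdev-is-bridged", "-j", chain_name(tap)]


def chain_rules(tap, allow_tcp_ports=()):
    """Body of the tap chain: stateful allow, explicit TCP allows, default drop."""
    chain = chain_name(tap)
    rules = [[chain, "-m", "conntrack", "--ctstate", "ESTABLISHED,RELATED", "-j", "ACCEPT"]]
    for port in allow_tcp_ports:
        rules.append([chain, "-p", "tcp", "--dport", str(port), "-j", "ACCEPT"])
    rules.append([chain, "-j", "DROP"])
    return rules


def run_iptables(args):
    """Real backend: True when iptables exits 0 (for -C that means "rule present")."""
    return subprocess.run(["iptables", *args], capture_output=True).returncode == 0


def tap_up(tap, run=run_iptables, allow_tcp_ports=()):
    """VM start / NIC hotplug path. Re-runnable: the chain is rebuilt rather than
    appended to, and the FORWARD jump is inserted only if -C reports it missing."""
    if not TAP_RE.match(tap):
        raise ValueError(f"unexpected tap name: {tap!r}")
    chain = chain_name(tap)
    run(["-N", chain])             # non-zero exit if it already exists; harmless
    run(["-F", chain])             # always start from an empty chain
    for rule in chain_rules(tap, allow_tcp_ports):
        run(["-A", *rule])
    if not run(["-C", *jump_rule(tap)]):
        run(["-I", *jump_rule(tap)])


def tap_down(tap, run=run_iptables):
    """VM stop path. Order matters: unhook first, flush, then delete (-X needs no refs)."""
    while run(["-D", *jump_rule(tap)]):   # remove every stacked copy of the jump
        pass
    chain = chain_name(tap)
    run(["-F", chain])
    run(["-X", chain])


def stale_chains(chain_names, live_taps):
    """Chains whose tap no longer exists: a VM died without the stop path running."""
    live = set(live_taps)
    taps = ((c, c[len(CHAIN_PREFIX):]) for c in chain_names if c.startswith(CHAIN_PREFIX))
    return sorted(c for c, t in taps if TAP_RE.match(t) and t not in live)


def reconcile(chain_names, live_taps, run=run_iptables):
    """Periodic sweep for the crash case; returns the chains it removed."""
    stale = stale_chains(chain_names, live_taps)
    for chain in stale:
        tap_down(chain[len(CHAIN_PREFIX):], run)
    return stale


class FakeIptables:
    """Constructed dry-run backend: just enough state to show the idempotency properties."""
    def __init__(self):
        self.chains = {}   # chain -> list of appended rule argument lists
        self.jumps = []    # rules currently in FORWARD (duplicates allowed, as in iptables)
        self.calls = []

    def __call__(self, args):
        self.calls.append(args)
        op, rest = args[0], args[1:]
        if op == "-N":
            if rest[0] in self.chains:
                return False
            self.chains[rest[0]] = []
            return True
        if op in ("-F", "-A"):
            if rest[0] not in self.chains:
                return False
            if op == "-F":
                self.chains[rest[0]] = []
            else:
                self.chains[rest[0]].append(rest[1:])
            return True
        if op == "-X":
            return self.chains.pop(rest[0], None) is not None
        if op == "-C":
            return rest in self.jumps
        if op == "-I":
            self.jumps.insert(0, rest)
            return True
        if op == "-D":
            if rest in self.jumps:
                self.jumps.remove(rest)
                return True
            return False
        raise ValueError(op)
```

With the real backend this has to run as root; the tap name check on entry keeps an API caller from steering the chain name anywhere outside the "tap-" namespace.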