[pve-devel] pve-firewall : basic bridge iptables implementation
Alexandre DERUMIER
aderumier at odiso.com
Fri Jan 31 15:48:03 CET 2014
Currently I'm running iptables commands,
but I found this Perl class:
http://search.cpan.org/~hawk/IPTables-libiptc-0.52/lib/IPTables/libiptc.pm
"
Iptables kernel to userspace design
The reasoning behind making this module comes from how iptables/libiptc communicate with the kernel. Iptables/libiptc transfers the entire ruleset from kernel to userspace, and back again after making some changes to the ruleset.
This is a fairly large operation if only changing a single rule. That is actually the behavior of the iptables command.
Thus, with this knowledge it makes sense to make several changes before committing the changes (entire ruleset) back to the kernel. This is the behavior/purpose of this perl module.
This is also what makes it so very fast to make many rule changes. And gives the property of several rule changes being committed atomically.
"
Maybe it's better to handle chain and rule creation atomically?
(and avoid the need to roll back if one iptables command fails)
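Added example, not code from the thread or from pve-firewall: one way to get the atomic commit the quoted libiptc text describes, without the Perl module, is to batch the per-tap chain and its rules into a single iptables-restore transaction (a swapped-in technique; the tap/bridge names and ports are constructed placeholders).

```shell
#!/bin/sh
# Build one iptables-restore ruleset for a VM tap port on a bridge so that
# chain creation and every rule reach the kernel in one transaction.

build_ruleset() {
    # $1 = tap interface, $2 = bridge; remaining args = allowed TCP ports.
    # (tap100i0 / vmbr0 / 22 80 below are constructed sample values.)
    tap="$1"; bridge="$2"; shift 2
    chain="tap-${tap}-in"
    printf '%s\n' '*filter'
    # ':chain - [0:0]' creates the per-tap chain (or flushes it if it exists)
    printf '%s\n' ":${chain} - [0:0]"
    # Bridged frames traverse FORWARD with the bridge as -i and the tap as
    # physdev-in; this needs net.bridge.bridge-nf-call-iptables=1 on the host.
    printf '%s\n' "-A FORWARD -i ${bridge} -m physdev --physdev-in ${tap} -j ${chain}"
    printf '%s\n' "-A ${chain} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for port in "$@"; do
        printf '%s\n' "-A ${chain} -p tcp --dport ${port} -j ACCEPT"
    done
    printf '%s\n' "-A ${chain} -j DROP"
    printf '%s\n' 'COMMIT'
}

apply_ruleset() {
    # iptables-restore parses the whole input first and replaces the table in
    # one step: an error anywhere means nothing is applied, so no rollback is
    # needed. -n (--noflush) keeps chains the file does not mention; note that
    # re-running this appends a second FORWARD jump unless it is removed first.
    build_ruleset "$@" | iptables-restore -n
}

# usage (needs root and iptables): apply_ruleset tap100i0 vmbr0 22 80
```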
----- Original Mail -----
From: "Alexandre Derumier" <aderumier at odiso.com>
To: pve-devel at pve.proxmox.com
Sent: Friday 31 January 2014 14:57:03
Subject: [pve-devel] pve-firewall : basic bridge iptables implementation
This is a first draft of the iptables bridge firewall.
- tap->host and host->tap are not yet implemented.
- group rules are not yet implemented.
Details in the commit.
Comments are welcome :)
_______________________________________________
pve-devel mailing list
pve-devel at pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel