[pve-devel] pve-firewall : basic bridge iptables implementation
Alexandre DERUMIER
aderumier at odiso.com
Fri Jan 31 16:28:46 CET 2014
>>looks better, yes.
But there are 2 big problems: it doesn't support ipv6 :( ,
and it needs to be patched for the last iptables release (last patch from Sept 2013, so the author seems to be active)
https://rt.cpan.org/Public/Bug/Display.html?id=70639
But it could break with new iptables releases.
I found this class to manage rules cleanly
http://search.cpan.org/~mrash/IPTables-ChainMgr-1.2/lib/IPTables/ChainMgr.pm
(available in debian repo)
but it uses iptables commands.
(I'm not sure that it's a problem, as I manage rules in chains one by one)
>>Did you already check how shorewall handles that?
I really don't know, I'll try to have a look at it.
----- Original Message -----
From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>, pve-devel at pve.proxmox.com
Sent: Friday 31 January 2014 16:13:07
Subject: RE: [pve-devel] pve-firewall : basic bridge iptables implementation
> Maybe it's better to handle atomically chain and rules creation ?
> (and avoid need to rollback if 1 iptables command fail )
looks better, yes. Did you already check how shorewall handles that?