[pve-devel] pve-firewall : basic bridge iptables implementation

Alexandre DERUMIER aderumier at odiso.com
Fri Jan 31 17:06:19 CET 2014


from netfilter doc:

http://www.netfilter.org/documentation/FAQ/netfilter-faq-4.html#ss4.5

"
4.5 Is there an C/C++ API for adding/removing rules?

The answer unfortunately is: No.

Now you might think 'but what about libiptc?'. As has been pointed out numerous times on the mailinglist(s), libiptc was _NEVER_ meant to be used as a public interface. We don't guarantee a stable interface, and it is planned to remove it in the next incarnation of linux packet filtering. libiptc is way too low-layer to be used reasonably anyway.

We are well aware that there is a fundamental lack for such an API, and we are working on improving that situation. Until then, it is recommended to either use system() or open a pipe into stdin of iptables-restore. The latter will give you a way better performance.
"

so maybe iptables-restore can do the job to apply rules chain by chain.
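
The pipe-into-iptables-restore approach from the FAQ, as an added example that is not from this thread or from pve-firewall: one user chain is rebuilt from a generated iptables-restore fragment, so the chain is either fully replaced or left as it was, with no per-rule rollback. The chain name and rules are hypothetical, constructed only for illustration.

```sh
#!/bin/sh
# Added example: replace the contents of one user-defined chain atomically by
# feeding an iptables-restore fragment through a pipe, instead of running one
# iptables command per rule (which leaves a half-applied chain if one fails).
# Chain name and rules below are hypothetical, constructed for illustration.

# build_chain_ruleset CHAIN RULE...
# Emits an iptables-restore fragment for the filter table that declares CHAIN
# (created if missing), flushes it, appends each RULE, and commits. With
# --noflush, iptables-restore leaves every other chain untouched; if any line
# of the fragment fails to parse, it exits before COMMIT and nothing changes.
build_chain_ruleset() {
    chain=$1
    shift
    printf '*filter\n'
    printf ':%s - [0:0]\n' "$chain"   # user chain: policy "-", zeroed counters
    printf -- '-F %s\n' "$chain"      # explicit flush so old rules never linger
    for rule in "$@"; do
        printf -- '-A %s %s\n' "$chain" "$rule"
    done
    printf 'COMMIT\n'
}

# apply_chain_ruleset CHAIN RULE...
# Pipes the fragment into iptables-restore --noflush and returns its exit
# status, or 2 if iptables-restore is not installed, so the caller can report
# failure instead of assuming the chain was updated.
apply_chain_ruleset() {
    command -v iptables-restore >/dev/null 2>&1 || {
        echo "iptables-restore not found" >&2
        return 2
    }
    build_chain_ruleset "$@" | iptables-restore --noflush
}

# Stand-alone run: print the fragment for a hypothetical per-VM input chain.
build_chain_ruleset EXAMPLE-VM-IN \
    '-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
    '-p tcp --dport 22 -j ACCEPT' \
    '-j DROP'
```

The same fragment format is accepted by ip6tables-restore, so the generator can be reused for an IPv6 chain by piping into ip6tables-restore instead. Jump targets referenced by the rules must already exist (or be declared in the same fragment), otherwise the restore fails as a whole, which is the desired all-or-nothing behaviour.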



----- Original Message ----- 

From: "Alexandre DERUMIER" <aderumier at odiso.com> 
To: "Dietmar Maurer" <dietmar at proxmox.com> 
Cc: pve-devel at pve.proxmox.com 
Sent: Friday 31 January 2014 16:28:46 
Subject: Re: [pve-devel] pve-firewall : basic bridge iptables implementation 

>>looks better, yes. 

But there are 2 big problems: it doesn't support IPv6 :( , 
and it needs to be patched for the latest iptables release (the last patch is from Sept 2013, so the author seems to be active) 
https://rt.cpan.org/Public/Bug/Display.html?id=70639 

But it could break with new iptables releases. 


I found this class to manage rules cleanly 
http://search.cpan.org/~mrash/IPTables-ChainMgr-1.2/lib/IPTables/ChainMgr.pm 
(available in debian repo) 

but it uses iptables commands. 

(I'm not sure that it's a problem, as I manage rules in chains one by one) 


>>Did you already check how shorewall handles that? 
I really don't know, I'll try to have a look at it. 



----- Original Message ----- 

From: "Dietmar Maurer" <dietmar at proxmox.com> 
To: "Alexandre DERUMIER" <aderumier at odiso.com>, pve-devel at pve.proxmox.com 
Sent: Friday 31 January 2014 16:13:07 
Subject: RE: [pve-devel] pve-firewall : basic bridge iptables implementation 

> Maybe it's better to handle atomically chain and rules creation ? 
> (and avoid need to rollback if 1 iptables command fail ) 

looks better, yes. Did you already check how shorewall handles that? 
_______________________________________________ 
pve-devel mailing list 
pve-devel at pve.proxmox.com 
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 