[pve-devel] firewall : cluster.fw [rules] section ?

Stefan Priebe s.priebe at profihost.ag
Sat Jul 5 21:14:31 CEST 2014


Am 05.07.2014 14:18, schrieb Alexandre DERUMIER:
>>> Maybe simply:
>>>
>>> protocols: ARP, IPV4, IPV6
>
> No objection for me.
>
> @Stefan, do you think we need other protocols inside a vm ?

You mean we hardcode them instead of using /etc/ethertype? Mhm most 
probably 802_1Q, PPP, IPX, NetBEUI.

> BTW, I'll also rework my ipv6 patch.
>
> I thinked about extend $ruleset, to something like
>
> $ruleset->{iptables}->{filter}
> $ruleset->{iptables}->{nat}
> $ruleset->{ip6tables}->{filter}
> $ruleset->{ebtables}->{filter}
>
> Like this, we can manage multi commands and filters.
>
> What do you think about it ?
Sound great.

> Also, for ebtables, they are ebtables-save and ebtables-restore (same format than iptables),
> but they are not provided by debian ebtables package.(debian remove them in their patches).
> do you think we can provide a pve-ebtables package ?

Strange why do they delete it in their package? I think dietmar has to 
decide whether an own ebtables package makes sense. Is the syntax not 
compatible with the atomic load of the ebtabls file?

Stefan

> ----- Mail original -----
>
> De: "Dietmar Maurer" <dietmar at proxmox.com>
> À: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>, "Alexandre DERUMIER" <aderumier at odiso.com>
> Cc: "pve-devel" <pve-devel at pve.proxmox.com>
> Envoyé: Samedi 5 Juillet 2014 05:49:22
> Objet: RE: [pve-devel] firewall : cluster.fw [rules] section ?
>
>> It would be really nice if we can also define a set of protocols allowed for this
>> VM.
>>
>> For example:
>> layer2filter_protocls: ARP,IPV4,IPV6
>
> Maybe simply:
>
> protocols: ARP, IPV4, IPV6
>


More information about the pve-devel mailing list