[pve-devel] firewall : cluster.fw [rules] section ?

Stefan Priebe s.priebe at profihost.ag
Sat Jul 5 21:14:31 CEST 2014

Am 05.07.2014 14:18, schrieb Alexandre DERUMIER:
>>> Maybe simply:
>>> protocols: ARP, IPV4, IPV6
> No objection for me.
> @Stefan, do you think we need other protocols inside a vm ?

You mean we hardcode them instead of using /etc/ethertype? Mhm most 
probably 802_1Q, PPP, IPX, NetBEUI.

> BTW, I'll also rework my ipv6 patch.
> I thinked about extend $ruleset, to something like
> $ruleset->{iptables}->{filter}
> $ruleset->{iptables}->{nat}
> $ruleset->{ip6tables}->{filter}
> $ruleset->{ebtables}->{filter}
> Like this, we can manage multi commands and filters.
> What do you think about it ?
Sound great.

> Also, for ebtables, they are ebtables-save and ebtables-restore (same format than iptables),
> but they are not provided by debian ebtables package.(debian remove them in their patches).
> do you think we can provide a pve-ebtables package ?

Strange why do they delete it in their package? I think dietmar has to 
decide whether an own ebtables package makes sense. Is the syntax not 
compatible with the atomic load of the ebtabls file?


> ----- Mail original -----
> De: "Dietmar Maurer" <dietmar at proxmox.com>
> À: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>, "Alexandre DERUMIER" <aderumier at odiso.com>
> Cc: "pve-devel" <pve-devel at pve.proxmox.com>
> Envoyé: Samedi 5 Juillet 2014 05:49:22
> Objet: RE: [pve-devel] firewall : cluster.fw [rules] section ?
>> It would be really nice if we can also define a set of protocols allowed for this
>> VM.
>> For example:
>> layer2filter_protocls: ARP,IPV4,IPV6
> Maybe simply:
> protocols: ARP, IPV4, IPV6

More information about the pve-devel mailing list