[pve-devel] firewall : cluster.fw [rules] section ?

Alexandre DERUMIER aderumier at odiso.com
Sun Jul 6 11:35:25 CEST 2014


>>Would be nice but it got included upstream in linux 3.13 kernel. I think it's something for RHEL8. 

Seem that's is already available in rhel7

http://www.slideee.com/slide/the-next-generation-firewall-for-red-hat-enterprise-linux-7-rc

>>Who knows how many bugs there are. 

But, yes, I'm also a bit worried to already use it, not sure it's stable and don't have security hole inside.

----- Mail original ----- 

De: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag> 
À: "Dietmar Maurer" <dietmar at proxmox.com> 
Cc: "Alexandre DERUMIER" <aderumier at odiso.com>, "pve-devel" <pve-devel at pve.proxmox.com> 
Envoyé: Dimanche 6 Juillet 2014 07:17:21 
Objet: Re: [pve-devel] firewall : cluster.fw [rules] section ? 


Am 06.07.2014 um 05:32 schrieb Dietmar Maurer <dietmar at proxmox.com>: 

>> BTW, I'll also rework my ipv6 patch. 
>> 
>> I thinked about extend $ruleset, to something like 
>> 
>> $ruleset->{iptables}->{filter} 
>> $ruleset->{iptables}->{nat} 
>> $ruleset->{ip6tables}->{filter} 
>> $ruleset->{ebtables}->{filter} 
>> 
>> Like this, we can manage multi commands and filters. 
>> 
>> What do you think about it ? 
> 
> Looks good, but I think we should evaluate nftables now (instead of using all those different binaries). 
> I have no idea if it is already usable? 

Would be nice but it got included upstream in linux 3.13 kernel. I think it's something for RHEL8. And nearly nobody has used it so far. Who knows how many bugs there are. 

Stefan 


More information about the pve-devel mailing list