[pve-devel] firewall : cluster.fw [rules] section ?

Alexandre DERUMIER aderumier at odiso.com
Sun Jul 6 12:21:54 CEST 2014


Do you think they are used in 2014? ;) I haven't used them since the 90's.

----- Original message -----

From: "Stefan Priebe" <s.priebe at profihost.ag>
To: "Alexandre DERUMIER" <aderumier at odiso.com>, "Dietmar Maurer" <dietmar at proxmox.com>
Cc: "pve-devel" <pve-devel at pve.proxmox.com>
Sent: Saturday 5 July 2014 21:14:31
Subject: Re: [pve-devel] firewall : cluster.fw [rules] section ?

On 05.07.2014 14:18, Alexandre DERUMIER wrote:
>>> Maybe simply: 
>>> protocols: ARP, IPV4, IPV6 
> No objection for me. 
> @Stefan, do you think we need other protocols inside a vm ? 

You mean we hardcode them instead of using /etc/ethertype? Mhm most 
probably 802_1Q, PPP, IPX, NetBEUI. 

> BTW, I'll also rework my ipv6 patch. 
> I thought about extending $ruleset to something like
> $ruleset->{iptables}->{filter} 
> $ruleset->{iptables}->{nat} 
> $ruleset->{ip6tables}->{filter} 
> $ruleset->{ebtables}->{filter} 
> Like this, we can manage multi commands and filters. 
> What do you think about it ? 
Sounds great.

> Also, for ebtables, there are ebtables-save and ebtables-restore (same format as iptables),
> but they are not provided by the Debian ebtables package (Debian removes them in their patches).
> Do you think we can provide a pve-ebtables package?

Strange, why do they delete it in their package? I think dietmar has to
decide whether an own ebtables package makes sense. Is the syntax not
compatible with the atomic load of the ebtables file?


> ----- Original message -----
> From: "Dietmar Maurer" <dietmar at proxmox.com>
> To: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>, "Alexandre DERUMIER" <aderumier at odiso.com>
> Cc: "pve-devel" <pve-devel at pve.proxmox.com>
> Sent: Saturday 5 July 2014 05:49:22
> Subject: RE: [pve-devel] firewall : cluster.fw [rules] section ?
>> It would be really nice if we can also define a set of protocols allowed for this 
>> VM. 
>> For example: 
>> layer2filter_protocls: ARP,IPV4,IPV6 
> Maybe simply: 
> protocols: ARP, IPV4, IPV6 
