[pve-devel] firewall : cluster.fw [rules] section ?

Alexandre DERUMIER aderumier at odiso.com
Mon Jul 7 07:46:14 CEST 2014


>>My feeling is that we should use nft, else we will do all work twice. 
>>
yes. 

>>But the current iptables implementation is a good start for the first release. 

I'll try to build a nftables rules sample manually to see what's missing.
maybe can we release current iptables code for ipv4+ipset   and later nftables for ipv4+ipv6+etables ?




I think nft it's almost ready, 0.3 release note said that some parts are not yet ready
(masquerading, unicast/multicast/broacast rules).
So it should be ready in some months I think.


"
Ongoing works
=============

There are several open fronts in terms of development:

* Full logging support for all the supported families (ip, ip6, arp,
  bridge and inet).

* Masquerading support.

* Better reject support, which allows you to indicate the explicit reject
  reason.

* JSON/XML import.

* reverse set lookups, eg.

ip saddr != { 192.168.0.1, 192.168.0.10, 192.168.0.11 }
         ^^

* more new meta selectors, packet type (unicast, multicast and broadcast),
  cpu, physical interface, realm, etc.

* support for concatenations - multidimensional exact matches in O(1) types

* set selection - automatic selection of the optimal set
  implementation.
"








----- Mail original ----- 

De: "Dietmar Maurer" <dietmar at proxmox.com> 
À: "Alexandre DERUMIER" <aderumier at odiso.com> 
Cc: "pve-devel" <pve-devel at pve.proxmox.com> 
Envoyé: Lundi 7 Juillet 2014 06:02:08 
Objet: RE: [pve-devel] firewall : cluster.fw [rules] section ? 

> another interesting feature since nftables 0.2, is to be able to manage ipv4 and 
> ipv6 
> in the same filter table 

My feeling is that we should use nft, else we will do all work twice. 

But the current iptables implementation is a good start for the first release. 


More information about the pve-devel mailing list