[pve-devel] firewall : cluster.fw [rules] section ?
Alexandre DERUMIER
aderumier at odiso.com
Mon Jul  7 07:46:14 CEST 2014

>>My feeling is that we should use nft, else we will do all work twice. 
>>
yes. 
>>But the current iptables implementation is a good start for the first release. 
I'll try to build a nftables rules sample manually to see what's missing.
Maybe we can release the current iptables code for ipv4+ipset and later nftables for ipv4+ipv6+ebtables?
I think nft is almost ready; the 0.3 release note said that some parts are not yet ready
(masquerading, unicast/multicast/broadcast rules).
So it should be ready in some months I think.
"
Ongoing works
=============
There are several open fronts in terms of development:
* Full logging support for all the supported families (ip, ip6, arp,
  bridge and inet).
* Masquerading support.
* Better reject support, which allows you to indicate the explicit reject
  reason.
* JSON/XML import.
* reverse set lookups, eg.
ip saddr != { 192.168.0.1, 192.168.0.10, 192.168.0.11 }
         ^^
* more new meta selectors, packet type (unicast, multicast and broadcast),
  cpu, physical interface, realm, etc.
* support for concatenations - multidimensional exact matches in O(1) types
* set selection - automatic selection of the optimal set
  implementation.
"
----- Original Message -----
From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: "pve-devel" <pve-devel at pve.proxmox.com>
Sent: Monday, 7 July 2014 06:02:08
Subject: RE: [pve-devel] firewall : cluster.fw [rules] section ?
> another interesting feature since nftables 0.2, is to be able to manage ipv4 and 
> ipv6 
> in the same filter table 
My feeling is that we should use nft, else we will do all work twice. 
But the current iptables implementation is a good start for the first release. 
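As an added illustration of the point both posters raise (one nft table handling IPv4 and IPv6 together), here is a ruleset in the inet family that also uses the reverse set lookup and explicit reject reason listed in the quoted release notes; it is not code from the thread or from the PVE firewall. The addresses and set names are constructed, and the syntax is that of current nft, which the 0.3 release discussed above predates.

```nft
# Constructed example: a single inet-family table filters both IPv4 and
# IPv6, so the rules do not have to be duplicated across "ip" and "ip6".
table inet filter {
    # Constructed management hosts allowed to open SSH to the node.
    set mgmt4 { type ipv4_addr; elements = { 192.168.0.1, 192.168.0.10, 192.168.0.11 } }
    set mgmt6 { type ipv6_addr; elements = { 2001:db8::10, 2001:db8::11 } }

    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop
        iif "lo" accept

        # Both ICMP variants live in the same chain; no per-family tables.
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # Reverse set lookup ("!=" from the release notes): SSH only from the
        # management sets, each rule matching only its own address family.
        tcp dport 22 ip saddr != @mgmt4 drop
        tcp dport 22 ip6 saddr != @mgmt6 drop
        tcp dport 22 accept

        # Explicit reject reason; icmpx picks ICMP or ICMPv6 per packet.
        log prefix "inet-filter reject: " reject with icmpx type admin-prohibited
    }
}
```

Load with `nft -f` and inspect with `nft list ruleset`; a packet's family decides which of the `ip`/`ip6` matches can apply, so the two SSH drop rules never interfere with each other.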