[pve-devel] firewall : cluster.fw [rules] section ?

Alexandre DERUMIER aderumier at odiso.com
Mon Jul 7 10:24:13 CEST 2014


>>I really would love to see the mac filter for layer2 in the first
>>release. At least to me it's a pretty important thing. Otherwise the
>>current mac filter is pretty "useless".
>>
>>Stefan

I'll check if we couldn't mix iptables and nftables (for the layer2), to not do twice the job.



----- Mail original ----- 

De: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag> 
À: "Alexandre DERUMIER" <aderumier at odiso.com>, "Dietmar Maurer" <dietmar at proxmox.com> 
Cc: "pve-devel" <pve-devel at pve.proxmox.com> 
Envoyé: Lundi 7 Juillet 2014 09:17:42 
Objet: Re: [pve-devel] firewall : cluster.fw [rules] section ? 

Hi, 

Am 07.07.2014 07:46, schrieb Alexandre DERUMIER: 
>>> My feeling is that we should use nft, else we will do all work twice. 
>>> 
> yes. 
> 
>>> But the current iptables implementation is a good start for the first release. 
> 
> I'll try to build a nftables rules sample manually to see what's missing. 
> maybe can we release current iptables code for ipv4+ipset and later nftables for ipv4+ipv6+etables ? 

I really would love to see the mac filter for layer2 in the first 
release. At least to me it's a pretty important thing. Otherwise the 
current mac filter is pretty "useless". 

Stefan 

> I think nft it's almost ready, 0.3 release note said that some parts are not yet ready 
> (masquerading, unicast/multicast/broacast rules). 
> So it should be ready in some months I think. 
> 
> 
> " 
> Ongoing works 
> ============= 
> 
> There are several open fronts in terms of development: 
> 
> * Full logging support for all the supported families (ip, ip6, arp, 
> bridge and inet). 
> 
> * Masquerading support. 
> 
> * Better reject support, which allows you to indicate the explicit reject 
> reason. 
> 
> * JSON/XML import. 
> 
> * reverse set lookups, eg. 
> 
> ip saddr != { 192.168.0.1, 192.168.0.10, 192.168.0.11 } 
> ^^ 
> 
> * more new meta selectors, packet type (unicast, multicast and broadcast), 
> cpu, physical interface, realm, etc. 
> 
> * support for concatenations - multidimensional exact matches in O(1) types 
> 
> * set selection - automatic selection of the optimal set 
> implementation. 
> " 
> 
> 
> 
> 
> 
> 
> 
> 
> ----- Mail original ----- 
> 
> De: "Dietmar Maurer" <dietmar at proxmox.com> 
> À: "Alexandre DERUMIER" <aderumier at odiso.com> 
> Cc: "pve-devel" <pve-devel at pve.proxmox.com> 
> Envoyé: Lundi 7 Juillet 2014 06:02:08 
> Objet: RE: [pve-devel] firewall : cluster.fw [rules] section ? 
> 
>> another interesting feature since nftables 0.2, is to be able to manage ipv4 and 
>> ipv6 
>> in the same filter table 
> 
> My feeling is that we should use nft, else we will do all work twice. 
> 
> But the current iptables implementation is a good start for the first release. 
> _______________________________________________ 
> pve-devel mailing list 
> pve-devel at pve.proxmox.com 
> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 
> 


More information about the pve-devel mailing list