[pve-devel] firewall : cluster.fw [rules] section ?

Alexandre DERUMIER aderumier at odiso.com
Tue Jul 8 00:25:58 CEST 2014


>>Sure, but especially in this case I wouldn't go with nftables. Nobody 
>>knows how many bugs there are. How many crashes in kernel or userspace 
>>somebody has to expect. And even nobody knows when it will be declared 
>>stable. 

I should have a full ebtables + ip6tables patch for next week I think.

nftables really does not seem to be ready soon. (I have had other commands segfault and found missing features in the current Red Hat kernel too.)


----- Original Message ----- 

From: "Stefan Priebe" <s.priebe at profihost.ag> 
To: "Dietmar Maurer" <dietmar at proxmox.com>, "Alexandre DERUMIER" <aderumier at odiso.com> 
Cc: "pve-devel" <pve-devel at pve.proxmox.com> 
Sent: Monday 7 July 2014 21:01:15 
Subject: Re: [pve-devel] firewall : cluster.fw [rules] section ? 


On 07.07.2014 15:48, Dietmar Maurer wrote: 
>> I really would love to see the mac filter for layer2 in the first release. At least to 
>> me it's a pretty important thing. Otherwise the current mac filter is pretty 
>> "useless". 
> 
> Maybe it is useless for hosters, but it is very useful for small enterprises. 

Sorry, useless was a bit harsh - that's why I put it into ticks. I think 
it's simply not complete. Somebody checking mac filter might expect 
something different not only on layer 3 basis. 

I'm not thinking about hosters. I don't care about me ;-) I can just add 
it to the code using ebtables myself. 

I was caring about pve users expecting something which it isn't. 

> I want to release that 
> asap, and don't really want to add new features right now. 

OK. 

> We also need to carefully utilize our resources, so anything that saves work is good. 
> Doing things twice is only possible if someone pays for that. 

Sure, but especially in this case I wouldn't go with nftables. Nobody 
knows how many bugs there are. How many crashes in kernel or userspace 
somebody has to expect. And even nobody knows when it will be declared 
stable. 

Greets, 
Stefan 

