[pve-devel] firewall : cluster.fw [rules] section ?

Alexandre DERUMIER aderumier at odiso.com
Tue Jul 8 10:43:31 CEST 2014


>>Great and thanks for your work.

I'm going to holiday on 17 July, so I'll try to send patches before.


----- Mail original ----- 

De: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag> 
À: "Alexandre DERUMIER" <aderumier at odiso.com> 
Cc: "pve-devel" <pve-devel at pve.proxmox.com>, "Dietmar Maurer" <dietmar at proxmox.com> 
Envoyé: Mardi 8 Juillet 2014 10:32:51 
Objet: Re: [pve-devel] firewall : cluster.fw [rules] section ? 

Am 08.07.2014 00:25, schrieb Alexandre DERUMIER: 
>>> Sure, but especially in this case i wouldn't go with nftables. Nobody 
>>> knows how many bugs there arre. How many crashes in kernel or userspace 
>>> somebody has to expect. And even nobody knows when it will be declared 
>>> stable. 
> 
> I should have a full ebtables + ip6tables patch for next week I think. 

Great and thanks for your work. 

Stefan 

> nftable seem really to not be ready soon. (I have add other commands segfault and found missing features in current redhat kernel too) 


> ----- Mail original ----- 
> 
> De: "Stefan Priebe" <s.priebe at profihost.ag> 
> À: "Dietmar Maurer" <dietmar at proxmox.com>, "Alexandre DERUMIER" <aderumier at odiso.com> 
> Cc: "pve-devel" <pve-devel at pve.proxmox.com> 
> Envoyé: Lundi 7 Juillet 2014 21:01:15 
> Objet: Re: [pve-devel] firewall : cluster.fw [rules] section ? 
> 
> 
> Am 07.07.2014 15:48, schrieb Dietmar Maurer: 
>>> I really would love to see the mac filter for layer2 in the first release. At least to 
>>> me it's a pretty important thing. Otherwise the current mac filter is pretty 
>>> "useless". 
>> 
>> Maybe it is useles for hosters, but it is very useful for small enterprises. 
> 
> Sorry useless was a bit harsh - that's why i put it into ticks. I thing 
> it's simply not complete. Somebody checking mac filter might expect 
> something different not only on layer 3 basis. 
> 
> I'm not thinking about hosters. I don't care about me ;-) i can just add 
> it to the code using ebtables myself. 
> 
> I was caring about pve users expecting something which it isn't. 
> 
>> I want to release that 
>> asap, and don't really want to add new features right now. 
> 
> OK. 
> 
>> We also need to carefully utilize our resources, so anything that saves work is good. 
>> doing things twice is only possible if someone pay for that. 
> 
> Sure, but especially in this case i wouldn't go with nftables. Nobody 
> knows how many bugs there arre. How many crashes in kernel or userspace 
> somebody has to expect. And even nobody knows when it will be declared 
> stable. 
> 
> Greets, 
> Stefan 
> 



More information about the pve-devel mailing list