[pve-devel] firewall : cluster.fw [rules] section ?
Alexandre DERUMIER
aderumier at odiso.com
Tue Jul 8 10:43:31 CEST 2014
>>Great and thanks for your work.
I'm going on holiday on 17 July, so I'll try to send patches before.
----- Original Message -----
From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: "pve-devel" <pve-devel at pve.proxmox.com>, "Dietmar Maurer" <dietmar at proxmox.com>
Sent: Tuesday 8 July 2014 10:32:51
Subject: Re: [pve-devel] firewall : cluster.fw [rules] section ?
On 08.07.2014 00:25, Alexandre DERUMIER wrote:
>>> Sure, but especially in this case I wouldn't go with nftables. Nobody
>>> knows how many bugs there are. How many crashes in kernel or userspace
>>> somebody has to expect. And even nobody knows when it will be declared
>>> stable.
>
> I should have a full ebtables + ip6tables patch for next week I think.
Great and thanks for your work.
Stefan
> nftables really seems not to be ready soon. (I have had other commands segfault and found missing features in the current Red Hat kernel too)
> ----- Original Message -----
>
> From: "Stefan Priebe" <s.priebe at profihost.ag>
> To: "Dietmar Maurer" <dietmar at proxmox.com>, "Alexandre DERUMIER" <aderumier at odiso.com>
> Cc: "pve-devel" <pve-devel at pve.proxmox.com>
> Sent: Monday 7 July 2014 21:01:15
> Subject: Re: [pve-devel] firewall : cluster.fw [rules] section ?
>
>
> On 07.07.2014 15:48, Dietmar Maurer wrote:
>>> I really would love to see the mac filter for layer2 in the first release. At least to
>>> me it's a pretty important thing. Otherwise the current mac filter is pretty
>>> "useless".
>>
>> Maybe it is useless for hosters, but it is very useful for small enterprises.
>
> Sorry, useless was a bit harsh - that's why I put it into ticks. I think
> it's simply not complete. Somebody checking mac filter might expect
> something different, not only on a layer 3 basis.
>
> I'm not thinking about hosters. I don't care about me ;-) I can just add
> it to the code using ebtables myself.
>
> I was caring about pve users expecting something which it isn't.
>
>> I want to release that
>> asap, and don't really want to add new features right now.
>
> OK.
>
>> We also need to carefully utilize our resources, so anything that saves work is good.
>> Doing things twice is only possible if someone pays for that.
>
> Sure, but especially in this case I wouldn't go with nftables. Nobody
> knows how many bugs there are. How many crashes in kernel or userspace
> somebody has to expect. And even nobody knows when it will be declared
> stable.
>
> Greets,
> Stefan
>