[pve-devel] firewall : cluster.fw [rules] section ?

Stefan Priebe - Profihost AG s.priebe at profihost.ag
Wed Jul 9 16:12:53 CEST 2014


Am 09.07.2014 16:11, schrieb Alexandre DERUMIER:
> Hi,
> 
> some news, I have finished the ip6tables implementation, I'll send patches tomorrow !
> 
> (I'll work on ebtables this weekend)

Great!

Stefan

> ----- Mail original ----- 
> 
> De: "Alexandre DERUMIER" <aderumier at odiso.com> 
> À: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag> 
> Cc: "pve-devel" <pve-devel at pve.proxmox.com> 
> Envoyé: Mardi 8 Juillet 2014 10:43:31 
> Objet: Re: [pve-devel] firewall : cluster.fw [rules] section ? 
> 
>>> Great and thanks for your work. 
> 
> I'm going to holiday on 17 July, so I'll try to send patches before. 
> 
> 
> ----- Mail original ----- 
> 
> De: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag> 
> À: "Alexandre DERUMIER" <aderumier at odiso.com> 
> Cc: "pve-devel" <pve-devel at pve.proxmox.com>, "Dietmar Maurer" <dietmar at proxmox.com> 
> Envoyé: Mardi 8 Juillet 2014 10:32:51 
> Objet: Re: [pve-devel] firewall : cluster.fw [rules] section ? 
> 
> Am 08.07.2014 00:25, schrieb Alexandre DERUMIER: 
>>>> Sure, but especially in this case i wouldn't go with nftables. Nobody 
>>>> knows how many bugs there arre. How many crashes in kernel or userspace 
>>>> somebody has to expect. And even nobody knows when it will be declared 
>>>> stable. 
>>
>> I should have a full ebtables + ip6tables patch for next week I think. 
> 
> Great and thanks for your work. 
> 
> Stefan 
> 
>> nftable seem really to not be ready soon. (I have add other commands segfault and found missing features in current redhat kernel too) 
> 
> 
>> ----- Mail original ----- 
>>
>> De: "Stefan Priebe" <s.priebe at profihost.ag> 
>> À: "Dietmar Maurer" <dietmar at proxmox.com>, "Alexandre DERUMIER" <aderumier at odiso.com> 
>> Cc: "pve-devel" <pve-devel at pve.proxmox.com> 
>> Envoyé: Lundi 7 Juillet 2014 21:01:15 
>> Objet: Re: [pve-devel] firewall : cluster.fw [rules] section ? 
>>
>>
>> Am 07.07.2014 15:48, schrieb Dietmar Maurer: 
>>>> I really would love to see the mac filter for layer2 in the first release. At least to 
>>>> me it's a pretty important thing. Otherwise the current mac filter is pretty 
>>>> "useless". 
>>>
>>> Maybe it is useles for hosters, but it is very useful for small enterprises. 
>>
>> Sorry useless was a bit harsh - that's why i put it into ticks. I thing 
>> it's simply not complete. Somebody checking mac filter might expect 
>> something different not only on layer 3 basis. 
>>
>> I'm not thinking about hosters. I don't care about me ;-) i can just add 
>> it to the code using ebtables myself. 
>>
>> I was caring about pve users expecting something which it isn't. 
>>
>>> I want to release that 
>>> asap, and don't really want to add new features right now. 
>>
>> OK. 
>>
>>> We also need to carefully utilize our resources, so anything that saves work is good. 
>>> doing things twice is only possible if someone pay for that. 
>>
>> Sure, but especially in this case i wouldn't go with nftables. Nobody 
>> knows how many bugs there arre. How many crashes in kernel or userspace 
>> somebody has to expect. And even nobody knows when it will be declared 
>> stable. 
>>
>> Greets, 
>> Stefan 
>>
> _______________________________________________ 
> pve-devel mailing list 
> pve-devel at pve.proxmox.com 
> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 
> 


More information about the pve-devel mailing list