[pve-devel] PVE Firewall

Alexandre DERUMIER aderumier at odiso.com
Mon Jun 16 09:57:57 CEST 2014


>>- Network card based checkbox
>>
>>Why do we need the VM based checkbox if we already have that for each nic?

I think we could remove the enable|disable firewall option, for qemu and openvz veth.
(we retrieve net->firewall in firewall rules generation, so no problem here)

The code is:

    foreach my $vmid (keys %{$vmdata->{qemu}}) {
        eval {
            my $conf = $vmdata->{qemu}->{$vmid};
            my $vmfw_conf = $vmfw_configs->{$vmid};
            return if !$vmfw_conf;
            return if !$vmfw_conf->{options}->{enable};   # skip if the VM firewall is disabled

            generate_ipset_chains($ipset_ruleset, $cluster_conf, $vmfw_conf);

            foreach my $netid (keys %$conf) {
                next if $netid !~ m/^net(\d+)$/;
                my $net = PVE::QemuServer::parse_net($conf->{$netid});
                next if !$net->{firewall};   # skip if the NIC firewall flag is disabled

                # ... per-NIC rule generation continues here (not quoted in the mail)
            }
        };
    }

But for openvz venet, we need to have an option somewhere.
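As an added example (not code from the thread or from pve-firewall), the following mirrors the three gates discussed here, cluster-wide enable, VM-level enable and the per-NIC firewall flag, as an audit check that reports for each netN interface whether rules would actually be generated, so a "firewall enabled but not working" situation like Stefan's becomes visible. The netN value format, the cluster-level gate and all sample values are assumptions.

```python
import re

def parse_net(value):
    """Parse a PVE 'netN' config value such as
    'virtio=DE:AD:BE:EF:00:01,bridge=vmbr0,firewall=1' into a dict.
    Format is assumed: the first key=value pair is model=MAC, the
    remaining pairs are named options; firewall is normalised to bool."""
    net = {}
    for i, part in enumerate(value.split(',')):
        key, _, val = part.partition('=')
        if i == 0:
            net['model'], net['macaddr'] = key, val
        else:
            net[key] = val
    net['firewall'] = net.get('firewall') == '1'
    return net

def audit_vm_firewall(cluster_enabled, vmfw_conf, vm_conf):
    """Apply the same gating order as the rule generator quoted above:
    cluster firewall on (assumed gate from the thread), VM firewall
    options enable set, and firewall=1 on the NIC itself.
    Returns {netid: 'active' | 'skipped: <reason>'}."""
    vm_enabled = bool(vmfw_conf and vmfw_conf.get('options', {}).get('enable'))
    result = {}
    for netid, value in vm_conf.items():
        if not re.match(r'^net\d+$', netid):
            continue  # only netN keys describe interfaces
        net = parse_net(value)
        if not cluster_enabled:
            result[netid] = 'skipped: cluster firewall disabled'
        elif not vm_enabled:
            result[netid] = 'skipped: vm firewall disabled'
        elif not net['firewall']:
            result[netid] = 'skipped: nic firewall flag not set'
        else:
            result[netid] = 'active'
    return result

# Constructed sample VM config: net0 carries firewall=1, net1 does not.
VM_CONF = {
    'net0': 'virtio=DE:AD:BE:EF:00:01,bridge=vmbr0,firewall=1',
    'net1': 'e1000=DE:AD:BE:EF:00:02,bridge=vmbr1',
    'memory': '2048',
}

if __name__ == '__main__':
    for netid, status in audit_vm_firewall(True, {'options': {'enable': 1}}, VM_CONF).items():
        print(netid, status)
```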

----- Original Mail -----

From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
To: "Dietmar Maurer" <dietmar at proxmox.com>, pve-devel at pve.proxmox.com
Sent: Monday 16 June 2014 09:31:07
Subject: Re: [pve-devel] PVE Firewall

On 16.06.2014 09:21, Stefan Priebe - Profihost AG wrote:
> On 13.06.2014 20:33, Dietmar Maurer wrote:
>>> I would like to have different levels of firewall. Something the USER / VM Owner
>>> can control and something the PVE Manager / Sysadmin can control.
>>>
>>> So I can give the user the ability to use the new cool firewall code but I can still
>>> be sure that he doesn't use a DHCP Server, didn't disable the MAC filter and
>>> doesn't fake IP addresses.

> That sounds great too ;-) 
> 
> Still need to figure out why the firewall does not work for me at all. 

OK, got the answer. Maybe a bit too difficult for new users ;-)

You need to also check the firewall button on the network interface. 

Isn't that a bit too complex? 

So we have: 
- global firewall button (cluster.fw) (ok makes sense - so the proxmox
admin can decide whether VM users can use this feature at all)

- VM based firewall checkbox to enable / disable this per VM 

- Network card based checkbox

Why do we need the VM based checkbox if we already have that for each nic? 

Stefan 
_______________________________________________ 
pve-devel mailing list 
pve-devel at pve.proxmox.com 
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 
