[pve-devel] PVE Firewall

Stefan Priebe - Profihost AG s.priebe at profihost.ag
Mon Jun 16 10:08:40 CEST 2014


On 16.06.2014 09:57, Alexandre DERUMIER wrote:
>>> - Network card base checkbox
>>>
>>> Why do we need the VM based checkbox if we already have that for each nic?
> 
> I think we could remove the enable|disable firewall option, for qemu and openvz veth.
> (we retrieve net->firewall in firewall rules generation, so no problem here)
> 
> the code is:
> 
>     foreach my $vmid (keys %{$vmdata->{qemu}}) {
>         eval {
>             my $conf = $vmdata->{qemu}->{$vmid};
>             my $vmfw_conf = $vmfw_configs->{$vmid};
>             return if !$vmfw_conf;
>             return if !$vmfw_conf->{options}->{enable};   >> skip if vm firewall is disabled
> 
>             generate_ipset_chains($ipset_ruleset, $cluster_conf, $vmfw_conf);
> 
>             foreach my $netid (keys %$conf) {
>                 next if $netid !~ m/^net(\d+)$/;
>                 my $net = PVE::QemuServer::parse_net($conf->{$netid});
>                 next if !$net->{firewall};   >> skip if net firewall is disabled
> 
> 
> 
> but for openvz venet, we need to have an option somewhere.

I think this would make it more clear.

Stefan

> ----- Original mail ----- 
> 
> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag> 
> To: "Dietmar Maurer" <dietmar at proxmox.com>, pve-devel at pve.proxmox.com 
> Sent: Monday 16 June 2014 09:31:07 
> Subject: Re: [pve-devel] PVE Firewall 
> 
> On 16.06.2014 09:21, Stefan Priebe - Profihost AG wrote: 
>> On 13.06.2014 20:33, Dietmar Maurer wrote: 
>>>> i would like to have different levels of firewall. Something the USER / VM Owner 
>>>> can control and something the PVE Manager / Sysadmin can control. 
>>>>
>>>> So i can give the user the ability to use the new cool firewall code but i can still 
>>>> be sure that he doesn't use a DHCP Server, doesn't disable the MAC filter and 
>>>> doesn't fake IP addresses. 
> 
>> That sounds great too ;-) 
>>
>> Still need to figure out why the firewall does not work for me at all. 
> 
> OK got the answer. Maybe a bit too difficult for new users ;-) 
> 
> You need to also check the firewall button on the network interface. 
> 
> Isn't that a bit too complex? 
> 
> So we have: 
> - global firewall button (cluster.fw) (ok makes sense - so the proxmox 
> admin can decide whether VM users can use this feature at all) 
> 
> - VM based firewall checkbox to enable / disable this per VM 
> 
> - Network card base checkbox 
> 
> Why do we need the VM based checkbox if we already have that for each nic? 
> 
> Stefan 
> _______________________________________________ 
> pve-devel mailing list 
> pve-devel at pve.proxmox.com 
> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 
> 
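The three-level gating the thread argues about (cluster.fw switch, per-VM option, per-NIC firewall flag), written out as an added example. This is not PVE's code: parse_net below is a simplified stand-in for PVE::QemuServer::parse_net, the cluster and VM firewall configs are plain hashes built inline, and treating an OpenVZ container that uses venet as a single `venet => 1` flag is an assumption made for the example, not how pve-firewall stores it.

```perl
#!/usr/bin/perl
# Added example (not pve-firewall code): which guest interfaces get firewall
# rules under the cluster / VM / NIC enable switches discussed in the thread.
use strict;
use warnings;

# NIC models that may appear as the first "key" of a netX value.
my %nic_models = map { $_ => 1 } qw(virtio e1000 rtl8139 vmxnet3);

# Simplified stand-in for PVE::QemuServer::parse_net (assumption): turns
# "virtio=DE:AD:BE:EF:00:01,bridge=vmbr0,firewall=1" into a hash.
sub parse_net {
    my ($value) = @_;
    my $net = { firewall => 0 };    # off unless the NIC checkbox set firewall=1
    foreach my $item (split /,/, $value) {
        my ($k, $v) = split /=/, $item, 2;
        if ($nic_models{$k}) {
            $net->{model}   = $k;
            $net->{macaddr} = $v if defined $v;
        } else {
            $net->{$k} = defined $v ? $v : 1;
        }
    }
    return $net;
}

# Returns the interface ids (net0, net1, ...) that should receive firewall
# chains, or 'venet' for a container whose only network is venet.
sub firewalled_interfaces {
    my ($cluster_conf, $vmfw_conf, $vmconf) = @_;

    # Level 1: cluster-wide switch (cluster.fw). The PVE admin decides
    # whether VM owners may use the feature at all.
    return () if !$cluster_conf->{options}->{enable};

    # Level 2: per-VM switch (<vmid>.fw), the same check the generator makes.
    return () if !$vmfw_conf || !$vmfw_conf->{options}->{enable};

    # OpenVZ venet has no per-interface checkbox, so the VM-level option is
    # the only thing that can decide (modelled as $vmconf->{venet}, assumption).
    return ('venet') if $vmconf->{venet};

    # Level 3: per-NIC flag on each netX entry.
    my @ifaces;
    foreach my $netid (sort keys %$vmconf) {
        next if $netid !~ m/^net(\d+)$/;
        my $net = parse_net($vmconf->{$netid});
        next if !$net->{firewall};
        push @ifaces, $netid;
    }
    return @ifaces;
}

# Constructed sample data, not taken from a real cluster.
my $cluster_on  = { options => { enable => 1 } };
my $cluster_off = { options => { enable => 0 } };
my $vmfw_on     = { options => { enable => 1 } };
my $vmfw_off    = { options => { enable => 0 } };
my $qemu_vm = {
    net0 => 'virtio=DE:AD:BE:EF:00:01,bridge=vmbr0,firewall=1',
    net1 => 'e1000=DE:AD:BE:EF:00:02,bridge=vmbr1',
};
my $venet_ct = { venet => 1 };

my @cases = (
    [ 'qemu, all switches on',     $cluster_on,  $vmfw_on,  $qemu_vm  ],
    [ 'qemu, cluster.fw disabled', $cluster_off, $vmfw_on,  $qemu_vm  ],
    [ 'qemu, VM option disabled',  $cluster_on,  $vmfw_off, $qemu_vm  ],
    [ 'venet container, all on',   $cluster_on,  $vmfw_on,  $venet_ct ],
);
foreach my $case (@cases) {
    my ($label, @args) = @$case;
    my @ifaces = firewalled_interfaces(@args);
    printf "%-28s -> %s\n", $label, @ifaces ? join(',', @ifaces) : '(none)';
}
```

With all three switches on, only net0 gets rules because net1 never had firewall=1 on the NIC; turning off either the cluster or the VM option drops every interface. Dropping the per-VM checkbox for qemu and veth, as proposed above, amounts to deleting the level-2 `return` and letting the NIC flag alone decide, while the venet branch still needs some VM-level option to consult.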


