[pve-devel] PVE Firewall
Stefan Priebe - Profihost AG
s.priebe at profihost.ag
Mon Jun 16 10:08:40 CEST 2014
On 16.06.2014 09:57, Alexandre DERUMIER wrote:
>>> - Network card based checkbox
>>>
>>> Why do we need the VM based checkbox if we already have that for each nic?
>
> I think we could remove the enable|disable firewall option, for qemu and openvz veth.
> (we retrieve net->firewall in firewall rules generation, so no problem here)
>
> the code is:
>
> foreach my $vmid (keys %{$vmdata->{qemu}}) {
>     eval {
>         my $conf = $vmdata->{qemu}->{$vmid};
>         my $vmfw_conf = $vmfw_configs->{$vmid};
>         return if !$vmfw_conf;
>         return if !$vmfw_conf->{options}->{enable}; # skip if the VM firewall is disabled
>
>         generate_ipset_chains($ipset_ruleset, $cluster_conf, $vmfw_conf);
>
>         foreach my $netid (keys %$conf) {
>             next if $netid !~ m/^net(\d+)$/;
>             my $net = PVE::QemuServer::parse_net($conf->{$netid});
>             next if !$net->{firewall}; # skip if the NIC firewall is disabled
>
> but for openvz venet, we need to have an option somewhere.
I think this would make it more clear.
Stefan
> ----- Original Message -----
>
> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
> To: "Dietmar Maurer" <dietmar at proxmox.com>, pve-devel at pve.proxmox.com
> Sent: Monday, 16 June 2014 09:31:07
> Subject: Re: [pve-devel] PVE Firewall
>
> On 16.06.2014 09:21, Stefan Priebe - Profihost AG wrote:
>> On 13.06.2014 20:33, Dietmar Maurer wrote:
>>>> I would like to have different levels of firewall. Something the USER / VM Owner
>>>> can control and something the PVE Manage / Sysadmin can control.
>>>>
>>>> So I can give the user the ability to use the new cool firewall code but I can still
>>>> be sure that he doesn't use a DHCP Server, didn't disable the MAC filter and
>>>> doesn't fake IP addresses.
>
>> That sounds great too ;-)
>>
>> Still need to figure out why the firewall does not work for me at all.
>
> OK got the answer. May be a bit too difficult for new users ;-)
>
> You need to also check the firewall button on the network interface.
>
> Isn't that a bit too complex?
>
> So we have:
> - global firewall button (cluster.fw) (ok makes sense - so the proxmox
> admin can decide whether VM users can use this feature at all)
>
> - VM based firewall checkbox to enable / disable this per VM
>
> - Network card based checkbox
>
> Why do we need the VM based checkbox if we already have that for each nic?
>
> Stefan
> _______________________________________________
> pve-devel mailing list
> pve-devel at pve.proxmox.com
> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>
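The three-level decision quoted above (cluster.fw enable, VM-level enable option, per-NIC firewall flag), as an added example in Python that is not code from the thread or from pve-firewall. The netX line format and the option hash layout are assumptions modelled on the quoted Perl; the sample configs are constructed.

```python
import re


def parse_net(net_str):
    """Parse a netX line such as 'virtio=MAC,bridge=vmbr0,firewall=1'.

    Simplified stand-in for PVE::QemuServer::parse_net (assumption):
    comma-separated key=value pairs, firewall enabled only if 'firewall=1'.
    """
    net = {}
    for item in net_str.split(','):
        key, sep, value = item.partition('=')
        if sep:
            net[key.strip()] = value.strip()
    net['firewall'] = net.get('firewall', '0') == '1'
    return net


def firewalled_nics(cluster_conf, vmfw_conf, vm_conf):
    """Return the netX ids for which rules would be generated.

    Mirrors the quoted loop: bail out if the cluster-wide option is off,
    bail out if the VM has no firewall config or its enable option is off,
    then keep only NICs whose own firewall flag is set.
    """
    if not cluster_conf.get('options', {}).get('enable'):
        return []
    if not vmfw_conf or not vmfw_conf.get('options', {}).get('enable'):
        return []
    nics = []
    for netid, value in vm_conf.items():
        if not re.match(r'^net(\d+)$', netid):
            continue  # not a network device key
        if parse_net(value)['firewall']:
            nics.append(netid)
    return sorted(nics)


# Constructed sample data, not real cluster configuration.
CLUSTER_CONF = {'options': {'enable': 1}}
VMFW_CONF = {'options': {'enable': 1}}
VM_CONF = {
    'name': 'testvm',
    'net0': 'virtio=DE:AD:BE:EF:00:01,bridge=vmbr0,firewall=1',
    'net1': 'virtio=DE:AD:BE:EF:00:02,bridge=vmbr1',
}
```

With the sample data only net0 gets rules: net1 has no firewall flag, and turning off either the cluster or the VM option empties the result regardless of the NIC flags.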