[pve-devel] [PATCH manager] fix #871: netstat: include veth devices

Wolfgang Bumiller w.bumiller at proxmox.com
Mon Jan 25 09:20:39 CET 2016


> On January 25, 2016 at 8:50 AM Stefan Priebe - Profihost AG <s.priebe at profihost.ag> wrote:
> 
> 
> Am 22.01.2016 um 10:37 schrieb Dietmar Maurer:
> >> Am 20.01.2016 um 10:26 schrieb Wolfgang Bumiller:
> >>> Just a quick follow-up question: Is this not supposed to include
> >>> data blocked by the firewall?
> >>
> >> Yes but that's the way it works. If you rent a server somewhere you
> >> still have to pay traffic which is blocked by YOUR iptables / Firewall
> >> rules. The data was / is already transferred. Same for me and our
> >> upstream carriers.
> > 
> > The patches from Wolfgang do not count blocked 
> > incoming traffic (blocked by the pve firewall)!
> > 
> > @Stefan: Is this the behaviour you want?
> 
> I just looked at the code regarding #871 which just adds veth devices.
> Which patch do you mean?

I think my question and your last answer have been a bit confusing as to
which firewall and traffic was meant, so I'll be explicit now and talk
about the 'PVE-firewall' since the VM's guest-firewall can be mostly
ignored, iow. when I say outgoing traffic (WAN => VM) I implicitly mean
it already passed the VM's guest firewall, whereas when I say incoming
traffic (VM => WAN) I don't care what the VM's guest firewall does with it.

Basically this current code (not just my patch) counts incoming traffic
only if it passes through the PVE-firewall, while it counts all outgoing
traffic even if it's dropped by the PVE-firewall. We're wondering if this
behavior is the desired one for *both* directions. (I suppose this is
partially a question of whether the client has access to the PVE firewall
or only the one inside the VM.)
