[pve-devel] [PATCH manager] fix #871: netstat: include veth devices

Wolfgang Bumiller w.bumiller at proxmox.com
Mon Jan 25 09:22:45 CET 2016


> On January 25, 2016 at 9:20 AM Wolfgang Bumiller <w.bumiller at proxmox.com> wrote:
> 
> 
> > On January 25, 2016 at 8:50 AM Stefan Priebe - Profihost AG <s.priebe at profihost.ag> wrote:
> > 
> > 
> > On 22.01.2016 at 10:37, Dietmar Maurer wrote:
> > >> On 20.01.2016 at 10:26, Wolfgang Bumiller wrote:
> > >>> Just a quick follow-up question: Is this not supposed to include
> > >>> data blocked by the firewall?
> > >>
> > >> Yes but that's the way it works. If you rent a server somewhere you
> > >> still have to pay traffic which is blocked by YOUR iptables / Firewall
> > >> rules. The data was / is already transferred. Same for me and our
> > >> upstream carriers.
> > > 
> > > The patches from Wolfgang do not count blocked 
> > > incoming traffic (blocked by the pve firewall)!
> > > 
> > > @Stefan: Is this the behaviour you want?
> > 
> > I just looked at the code regarding #871 which just adds veth devices.
> > Which patch do you mean?
> 
> I think my question and your last answer have been a bit confusing as to
> which firewall and traffic was meant, so I'll be explicit now and talk
> about the 'PVE-firewall' since the VM's guest-firewall can be mostly
> ignored, iow. when I say outgoing traffic (WAN => VM) I implicitly mean

Obviously I had to mix up the arrows here, this was supposed to be VM=>WAN.
*sigh*

> it already passed the VM's guest firewall, whereas when I say incoming
> traffic (VM => WAN) I don't care what the VM's guest firewall does with it.

And WAN => VM

> Basically this current code (not just my patch) counts incoming traffic
> only if it passes through the PVE-firewall, while it counts all outgoing
> traffic even if it's dropped by the PVE-firewall. We're wondering if this
> behavior is the desired one for *both* directions. (I suppose this is
> partially a question of whether the client has access to the PVE firewall
> or only the one inside the VM.)



