[pve-devel] [PATCH manager] fix #871: netstat: include veth devices
Wolfgang Bumiller
w.bumiller at proxmox.com
Mon Jan 25 09:22:45 CET 2016
> On January 25, 2016 at 9:20 AM Wolfgang Bumiller <w.bumiller at proxmox.com> wrote:
>
>
> > On January 25, 2016 at 8:50 AM Stefan Priebe - Profihost AG <s.priebe at profihost.ag> wrote:
> >
> >
> > Am 22.01.2016 um 10:37 schrieb Dietmar Maurer:
> > >> Am 20.01.2016 um 10:26 schrieb Wolfgang Bumiller:
> > >>> Just a quick follow-up question: Is this not supposed to include
> > >>> data blocked by the firewall?
> > >>
> > >> Yes but that's the way it works. If you rent a server somewhere you
> > >> still have to pay traffic which is blocked by YOUR iptables / Firewall
> > >> rules. The data was / is already transfered. Same for me and our
> > >> upstream carriers.
> > >
> > > The patches from Wolfgang do not count blocked
> > > incoming traffic (blocked by the pve firewall)!
> > >
> > > @Stefan: Is this the behaviour you want?
> >
> > I just looked at the code regarding #871 which just adds veth devices.
> > Which patch do you mean?
>
> I think my question and your last answer have been a bit confusing as to
> which firewall and traffic was meant, so I'll be explicit now and talk
> about the 'PVE-firewall' since the VM's guest-firewall can be mostly
> ignored, iow. when I say outgoing traffic (WAN => VM) I implicitly mean
Obviously I had to mix up the arrows here, this was supposed to be VM=>WAN.
*sigh*
> it already passed the VM's guest firewall, whereas when I say incoming
> traffic (VM => WAN) I don't care what the VM's guest firwall does with it.
And WAN => VM
> Basically this current code (not just my patch) counts incoming traffic
> only if it passes through the PVE-firewall, while it counts all outgoing
> traffic even if it's dropped by the PVE-firewall. We're wondering if this
> behavior is the desired one for *both* directions. (I suppose this is
> partially a question of whether the client has access to the PVE firwall
> or only the one inside the VM.)
More information about the pve-devel
mailing list