[pve-devel] [PATCH v3 firewall 00/13] Firewall code cleanups

Tom Weber pve at junkyard.4t2.com
Wed Oct 18 13:14:43 CEST 2017

On Wednesday, 18.10.2017, 12:44 +0200, Wolfgang Bumiller wrote:
> On Mon, Oct 09, 2017 at 12:16:18PM +0200, Tom Weber wrote:
> > 
> > third version. mostly converting rules into structures.
> > reorganized ruleset_generate_rule and everything around it.
> > please note that some of the stuff implemented in the first patches
> > gets eliminated later. So maybe it's worth reading all patches before
> > flaming me ;-)
> Where would be the fun in that?
> Anyway, the patches seem fine.
> Only thing I'm not too happy about currently is that $pve_std_chains is
> still a global. Currently we could clone it in generate_std_chains()
> directly as this is both what modifies and uses it, unless this
> conflicts with later changes of yours - then it would still be a nice
> finish up to this point in the series and change it into a parameter
> passed from the outside later on.

The cloning of the still hardwired _conf is just to make the behavior
of $pve_std_chains similar to what it'd be if we build it from parsing
configuration files.
That means various switches/settings would default and be reset to
what's in the config on every rebuild of the rules and not be carried
around if code changes them in the internal structure - remember what
hit me when I thought I only need to turn on logging?

For now, and the code as it is, it doesn't make a difference but it
makes my thinking and maybe the future a bit easier ;)

Just tell me if I should keep it or drop it for v4

> OTOH the _conf+clone patch could just be skipped for now as well until
> we actually need it, as the rest of the series doesn't strictly depend
> on that change to be there. Partly due to the length of the series.
> I don't want you to have to drag along the entire patch set with each
> version. Apart from the above I have no objections to applying the
> series as it is.
> (Although we do still miss the Signed-off-by lines which I forgot to
> mention the last couple of times, sorry.)
> So if you can send a v4 with the above changes we could apply it and
> continue from there.

Sounds great. So I'll try to make a v4 this evening.

