[pve-devel] [PATCH pve-docs v2 17/17] firewall: add documentation for forward direction
Stefan Hanreich
s.hanreich at proxmox.com
Mon Nov 11 15:17:05 CET 2024
On 11/7/24 16:57, Hannes Dürr wrote:
> This is not really true, I can not create rules on the forward chain of
> VMs, can I?
Yes, it would make sense to qualify that further.
> I think the "Zones" section could benefit from some rewording because
> IMO the Zone representation is not really fitting and also in the rest
> of the article we are talking about 'Levels' and not 'Zones'.
> I'd propose something like this:
Whilst I agree, zone seems the better name in this context. I've done
quick grepping and level is barely used (twice or thrice outside of log
level) throughout the whole firewall documentation.
> Firewall rules can be created on 4 levels, Cluster, Node, Vnet, VM.
> However, the Rules only act on the 3 levels Node, Vnet and VM.
> The reason for this is the distributed architecture: if a firewall rule
> is created at cluster level, it gets rolled out to all hosts and acts at
> host level.
It might make sense to have a distinction between zone and level? Level
is where rules are defined and Zone is where rules act in practice.
Although that distinction might be a bit too much since it is only
needed for the special DC / Node case.
Maybe it would also make sense to create a short section called
Directions that explains the different semantics for the respective
directions depending on the zone?