[pve-devel] [PATCH pve-docs v3 18/18] firewall: add documentation for forward direction

Stefan Hanreich s.hanreich at proxmox.com
Fri Nov 15 08:49:07 CET 2024



On 11/13/24 16:37, Hannes Duerr wrote:
> I am still not really convinced about the 'zone', but this does not have
> to change with this series.
> I like the other changes, but I think there are some minor issues.
> 
> On 12.11.24 13:26, Stefan Hanreich wrote:
>> diff --git a/pve-firewall.adoc b/pve-firewall.adoc
>> index b428703..d5c664f 100644
>> --- a/pve-firewall.adoc
>> +++ b/pve-firewall.adoc
>> @@ -48,18 +48,34 @@ there is no need to maintain a different set of
>> rules for IPv6.
>>   Zones
>>   -----
>>   -The Proxmox VE firewall groups the network into the following
>> logical zones:
>> +The Proxmox VE firewall groups the network into the following logical
>> zones.
>> +Depending on the zone, you can define firewall rules for incoming,
>> outgoing or
>> +forwarded traffic.
>>     Host::
>>   -Traffic from/to a cluster node
>> +Traffic going from/to a host or traffic that is forwarded by a host.
>> +
>> +You can define rules for this zone either at the datacenter level or
>> at the node
>> +level. Rules at node level take precedence over rules at datacenter
>> level.
> If I am too picky please tell me:
> First we talk about traffic through the 'host' and then we switch to
> talking about 'node level'.
> Shouldn't we at least stick with one word? I think this can confuse users.

Yes, that is indeed true. I'll try and unify the terminology

> 
>>     VM::
>>   -Traffic from/to a specific VM
>> +Traffic going from/to a VM or CT.
>> +
>> +You cannot define rules for the forward direction, only for
>> incoming / outgoing.
> Isn't the word 'traffic' missing at the end?

It's referring to the direction earlier in the sentence, but re-reading
it, it would just be better to make it explicit.

>> +
>> +VNet::
>>   -For each zone, you can define firewall rules for incoming and/or
>> -outgoing traffic.
>> +Traffic passing through a SDN VNet, either from guest to guest or
>> from host to
>> +guest and vice-versa. Since this traffic is always forwarded traffic,
>> it is only
> I think the verb is missing in this sentence; also I'd change the
> structure to:
> Traffic is passing through a SDN VNet, either from guest to guest, from
> host to guest or vice-versa.

Yes, that sounds better.

>> +possible to create rules with direction forward.
>> +
>> +
>> +IMPORTANT: Creating rules for forwarded traffic or on a VNet-level is
>> currently
>> +only possible when using the new
>> +xref:pve_firewall_nft[nftables-based proxmox-firewall]. Any forward
>> rules will be
>> +ignored by the stock `pve-firewall` and have no effect!
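Review bot: the VNet description "Traffic passing through a SDN VNet, either from guest to guest or from host to guest and vice-versa." is a sentence fragment with no main verb, and "a SDN" should read "an SDN"; something like "Traffic passing through an SDN VNet, either between guests or between a host and a guest." fixes both. In the VM zone, "only for incoming / outgoing." leaves the object implicit; spell it out as "only for incoming or outgoing traffic." The Host zone switches from "host" to "node level" within two sentences; keep one term throughout. The IMPORTANT admonition is preceded by two blank lines where the surrounding file uses one. Since that admonition says forward rules are "ignored by the stock `pve-firewall` and have no effect", it would help users to also state whether such rules are rejected when saved or only ignored at runtime, so nobody assumes a saved forward rule is being enforced.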
