[pve-devel] pve-firewall : iptables V2

Stefan Priebe s.priebe at profihost.ag
Thu Feb 13 20:45:07 CET 2014


On 13.02.2014 17:26, Alexandre DERUMIER wrote:
> Hi Stefan,
> thanks for the report.
>
> I don't use iptables to save config
> (I'm using iptables-restore to commit the whole ruleset)
>
> But I'm using iptables to check if a rule or chain already exists, for example.
>
> Do you know if the problem occurs on read only?

only write / change

> (I don't have read yet all the bug reports, I'll do it tomorrow)
>
>
> ----- Original Message -----
>
> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
> To: "Alexandre DERUMIER" <aderumier at odiso.com>, pve-devel at pve.proxmox.com
> Sent: Thursday, 13 February 2014 11:33:59
> Subject: Re: [pve-devel] pve-firewall : iptables V2
>
> Hi Alexandre,
>
> I see the following problem regarding the basic iptables
> implementation. The iptables binary is not "thread" safe / can't be run
> in parallel. It then exits with exit code 4 and you see a kernel message
> "Resource temporarily unavailable".
>
> This means you have to check each iptables command for exit code 4 and
> have to re-execute it in that case.
>
> Examples / Bug Reports:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=712691
>
> http://lists.netfilter.org/pipermail/netfilter-devel/2006-June/024640.html
>
> http://www.redhat.com/archives/libvir-list/2012-March/msg00746.html
>
> and many more...
>
> Stefan
> On 13.02.2014 05:57, Alexandre DERUMIER wrote:
>> Any comments on these patches?
>>
>>
>> ----- Original Message -----
>>
>> From: "Alexandre Derumier" <aderumier at odiso.com>
>> To: pve-devel at pve.proxmox.com
>> Sent: Friday, 7 February 2014 16:22:26
>> Subject: [pve-devel] pve-firewall : iptables V2
>>
>> changelog:
>>
>> Add support for host firewall and group rules.
>> It uses iptables-restore now, so rules are applied atomically.
>>
>> Also, I no longer use RETURN in the inbound rules, but jump directly into the outbound rules, so fewer rule lookups.
>>
>> The FORWARD chain list is:
>>
>> FORWARD--->proxmoxfw-FORWARD
>> ----> BRIDGEFW-OUT
>> --->VMBRX-OUT
>> ------->TAPXX-OUT
>> --->ACCEPT(==JUMP VMBRX-IN)
>> --->GROUP-xxx-OUT
>> --->ACCEPT(==JUMP BRIDGEFW-IN)
>> ---->BRIDGEFW-IN
>> ---->VMBRX-IN
>> ------->TAPXX-IN
>> ---->ACCEPT
>> ---->GROUP-xxx-IN
>> ----->ACCEPT
>>
>>
>> Please test :)
>> (config files sample for host,group,vm firewall are in commits)
>>
>> _______________________________________________
>> pve-devel mailing list
>> pve-devel at pve.proxmox.com
>> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>>

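The exit-code-4 handling Stefan describes, as an added shell example that is not pve-firewall code or anything from the thread: a wrapper that re-runs an iptables invocation while it fails with status 4 ("Resource temporarily unavailable"), returns any other status immediately, and gives up after a bounded number of attempts. The `iptables_retry` function, the `IPT_MAX_TRIES` / `IPT_RETRY_DELAY` knobs and the `flaky_iptables` stand-in (which simulates a contended iptables so the wrapper can be exercised without root and without touching a real ruleset) are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not pve-firewall code: retry an iptables write that fails
# with exit status 4, which the thread reports when two iptables processes
# run in parallel. Assumption: status 4 means "try again", anything else
# is a real error and must surface to the caller unchanged.

# iptables_retry CMD [ARGS...]
#   Runs CMD with ARGS. On exit status 4 it sleeps IPT_RETRY_DELAY seconds
#   (default 1) and retries, up to IPT_MAX_TRIES attempts (default 10).
#   Returns the last exit status, so a caller can still tell "gave up on a
#   busy iptables" (4) apart from a genuine iptables error (e.g. 1 or 2).
iptables_retry() {
    ipt_max_tries=${IPT_MAX_TRIES:-10}
    ipt_delay=${IPT_RETRY_DELAY:-1}
    ipt_tries=0
    while :; do
        "$@"
        ipt_rc=$?
        ipt_tries=$((ipt_tries + 1))
        # Any status other than 4 is final; so is reaching the attempt limit.
        if [ "$ipt_rc" -ne 4 ] || [ "$ipt_tries" -ge "$ipt_max_tries" ]; then
            return "$ipt_rc"
        fi
        echo "iptables busy (status 4), retry $ipt_tries/$ipt_max_tries" >&2
        sleep "$ipt_delay"
    done
}

# How a real write would be wrapped (hypothetical chain name, not run here):
#   iptables_retry iptables -A proxmoxfw-FORWARD -j DROP

# Constructed stand-in for a contended iptables: fails with status 4 for the
# first $1 calls, then succeeds. FLAKY_CALLS counts attempts for verification.
FLAKY_CALLS=0
flaky_iptables() {
    FLAKY_CALLS=$((FLAKY_CALLS + 1))
    if [ "$FLAKY_CALLS" -le "$1" ]; then
        echo "iptables: Resource temporarily unavailable." >&2
        return 4
    fi
    return 0
}

# Demo: iptables "busy" for 3 attempts, the wrapper succeeds on the 4th.
IPT_RETRY_DELAY=0
iptables_retry flaky_iptables 3 && echo "rule applied after $FLAKY_CALLS attempts"
```

Two practical notes. First, a read-only check (does chain X exist?) that happens to return 4 should be retried the same way rather than treated as "chain absent", otherwise a transient lock failure turns into a wrong decision about the ruleset. Second, iptables 1.4.20 and later have a `-w` / `--wait` option that makes the binary block on the xtables lock instead of failing with status 4; where every concurrent caller on the host uses it, the retry loop above becomes unnecessary, but it is harmless to keep for older binaries.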

