[pve-devel] pve-firewall : iptables V2

Alexandre DERUMIER aderumier at odiso.com
Fri Feb 14 18:20:28 CET 2014


>>Oh, I do not care about crashed VM (why?). 

(I was thinking of stale tap chains, which we can normally remove at vm_stop for example, but which are not removed if the VM crashes.)

>>My idea was that we simply compute the whole set of chains we need. 
>>Then we compare that with the current ruleset, and only apply the diff (and 
>>remove rules which are no longer needed). 

When you say the whole set of chains, do you mean the full firewall config?
(I'll wait for your patches to see exactly ;)





----- Original Mail -----

From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com
Sent: Friday 14 February 2014 17:14:01
Subject: RE: [pve-devel] pve-firewall : iptables V2

> you should also add these chains to clear all
> 
> vmbrx-IN 
> vmbrx-OUT 
> GROUP-xxx 

OK 

> >>Does that make sense?
> Yes. 
> 
> But how do you remove stale chain ? 
> (like a stale tap chain, because of a vm crash for example) 

Oh, I do not care about crashed VM (why?). 

My idea was that we simply compute the whole set of chains we need. 
Then we compare that with the current ruleset, and only apply the diff (and 
remove rules which are no longer needed). 
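As an added example (not code from this thread or from pve-firewall itself), a Python sketch of the diff approach described above: parse the running ruleset in iptables-save format, compare it with the wanted set of chains, and emit only the commands needed, deleting stale chains such as a tap chain left behind by a crashed VM. The sample dump, the chain names and the WANTED dictionary are constructed assumptions.

```python
# Constructed sample of `iptables-save` output (not from the thread): VM 101 has
# crashed, so its tap chain and the jump to it are stale; the config only knows VM 100.
CURRENT_DUMP = """\
*filter
:FORWARD ACCEPT [0:0]
:vmbr0-IN - [0:0]
:vmbr0-OUT - [0:0]
:GROUP-webservers - [0:0]
:tap100i0-IN - [0:0]
:tap101i0-IN - [0:0]
-A FORWARD -j vmbr0-IN
-A vmbr0-IN -m physdev --physdev-out tap100i0 -j tap100i0-IN
-A vmbr0-IN -m physdev --physdev-out tap101i0 -j tap101i0-IN
-A tap100i0-IN -j GROUP-webservers
-A tap101i0-IN -j ACCEPT
COMMIT
"""
# Desired ruleset as computed from the firewall config (hypothetical, VM 100 only).
WANTED = {
    "FORWARD": ["-j vmbr0-IN"],
    "vmbr0-IN": ["-m physdev --physdev-out tap100i0 -j tap100i0-IN"],
    "vmbr0-OUT": [],
    "GROUP-webservers": [],
    "tap100i0-IN": ["-j GROUP-webservers"],
}
BUILTIN = {"INPUT", "FORWARD", "OUTPUT"}  # never deleted, only flushed and rebuilt

def parse_chains(dump):
    """Return {chain: [rule, ...]} from an iptables-save dump of the filter table."""
    chains = {}
    for line in dump.splitlines():
        if line.startswith(":"):                 # chain declaration
            chains[line[1:].split()[0]] = []
        elif line.startswith("-A "):             # rule appended to a chain
            _, chain, rule = line.split(" ", 2)
            chains[chain].append(rule)
    return chains

def compute_diff(wanted, current):
    """iptables commands, in a safe order, that turn `current` into `wanted`."""
    cmds = [f"-N {c}" for c in sorted(set(wanted) - set(current))]
    for chain, rules in sorted(wanted.items()):  # rebuild only the chains that changed
        if rules != current.get(chain):
            cmds.append(f"-F {chain}")
            cmds += [f"-A {chain} {r}" for r in rules]
    stale = sorted(set(current) - set(wanted) - BUILTIN)
    # Rebuilt chains no longer jump to stale ones, so those can be flushed, then deleted.
    cmds += [f"-F {c}" for c in stale] + [f"-X {c}" for c in stale]
    return cmds
```

Running `compute_diff(WANTED, parse_chains(CURRENT_DUMP))` leaves the untouched chains alone, rebuilds only vmbr0-IN, and flushes and deletes tap101i0-IN.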

