[pve-devel] pvefw security group questions

Dietmar Maurer dietmar at proxmox.com
Thu Feb 27 11:32:39 CET 2014


I still have problems with the security group design, for example:

--100.fw-
[IN]

GROUP-group1 net0
GROUP-group2 net0

[OUT]

GROUP-group2 net0
GROUP-group1 net0
-----

Note: group order is different between IN and OUT

--100.fw-
[IN]

GROUP-group1 net0 1.2.3.4
-----

Note: we only jump to the group if source == 1.2.3.4?

Do we want such functionality?

Another example:

--100.fw-
[IN]

GROUP-group1 net0
GROUP-group2 net0

[OUT]

GROUP-group1 net3
GROUP-group2 net0
-----

Note: Usage of 'net3' instead of 'net0' is a typo? Or do we want to allow that?

We could avoid all those problems by introducing a [GROUPS] section:

--100.fw-
[GROUPS]
group1 net0
group2 net0

[IN]

[OUT]

-----

What do you think?
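As an added illustration (this is not part of the mail and not pve-firewall code), the following Python lint parses the `100.fw` fragments exactly as written in the message and flags the three ambiguities it raises: a group order that differs between IN and OUT, a source address on a group reference, and a group bound to a different interface in IN than in OUT. The proposed `[GROUPS]` form passes cleanly because a group is bound to an interface exactly once, so none of the three situations can be expressed. The `GROUP-<name> <iface> [<source>]` and `[GROUPS]` line syntax is taken from the mail; the function names, the finding messages and the `net<N>` interface pattern are assumptions made for this example.

```python
"""Lint for the security-group syntax sketched in the mail (added example)."""
import re

# Syntax as written in the mail; the real pve-firewall parser is not used here.
SECTION_RE = re.compile(r"^\[(\w+)\]$")
GROUP_REF_RE = re.compile(
    r"^GROUP-(?P<name>\S+)\s+(?P<iface>net\d+)(?:\s+(?P<src>\S+))?$")
GROUP_DEF_RE = re.compile(r"^(?P<name>\S+)\s+(?P<iface>net\d+)$")


def parse_fw(text):
    """Return {section: [parsed lines]} for one '100.fw' fragment.

    Lines between '--100.fw-' and '-----' form the file body; the delimiters
    and blank lines are skipped. Under [GROUPS] a line is (name, iface);
    under [IN]/[OUT] it is (name, iface, source-or-None).
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("--"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError("rule outside of any section: %r" % line)
        if current == "GROUPS":
            m = GROUP_DEF_RE.match(line)
            if not m:
                raise ValueError("bad group definition: %r" % line)
            sections[current].append((m.group("name"), m.group("iface")))
        else:
            m = GROUP_REF_RE.match(line)
            if not m:
                raise ValueError("bad group reference in [%s]: %r" % (current, line))
            sections[current].append((m.group("name"), m.group("iface"), m.group("src")))
    return sections


def lint_groups(sections):
    """Return one finding string per ambiguity the mail asks about."""
    findings = []
    refs = {d: sections.get(d, []) for d in ("IN", "OUT")}
    # Second example in the mail: a source filter on a group reference.
    for direction, lines in refs.items():
        for name, iface, src in lines:
            if src is not None:
                findings.append("[%s] GROUP-%s has source filter %s" % (direction, name, src))
    # First example: same groups, but referenced in a different order.
    order_in = [name for name, _, _ in refs["IN"]]
    order_out = [name for name, _, _ in refs["OUT"]]
    if order_in and order_out and sorted(order_in) == sorted(order_out) and order_in != order_out:
        findings.append("group order differs between IN and OUT: %s vs %s" % (order_in, order_out))
    # Third example: the same group bound to different interfaces.
    iface_in = {name: iface for name, iface, _ in refs["IN"]}
    for name, iface, _ in refs["OUT"]:
        if name in iface_in and iface_in[name] != iface:
            findings.append("GROUP-%s bound to %s in IN but %s in OUT" % (name, iface_in[name], iface))
    # [GROUPS] form: a group may only be bound once.
    seen = set()
    for name, _ in sections.get("GROUPS", []):
        if name in seen:
            findings.append("group %s defined twice in [GROUPS]" % name)
        seen.add(name)
    return findings


def lint_text(text):
    return lint_groups(parse_fw(text))


# The four fragments from the mail, reproduced as constructed sample input.
EXAMPLE_ORDER = "--100.fw-\n[IN]\n\nGROUP-group1 net0\nGROUP-group2 net0\n\n[OUT]\n\nGROUP-group2 net0\nGROUP-group1 net0\n-----\n"
EXAMPLE_SOURCE = "--100.fw-\n[IN]\n\nGROUP-group1 net0 1.2.3.4\n-----\n"
EXAMPLE_IFACE = "--100.fw-\n[IN]\n\nGROUP-group1 net0\nGROUP-group2 net0\n\n[OUT]\n\nGROUP-group1 net3\nGROUP-group2 net0\n-----\n"
EXAMPLE_GROUPS = "--100.fw-\n[GROUPS]\ngroup1 net0\ngroup2 net0\n\n[IN]\n\n [OUT]\n\n-----\n"

if __name__ == "__main__":
    for label, sample in (("order", EXAMPLE_ORDER), ("source", EXAMPLE_SOURCE),
                          ("iface", EXAMPLE_IFACE), ("groups", EXAMPLE_GROUPS)):
        print(label, lint_text(sample) or "ok")
```

Running the block prints one line per fragment; the first three report exactly the problem the mail describes for that fragment and the `[GROUPS]` fragment reports `ok`.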
