[pve-devel] RFC : iptables implementation

Alexandre DERUMIER aderumier at odiso.com
Wed Jan 29 07:40:39 CET 2014


>>Looks good for me. But we need some scripts in order to test that. Maybe
>>we can re-use code from 'pve-firewall'?

Yes, sure (I haven't looked at it deeply, but I think it should do the job).


Also, I would like to add dynamic tap rules on VM start/stop, to reduce the rules when VMs are offline-migrated to another host.
What do you think about it?
Currently we don't have a qemu pve-bridge stop script. Even with it, if the VM crashes, the script is not launched.
I don't know if it's possible to use magic udev rules to intercept tap interface destruction and delete iptables rules dynamically?


----- Original Message -----

From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: "pve-devel" <pve-devel at pve.proxmox.com>
Sent: Wednesday, 29 January 2014 07:18:51
Subject: RE: [pve-devel] RFC : iptables implementation


> The main idea is to reduce rule lookups as much as possible, for performance.
>
> 1) The forward rules are split by bridge, and we only check rules for tap
> devices on this bridge. This reduces lookups a lot if you have many bridges
> (bridgevlan for example).
> 2) Inter-bridge routing is dropped by default.
> 3) The tap outgoing rules are always processed before incoming. We need to use
> RETURN in outgoing rules, but we can use ACCEPT in incoming rules.
> That's good, because we can stop lookups on ACCEPT.

Looks good for me. But we need some scripts in order to test that. Maybe 
we can re-use code from 'pve-firewall'? 


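The rule layout from the quoted points 1) to 3), together with the dynamic per-tap add/remove that Alexandre asks about, written out as an added sh example. This is not pve-firewall code and not anything posted in the thread; the chain names (PVEFW-FWBR-<bridge>, <bridge>-OUT/-IN, <tap>-OUT/-IN), the bridge and tap names, and the sample per-tap policy are assumptions for illustration only.

```shell
#!/bin/sh
# Added example, not code from pve-firewall or from the thread: a generator
# for the rule layout discussed above. Chain names, tap/bridge names and the
# per-tap policy are assumptions. Without APPLY=1 the script only prints the
# iptables commands; with APPLY=1 it executes them (needs root, and
# br_netfilter loaded so that bridged frames traverse the FORWARD chain).

IPT="${IPT:-iptables}"

# Print one iptables command, or execute it when APPLY=1.
rule() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$IPT" "$@"
    else
        echo "$IPT $*"
    fi
}

# Per-bridge layout (done once per bridge):
#  - only frames bridged within this bridge reach its chain, so taps on other
#    bridges are never looked up for them;
#  - forwarding from this bridge to any other interface is dropped;
#  - the -OUT subchain is walked before the -IN subchain, so a frame is always
#    checked against its source VM's outgoing rules before any VM's incoming
#    rules, whatever order the taps were added in.
bridge_rules() {
    bridge="$1"
    rule -N "PVEFW-FWBR-$bridge"
    rule -N "PVEFW-FWBR-$bridge-OUT"
    rule -N "PVEFW-FWBR-$bridge-IN"
    rule -A "PVEFW-FWBR-$bridge" -j "PVEFW-FWBR-$bridge-OUT"
    rule -A "PVEFW-FWBR-$bridge" -j "PVEFW-FWBR-$bridge-IN"
    rule -A FORWARD -i "$bridge" -o "$bridge" -j "PVEFW-FWBR-$bridge"
    rule -A FORWARD -i "$bridge" ! -o "$bridge" -j DROP
}

# Per-tap rules, added at VM start. The outgoing chain must end in RETURN so
# that a frame sent to another VM on the same bridge still reaches that VM's
# incoming chain; the incoming chain may end in ACCEPT, which stops lookups.
tap_add() {
    bridge="$1"; tap="$2"
    rule -N "$tap-OUT"
    rule -N "$tap-IN"
    # frames leaving the VM enter the bridge through its tap (physdev-in)
    rule -A "PVEFW-FWBR-$bridge-OUT" -m physdev --physdev-is-bridged --physdev-in "$tap" -j "$tap-OUT"
    # frames going to the VM leave the bridge through its tap (physdev-out)
    rule -A "PVEFW-FWBR-$bridge-IN" -m physdev --physdev-is-bridged --physdev-out "$tap" -j "$tap-IN"
    # sample policy (assumption): outbound allowed via RETURN, inbound only
    # replies to connections the VM opened plus SSH, everything else dropped
    rule -A "$tap-OUT" -j RETURN
    rule -A "$tap-IN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    rule -A "$tap-IN" -p tcp --dport 22 -j ACCEPT
    rule -A "$tap-IN" -j DROP
}

# Per-tap teardown for a VM stop hook or a udev remove event: delete the
# jumps first, then flush and delete the tap chains.
tap_remove() {
    bridge="$1"; tap="$2"
    rule -D "PVEFW-FWBR-$bridge-OUT" -m physdev --physdev-is-bridged --physdev-in "$tap" -j "$tap-OUT"
    rule -D "PVEFW-FWBR-$bridge-IN" -m physdev --physdev-is-bridged --physdev-out "$tap" -j "$tap-IN"
    rule -F "$tap-OUT"
    rule -F "$tap-IN"
    rule -X "$tap-OUT"
    rule -X "$tap-IN"
}

# CLI dispatch so the same file can serve as a start/stop hook:
#   pve-tap-fw bridge vmbr0 | add vmbr0 tap100i0 | del vmbr0 tap100i0
case "${1:-}" in
    bridge) bridge_rules "$2" ;;
    add)    tap_add "$2" "$3" ;;
    del)    tap_remove "$2" "$3" ;;
esac
```

On the udev question: a rule such as `ACTION=="remove", SUBSYSTEM=="net", KERNEL=="tap*", RUN+="/usr/local/sbin/pve-tap-fw del <bridge> %k"` (path and script name are assumptions) fires when the tap device disappears, including after a qemu crash, but the remove event only carries the kernel interface name (%k); the bridge the tap belonged to has to come from state recorded by the start hook, since the interface is already gone by the time the hook runs.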
