[pve-devel] pve-firewall : basic bridge iptables implementation

Alexandre DERUMIER aderumier at odiso.com
Fri Jan 31 17:25:48 CET 2014


>>so maybe iptables-restore can do the job to apply rules chain by chain.

Just tested with iptables-restore, it works really fine.
If 1 rule is wrong, the whole ruleset is not applied. So it's atomic, and we don't need to manage rollback :)

----- Original Message -----

From: "Alexandre DERUMIER" <aderumier at odiso.com>
To: "Dietmar Maurer" <dietmar at proxmox.com>
Cc: pve-devel at pve.proxmox.com
Sent: Friday 31 January 2014 17:06:19
Subject: Re: [pve-devel] pve-firewall : basic bridge iptables implementation

From the netfilter doc:

http://www.netfilter.org/documentation/FAQ/netfilter-faq-4.html#ss4.5 

" 
4.5 Is there a C/C++ API for adding/removing rules?

The answer unfortunately is: No. 

Now you might think 'but what about libiptc?'. As has been pointed out numerous times on the mailinglist(s), libiptc was _NEVER_ meant to be used as a public interface. We don't guarantee a stable interface, and it is planned to remove it in the next incarnation of linux packet filtering. libiptc is way too low-layer to be used reasonably anyway. 

We are well aware that there is a fundamental lack for such an API, and we are working on improving that situation. Until then, it is recommended to either use system() or open a pipe into stdin of iptables-restore. The latter will give you a way better performance. 
" 

So maybe iptables-restore can do the job to apply rules chain by chain.



----- Original Message -----

From: "Alexandre DERUMIER" <aderumier at odiso.com>
To: "Dietmar Maurer" <dietmar at proxmox.com>
Cc: pve-devel at pve.proxmox.com
Sent: Friday 31 January 2014 16:28:46
Subject: Re: [pve-devel] pve-firewall : basic bridge iptables implementation

>>looks better, yes. 

But there are 2 big problems: it doesn't support IPv6 :( ,
and it needs to be patched for the last iptables release (last patch from Sept 2013, so the author seems to be active)
https://rt.cpan.org/Public/Bug/Display.html?id=70639 

But it could break with new iptables releases. 


I found this class to manage rules cleanly 
http://search.cpan.org/~mrash/IPTables-ChainMgr-1.2/lib/IPTables/ChainMgr.pm 
(available in debian repo) 

but it uses iptables commands.

(I'm not sure that it's a problem, as I manage rules in chains one by one)


>>Did you already check how shorewall handles that? 
I really don't know, I'll try to have a look at it.



----- Original Message -----

From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>, pve-devel at pve.proxmox.com
Sent: Friday 31 January 2014 16:13:07
Subject: RE: [pve-devel] pve-firewall : basic bridge iptables implementation

> Maybe it's better to handle chain and rule creation atomically?
> (and avoid the need to rollback if 1 iptables command fails)

looks better, yes. Did you already check how shorewall handles that? 
_______________________________________________ 
pve-devel mailing list 
pve-devel at pve.proxmox.com 
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 
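As an added example (not pve-firewall's own code and not part of the thread), a Perl sketch of the approach discussed above: build the ruleset for a single chain and feed it to iptables-restore -n over a pipe so it is committed in one step. The chain name PVEFW-vmbr0-IN and the rules are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example, not pve-firewall code: replace one chain atomically
# by piping an iptables-restore ruleset into it, as the thread suggests.
use strict;
use warnings;

# Build an iptables-restore ruleset for a single user chain in the
# filter table. With -n (--noflush) iptables-restore only touches the
# chains named here; ":CHAIN - [0:0]" creates or flushes the chain,
# the -A lines refill it and COMMIT applies all of it in one step.
sub build_chain_ruleset {
    my ($chain, @rules) = @_;
    my $text = "*filter\n";
    $text .= ":$chain - [0:0]\n";
    $text .= "-A $chain $_\n" for @rules;
    $text .= "COMMIT\n";
    return $text;
}

# Pipe the ruleset into iptables-restore. Returns 1 on success, 0 if
# the ruleset was rejected; in that case nothing at all is applied,
# so there is no partial state to roll back.
sub apply_chain_ruleset {
    my ($chain, @rules) = @_;
    open(my $fh, '|-', 'iptables-restore', '-n')
        or die "cannot start iptables-restore: $!";
    print $fh build_chain_ruleset($chain, @rules);
    close($fh);    # sets $? to the exit status of iptables-restore
    return $? == 0 ? 1 : 0;
}

# Constructed input: a hypothetical per-bridge chain and its rules.
# The last rule has a typo ("ACCPET"), so iptables-restore refuses
# the whole set and the chain keeps whatever it held before.
my $chain = 'PVEFW-vmbr0-IN';
my @rules = (
    '-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT',
    '-p tcp --dport 22 -j ACCEPT',
    '-j ACCPET',    # typo on purpose
);
print build_chain_ruleset($chain, @rules);
if (apply_chain_ruleset($chain, @rules)) {
    print "chain $chain replaced atomically\n";
} else {
    print "ruleset rejected, chain $chain unchanged\n";
}
```

Running it needs root and a kernel with netfilter; remove the typo in the last rule to see the chain get replaced.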