[pve-devel] pve-firewall : nftables ?

Tom Weber pve at junkyard.4t2.com
Wed Nov 28 11:06:23 CET 2018


Am Dienstag, den 27.11.2018, 14:55 +0100 schrieb Wolfgang Bumiller:
> The pve-firewall code is very iptables-oriented though, and I'm not sure
> if maybe we're not better off splitting the rule-generating part out
> and write the nftables variant from scratch... The iptables part would
> be considered feature-frozen from that point on I'd say/hope/think...

Yes, I think in the long term rule generation really needs to be
separated completely from rule definition. Right now there's a lot of
implicit iptable rule generation inside pve-firewall, which makes it a
real pain.

Just to throw in another idea:
How about using something like shorewall (shorewall.net) to handle the
whole firewall generation code from a higher level. I've been using it in
really complex setups for years and I am very happy with it. (I know
this won't solve the nftables problem right now).

  Tom
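As an added illustration of the split the thread is asking for (rule definition separated from backend-specific rule generation), here is a small example that is not pve-firewall code and not part of the original message. A backend-neutral `Rule` model is rendered to either iptables or nftables command syntax, so the definition layer never knows which packet filter is underneath. The table/chain names, the `Rule` fields and the rendering helpers are assumptions chosen for the example.

```python
"""Added example: one rule model, two renderers (iptables and nftables).

Not pve-firewall code. The Rule fields, table/chain names and helper
names are assumptions for this illustration.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    """Backend-neutral firewall rule (the 'definition' side)."""
    action: str                    # "accept" or "drop"
    proto: Optional[str] = None    # "tcp", "udp" or None (any protocol)
    src: Optional[str] = None      # IPv4 source in CIDR notation
    dport: Optional[int] = None    # destination port; needs tcp or udp
    iface_in: Optional[str] = None # ingress interface name

    def validate(self) -> None:
        """Reject definitions that neither backend could express."""
        if self.action not in ("accept", "drop"):
            raise ValueError("action must be accept or drop")
        if self.proto not in (None, "tcp", "udp"):
            raise ValueError("proto must be tcp, udp or None")
        if self.dport is not None and self.proto not in ("tcp", "udp"):
            raise ValueError("dport requires proto tcp or udp")
        if self.dport is not None and not 1 <= self.dport <= 65535:
            raise ValueError("dport out of range")


def to_iptables(chain: str, rule: Rule) -> str:
    """Render one rule as an iptables append command."""
    rule.validate()
    parts = ["iptables", "-A", chain]
    if rule.iface_in:
        parts += ["-i", rule.iface_in]
    if rule.src:
        parts += ["-s", rule.src]
    if rule.proto:
        parts += ["-p", rule.proto]
    if rule.dport is not None:
        parts += ["--dport", str(rule.dport)]
    parts += ["-j", {"accept": "ACCEPT", "drop": "DROP"}[rule.action]]
    return " ".join(parts)


def to_nftables(table: str, chain: str, rule: Rule) -> str:
    """Render one rule as an nft 'add rule' command for an inet table."""
    rule.validate()
    parts = ["add", "rule", "inet", table, chain]
    if rule.iface_in:
        parts += ["iifname", rule.iface_in]
    if rule.src:
        parts += ["ip", "saddr", rule.src]
    if rule.dport is not None:
        parts += [rule.proto, "dport", str(rule.dport)]
    elif rule.proto:
        parts += ["meta", "l4proto", rule.proto]
    parts.append(rule.action)
    return " ".join(parts)


def render_input_chain(backend: str, rules: List[Rule]) -> List[str]:
    """Render a default-drop INPUT chain in the chosen backend, preserving order.

    The generation side (here) is the only place that knows the backend;
    the rule list is the definition side and stays the same for both.
    """
    if backend == "iptables":
        out = ["iptables -P INPUT DROP", "iptables -F INPUT"]
        out += [to_iptables("INPUT", r) for r in rules]
        return out
    if backend == "nftables":
        out = [
            "add table inet filter",
            "add chain inet filter input "
            "{ type filter hook input priority 0; policy drop; }",
            "flush chain inet filter input",
        ]
        out += [to_nftables("filter", "input", r) for r in rules]
        return out
    raise ValueError("unknown backend: " + backend)


if __name__ == "__main__":
    # Constructed sample ruleset: allow SSH from the management net, drop the rest of tcp/22.
    policy = [
        Rule("accept", proto="tcp", src="10.0.0.0/8", dport=22, iface_in="eth0"),
        Rule("drop", proto="tcp", dport=22),
    ]
    for backend in ("iptables", "nftables"):
        print("\n".join(render_input_chain(backend, policy)))
```

The point of the split is visible in `render_input_chain`: swapping the backend changes only the emitted text, not the `Rule` list, and `Rule.validate` catches definitions (such as a port without a transport protocol) before either backend is asked to render them.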
