On 11/7/24 16:57, Hannes Dürr wrote:
> This is not really true, I cannot create rules on the forward chain of
> VMs, can I?

Yes, it would make sense to qualify that further.

> I think the "Zones" section could benefit from some rewording because
> IMO the Zone representation is not really fitting and also in the rest
> of the article we are talking about 'Levels' and not 'Zones'.
> I'd propose something like this:

Whilst I agree, zone seems the better name in this context. I've done some quick grepping and level is barely used (twice or thrice outside of log level) throughout the whole firewall documentation.

> Firewall rules can be created on 4 levels: Cluster, Node, Vnet, VM.
> However, the Rules only act on the 3 levels Node, Vnet and VM.
> The reason for this is the distributed architecture: if a firewall rule
> is created at cluster level, it gets rolled out to all hosts and acts at
> host level.

It might make sense to have a distinction between zone and level? Level is where rules are defined and zone is where rules act in practice. Although that distinction might be a bit too much since it is only needed for the special DC / Node case.

Maybe it would also make sense to create a short section called Directions that explains the different semantics for the respective directions depending on the zone?