>> Looks good to me. But we need some scripts in order to test that. Maybe
>> we can re-use code from 'pve-firewall'?
Yes, sure (I haven't looked at it deeply, but I think it should do the job).

Also, I would like to add dynamic tap rules on VM start/stop, to reduce rules when VMs are offline-migrated to another host. What do you think about it?

Currently we don't have a qemu pve-bridge stop script. Even with it, if the VM crashes, the script is not launched.
I don't know if it's possible to use magic udev rules to intercept tap interface destroy and delete iptables rules dynamically?

----- Original Message -----
From: "Dietmar Maurer" <diet...@proxmox.com>
To: "Alexandre DERUMIER" <aderum...@odiso.com>
Cc: "pve-devel" <pve-devel@pve.proxmox.com>
Sent: Wednesday, 29 January 2014 07:18:51
Subject: RE: [pve-devel] RFC : iptables implementation

> The main idea is to reduce rule lookups as much as possible, for performance.
>
> 1) The forward rules are split by bridge, and we only check rules for tap
> devices on this bridge. This reduces lookups a lot if you have a lot of bridges
> (bridgevlan for example).
> 2) Inter-bridge routing is dropped by default.
> 3) The tap outgoing rules are always processed before incoming. We need to use
> RETURN in outgoing rules, but we can use ACCEPT in incoming rules.
> That's good, because we can stop lookups on ACCEPT.

Looks good to me. But we need some scripts in order to test that. Maybe
we can re-use code from 'pve-firewall'?
_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
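The chain layout sketched in the quoted RFC (per-bridge FORWARD split, inter-bridge traffic dropped by default, tap OUT chains ending in RETURN evaluated before tap IN chains that may ACCEPT), written out as a generator for an iptables-restore(8) ruleset, plus the start/stop helpers for the dynamic per-tap rules discussed in the reply. This is an added example, not code from the thread or from pve-firewall; the chain names (<bridge>-FW, <tap>-OUT, <tap>-IN), the tap names, the sample allow/deny rules and the trailing same-bridge ACCEPT in FORWARD are assumptions chosen to illustrate the design.

```shell
#!/bin/sh
# Added example, not code from the thread or from pve-firewall. Emits an
# iptables-restore ruleset for the chain layout described in the RFC.
# Chain names, tap names and the sample policies are assumptions.

# 1) Per-bridge split: FORWARD hands off only traffic that enters and
#    leaves on the same bridge, then accepts whatever the bridge chain did
#    not drop. With policy DROP, inter-bridge forwarding (point 2) is
#    dropped without a single tap rule being looked at.
bridge_rules() {
    br="$1"
    printf '%s\n' ":${br}-FW - [0:0]"
    printf '%s\n' "-A FORWARD -i $br -o $br -j ${br}-FW"
    printf '%s\n' "-A FORWARD -i $br -o $br -j ACCEPT"
}

# Per-tap chains. OUT (packets leaving the VM) ends in RETURN so evaluation
# continues to the destination tap's IN chain; IN (packets entering the VM)
# may ACCEPT because nothing needs to run after it. Sample policy only.
tap_rules() {
    tap="$1"
    printf '%s\n' ":${tap}-OUT - [0:0]" ":${tap}-IN - [0:0]"
    printf '%s\n' "-A ${tap}-OUT -p tcp --dport 25 -j DROP"   # no outbound SMTP
    printf '%s\n' "-A ${tap}-OUT -j RETURN"
    printf '%s\n' "-A ${tap}-IN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    printf '%s\n' "-A ${tap}-IN -p tcp --dport 22 -j ACCEPT"  # SSH in
    printf '%s\n' "-A ${tap}-IN -j DROP"
}

# 3) Dispatch inside the bridge chain: every tap's OUT jump is appended
#    before any IN jump, so outgoing rules are always evaluated first.
tap_dispatch() {
    br="$1"; shift
    for tap in "$@"; do
        printf '%s\n' "-A ${br}-FW -m physdev --physdev-is-bridged --physdev-in $tap -j ${tap}-OUT"
    done
    for tap in "$@"; do
        printf '%s\n' "-A ${br}-FW -m physdev --physdev-is-bridged --physdev-out $tap -j ${tap}-IN"
    done
}

# Complete filter table for one bridge and its taps.
build_ruleset() {
    br="$1"; shift
    printf '%s\n' '*filter' ':FORWARD DROP [0:0]'
    bridge_rules "$br"
    for tap in "$@"; do tap_rules "$tap"; done
    tap_dispatch "$br" "$@"
    printf '%s\n' 'COMMIT'
}

# Dynamic part, for a VM start hook: create the tap chains, then insert the
# OUT jump at position 1 and append the IN jump, which keeps the
# "all OUT before any IN" ordering without rebuilding the bridge chain.
tap_start_cmds() {
    br="$1"; tap="$2"
    tap_rules "$tap" | sed -e 's/^:\([^ ]*\) - \[0:0\]$/iptables -N \1/' \
                           -e 's/^-A /iptables -A /'
    printf '%s\n' "iptables -I ${br}-FW 1 -m physdev --physdev-is-bridged --physdev-in $tap -j ${tap}-OUT"
    printf '%s\n' "iptables -A ${br}-FW -m physdev --physdev-is-bridged --physdev-out $tap -j ${tap}-IN"
}

# Matching stop/cleanup commands: unhook the jumps, then flush and delete
# the per-tap chains so nothing is left behind for a migrated or dead VM.
tap_stop_cmds() {
    br="$1"; tap="$2"
    printf '%s\n' "iptables -D ${br}-FW -m physdev --physdev-is-bridged --physdev-in $tap -j ${tap}-OUT"
    printf '%s\n' "iptables -D ${br}-FW -m physdev --physdev-is-bridged --physdev-out $tap -j ${tap}-IN"
    for chain in "${tap}-OUT" "${tap}-IN"; do
        printf '%s\n' "iptables -F $chain" "iptables -X $chain"
    done
}

# Demo: full ruleset for one bridge with two (assumed) tap devices.
build_ruleset vmbr0 tap100i0 tap101i0
```

The generated table is loaded with `build_ruleset vmbr0 tap100i0 tap101i0 | iptables-restore`; the start/stop helpers only print the iptables commands so they can be reviewed before being wired into a hook. Because a crashed VM never runs its stop hook, the cleanup is written so it can be run from whatever fires later (a periodic sweep or an interface-removal event): the `-D` lines fail harmlessly if the jumps are already gone, and `-F`/`-X` remove the chains themselves.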