> Also, I would like to add dynamic tap rules on VM start/stop, to reduce rules
> when VMs are offline migrated to another host.
> What do you think about it?

>>Yes, we can update firewall rules whenever we start/stop a VM.

Oh, yes, seems simple.

> Currently we don't have a qemu pve-bridge stop script.

>>we don't really need an external script, instead we can directly setup the
>>firewall inside the API handler. We need that for hotplug anyways?

Yes, through the API handler, seems good :)

> Even with it, if the VM is crashing, the script is not launched.

>>This is only an optimization, so we can safely ignore that case?

Yes, it's not a problem if the rules exist and the tap is down.

I'll have a look at pve-firewall this week.

----- Original Message -----
From: "Dietmar Maurer" <diet...@proxmox.com>
To: "Alexandre DERUMIER" <aderum...@odiso.com>
Cc: "pve-devel" <pve-devel@pve.proxmox.com>
Sent: Wednesday, 29 January 2014 08:29:29
Subject: RE: [pve-devel] RFC : iptables implementation

> Also, I would like to add dynamic tap rules on VM start/stop, to reduce rules
> when VMs are offline migrated to another host.
> What do you think about it?

Yes, we can update firewall rules whenever we start/stop a VM.

> Currently we don't have a qemu pve-bridge stop script.

we don't really need an external script, instead we can directly setup the
firewall inside the API handler. We need that for hotplug anyways?

> Even with it, if the VM is crashing, the script is not launched.

This is only an optimization, so we can safely ignore that case?

> I don't know if it's possible to use magic udev rules to intercept tap
> interface destroy and delete iptables rules dynamically?

no, I don't like to use such things.