> Do you think the overhead is big?
> I can work on an optimisation to only replace ACCEPT when ips is enabled

OK, let's go the simple way. We can optimize later.

>> Besides, I cannot see that this patch replaces all ACCEPT actions, for
>> example:
>>
>> ---------------
>> sub ruleset_generate_vm_rules {
>> ...
>>     if ($direction eq 'OUT') {
>>     ...
>>     } else {
>>         ruleset_generate_rule($ruleset, $chain, $rule, { REJECT => "PVEFW-reject" });
>>     }
>> }
>> ----------------
>>
>> So that generates normal ACCEPT?
>
> Oh, I didn't see that we have accept in PVEFW-reject and 'PVEFW-Drop
>
> 'PVEFW-Reject' => [
>     # ACCEPT critical ICMP types
>     { action => 'ACCEPT', proto => 'icmp', dport => 'fragmentation-needed' },
>     { action => 'ACCEPT', proto => 'icmp', dport => 'time-exceeded' },
> ],
>
> 'PVEFW-Drop' => [
>     # ACCEPT critical ICMP types
>     { action => 'ACCEPT', proto => 'icmp', dport => 'fragmentation-needed' },
>     { action => 'ACCEPT', proto => 'icmp', dport => 'time-exceeded' },
> ],
>
> I don't know, but if they are critical, maybe can we bypass the ips?

I guess this is a question for the IPS developers.

> last question, do you think I need to add PVEFW-Accept for host default
> rules? (as they are mainly inter-cluster rules)

I have no idea if the IPS needs that, sorry.

_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
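The point under discussion, as an added illustration (Python, not pve-firewall's own Perl and not code from either participant): a rule generator that takes an action-substitution map like the `{ REJECT => "PVEFW-reject" }` argument quoted above, plus a check that lists every rendered rule still ending in a bare ACCEPT. The chain contents are trimmed from the quoted PVEFW-Reject / PVEFW-Drop definitions; the `PVEFW-Accept` target, the `ips_enabled` flag, the `fixed` parameter and the critical-ICMP bypass option are assumptions made for this example, not a description of what the patch or the IPS does.

```python
"""Model of an iptables rule generator with an action-substitution map.

Added illustration only; not pve-firewall code.  PVEFW-Accept as the IPS
target, ips_enabled, and the critical-ICMP bypass are assumptions.
"""
from typing import Dict, List, Optional

# Constructed chain definitions, trimmed to the rules relevant here.
CHAINS: Dict[str, List[dict]] = {
    "PVEFW-Reject": [
        {"action": "ACCEPT", "proto": "icmp", "dport": "fragmentation-needed"},
        {"action": "ACCEPT", "proto": "icmp", "dport": "time-exceeded"},
        {"action": "PVEFW-reject"},
    ],
    "PVEFW-Drop": [
        {"action": "ACCEPT", "proto": "icmp", "dport": "fragmentation-needed"},
        {"action": "ACCEPT", "proto": "icmp", "dport": "time-exceeded"},
        {"action": "DROP"},
    ],
}


def generate_rule(chain: str, rule: dict, actions: Optional[Dict[str, str]] = None) -> str:
    """Render one rule as iptables arguments.  `actions` maps a rule action
    (ACCEPT, REJECT, ...) to the chain it should jump to instead; anything
    not in the map is emitted unchanged."""
    actions = actions or {}
    target = actions.get(rule["action"], rule["action"])
    parts = ["-A", chain]
    if "proto" in rule:
        parts += ["-p", rule["proto"]]
    if "dport" in rule:
        if rule.get("proto") == "icmp":
            parts += ["-m", "icmp", "--icmp-type", rule["dport"]]
        else:
            parts += ["--dport", str(rule["dport"])]
    parts += ["-j", target]
    return " ".join(parts)


def ips_actions(ips_enabled: bool) -> Dict[str, str]:
    """Only rewrite ACCEPT to the (assumed) PVEFW-Accept chain when IPS is
    enabled, so the non-IPS ruleset is byte-for-byte unchanged."""
    return {"ACCEPT": "PVEFW-Accept"} if ips_enabled else {}


def generate_chain(name: str, ips_enabled: bool,
                   bypass_ips_for_critical_icmp: bool = True) -> List[str]:
    """Render a built-in chain.  Whether the critical-ICMP ACCEPTs should
    skip the IPS is the open question in the thread; it is a flag here."""
    out = []
    for rule in CHAINS[name]:
        actions = ips_actions(ips_enabled)
        if (bypass_ips_for_critical_icmp and rule.get("proto") == "icmp"
                and rule["action"] == "ACCEPT"):
            actions = {}  # leave these as plain ACCEPT
        out.append(generate_rule(name, rule, actions))
    return out


def generate_vm_rules(chain: str, rules: List[dict], ips_enabled: bool,
                      fixed: bool = True) -> List[str]:
    """Per-VM inbound rules.  fixed=False mirrors the quoted call, whose map
    only rewrites REJECT, so ACCEPT survives untouched even with IPS on;
    fixed=True merges the IPS map in."""
    actions = {"REJECT": "PVEFW-reject"}
    if fixed:
        actions.update(ips_actions(ips_enabled))
    return [generate_rule(chain, r, actions) for r in rules]


def unmapped_accepts(rendered: List[str]) -> List[str]:
    """Review check: rendered rules that still terminate in a bare ACCEPT."""
    return [r for r in rendered if r.endswith("-j ACCEPT")]


if __name__ == "__main__":
    vm = [{"action": "ACCEPT", "proto": "tcp", "dport": 22},
          {"action": "REJECT", "proto": "tcp", "dport": 23}]
    for line in generate_vm_rules("PVEFW-vm100-IN", vm, True, fixed=False):
        print(line)
    print("still bare ACCEPT:",
          unmapped_accepts(generate_vm_rules("PVEFW-vm100-IN", vm, True, fixed=False)))
```

Running `unmapped_accepts` over the whole generated ruleset is the quick way to answer "does this patch replace all ACCEPT actions?" without reading every generator by hand; with `bypass_ips_for_critical_icmp=True` the two ICMP rules in each built-in chain are expected to show up in that list, which is exactly the policy decision left to the IPS developers above.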