>>1.) Is there any reason you generally allowed IPv4 and IPv6? Personally
>>I would like to allow IPv4 but block IPv6.

Do you want to do it by VM or globally?

In my ebtables patch, I just accept IPv4 and IPv6 at the beginning, to manage MAC filtering at the iptables level (for performance, because with conntrack established, we don't need to check each packet).

>>2.) Generally I would like to see the macfilter enabled for iptables and
>>ebtables even if the network card has firewall=0 but the VM has
>>firewall=1. Does this make sense?

It's possible, but we also want to bypass iptables/ebtables for non-firewall VMs, because there is a performance impact in parsing each chain sequentially in iptables (nftables improves that). So, if you have for example 100 MAC filter taps, a non-firewall tap will crawl the 100 rules before accept.

Note that I think we could do it for ARP and other layer-2 protocols. That is not too much traffic.

----- Original Message -----
From: "Stefan Priebe - Profihost AG" <s.pri...@profihost.ag>
To: "Alexandre Derumier" <aderum...@odiso.com>, pve-devel@pve.proxmox.com
Sent: Tuesday 15 July 2014 10:48:34
Subject: Re: [pve-devel] pve-firewall : ebtables

On 15.07.2014 06:39, Alexandre Derumier wrote:
> Hi,
> here the ebtables patches, details are in commits.
>
> Please comment, feel free to change and adapt them.

Some questions:

1.) Is there any reason you generally allowed IPv4 and IPv6? Personally
I would like to allow IPv4 but block IPv6.

2.) Generally I would like to see the macfilter enabled for iptables and
ebtables even if the network card has firewall=0 but the VM has
firewall=1. Does this make sense?

Stefan

_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
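To make the rule ordering discussed in the thread concrete, here is an added example (not Alexandre's patch and not pve-firewall code) that prints, rather than applies, the ebtables/iptables rules for one VM tap: IPv4/IPv6 accepted early at the ebtables level with an optional IPv6 drop, MAC filtering done in iptables after the conntrack accept, and non-firewall taps accepted at once so they never crawl the per-tap chains. The tap name, MAC address, chain name and the `gen_tap_rules` function are assumptions for illustration.

```bash
#!/bin/sh
# Constructed example: print the rules for one tap so they can be reviewed
# before being applied. Nothing here touches the running firewall.
#
# gen_tap_rules TAP MAC FIREWALL ALLOW_IPV6
#   FIREWALL=0   -> tap is accepted immediately (bypass per-tap chains)
#   ALLOW_IPV6=0 -> IPv6 frames from this tap are dropped at layer 2
gen_tap_rules() {
    tap=$1; mac=$2; fw=$3; ipv6=$4
    if [ "$fw" = "0" ]; then
        # Non-firewall tap: one early ACCEPT, so its frames do not have to
        # walk the MAC chains of all the other VMs.
        echo "ebtables -A FORWARD -i $tap -j ACCEPT"
        return
    fi
    chain="tap-${tap}-OUT"   # hypothetical chain name
    echo "ebtables -N $chain"
    echo "ebtables -A FORWARD -i $tap -j $chain"
    # Layer-2 protocols carry little traffic, so a per-frame MAC check is cheap.
    echo "ebtables -A $chain -p ARP -s ! $mac -j DROP"
    echo "ebtables -A $chain -p ARP -j ACCEPT"
    # IPv4/IPv6 are accepted here and MAC-filtered in iptables instead.
    echo "ebtables -A $chain -p IPv4 -j ACCEPT"
    if [ "$ipv6" = "0" ]; then
        echo "ebtables -A $chain -p IPv6 -j DROP"
    else
        echo "ebtables -A $chain -p IPv6 -j ACCEPT"
    fi
    # Any other layer-2 frame must come from the VM's own MAC.
    echo "ebtables -A $chain -s ! $mac -j DROP"
    # iptables (needs br_netfilter for bridged traffic): conntrack accepts
    # established flows first, so the MAC match only runs on new connections.
    echo "iptables -A FORWARD -m physdev --physdev-in $tap -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -m physdev --physdev-in $tap -m mac ! --mac-source $mac -j DROP"
}

# Example: a firewalled VM with IPv6 blocked, and a non-firewall VM.
gen_tap_rules tap100i0 aa:bb:cc:dd:ee:ff 1 0
gen_tap_rules tap101i0 aa:bb:cc:dd:ee:01 0 1
```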