> That means that when we do a live migration,
> the rules are not applied until the config file is moved (and the vm resumes just
> after).
>
> So, we can have some seconds where the rules are not yet applied.
>
>
> I'm not sure how we could handle this correctly?
>
> 1) force rules update after the config move but before the resume (but maybe
> for complex/big iptables this will give us some seconds of timeout for the vm)
>
> 2) update rules during live migration (maybe simply detect if vm process is
> running (pid ? systemd scope ?), or if vmbrfw device exists ?
Maybe live migration can tell firewall on target node to activate rules before we start migration. But I am not sure how to implement that.
