> - you can define rules (chain names up to 28 characters), and reuse them for
>   different VMs
> - you can apply rules on VMs or groups
> - if you need to change a chain/security group, you can simply flush the chain
>   (iptables -F chain) before reapplying rules,
>   without need to regenerate/"compile" all rules
> - there is no relation with the bridge, only tap interfaces, so you can move an
>   interface from one bridge to another bridge without breaking rules.
> - it's possible to do security groups with MAC addresses of VMs, and allow
>   opening ports from one group to another group.
> - it's possible to enable/disable firewall log for each VM separately
> - no need to maintain shorewall config files, compile rules, ...
>   we can simply generate chains live as security groups are
>   created/modified,
>   or edit the tap chain when a group is applied/removed to a tap interface.
>
> what do you think about it?
That sounds reasonable so far. How would you present that to the user (how would you design a GUI for that)? What configuration files do we need for that (syntax)? And can we easily implement that with OVS (stateless)?

_______________________________________________
pve-devel mailing list
[email protected]
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
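The chain layout sketched in the quoted proposal, as an added example that is not code from this thread or from Proxmox VE: a small Python generator that renders the iptables commands for one chain per security group, one chain per tap interface, and the flush-then-reapply update path. The `sg-` group prefix, the physdev hook into FORWARD, the DROP default and the sample MAC addresses and groups are assumptions.

```python
# Added example, not code from the thread or from Proxmox VE. Renders iptables
# command strings for the proposed design; it never executes them itself.
MAX_CHAIN = 28  # iptables chain names are limited to 28 characters


def chain_name(name):
    """Validate a chain name against the 28-character iptables limit."""
    if len(name) > MAX_CHAIN:
        raise ValueError(f"chain name too long ({len(name)} > {MAX_CHAIN}): {name}")
    return name


def group_chain(group, rules, members):
    """Commands that create, or flush and rebuild, one security-group chain.
    rules: dicts with 'proto', 'dport' and either 'src' (a CIDR) or
    'src_group' (another group, expanded to its members' MAC addresses).
    members: {group: [mac, ...]}, the VM MAC addresses belonging to each group."""
    chain = chain_name(f"sg-{group}")  # 'sg-' prefix is an assumption
    # create if missing, otherwise flush: the update path needs no global recompile
    cmds = [f"iptables -N {chain} 2>/dev/null; iptables -F {chain}"]
    for r in rules:
        base = f"iptables -A {chain} -p {r['proto']} --dport {r['dport']}"
        if "src_group" in r:
            # group-to-group opening: one rule per member MAC of the source group
            for mac in members[r["src_group"]]:
                cmds.append(f"{base} -m mac --mac-source {mac} -j ACCEPT")
        else:
            cmds.append(f"{base} -s {r['src']} -j ACCEPT")
    return cmds


def tap_chain(tap, groups, log=False):
    """Commands for a per-tap chain that jumps to its groups' chains. The chain
    is hooked from FORWARD by tap name (physdev, an assumption), not by bridge,
    so moving the tap to another bridge leaves the rules intact."""
    chain = chain_name(tap)  # the tap interface name doubles as its chain name
    cmds = [f"iptables -N {chain} 2>/dev/null; iptables -F {chain}"]
    cmds += [f"iptables -A {chain} -j {chain_name(f'sg-{g}')}" for g in groups]
    if log:  # per-VM logging toggle
        cmds.append(f'iptables -A {chain} -j LOG --log-prefix "{chain}: "')
    cmds.append(f"iptables -A {chain} -j DROP")  # assumed default: deny the rest
    hook = f"FORWARD -m physdev --physdev-out {tap} -j {chain}"
    cmds.append(f"iptables -C {hook} 2>/dev/null || iptables -I {hook}")
    return cmds


# constructed sample: "web" opens 80/tcp to anyone, "db" opens 3306/tcp to web members only
MEMBERS = {"web": ["52:54:00:aa:bb:01"], "db": ["52:54:00:aa:bb:02"]}
RULES = {"web": [{"proto": "tcp", "dport": 80, "src": "0.0.0.0/0"}],
         "db": [{"proto": "tcp", "dport": 3306, "src_group": "web"}]}
```

Calling `tap_chain("tap101i0", ["db"], log=True)` after `group_chain` for both sample groups yields the full command list for one VM; re-running either function on a changed group flushes and rebuilds only that chain.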
