Hi Stefan, thanks for the report. I don't use iptables to save config (I'm using iptables-restore to commit the whole ruleset),
but I'm using iptables to check if a rule or chain already exists, for example. Do you know if the problem occurs on read-only operations? (I haven't read all the bug reports yet, I'll do it tomorrow.)

----- Original Message -----
From: "Stefan Priebe - Profihost AG" <[email protected]>
To: "Alexandre DERUMIER" <[email protected]>, [email protected]
Sent: Thursday, 13 February 2014 11:33:59
Subject: Re: [pve-devel] pve-firewall : iptables V2

Hi Alexandre,

I see the following problem regarding the basic iptables implementation.

The iptables binary is not "thread" safe / can't be run in parallel. It then exits with exit code 4 and you see a kernel message "Resource temporarily unavailable".

This means you have to check each iptables command for exit code 4 and have to re-execute it in that case.

Examples / Bug Reports:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=712691
http://lists.netfilter.org/pipermail/netfilter-devel/2006-June/024640.html
http://www.redhat.com/archives/libvir-list/2012-March/msg00746.html

and many more...

Stefan

On 13.02.2014 05:57, Alexandre DERUMIER wrote:
> any comments for these patches ?
>
> ----- Original Message -----
> From: "Alexandre Derumier" <[email protected]>
> To: [email protected]
> Sent: Friday, 7 February 2014 16:22:26
> Subject: [pve-devel] pve-firewall : iptables V2
>
> changelog:
>
> add support for host firewall and group rules.
> It uses iptables-restore now, so rules are applied atomically.
>
> Also, I no longer use return in inbound rules, but jump directly into
> outbound rules, so fewer rule lookups.
>
> FORWARD chain list is:
>
> FORWARD--->proxmoxfw-FORWARD
> ----> BRIDGEFW-OUT
> --->VMBRX-OUT
> ------->TAPXX-OUT
> --->ACCEPT(==JUMP VMBRX-IN)
> --->GROUP-xxx-OUT
> --->ACCEPT(==JUMP BRIDGEFW-IN)
> ---->BRIDGEFW-IN
> ---->VMBRX-IN
> ------->TAPXX-IN
> ---->ACCEPT
> ---->GROUP-xxx-IN
> ----->ACCEPT
>
> Please test :)
> (config file samples for host, group and vm firewall are in the commits)
>
> _______________________________________________
> pve-devel mailing list
> [email protected]
> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
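A retry wrapper of the kind Stefan describes, as an added example that is not part of this thread and not pve-firewall code: it re-runs an iptables invocation only when the binary exits with status 4 (the xtables lock is held by another process and the kernel reports "Resource temporarily unavailable"), returns any other exit status unchanged so that real errors such as a bad rule specification still surface, and routes the read-only "does this chain exist?" check through the same wrapper, since listing also needs the lock. The names `xt_retry`, `chain_exists`, `ensure_chain` and the `XT_RETRY_MAX`, `XT_RETRY_SLEEP`, `XT_ATTEMPTS` and `IPTABLES` variables are assumptions chosen for this example.

```shell
#!/bin/sh
# Added example, not pve-firewall code. Re-run an iptables call when it
# exits with status 4 (xtables lock busy: "Resource temporarily
# unavailable"); any other exit status is returned unchanged.
# XT_RETRY_MAX, XT_RETRY_SLEEP, XT_ATTEMPTS and IPTABLES are names chosen
# for this example (assumptions), not variables of any real tool.

XT_RETRY_MAX=${XT_RETRY_MAX:-10}    # attempts before giving up
XT_RETRY_SLEEP=${XT_RETRY_SLEEP:-1} # seconds to wait between attempts
XT_ATTEMPTS=0                       # attempts used by the last xt_retry call

# xt_retry COMMAND [ARGS...]
# Runs COMMAND; on exit status 4 it sleeps and tries again, up to
# XT_RETRY_MAX times. Written so that it also behaves under `set -e`.
xt_retry() {
    attempt=1
    while :; do
        rc=0
        "$@" || rc=$?
        XT_ATTEMPTS=$attempt
        # Only status 4 means "try again"; a bad rule spec (exit 1/2)
        # must surface immediately instead of being retried.
        [ "$rc" -ne 4 ] && return "$rc"
        [ "$attempt" -ge "$XT_RETRY_MAX" ] && return 4
        attempt=$((attempt + 1))
        sleep "$XT_RETRY_SLEEP"
    done
}

# Read-only check used before creating a chain in the filter table.
# Listing also takes the xtables lock, so it goes through the wrapper.
chain_exists() {
    xt_retry "${IPTABLES:-iptables}" -n -L "$1" >/dev/null 2>&1
}

# Create the chain only when it is missing; both steps are retried.
ensure_chain() {
    chain_exists "$1" || xt_retry "${IPTABLES:-iptables}" -N "$1"
}

# Usage (with the real binary):
#   ensure_chain proxmoxfw-FORWARD
#   xt_retry iptables -A FORWARD -j proxmoxfw-FORWARD
```

The wrapper retries on the exit status alone and never parses the error text, because the message wording differs between iptables versions while the status code is the stable signal. For the bulk commit, loading the whole ruleset through `iptables-restore` as the patch does keeps the number of lock acquisitions to one per commit, so the retry matters mostly for the individual read-only checks around it.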
