>>another way, we can list all the tap,group,bridge with firewall enabled,

I think it can be done fast, listing /sys/class/net/vmbrX/brif/tapX
so we can find in iptables-save if stale tap chains exist

----- Original message -----
From: "Alexandre DERUMIER" <[email protected]>
To: "Dietmar Maurer" <[email protected]>
Cc: [email protected]
Sent: Friday 14 February 2014 07:55:17
Subject: Re: [pve-devel] pve-firewall : iptables V2

>>Wait. Maybe we can optimize/fix your way.
>>
>>(I guess it would be great if we can update FW rules for single VM, or single
>>security groups.)

Ok :)

>>My idea is to do an 'iptables-save' first, and parse that output to see what
>>chains exist.

good idea

>>Maybe we can compute MD5sum to see if something changed?

Yes, I think it should work.

another way, we can list all the tap,group,bridge with firewall enabled,
parse iptables-save, make a diff and delete stale chains

----- Original message -----
From: "Dietmar Maurer" <[email protected]>
To: "Alexandre DERUMIER" <[email protected]>
Cc: [email protected]
Sent: Friday 14 February 2014 07:15:04
Subject: RE: [pve-devel] pve-firewall : iptables V2

> >>I would not rely on that. We need a way to correctly update rules without
> relying on previous state.
>
> Ok, I'll send a patch to generate the whole firewall rules.
> I don't think it'll be slow anyway. (and no more iptables_exist, so it can be
> more reliable too)

Wait. Maybe we can optimize/fix your way.

(I guess it would be great if we can update FW rules for single VM, or single
security groups.)

My idea is to do an 'iptables-save' first, and parse that output to see what
chains exist.

Maybe we can compute MD5sum to see if something changed?

_______________________________________________
pve-devel mailing list
[email protected]
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
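The stale-chain check sketched in this thread (list the taps enslaved under /sys/class/net/vmbrX/brif, parse iptables-save for declared chains, diff the two, and hash the ruleset to detect changes), written out as an added Python example that is not pve-firewall's own code. The per-tap chain naming tapNNNiN-IN/-OUT and the sample dump are constructed assumptions for illustration.

```python
import hashlib
import os
import re

# Constructed sample of `iptables-save` output (not captured from a real host).
SAMPLE_DUMP = """\
# Generated by iptables-save v1.4.14 on Fri Feb 14 07:55:17 2014
*filter
:INPUT ACCEPT [10:800]
:FORWARD ACCEPT [0:0]
:tap100i0-IN - [5:400]
:tap100i0-OUT - [0:0]
:tap101i0-IN - [0:0]
:tap101i0-OUT - [0:0]
-A FORWARD -m physdev --physdev-out tap100i0 -j tap100i0-IN
-A tap100i0-IN -p tcp -m tcp --dport 22 -j ACCEPT
-A tap101i0-IN -j DROP
COMMIT
"""

CHAIN_RE = re.compile(r"^:(\S+) ")                       # ':NAME policy [p:b]'
TAP_CHAIN_RE = re.compile(r"^(tap\d+i\d+)-(IN|OUT)$")   # assumed chain naming

def parse_chains(dump):
    """Chain names declared (':NAME ...' lines) in an iptables-save dump."""
    return {m.group(1) for line in dump.splitlines() if (m := CHAIN_RE.match(line))}

def ruleset_digest(dump):
    """MD5 of the dump with '#' comments dropped and [pkts:bytes] counters
    normalised, so the digest changes only when the rules themselves change."""
    lines = [re.sub(r"\[\d+:\d+\]", "[0:0]", l)
             for l in dump.splitlines() if not l.startswith("#")]
    return hashlib.md5("\n".join(lines).encode()).hexdigest()

def active_taps(sysfs_root="/sys/class/net"):
    """Taps currently enslaved to a vmbrX bridge (reads /sys/class/net/vmbrX/brif/)."""
    taps = set()
    if not os.path.isdir(sysfs_root):
        return taps
    for dev in os.listdir(sysfs_root):
        brif = os.path.join(sysfs_root, dev, "brif")
        if dev.startswith("vmbr") and os.path.isdir(brif):
            taps.update(p for p in os.listdir(brif) if p.startswith("tap"))
    return taps

def stale_tap_chains(dump, taps):
    """Per-tap chains whose tap is no longer attached to any bridge."""
    return sorted(c for c in parse_chains(dump)
                  if (m := TAP_CHAIN_RE.match(c)) and m.group(1) not in taps)
```

Stripping the timestamped `#` header and the counters before hashing matters: a raw MD5 of iptables-save output changes on every run even when no rule changed.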
