> >>Oh, I do not care about crashed VM (why?).
> > (I thought of stale tap chain, that normally we can remove at vm_stop for
> > example, and not removed if vm crash)

We can't do that anyway, because we do not know when a VM crashes.

> >>My idea was that we simply compute the whole set of chains we need.
> >>Then we compare that with the current ruleset, and only apply the diff
> >>(and remove rules which are no longer needed).
> > when you say the whole set of chains, do you mean the full firewall config ?

Yes - but only for the VMs residing on the node. I guess we can optimize that
later to only process required parts if it turns out to be a performance
problem - but I doubt this is a problem.

> (I'll wait for your patches to see exactly ;)

OK, will work on that next week.

_______________________________________________
pve-devel mailing list
[email protected]
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
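The reconciliation idea discussed in this thread (compute the full set of chains needed, compare with the current ruleset, apply only the diff), as an added Python example that is not code from the post or from pve-firewall. Chain names, rule specs and the `owned` prefix check are constructed assumptions; deleting a chain also assumes no other chain still jumps to it.

```python
# Added example. All chain names and rules below are constructed sample data.

def plan(current, desired, owned=lambda name: name.startswith("tap")):
    """Return iptables argument strings that turn `current` into `desired`.

    current / desired: dict of chain name -> ordered list of rule specs.
    Only chains for which owned(name) is true are ever modified, so
    built-in chains and rules managed by other tools are left alone.
    """
    cmds = []
    for name in sorted(desired):
        if not owned(name):
            raise ValueError(f"refusing to manage foreign chain {name!r}")
        rules = desired[name]
        if name not in current:
            cmds.append(f"-N {name}")          # new chain
        elif current[name] == rules:
            continue                           # unchanged: emit nothing
        else:
            cmds.append(f"-F {name}")          # changed: flush, then refill
        cmds.extend(f"-A {name} {rule}" for rule in rules)
    # Anything we own that is no longer wanted is stale, whatever the reason
    # (VM stopped, migrated away, or crashed without any hook running).
    for name in sorted(current):
        if owned(name) and name not in desired:
            cmds += [f"-F {name}", f"-X {name}"]
    return cmds

# Constructed state: what is loaded on the node right now.
CURRENT = {
    "INPUT": ["-j ACCEPT"],                                   # not ours
    "tap100i0-IN": ["-p tcp --dport 22 -j ACCEPT", "-j DROP"],
    "tap101i0-IN": ["-j DROP"],
    "tap999i0-IN": ["-j DROP"],                               # VM is gone
}
# Constructed state: computed from the config of the VMs on this node.
DESIRED = {
    "tap100i0-IN": ["-p tcp --dport 22 -j ACCEPT", "-j DROP"],
    "tap101i0-IN": ["-p tcp --dport 443 -j ACCEPT", "-j DROP"],
    "tap102i0-IN": ["-j DROP"],
}

if __name__ == "__main__":
    for cmd in plan(CURRENT, DESIRED):
        print("iptables", cmd)
```

The stale `tap999i0-IN` chain is removed without the code ever learning why the VM disappeared, and a second run against the already-reconciled state produces no commands.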
