On Tuesday, 27.11.2018, 14:55 +0100, Wolfgang Bumiller wrote:
> The pve-firewall code is very iptables-oriented though, and I'm not sure
> if maybe we're not better off splitting the rule-generating part out
> and writing the nftables variant from scratch... The iptables part would
> be considered feature-frozen from that point on I'd say/hope/think...
Yes, I think in the long term rule generation really needs to be separated completely from rule definition. Right now there's a lot of implicit iptables rule generation inside pve-firewall, which makes it a real pain.

Just to throw in another idea: How about using something like shorewall (shorewall.net) to handle the whole firewall generation code from a higher level? I have been using it in really complex setups for years and I am very happy with it. (I know this won't solve the nftables problem right now.)

Tom