Re: [pve-devel] [PATCH pve-docs v3 18/18] firewall: add documentation for forward direction

From: Stefan Hanreich <s.hanreich@proxmox.com>
To: Hannes Duerr <h.duerr@proxmox.com>,
	Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Subject: Re: [pve-devel] [PATCH pve-docs v3 18/18] firewall: add documentation for forward direction
Date: Fri, 15 Nov 2024 08:49:07 +0100	[thread overview]
Message-ID: <3960d8bd-c343-473b-a5a5-b5bbf41a0c05@proxmox.com> (raw)
In-Reply-To: <b9674b96-f21a-4982-b950-b911293be26a@proxmox.com>

On 11/13/24 16:37, Hannes Duerr wrote:
> I am still not really conviced about the 'zone', but this does not have
> to change with this series.
> I like the other changes, but I think there are some minor issues.
> 
> On 12.11.24 13:26, Stefan Hanreich wrote:
>> diff --git a/pve-firewall.adoc b/pve-firewall.adoc
>> index b428703..d5c664f 100644
>> --- a/pve-firewall.adoc
>> +++ b/pve-firewall.adoc
>> @@ -48,18 +48,34 @@ there is no need to maintain a different set of
>> rules for IPv6.
>>   Zones
>>   -----
>>   -The Proxmox VE firewall groups the network into the following
>> logical zones:
>> +The Proxmox VE firewall groups the network into the following logical
>> zones.
>> +Depending on the zone, you can define firewall rules for incoming,
>> outgoing or
>> +forwarded traffic.
>>     Host::
>>   -Traffic from/to a cluster node
>> +Traffic going from/to a host or traffic that is forwarded by a host.
>> +
>> +You can define rules for this zone either at the datacenter level or
>> at the node
>> +level. Rules at node level take precedence over rules at datacenter
>> level.
> If I am too picky please tell me:
> First we talk about traffic through the 'host' and then we switch to
> talking about 'node level'.
> Shouldn't we at least stick with one word? I think this can confuse users.

Yes, that is indeed true. I'll try and unify the terminology

> 
>>     VM::
>>   -Traffic from/to a specific VM
>> +Traffic going from/to a VM or CT.
>> +
>> +You cannot define rules for the forward direction, only for
>> incoming / outgoing.
> Isn't the word 'traffic' missing at the end?

It's referring to the direction earlier in the sentence, but re-reading
it, it would just be better to make it explicit.

>> +
>> +VNet::
>>   -For each zone, you can define firewall rules for incoming and/or
>> -outgoing traffic.
>> +Traffic passing through a SDN VNet, either from guest to guest or
>> from host to
>> +guest and vice-versa. Since this traffic is always forwarded traffic,
>> it is only
> I think the verb is missing in this sentence also i'd change the
> structure to:
> Traffic is passing trough a SDN VNet, either from guest to guest, from
> host to guest or vice-versa.

Yes, that sounds better.

>> +possible to create rules with direction forward.
>> +
>> +
>> +IMPORTANT: Creating rules for forwarded traffic or on a VNet-level is
>> currently
>> +only possible when using the new
>> +xref:pve_firewall_nft[nftables-based proxmox-firewall]. Any forward
>> rules will be
>> +ignored by the stock `pve-firewall` and have no effect!

_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel