Re: [pve-devel] [PATCH pve-docs v3 18/18] firewall: add documentation for forward direction

From: Hannes Duerr <h.duerr@proxmox.com>
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>,
	Stefan Hanreich <s.hanreich@proxmox.com>
Subject: Re: [pve-devel] [PATCH pve-docs v3 18/18] firewall: add documentation for forward direction
Date: Wed, 13 Nov 2024 16:37:13 +0100	[thread overview]
Message-ID: <b9674b96-f21a-4982-b950-b911293be26a@proxmox.com> (raw)
In-Reply-To: <20241112122615.88854-19-s.hanreich@proxmox.com>

I am still not really conviced about the 'zone', but this does not have 
to change with this series.
I like the other changes, but I think there are some minor issues.

On 12.11.24 13:26, Stefan Hanreich wrote:
> diff --git a/pve-firewall.adoc b/pve-firewall.adoc
> index b428703..d5c664f 100644
> --- a/pve-firewall.adoc
> +++ b/pve-firewall.adoc
> @@ -48,18 +48,34 @@ there is no need to maintain a different set of rules for IPv6.
>   Zones
>   -----
>   
> -The Proxmox VE firewall groups the network into the following logical zones:
> +The Proxmox VE firewall groups the network into the following logical zones.
> +Depending on the zone, you can define firewall rules for incoming, outgoing or
> +forwarded traffic.
>   
>   Host::
>   
> -Traffic from/to a cluster node
> +Traffic going from/to a host or traffic that is forwarded by a host.
> +
> +You can define rules for this zone either at the datacenter level or at the node
> +level. Rules at node level take precedence over rules at datacenter level.
If I am too picky please tell me:
First we talk about traffic through the 'host' and then we switch to 
talking about 'node level'.
Shouldn't we at least stick with one word? I think this can confuse users.

>   
>   VM::
>   
> -Traffic from/to a specific VM
> +Traffic going from/to a VM or CT.
> +
> +You cannot define rules for the forward direction, only for incoming / outgoing.
Isn't the word 'traffic' missing at the end?
> +
> +VNet::
>   
> -For each zone, you can define firewall rules for incoming and/or
> -outgoing traffic.
> +Traffic passing through a SDN VNet, either from guest to guest or from host to
> +guest and vice-versa. Since this traffic is always forwarded traffic, it is only
I think the verb is missing in this sentence also i'd change the 
structure to:
Traffic is passing trough a SDN VNet, either from guest to guest, from 
host to guest or vice-versa.
> +possible to create rules with direction forward.
> +
> +
> +IMPORTANT: Creating rules for forwarded traffic or on a VNet-level is currently
> +only possible when using the new
> +xref:pve_firewall_nft[nftables-based proxmox-firewall]. Any forward rules will be
> +ignored by the stock `pve-firewall` and have no effect!

_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel