Re: [pve-devel] [RFC container/firewall/manager/proxmox-firewall/qemu-server 00/37] proxmox firewall nftables implementation

[Stefan Hanreich <s.hanreich@proxmox.com>]

On 4/3/24 07:37, DERUMIER, Alexandre via pve-devel wrote:
> I'll really take time to test it (I was super busy theses last month
> with a datacenter migration), as I wait for nftables since a while.
> 
> Can't help too much with rust, but I really appriciate it, as I had
> some servers with a lot of vms && rules, take more than 10s to generate
> the rules with current perl implementation).

Thanks! I'd be really interested in how this performs with a large
ruleset since I haven't really tried with an excessively large ruleset
so far. I have only done very basic checks of the performance, but it
looked quite promising. 50% of the time is actually spent in
libnftables, so I'd be interested to see how this changes with large
rulesets.

There is also still some room for performance improvements, since
performance wasn't my main concern so far. For instance I am currently
reading the guest configuration files 1:1 via the filesystem, but I
wanted to implement getting the configuration via pmxcfs where one call
would then suffice to retrieve the network configuration of all guests.

If you have a large configuration I could use for testing, that you'd be
willing to share, then I could run tests myself. Otherwise I will
probably use a script to generate a huge config myself at some point.

> I really would like to not have fwbr bridge anymore, because I have
> seen a big performance bug with them: 

I agree 100%, getting rid of those would eliminate several bugs and issues.

> I'll try your code, see the generated rules, and try to see if I can
> get reject working.

Thanks! Maybe you can come up with something. Otherwise we might have to
implement a configuration option that switches between firewall bridge
on/off and people have to make choices about the tradeoffs themselves.