From: Stefan Hanreich <s.hanreich@proxmox.com>
To: "Hannes Dürr" <h.duerr@proxmox.com>,
"Proxmox VE development discussion" <pve-devel@lists.proxmox.com>
Subject: Re: [pve-devel] [PATCH pve-docs v2 17/17] firewall: add documentation for forward direction
Date: Mon, 11 Nov 2024 15:17:05 +0100
Message-ID: <d7905866-8e28-4332-8dd5-0b2eafdc0550@proxmox.com>
In-Reply-To: <c79bd667-b49e-4108-a51b-6d51c7d8f189@proxmox.com>

On 11/7/24 16:57, Hannes Dürr wrote:
> This is not really true, I can not create rules on the forward chain of
> VMs, can I?

Yes, it would make sense to qualify that further.

> I think the "Zones" section could benefit from some rewording because
> IMO the Zone representation is not really fitting and also in the rest
> of the article we are talking about 'Levels' and not 'Zones'.
> I'd propose something like this:

Whilst I agree, zone seems the better name in this context. I've done
quick grepping and level is barely used (twice or thrice outside of log
level) throughout the whole firewall documentation.

> Firewall rules can be created on 4 levels, Cluster, Node, Vnet, VM.
> However, the Rules only act on the 3 levels Node, Vnet and VM.
> The reason for this is the distributed architecture: if a firewall rule
> is created at cluster level, it gets rolled out to all hosts and acts at
> host level.

It might make sense to have a distinction between zone and level? Level
is where rules are defined and Zone is where rules act in practice.
Although that distinction might be a bit too much since it is only
needed for the special DC / Node case.

Maybe it would also make sense to create a short section called
Directions that explains the different semantics for the respective
directions depending on the zone?