On 11/13/24 16:37, Hannes Duerr wrote:
> I am still not really convinced about the 'zone', but this does not have
> to change with this series.
> I like the other changes, but I think there are some minor issues.
>
> On 12.11.24 13:26, Stefan Hanreich wrote:
>> diff --git a/pve-firewall.adoc b/pve-firewall.adoc
>> index b428703..d5c664f 100644
>> --- a/pve-firewall.adoc
>> +++ b/pve-firewall.adoc
>> @@ -48,18 +48,34 @@ there is no need to maintain a different set of
>> rules for IPv6.
>> Zones
>> -----
>> -The Proxmox VE firewall groups the network into the following
>> logical zones:
>> +The Proxmox VE firewall groups the network into the following logical
>> zones.
>> +Depending on the zone, you can define firewall rules for incoming,
>> outgoing or
>> +forwarded traffic.
>> Host::
>> -Traffic from/to a cluster node
>> +Traffic going from/to a host or traffic that is forwarded by a host.
>> +
>> +You can define rules for this zone either at the datacenter level or
>> at the node
>> +level. Rules at node level take precedence over rules at datacenter
>> level.
> If I am too picky please tell me:
> First we talk about traffic through the 'host' and then we switch to
> talking about 'node level'.
> Shouldn't we at least stick with one word? I think this can confuse users.

Yes, that is indeed true. I'll try and unify the terminology.

>
>> VM::
>> -Traffic from/to a specific VM
>> +Traffic going from/to a VM or CT.
>> +
>> +You cannot define rules for the forward direction, only for
>> incoming / outgoing.
> Isn't the word 'traffic' missing at the end?

It's referring to the direction earlier in the sentence, but re-reading it, it would just be better to make it explicit.

>> +
>> +VNet::
>> -For each zone, you can define firewall rules for incoming and/or
>> -outgoing traffic.
>> +Traffic passing through a SDN VNet, either from guest to guest or
>> from host to
>> +guest and vice-versa. Since this traffic is always forwarded traffic,
>> it is only
> I think the verb is missing in this sentence, also I'd change the
> structure to:
> Traffic is passing through a SDN VNet, either from guest to guest, from
> host to guest or vice-versa.

Yes, that sounds better.

>> +possible to create rules with direction forward.
>> +
>> +
>> +IMPORTANT: Creating rules for forwarded traffic or on a VNet-level is
>> currently
>> +only possible when using the new
>> +xref:pve_firewall_nft[nftables-based proxmox-firewall]. Any forward
>> rules will be
>> +ignored by the stock `pve-firewall` and have no effect!

_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
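Review bot: in the Host zone paragraph of this hunk, "Rules at node level take precedence over rules at datacenter level" does not say what precedence means for evaluation (are datacenter rules still consulted when no node rule matches, or only when the node defines no rules at all?); since that ordering decides whether a packet is accepted or dropped, one sentence spelling it out would make the security behaviour unambiguous. Two smaller points in the same hunk: "a SDN VNet" should read "an SDN VNet", and "CT" is introduced in the VM zone text without being expanded to "container" anywhere in the added lines.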