Re: [pve-devel] firewall rules format

2014-05-18 Thread Dietmar Maurer
Just committed this change

> > Yes, keep it simple
> >
> > in ACCEPT(MACRO) -i net0 -source 192.168.2.0 -dest 1.2.3.4 -p tcp
> > -dport 80 -sport 20
> 
> Ok, will go that way ;-)
___
pve-devel mailing list
pve-devel@pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel


Re: [pve-devel] firewall rules format

2014-05-16 Thread Dietmar Maurer
> >>As long as it is unique. But for now I want to keep things simple. We
> >>just need to decide if we move from position based arguments to named
> arguments.
> 
> Yes, keep it simple
> 
> in ACCEPT(MACRO) -i net0 -source 192.168.2.0 -dest 1.2.3.4 -p tcp -dport 80
> -sport 20

Ok, will go that way ;-)


Re: [pve-devel] firewall rules format

2014-05-16 Thread Alexandre DERUMIER
>>As long as it is unique. But for now I want to keep things simple. We just
>>need to decide if we move from position based arguments to named arguments.

Yes, keep it simple

in ACCEPT(MACRO) -i net0 -source 192.168.2.0 -dest 1.2.3.4 -p tcp -dport 80 
-sport 20

seem to be enough

- Original message -

From: "Dietmar Maurer"
To: "Michael Rasmussen" , pve-devel@pve.proxmox.com
Sent: Friday 16 May 2014 19:50:22
Subject: Re: [pve-devel] firewall rules format

> > But above syntax is basically iptables format, with some 
> > simplifications ;-) Or what would you change exactly? 
> > 
> -source -> -s 
> -dest -> -d 

The getopt-long parser usually accepts several option formats, like:

--source 
-source 
-s 

As long as it is unique. But for now I want to keep things simple. We just need
to decide if we move from position based arguments to named arguments.



Re: [pve-devel] firewall rules format

2014-05-16 Thread Michael Rasmussen
On Fri, 16 May 2014 17:50:22 +
Dietmar Maurer  wrote:

> The getopt-long parser usually accepts several option formats, like:
> 
> --source
> -source
> -s
> 
> As long as it is unique. But for now I want to keep things simple. We just
> need to decide if we move from position based arguments to named arguments.
> 
Ok. I agree that position-based options are a pain which should be
avoided at all cost.

-- 
Hilsen/Regards
Michael Rasmussen

Get my public GnuPG keys:
michael  rasmussen  cc
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xD3C9A00E
mir  datanom  net
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE501F51C
mir  miras  org
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE3E80917
--
/usr/games/fortune -es says:
Our way is peace.
-- Septimus, the Son Worshiper, "Bread and Circuses",
   stardate 4040.7.




Re: [pve-devel] firewall rules format

2014-05-16 Thread Dietmar Maurer
> > But above syntax is basically iptables format, with some
> > simplifications ;-) Or what would you change exactly?
> >
> -source -> -s
> -dest   -> -d

The getopt-long parser usually accepts several option formats, like:

--source
-source
-s

As long as it is unique. But for now I want to keep things simple. We just need
to decide if we move from position based arguments to named arguments.



Re: [pve-devel] firewall rules format

2014-05-16 Thread Michael Rasmussen
On Fri, 16 May 2014 17:01:19 +
Dietmar Maurer  wrote:

> 
> because we cannot provide full iptables functionality, and iptables format
> is really clumsy (for example multiport matches, ipsets, ...).
> 
True.
> But above syntax is basically iptables format, with some simplifications ;-) 
> Or what would you change exactly?
> 
-source -> -s
-dest   -> -d


-- 
Hilsen/Regards
Michael Rasmussen

--
/usr/games/fortune -es says:
Get in touch with your feelings of hostility against the dying light.
-- Dylan Thomas [paraphrased periphrastically]




Re: [pve-devel] firewall rules format

2014-05-16 Thread Dietmar Maurer


> -Original Message-
> From: pve-devel [mailto:pve-devel-boun...@pve.proxmox.com] On Behalf Of
> Dietmar Maurer
> Sent: Friday, 16 May 2014 19:20
> To: Michael Rasmussen; pve-devel@pve.proxmox.com
> Subject: Re: [pve-devel] firewall rules format
> 
> > > Why not stick to the iptables format?

Or maybe something similar to nftables (iptables is already dead?)

... saddr 192.168.56.0/24 dport 80




Re: [pve-devel] firewall rules format

2014-05-16 Thread Dietmar Maurer
> > Why not stick to the iptables format?
> > in ACCEPT(MACRO) -i net0 -s 192.168.2.0 -d 1.2.3.4 -p tcp -dport 80
> > -sport 20
> 
> because we cannot provide full iptables functionality, and iptables format is
> really clumsy (for example multiport matches, ipsets, ...).

For example, we want to write:

- dport 80
- dport 135,139,445

instead of:

--dport 80
--match multiport --dports 135,139,445





Re: [pve-devel] firewall rules format

2014-05-16 Thread Dietmar Maurer
> Why not stick to the iptables format?
> in ACCEPT(MACRO) -i net0 -s 192.168.2.0 -d 1.2.3.4 -p tcp -dport 80 -sport 20

because we cannot provide full iptables functionality, and iptables format
is really clumsy (for example multiport matches, ipsets, ...).

But above syntax is basically iptables format, with some simplifications ;-) 
Or what would you change exactly?




Re: [pve-devel] firewall rules format

2014-05-16 Thread Michael Rasmussen
On Fri, 16 May 2014 15:44:52 +
Dietmar Maurer  wrote:

> We currently use the following format for rules:
> 
> #TYPE ACTION IFACE SOURCE DEST PROTO D-PORT S-PORT
> IN ACCEPT(MACRO) net0 192.168.2.0 1.2.3.4 tcp 80 20
> 
> This is hard to write/read because you need to remember the correct order.
> 
> So I thought about using something like:
> 
> in ACCEPT(MACRO) -i net0 -source 192.168.2.0 -dest 1.2.3.4 -p tcp -dport 80 
> -sport 20
> 
> This is a bit harder to parse, but it is easy to add more options in future.
> 
> What do you think?
> 
Why not stick to the iptables format?
in ACCEPT(MACRO) -i net0 -s 192.168.2.0 -d 1.2.3.4 -p tcp -dport 80
-sport 20

-- 
Hilsen/Regards
Michael Rasmussen

--
/usr/games/fortune -es says:
Dime is money.




Re: [pve-devel] firewall rules format

2014-05-16 Thread Alexandre DERUMIER
>>#TYPE ACTION IFACE SOURCE DEST PROTO D-PORT S-PORT 
>>IN ACCEPT(MACRO) net0 192.168.2.0 1.2.3.4 tcp 80 20 

>>This is hard to write/read because you need to remember the correct order.

>>So I thought about using something like: 

>>in ACCEPT(MACRO) -i net0 -source 192.168.2.0 -dest 1.2.3.4 -p tcp -dport 80 
>>-sport 20 

>>This is a bit harder to parse, but it is easy to add more options in future. 

>>What do you think? 


Yes, I agree, better to read indeed!

- Original message -

From: "Dietmar Maurer"
To: "Alexandre DERUMIER (aderum...@odiso.com)"
Cc: pve-devel@pve.proxmox.com
Sent: Friday 16 May 2014 17:44:52
Subject: firewall rules format



We currently use the following format for rules: 

#TYPE ACTION IFACE SOURCE DEST PROTO D-PORT S-PORT 
IN ACCEPT(MACRO) net0 192.168.2.0 1.2.3.4 tcp 80 20 

This is hard to write/read because you need to remember the correct order.

So I thought about using something like: 

in ACCEPT(MACRO) -i net0 -source 192.168.2.0 -dest 1.2.3.4 -p tcp -dport 80 
-sport 20 

This is a bit harder to parse, but it is easy to add more options in future. 

What do you think? 


[pve-devel] firewall rules format

2014-05-16 Thread Dietmar Maurer
We currently use the following format for rules:

#TYPE ACTION IFACE SOURCE DEST PROTO D-PORT S-PORT
IN ACCEPT(MACRO) net0 192.168.2.0 1.2.3.4 tcp 80 20

This is hard to write/read because you need to remember the correct order.

So I thought about using something like:

in ACCEPT(MACRO) -i net0 -source 192.168.2.0 -dest 1.2.3.4 -p tcp -dport 80 
-sport 20

This is a bit harder to parse, but it is easy to add more options in future.

What do you think?

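As an added example (not Proxmox code), here is a small Python parser for the named-argument rule format proposed in the thread, with the getopt-long style alias handling (--source, -source and -s all mean the same thing, as long as the prefix is unique) and the multiport rendering discussed in the replies. The IN/OUT to -i/-o mapping and the requirement that port options come with -p tcp or -p udp are this example's own assumptions.

```python
import shlex
# Aliases for the proposed named-argument format; exact alias or unique prefix, getopt-long style.
ALIASES = {"i": "iface", "iface": "iface", "s": "source", "source": "source",
           "d": "dest", "dest": "dest", "p": "proto", "proto": "proto",
           "dport": "dport", "sport": "sport"}

def resolve_option(token):
    name = token.lstrip("-")  # --source, -source and -s all resolve to "source"
    hits = {ALIASES[name]} if name in ALIASES else {v for k, v in ALIASES.items() if k.startswith(name)}
    if not token.startswith("-") or len(hits) != 1:
        raise ValueError(f"option {token!r} is unknown or ambiguous: {sorted(hits)}")
    return hits.pop()

def parse_ports(text):
    # "80" -> [80]; "135,139,445" -> [135, 139, 445]; iptables multiport takes at most 15 ports
    ports = [int(p) for p in text.split(",")]  # ValueError on non-numeric input
    if len(ports) > 15 or any(not 1 <= p <= 65535 for p in ports):
        raise ValueError(f"bad port list {text!r}")
    return ports

def parse_rule(line):
    # e.g. "in ACCEPT(MACRO) -i net0 -source 192.168.2.0 -dest 1.2.3.4 -p tcp -dport 80 -sport 20"
    tokens = shlex.split(line)
    if len(tokens) < 2 or tokens[0].upper() not in ("IN", "OUT"):
        raise ValueError("rule must start with IN|OUT followed by an action")
    rule = {"type": tokens[0].upper(), "action": tokens[1]}
    it = iter(tokens[2:])
    for tok in it:
        key = resolve_option(tok)
        if key in rule or (val := next(it, None)) is None:
            raise ValueError(f"option {tok!r} is duplicated or missing its value")
        rule[key] = val
    rule.update({k: parse_ports(rule[k]) for k in ("dport", "sport") if k in rule})
    if ("dport" in rule or "sport" in rule) and rule.get("proto") not in ("tcp", "udp"):
        raise ValueError("port options need -p tcp or -p udp")  # iptables rejects them otherwise
    return rule

def to_iptables_args(rule):
    # assumption of this example: IN rules match the input interface (-i), OUT the output one (-o)
    args = ["-i" if rule["type"] == "IN" else "-o", rule["iface"]] if "iface" in rule else []
    for key, flag in (("source", "-s"), ("dest", "-d"), ("proto", "-p")):
        if key in rule:
            args += [flag, rule[key]]
    for key, one, many in (("dport", "--dport", "--dports"), ("sport", "--sport", "--sports")):
        ports = rule.get(key, [])
        if len(ports) == 1:
            args += [one, str(ports[0])]
        elif ports:  # the spelling the thread wants to hide from rule authors
            args += ["--match", "multiport", many, ",".join(map(str, ports))]
    return args
```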