Re: [pve-devel] firewall rules format
Just committed this change.

> > Yes, keep it simple
> >
> > in ACCEPT(MACRO) -i net0 -source 192.168.2.0 -dest 1.2.3.4 -p tcp -dport 80 -sport 20
>
> Ok, will go that way ;-)

___
pve-devel mailing list
pve-devel@pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
Re: [pve-devel] firewall rules format
> > As long as it is unique. But for now I want to keep things simple. We just need to decide if we move from position based arguments to named arguments.
>
> Yes, keep it simple
>
> in ACCEPT(MACRO) -i net0 -source 192.168.2.0 -dest 1.2.3.4 -p tcp -dport 80 -sport 20

Ok, will go that way ;-)
[pve-devel] firewall rules format
We currently use the following format for rules:

#TYPE ACTION IFACE SOURCE DEST PROTO D-PORT S-PORT
IN ACCEPT(MACRO) net0 192.168.2.0 1.2.3.4 tcp 80 20

This is hard to write/read because you need to remember the correct order. So I thought about using something like:

in ACCEPT(MACRO) -i net0 -source 192.168.2.0 -dest 1.2.3.4 -p tcp -dport 80 -sport 20

This is a bit harder to parse, but it is easy to add more options in future. What do you think?
Re: [pve-devel] firewall rules format
> #TYPE ACTION IFACE SOURCE DEST PROTO D-PORT S-PORT
> IN ACCEPT(MACRO) net0 192.168.2.0 1.2.3.4 tcp 80 20
>
> This is hard to write/read because you need to remember the correct order. So I thought about using something like:
>
> in ACCEPT(MACRO) -i net0 -source 192.168.2.0 -dest 1.2.3.4 -p tcp -dport 80 -sport 20
>
> This is a bit harder to parse, but it is easy to add more options in future. What do you think?

Yes, I agree, better to read indeed!

----- Original Message -----
From: Dietmar Maurer diet...@proxmox.com
To: Alexandre DERUMIER (aderum...@odiso.com) aderum...@odiso.com
Cc: pve-devel@pve.proxmox.com
Sent: Friday, 16 May 2014 17:44:52
Subject: firewall rules format
Re: [pve-devel] firewall rules format
On Fri, 16 May 2014 15:44:52 +0000, Dietmar Maurer diet...@proxmox.com wrote:
> We currently use the following format for rules:
>
> #TYPE ACTION IFACE SOURCE DEST PROTO D-PORT S-PORT
> IN ACCEPT(MACRO) net0 192.168.2.0 1.2.3.4 tcp 80 20
>
> This is hard to write/read because you need to remember the correct order. So I thought about using something like:
>
> in ACCEPT(MACRO) -i net0 -source 192.168.2.0 -dest 1.2.3.4 -p tcp -dport 80 -sport 20
>
> This is a bit harder to parse, but it is easy to add more options in future. What do you think?

Why not stick to the iptables format?

in ACCEPT(MACRO) -i net0 -s 192.168.2.0 -d 1.2.3.4 -p tcp -dport 80 -sport 20

--
Hilsen/Regards
Michael Rasmussen

Get my public GnuPG keys:
michael at rasmussen dot cc
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0xD3C9A00E
mir at datanom dot net
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0xE501F51C
mir at miras dot org
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0xE3E80917
--
/usr/games/fortune -es says:
Dime is money.

signature.asc Description: PGP signature
Re: [pve-devel] firewall rules format
> Why not stick to the iptables format?
>
> in ACCEPT(MACRO) -i net0 -s 192.168.2.0 -d 1.2.3.4 -p tcp -dport 80 -sport 20

Because we cannot provide full iptables functionality, and iptables format is really clumsy (for example multiport matches, ipsets, ...).

But above syntax is basically iptables format, with some simplifications ;-)

Or what would you change exactly?
Re: [pve-devel] firewall rules format
> > Why not stick to the iptables format?
> >
> > in ACCEPT(MACRO) -i net0 -s 192.168.2.0 -d 1.2.3.4 -p tcp -dport 80 -sport 20
>
> Because we cannot provide full iptables functionality, and iptables format is really clumsy (for example multiport matches, ipsets, ...).

For example, we want to write:

-dport 80
-dport 135,139,445

instead of:

--dport 80
--match multiport --dports 135,139,445
Re: [pve-devel] firewall rules format
> -----Original Message-----
> From: pve-devel [mailto:pve-devel-boun...@pve.proxmox.com] On Behalf Of Dietmar Maurer
> Sent: Friday, 16 May 2014 19:20
> To: Michael Rasmussen; pve-devel@pve.proxmox.com
> Subject: Re: [pve-devel] firewall rules format
>
> > Why not stick to the iptables format?

Or maybe something similar to nftables (iptables is already dead?) ...

saddr 192.168.56.0/24 dport 80
Re: [pve-devel] firewall rules format
On Fri, 16 May 2014 17:01:19 +0000, Dietmar Maurer diet...@proxmox.com wrote:
> Because we cannot provide full iptables functionality, and iptables format is really clumsy (for example multiport matches, ipsets, ...).

True.

> But above syntax is basically iptables format, with some simplifications ;-)
>
> Or what would you change exactly?

-source -> -s
-dest -> -d

--
Hilsen/Regards
Michael Rasmussen
Re: [pve-devel] firewall rules format
> > But above syntax is basically iptables format, with some simplifications ;-)
> >
> > Or what would you change exactly?
>
> -source -> -s
> -dest -> -d

The getopt-long parser usually accepts several option formats, like:

--source
-source
-s

As long as it is unique. But for now I want to keep things simple. We just need to decide if we move from position based arguments to named arguments.
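The named-argument syntax being settled on in this thread, worked through as an added example (this is not code from the thread or from pve-firewall): a small parser for a rule line of the assumed shape `<type> <action>[(<macro>)] [-i IFACE] [-source ADDR] [-dest ADDR] [-p PROTO] [-dport PORTS] [-sport PORTS]`, plus a translation to iptables arguments. Following the getopt-long remark above, an option is accepted as `--name`, `-name` or any unique prefix; the two short forms suggested earlier, `-s` and `-d`, have to be explicit aliases because as prefixes they collide with `-sport` and `-dport`. Port lists such as `135,139,445` are rendered with `--match multiport` only when more than one port is given, matching the `-dport` example earlier in the thread. The parser fails closed: an unknown or duplicated option, a port without `-p tcp`/`-p udp`, or a bad address rejects the whole rule rather than silently dropping a match, since a half-applied firewall rule is wider than the one the administrator wrote. The accepted rule types, actions and protocols, the use of `-o` for out rules, the 15-port multiport limit, and treating a bare address such as `192.168.2.0` as a /32 host (which is what iptables itself does with `-s 192.168.2.0`) are the example's own assumptions.

```python
"""Added example (not pve-firewall code): parse the named-argument rule
syntax discussed on the list and render it as iptables arguments."""
import ipaddress
import shlex

# Canonical option names; any unique prefix, with one or two leading dashes,
# is accepted in getopt-long style.
CANONICAL = ("iface", "source", "dest", "proto", "dport", "sport")
# Explicit short aliases: prefix matching alone cannot resolve "s" (source or
# sport) or "d" (dest or dport), so iptables-style -s/-d need aliases.
SHORT = {"i": "iface", "s": "source", "d": "dest", "p": "proto"}

TYPES = {"in", "out"}                    # assumed rule direction keywords
ACTIONS = {"ACCEPT", "DROP", "REJECT"}   # assumed set of allowed actions
PROTOS = {"tcp", "udp", "icmp"}          # assumed set of allowed protocols
MULTIPORT_MAX = 15                       # iptables multiport limit; a range counts as two


class RuleError(ValueError):
    """Any syntax or validation problem; the rule is rejected as a whole."""


def resolve_option(token):
    """Map --source, -source, -sou or -s to the canonical name 'source'."""
    if not token.startswith("-") or token in ("-", "--"):
        raise RuleError(f"expected an option, got {token!r}")
    name = token[2:] if token.startswith("--") else token[1:]
    if name in SHORT:
        return SHORT[name]
    if name in CANONICAL:
        return name
    matches = [c for c in CANONICAL if c.startswith(name)]
    if len(matches) == 1:
        return matches[0]
    if matches:
        raise RuleError(f"ambiguous option {token!r}: {', '.join(matches)}")
    raise RuleError(f"unknown option {token!r}")


def parse_ports(spec):
    """'80' -> [(80, 80)]; '135,139,445' -> three entries; '1024:65535' -> one range."""
    ports = []
    for item in spec.split(","):
        lo, sep, hi = item.partition(":")
        try:
            lo_n = int(lo)
            hi_n = int(hi) if sep else lo_n
        except ValueError:
            raise RuleError(f"bad port {item!r}") from None
        if not 1 <= lo_n <= hi_n <= 65535:
            raise RuleError(f"bad port range {item!r}")
        ports.append((lo_n, hi_n))
    return ports


def parse_addr(spec):
    """Host or CIDR; a bare host becomes /32 (or /128), as iptables treats it."""
    try:
        return ipaddress.ip_network(spec, strict=False)
    except ValueError as exc:
        raise RuleError(f"bad address {spec!r}: {exc}") from None


def parse_rule(line):
    """Parse one rule line into a dict, raising RuleError on anything unexpected."""
    tokens = shlex.split(line, comments=True)
    if len(tokens) < 2:
        raise RuleError("a rule needs at least <type> <action>")
    rtype, action = tokens[0].lower(), tokens[1]
    if rtype not in TYPES:
        raise RuleError(f"bad rule type {rtype!r}")
    macro = None
    if action.endswith(")") and "(" in action:        # ACCEPT(MACRO)
        action, macro = action[:-1].split("(", 1)
        if not macro:
            raise RuleError("empty macro name")
    if action not in ACTIONS:
        raise RuleError(f"bad action {action!r}")
    rule = {"type": rtype, "action": action, "macro": macro}
    opts = tokens[2:]
    if len(opts) % 2:
        raise RuleError("every option needs exactly one value")
    for key_tok, value in zip(opts[::2], opts[1::2]):
        key = resolve_option(key_tok)
        if key in rule:
            raise RuleError(f"option {key!r} given twice")
        if key in ("source", "dest"):
            rule[key] = parse_addr(value)
        elif key in ("dport", "sport"):
            rule[key] = parse_ports(value)
        elif key == "proto":
            if value not in PROTOS:
                raise RuleError(f"bad protocol {value!r}")
            rule[key] = value
        else:
            rule[key] = value
    if ("dport" in rule or "sport" in rule) and rule.get("proto") not in ("tcp", "udp"):
        raise RuleError("-dport/-sport need -p tcp or -p udp")
    return rule


def format_ports(ports):
    return ",".join(str(lo) if lo == hi else f"{lo}:{hi}" for lo, hi in ports)


def to_iptables(rule):
    """Render a parsed rule as an iptables match/target argument list."""
    args = []
    if "iface" in rule:                       # assumed: in -> -i, out -> -o
        args += ["-i" if rule["type"] == "in" else "-o", rule["iface"]]
    if "source" in rule:
        args += ["-s", str(rule["source"])]
    if "dest" in rule:
        args += ["-d", str(rule["dest"])]
    if "proto" in rule:
        args += ["-p", rule["proto"]]
    for key, single, multi in (("dport", "--dport", "--dports"),
                               ("sport", "--sport", "--sports")):
        ports = rule.get(key)
        if not ports:
            continue
        if len(ports) == 1:                   # plain --dport 80 or --dport 1024:65535
            args += [single, format_ports(ports)]
        else:                                 # several ports need the multiport match
            if sum(2 if lo != hi else 1 for lo, hi in ports) > MULTIPORT_MAX:
                raise RuleError(f"{key}: more than {MULTIPORT_MAX} ports for multiport")
            args += ["--match", "multiport", multi, format_ports(ports)]
    return args + ["-j", rule["action"]]


if __name__ == "__main__":
    for line in ("in ACCEPT(MACRO) -i net0 -source 192.168.2.0 -dest 1.2.3.4 -p tcp -dport 80 -sport 20",
                 "in ACCEPT -i net0 -s 192.168.2.0/24 -d 1.2.3.4 -p tcp -dport 135,139,445"):
        print(" ".join(to_iptables(parse_rule(line))))
```

Running it on the two rule lines from the thread prints `-i net0 -s 192.168.2.0/32 -d 1.2.3.4/32 -p tcp --dport 80 --sport 20 -j ACCEPT` and `-i net0 -s 192.168.2.0/24 -d 1.2.3.4/32 -p tcp --match multiport --dports 135,139,445 -j ACCEPT`; the `/32` on the first makes visible that a source written without a prefix matches one host, not a network.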
Re: [pve-devel] firewall rules format
On Fri, 16 May 2014 17:50:22 +0000, Dietmar Maurer diet...@proxmox.com wrote:
> The getopt-long parser usually accepts several option formats, like:
>
> --source
> -source
> -s
>
> As long as it is unique. But for now I want to keep things simple. We just need to decide if we move from position based arguments to named arguments.

Ok. I agree that position based options are a pain which should be avoided at all cost.

--
Hilsen/Regards
Michael Rasmussen
Re: [pve-devel] firewall rules format
> As long as it is unique. But for now I want to keep things simple. We just need to decide if we move from position based arguments to named arguments.

Yes, keep it simple

in ACCEPT(MACRO) -i net0 -source 192.168.2.0 -dest 1.2.3.4 -p tcp -dport 80 -sport 20

seems to be enough

----- Original Message -----
From: Dietmar Maurer diet...@proxmox.com
To: Michael Rasmussen m...@datanom.net, pve-devel@pve.proxmox.com
Sent: Friday, 16 May 2014 19:50:22
Subject: Re: [pve-devel] firewall rules format