Re: [pve-devel] [PATCH qemu-server 1/1] fix #5619: honor link_down setting when hot-plugging nic

2024-07-23 Thread Stefan Hanreich
sent a v2: https://lists.proxmox.com/pipermail/pve-devel/2024-July/064855.html On 7/23/24 15:14, Stefan Hanreich wrote: > When detaching and attaching the network device on update, the > link_down setting is not considered and the network device always gets > attached to the gue

[pve-devel] [PATCH qemu-server v2 1/1] fix #5619: honor link_down setting when hot-plugging nic

2024-07-23 Thread Stefan Hanreich
When detaching and attaching the network device on update, the link_down setting is not considered and the network device always gets attached to the guest - even if link_down is set. Fixes: 3f14f206 ("nic online bridge/vlan change: link disconnect/reconnect") Signed-off-by: Stefa

Re: [pve-devel] [PATCH qemu-server 1/1] fix #5619: honor link_down setting when hot-plugging nic

2024-07-23 Thread Stefan Hanreich
On 7/23/24 16:00, Fiona Ebner wrote: > > Am 23.07.24 um 15:14 schrieb Stefan Hanreich: >> When detaching and attaching the network device on update, the >> link_down setting is not considered and the network device always gets >> attached to the guest - even if link_

[pve-devel] [PATCH qemu-server 1/1] fix #5619: honor link_down setting when hot-plugging nic

2024-07-23 Thread Stefan Hanreich
When detaching and attaching the network device on update, the link_down setting is not considered and the network device always gets attached to the guest - even if link_down is set. Fixes: 3f14f206 ("nic online bridge/vlan change: link disconnect/reconnect") Signed-off-by: Stefa

Re: [pve-devel] [PATCH common, widget-toolkit, manager v3 0/3] fix #3893: make bridge vids configurable

2024-07-23 Thread Stefan Hanreich
tering is on!). This behavior might be counterintuitive for users. Consider this: Tested-By: Stefan Hanreich On 7/3/24 10:01, Aaron Lauterer wrote: > this version reworks a few parts since v2. > > * renamed format in JSONSchema to a more generic `pve-vlan-id-or-range` > * explicit

Re: [pve-devel] [RFC many v2 00/12] notifications: add support for webhook endpoints

2024-07-22 Thread Stefan Hanreich
Umlauts, I at least get an error message, but cannot save. Other than that everything worked fine - consider this: Tested-By: Stefan Hanreich ___ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

[pve-devel] [PATCH proxmox-firewall v3 1/1] service: flush firewall rules on force disable

2024-07-17 Thread Stefan Hanreich
that the file exists and does nothing Reported-by: Hannes Laimer Signed-off-by: Stefan Hanreich --- Changes from v2 to v3: * Use proper debug output formatter Changes from v1 to v2: * Removed misleading/wrong section about the probability of this happening * Added a detailed description

[pve-devel] [PATCH pve-manager 2/2] sdn: ipam: fix editing custom mappings

2024-07-17 Thread Stefan Hanreich
-off-by: Stefan Hanreich --- www/manager6/tree/DhcpTree.js | 17 +++-- 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/www/manager6/tree/DhcpTree.js b/www/manager6/tree/DhcpTree.js index d0b80803..6868bb60 100644 --- a/www/manager6/tree/DhcpTree.js +++ b/www/manager6/tree

[pve-devel] [PATCH qemu-server 1/2] config: net: avoid duplicate ipam entries on nic update

2024-07-17 Thread Stefan Hanreich
network changes. Now we only add a new ipam entry if either: * the value of the bridge or mac address changed * the network device has been newly added This way no duplicate IPAM entries should get created. Signed-off-by: Stefan Hanreich --- PVE/QemuServer.pm | 5 +++-- 1 file changed, 3

Re: [pve-devel] [RFC firewall/proxmox{-ve-rs, -firewall, -perl-rs} 00/21] autogenerate ipsets for sdn objects

2024-07-16 Thread Stefan Hanreich
On 6/28/24 15:46, Gabriel Goller wrote: > Already talked with Stefan offlist, but some major things I noted when > testing: >  * It would be cool to have the generated IPSets visible in the IPSet >    menu under Firewall (Datacenter). We could add a checkmark to hide >    them (as there can be

Re: [pve-devel] [PATCH proxmox-ve-rs 12/21] sdn: add config module

2024-07-16 Thread Stefan Hanreich
On 6/27/24 12:54, Gabriel Goller wrote: > On 26.06.2024 14:15, Stefan Hanreich wrote: >> diff --git a/proxmox-ve-config/src/sdn/config.rs >> b/proxmox-ve-config/src/sdn/config.rs >> new file mode 100644 >> index 000..8454adf >> --- /dev/null >> ++

Re: [pve-devel] [PATCH proxmox-ve-rs 09/21] sdn: add name types

2024-07-16 Thread Stefan Hanreich
On 6/27/24 12:56, Gabriel Goller wrote: > On 26.06.2024 14:15, Stefan Hanreich wrote: >> diff --git a/proxmox-ve-config/src/sdn/mod.rs >> b/proxmox-ve-config/src/sdn/mod.rs >> new file mode 100644 >> index 000..4e7c525 >> --- /dev/null >> +++ b/prox

Re: [pve-devel] [PATCH installer 00/14] fix #5536: implement post-(auto-)installation notification mechanism

2024-07-11 Thread Stefan Hanreich
Did a quick smoke test of this series by creating an ISO with an answer file baked in and checking the response via `nc -l`. Review is inline. Consider this: Tested-By: Stefan Hanreich Reviewed-By: Stefan Hanreich On 7/10/24 15:27, Christoph Heiss wrote: > This implements a mechan

Re: [pve-devel] [PATCH installer 12/14] fix #5536: add post-hook utility for sending notifications after auto-install

2024-07-11 Thread Stefan Hanreich
On 7/10/24 15:27, Christoph Heiss wrote: > +impl Answer { > +pub fn from_reader(reader: impl BufRead) -> Result { > +let mut buffer = String::new(); > +let lines = reader.lines(); > +for line in lines { > +buffer.push_str(()); > +

Re: [pve-devel] [PATCH installer 06/14] common: split out installer setup files loading functionality

2024-07-11 Thread Stefan Hanreich
On 7/10/24 15:27, Christoph Heiss wrote: > diff --git a/proxmox-installer-common/src/setup.rs > b/proxmox-installer-common/src/setup.rs > index 9131ac9..29137bf 100644 > --- a/proxmox-installer-common/src/setup.rs > +++ b/proxmox-installer-common/src/setup.rs > @@ -163,24 +163,29 @@ pub fn

Re: [pve-devel] [PATCH installer 10/14] auto-installer: tests: replace left/right with got/expected in output

2024-07-11 Thread Stefan Hanreich
On 7/10/24 15:27, Christoph Heiss wrote: > Makes more sense and makes debugging easier. > > Signed-off-by: Christoph Heiss > --- > proxmox-auto-installer/tests/parse-answer.rs | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/proxmox-auto-installer/tests/parse-answer.rs

Re: [pve-devel] [PATCH installer 04/14] common: simplify filesystem type serializing & Display trait impl

2024-07-11 Thread Stefan Hanreich
On 7/10/24 15:27, Christoph Heiss wrote: > +impl<'de> Deserialize<'de> for FsType { > +fn deserialize(deserializer: D) -> Result > +where > +D: serde::Deserializer<'de>, > +{ > +let fs: String = Deserialize::deserialize(deserializer)?; > + > +match fs.as_str() {

Re: [pve-devel] [PATCH proxmox-firewall 1/1] service: flush firewall rules on force disable

2024-07-04 Thread Stefan Hanreich
superseded by: https://lists.proxmox.com/pipermail/pve-devel/2024-July/064439.html On 5/29/24 15:25, Stefan Hanreich wrote: > When disabling the nftables firewall again, there is a race condition > where the nftables ruleset never gets flushed and persists after > disabling. In

[pve-devel] [PATCH proxmox-firewall v2 1/1] service: flush firewall rules on force disable

2024-07-04 Thread Stefan Hanreich
that the file exists and does nothing Reported-by: Hannes Laimer Signed-off-by: Stefan Hanreich --- Changes from v1 to v2: * Removed misleading/wrong section about the probability of this happening * Added a detailed description of the scenario this commit prevents proxmox-firewall/src/bin/proxmox

Re: [pve-devel] [PATCH proxmox-firewall 1/1] service: flush firewall rules on force disable

2024-07-04 Thread Stefan Hanreich
On 7/4/24 12:49, Fabian Grünbichler wrote: > so if I understand this correctly, it should handle the following case: > > proxmox-firewall runs and sets up NFT rules > user disables NFT > pve-firewall runs and sets up legacy rules and force disable file > proxmox-firewall runs and disables NFT

Re: [pve-devel] [PATCH ifupdown2 1/1] fix #5197: do not run scripts ending with .dpkg-{old, new, tmp, dist}

2024-07-03 Thread Stefan Hanreich
superseded by https://lists.proxmox.com/pipermail/pve-devel/2024-July/064404.html On 6/27/24 17:01, Stefan Hanreich wrote: > This can lead to issues when upgrading from ifupdown to ifupdown2. The > particular issue this fixes occurs in the following scenario: > > * Suppose there

[pve-devel] [PATCH ifupdown2 v2 1/1] fix #5197: do not run scripts ending with .dpkg-{old, new, tmp, dist}

2024-07-03 Thread Stefan Hanreich
/ccdc386cfab70703b657fe7c0ffceb95448a9c2b/ifupdown2/addons/bond.py#L45 [2] https://github.com/CumulusNetworks/ifupdown2/pull/304 Signed-off-by: Stefan Hanreich Tested-by: Friedrich Weber Reviewed-by: Fabian Grünbichler --- Changes from v1 -> v2: * Improved commit message of patch (thanks @Fabian!) ...dpkg-files-w

[pve-devel] [PATCH proxmox-firewall 3/3] guest: match arp packets via meta

2024-07-03 Thread Stefan Hanreich
When matching via ether type, VLAN packets are not matched. This can cause ARP packets encapsulated in VLAN frames to be dropped. Signed-off-by: Stefan Hanreich --- proxmox-firewall/src/firewall.rs | 2 +- .../tests/snapshots/integration_tests__firewall.snap | 10

[pve-devel] [PATCH proxmox-firewall 1/3] cargo: bump dependencies of proxmox-ve-config

2024-07-03 Thread Stefan Hanreich
Signed-off-by: Stefan Hanreich --- proxmox-ve-config/Cargo.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/proxmox-ve-config/Cargo.toml b/proxmox-ve-config/Cargo.toml index cc689c8..b0f3434 100644 --- a/proxmox-ve-config/Cargo.toml +++ b/proxmox-ve-config/Cargo.toml

[pve-devel] [PATCH proxmox-firewall 2/3] conntrack: arp: move handling to guest chains

2024-07-03 Thread Stefan Hanreich
with VLAN header. Matching via meta protocol ensures that VLAN encapsulated ARP packets are matched as well. Otherwise ARP traffic inside VLANs gets dropped, due to them having conntrack state invalid. Signed-off-by: Stefan Hanreich --- .../resources/proxmox-firewall.nft| 16

Re: [pve-devel] [PATCH pve-network/pve-common/pve-manager] fix #4300 : sdn: add bridge ports isolation

2024-06-27 Thread Stefan Hanreich
On 6/27/24 18:23, DERUMIER, Alexandre wrote: > isolated on or isolated off > Controls whether a given port will be isolated, which means it will be > able to communicate with non-isolated ports only. By default this flag > is off." Yeah, makes sense this way. I thought since one can set this

Re: [pve-devel] [PATCH pve-network/pve-common/pve-manager] fix #4300 : sdn: add bridge ports isolation

2024-06-27 Thread Stefan Hanreich
-By: Stefan Hanreich Reviewed-By: Stefan Hanreich 4/25/24 16:43, Alexandre Derumier via pve-devel wrote: > ___ > pve-devel mailing list > pve-devel@lists.proxmox.com > https://lists.proxmox.com/cgi-bin/mailman/listin

[pve-devel] [PATCH ifupdown2 1/1] fix #5197: do not run scripts ending with .dpkg-{old, new, tmp, dist}

2024-06-27 Thread Stefan Hanreich
/ccdc386cfab70703b657fe7c0ffceb95448a9c2b/ifupdown2/addons/bond.py#L45 [2] https://github.com/CumulusNetworks/ifupdown2/pull/304 Signed-off-by: Stefan Hanreich --- ...dpkg-files-when-running-hook-scripts.patch | 54 +++ debian/patches/series | 1 + 2 files changed, 55 insertions

Re: [pve-devel] [PATCH pve-firewall 20/21] api: load sdn ipsets

2024-06-26 Thread Stefan Hanreich
- but works quite well for this use case. We only have to do this for the cluster configuration, since this is the only place where the cluster configuration gets saved. On 6/26/24 14:15, Stefan Hanreich wrote: > Signed-off-by: Stefan Hanreich > --- > src/PVE/API2/Firewall/Cluste

[pve-devel] [PATCH proxmox-firewall 18/21] ipsets: autogenerate ipsets for vnets and ipam

2024-06-26 Thread Stefan Hanreich
. Signed-off-by: Stefan Hanreich --- proxmox-firewall/src/firewall.rs | 22 +- proxmox-firewall/src/object.rs| 41 +- .../integration_tests__firewall.snap | 1288 + proxmox-nftables/src/expression.rs| 17 +- 4 files changed, 1354

[pve-devel] [PATCH proxmox-firewall 16/21] cargo: update dependencies

2024-06-26 Thread Stefan Hanreich
Signed-off-by: Stefan Hanreich --- proxmox-firewall/Cargo.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proxmox-firewall/Cargo.toml b/proxmox-firewall/Cargo.toml index 4246f18..c0ce579 100644 --- a/proxmox-firewall/Cargo.toml +++ b/proxmox-firewall/Cargo.toml @@ -25,4

[pve-devel] [PATCH pve-firewall 20/21] api: load sdn ipsets

2024-06-26 Thread Stefan Hanreich
Signed-off-by: Stefan Hanreich --- src/PVE/API2/Firewall/Cluster.pm | 3 ++- src/PVE/API2/Firewall/Rules.pm | 18 +++--- src/PVE/API2/Firewall/VM.pm | 3 ++- 3 files changed, 15 insertions(+), 9 deletions(-) diff --git a/src/PVE/API2/Firewall/Cluster.pm b/src/PVE/API2

[pve-devel] [PATCH proxmox-perl-rs 21/21] add PVE::RS::Firewall::SDN module

2024-06-26 Thread Stefan Hanreich
Used for obtaining the IPSets that get autogenerated by the nftables firewall. The returned configuration has the same format as the pve-firewall uses internally, making it compatible with the existing pve-firewall code. Signed-off-by: Stefan Hanreich --- pve-rs/Cargo.toml | 1 + pve

[pve-devel] [PATCH proxmox-ve-rs 14/21] tests: add sdn config tests

2024-06-26 Thread Stefan Hanreich
Signed-off-by: Stefan Hanreich --- proxmox-ve-config/tests/sdn/main.rs | 144 ++ .../tests/sdn/resources/running-config.json | 54 +++ 2 files changed, 198 insertions(+) create mode 100644 proxmox-ve-config/tests/sdn/main.rs create mode 100644 proxmox-ve-config

[pve-devel] [PATCH proxmox-ve-rs 09/21] sdn: add name types

2024-06-26 Thread Stefan Hanreich
Signed-off-by: Stefan Hanreich --- proxmox-ve-config/src/lib.rs | 1 + proxmox-ve-config/src/sdn/mod.rs | 240 +++ 2 files changed, 241 insertions(+) create mode 100644 proxmox-ve-config/src/sdn/mod.rs diff --git a/proxmox-ve-config/src/lib.rs b/proxmox-ve

[pve-devel] [PATCH proxmox-ve-rs 01/21] debian: add files for packaging

2024-06-26 Thread Stefan Hanreich
Since we now have a standalone repository for Proxmox VE related crates, add the required files for packaging the crates contained in this repository. Signed-off-by: Stefan Hanreich --- .cargo/config.toml | 5 ++ .gitignore | 8 +++ Cargo.toml

[pve-devel] [PATCH proxmox-ve-rs 07/21] firewall: guest: derive traits according to rust api guidelines

2024-06-26 Thread Stefan Hanreich
. The following patches will use those for (de-)serialization. Signed-off-by: Stefan Hanreich --- .../src/firewall/types/address.rs | 19 +++ proxmox-ve-config/src/firewall/types/alias.rs | 4 ++-- proxmox-ve-config/src/firewall/types/ipset.rs | 6 +++--- proxmox-ve-config/src

[pve-devel] [PATCH proxmox-ve-rs 03/21] firewall: address: use new iprange type for ip entries

2024-06-26 Thread Stefan Hanreich
Signed-off-by: Stefan Hanreich --- .../src/firewall/types/address.rs | 81 +++ proxmox-ve-config/src/firewall/types/rule.rs | 6 +- 2 files changed, 31 insertions(+), 56 deletions(-) diff --git a/proxmox-ve-config/src/firewall/types/address.rs b/proxmox-ve-config

[pve-devel] [PATCH proxmox-ve-rs 06/21] ipset: address: add helper methods

2024-06-26 Thread Stefan Hanreich
Signed-off-by: Stefan Hanreich --- proxmox-ve-config/src/firewall/types/address.rs | 10 ++ proxmox-ve-config/src/firewall/types/ipset.rs | 14 ++ 2 files changed, 24 insertions(+) diff --git a/proxmox-ve-config/src/firewall/types/address.rs b/proxmox-ve-config/src

[pve-devel] [RFC firewall/proxmox{-ve-rs, -firewall, -perl-rs} 00/21] autogenerate ipsets for sdn objects

2024-06-26 Thread Stefan Hanreich
and should get reviewed as well, I suppose. It is already included when pulling from the proxmox-ve-rs repository. Dependencies: * proxmox-perl-rs and proxmox-firewall depend on proxmox-ve-rs * pve-firewall depends on proxmox-perl-rs proxmox-ve-rs: Stefan Hanreich (15): debian: add files

[pve-devel] [PATCH proxmox-ve-rs 05/21] iprange: add methods for converting an ip range to cidrs

2024-06-26 Thread Stefan Hanreich
This is mainly used in proxmox-perl-rs, so the generated ipsets can be used in pve-firewall where only CIDRs are supported. Signed-off-by: Stefan Hanreich --- .../src/firewall/types/address.rs | 818 ++ 1 file changed, 818 insertions(+) diff --git a/proxmox-ve

[pve-devel] [PATCH proxmox-ve-rs 12/21] sdn: add config module

2024-06-26 Thread Stefan Hanreich
enough we could always add a HashSet for looking up values and speeding up the validation. For now, I wanted to avoid the additional complexity. Signed-off-by: Stefan Hanreich --- proxmox-ve-config/src/sdn/config.rs | 571 proxmox-ve-config/src/sdn/mod.rs| 1 + 2

[pve-devel] [PATCH proxmox-ve-rs 10/21] sdn: add ipam module

2024-06-26 Thread Stefan Hanreich
, this should be fine. Should it turn out to be not performant enough we could always add a HashSet for looking up values and speeding up the validation. For now, I wanted to avoid the additional complexity. Signed-off-by: Stefan Hanreich --- .../src/firewall/types/address.rs | 8 + proxmox-ve

[pve-devel] [PATCH proxmox-firewall 17/21] config: tests: add support for loading sdn and ipam config

2024-06-26 Thread Stefan Hanreich
Also add example SDN configuration files that get automatically loaded, which can be used for future tests. Signed-off-by: Stefan Hanreich --- proxmox-firewall/src/config.rs| 69 +++ .../tests/input/.running-config.json | 45 proxmox

[pve-devel] [PATCH pve-firewall 19/21] add support for loading sdn firewall configuration

2024-06-26 Thread Stefan Hanreich
Signed-off-by: Stefan Hanreich --- src/PVE/Firewall.pm | 43 +-- 1 file changed, 41 insertions(+), 2 deletions(-) diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index 09544ba..95325a0 100644 --- a/src/PVE/Firewall.pm +++ b/src/PVE/Firewall.pm

[pve-devel] [PATCH proxmox-ve-rs 13/21] sdn: config: add method for generating ipsets

2024-06-26 Thread Stefan Hanreich
ranges configured in the vnet All of them are in the datacenter scope, so the fully qualified name would look something like this: `+dc/{vnet-all}`. Signed-off-by: Stefan Hanreich --- proxmox-ve-config/src/sdn/config.rs | 72 + 1 file changed, 72 insertions(+) diff

[pve-devel] [PATCH proxmox-ve-rs 15/21] tests: add ipam tests

2024-06-26 Thread Stefan Hanreich
Signed-off-by: Stefan Hanreich --- proxmox-ve-config/tests/sdn/main.rs | 45 +++ proxmox-ve-config/tests/sdn/resources/ipam.db | 26 +++ 2 files changed, 71 insertions(+) create mode 100644 proxmox-ve-config/tests/sdn/resources/ipam.db diff --git a/proxmox-ve

[pve-devel] [PATCH proxmox-ve-rs 11/21] sdn: ipam: add method for generating ipsets

2024-06-26 Thread Stefan Hanreich
For every guest that has at least one entry in the IPAM we generate an ipset with the name `+dc/guest-ipam-{vmid}`. The ipset contains all IPs from all zones for a guest with {vmid}. Signed-off-by: Stefan Hanreich --- .../src/firewall/types/address.rs | 9 proxmox-ve-config

[pve-devel] [PATCH proxmox-ve-rs 08/21] common: add allowlist

2024-06-26 Thread Stefan Hanreich
Signed-off-by: Stefan Hanreich --- proxmox-ve-config/src/common/mod.rs | 30 + proxmox-ve-config/src/lib.rs| 1 + 2 files changed, 31 insertions(+) create mode 100644 proxmox-ve-config/src/common/mod.rs diff --git a/proxmox-ve-config/src/common/mod.rs b

[pve-devel] [PATCH proxmox-ve-rs 02/21] firewall: add ip range types

2024-06-26 Thread Stefan Hanreich
Currently we are using tuples to represent IP ranges which is suboptimal. Validation logic and invariant checking needs to happen at every site using the IP range rather than having a unified struct for enforcing those invariants. Signed-off-by: Stefan Hanreich --- .../src/firewall/types

[pve-devel] [PATCH proxmox-ve-rs 04/21] ipset: add range variant to addresses

2024-06-26 Thread Stefan Hanreich
A range can be used to store multiple IP addresses in an ipset that do not neatly fit into a single CIDR. Signed-off-by: Stefan Hanreich --- proxmox-ve-config/src/firewall/types/ipset.rs | 9 - 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/proxmox-ve-config/src/firewall

[pve-devel] [PATCH proxmox-firewall 1/1] rules: allow vital ICMP(v6) types

2024-06-10 Thread Stefan Hanreich
. For ICMP we additionally allow 'Source Quench' as well. Signed-off-by: Stefan Hanreich --- While Source Quench is deprecated, there might be niche use cases using it and allowing it shouldn't really hurt so I've thrown it into the mix as well. .../resources/proxmox-firewall.nft| 22

[pve-devel] [PATCH proxmox-firewall 1/1] service: flush firewall rules on force disable

2024-05-29 Thread Stefan Hanreich
-firewall main loop almost always runs at least once before the force disable file gets created and flushes the ruleset. Reported-by: Hannes Laimer Signed-off-by: Stefan Hanreich --- proxmox-firewall/src/bin/proxmox-firewall.rs | 4 1 file changed, 4 insertions(+) diff --git a/proxmox-firewall/src

[pve-devel] [PATCH proxmox-firewall 1/2] firewall: improve handling of ARP traffic for guests

2024-05-15 Thread Stefan Hanreich
to the out direction we can simply accept all incoming ARP traffic, since we do not do any MAC filtering for incoming traffic. Since we create fdb entries for every NIC, guests should only see ARP traffic for their MAC addresses anyway. Signed-off-by: Stefan Hanreich Originally-by: Laurent Guerby

[pve-devel] [PATCH proxmox-firewall 2/2] firewall: improve conntrack handling

2024-05-15 Thread Stefan Hanreich
The output chain did not have any conntrack rules, which led to issues when the default output policy is not accept. Also, move the conntrack rules to the beginning of all chains. Signed-off-by: Stefan Hanreich Originally-by: Laurent Guerby --- Based this on the earlier patch in order to avoid

Re: [pve-devel] [PATCH proxmox-firewall 1/1] firewall: properly reject ipv6 traffic

2024-05-13 Thread Stefan Hanreich
v2 available: https://lists.proxmox.com/pipermail/pve-devel/2024-May/063839.html On 5/13/24 13:35, Stefan Hanreich wrote: > ICMPv6 has different message types for rejecting traffic. With ICMP we > used host-prohibited as rejection type, which doesn't exist in ICMPv6. > Add an additi

[pve-devel] [PATCH proxmox-firewall v2 1/1] firewall: properly reject ipv6 traffic

2024-05-13 Thread Stefan Hanreich
matched from bypassing the reject chain. Signed-off-by: Stefan Hanreich --- Changes from v1 -> v2: * add a terminal drop statement to prevent any unmatched traffic from bypassing the reject chain * properly match ICMPv6 traffic via l4proto proxmox-firewall/resources/proxmox-firewall.nft

[pve-devel] [PATCH proxmox-firewall 1/1] firewall: properly reject ipv6 traffic

2024-05-13 Thread Stefan Hanreich
ICMPv6 has different message types for rejecting traffic. With ICMP we used host-prohibited as rejection type, which doesn't exist in ICMPv6. Add an additional rule for IPv6, so it uses admin-prohibited. Signed-off-by: Stefan Hanreich --- proxmox-firewall/resources/proxmox-firewall.nft | 6

[pve-devel] [PATCH proxmox-firewall] firewall: improve error handling of firewall

2024-04-25 Thread Stefan Hanreich
Error handling of the firewall binary should now be much more robust on configuration errors. Instead of panicking in some cases it should now log an error. Signed-off-by: Stefan Hanreich --- proxmox-firewall/src/bin/proxmox-firewall.rs | 7 +- proxmox-firewall/src/config.rs

[pve-devel] [PATCH proxmox-firewall] config: nftables: add support for icmp-type any

2024-04-25 Thread Stefan Hanreich
We support any as wildcard for matching all icmp types. Implement parsing logic for parsing the any value and support converting the any value into an nftables expression. Signed-off-by: Stefan Hanreich --- proxmox-nftables/src/expression.rs | 2 ++ proxmox-ve-config/src

[pve-devel] [PATCH proxmox-firewall] config: macros: add SPICEproxy macro

2024-04-25 Thread Stefan Hanreich
Signed-off-by: Stefan Hanreich --- proxmox-ve-config/resources/macros.json | 9 + 1 file changed, 9 insertions(+) diff --git a/proxmox-ve-config/resources/macros.json b/proxmox-ve-config/resources/macros.json index 67e1d89..2fcc0fb 100644 --- a/proxmox-ve-config/resources/macros.json

[pve-devel] [PATCH proxmox-firewall] fix #5410: config: fix naming scheme for names in firewall config

2024-04-24 Thread Stefan Hanreich
This should bring the allowed names on par with the pve-firewall naming scheme [1]. [1] https://git.proxmox.com/?p=pve-firewall.git;a=blob;f=src/PVE/Firewall.pm;h=0abfeccffc94cec940760e69a894e392dc33f151;hb=29b48c381d14bf425232dc65c9c0d18f95c8f222#l51 Signed-off-by: Stefan Hanreich

Re: [pve-devel] [PATCH proxmox-firewall] firewall: properly handle REJECT rules

2024-04-23 Thread Stefan Hanreich
On 4/23/24 18:02, Stefan Hanreich wrote: > Currently we generated DROP statements for all rules involving REJECT. > We only need to generate DROP when in the postrouting chain of tables > with type bridge, since REJECT is disallowed there. Otherwise we jump > into the do-reject

[pve-devel] [PATCH proxmox-firewall] firewall: properly handle REJECT rules

2024-04-23 Thread Stefan Hanreich
. Signed-off-by: Stefan Hanreich --- Seems like the proper handling for this got lost somewhere during my big refactoring :/ .../resources/proxmox-firewall.nft| 7 +- proxmox-firewall/src/firewall.rs | 9 +- proxmox-firewall/src/rule.rs | 22

[pve-devel] [PATCH proxmox-firewall] firewall: properly cleanup tables when firewall is inactive

2024-04-23 Thread Stefan Hanreich
to support running multiple separate batches in the NftClient in the future in order to avoid having to call nft twice. Signed-off-by: Stefan Hanreich --- proxmox-firewall/src/bin/proxmox-firewall.rs | 9 + proxmox-firewall/src/firewall.rs | 10 +- 2 files changed, 10

Re: [pve-devel] [PATCH pve-network 0/3] Advertise MTU via DHCP / RA

2024-04-22 Thread Stefan Hanreich
On 4/22/24 14:06, Thomas Lamprecht wrote: > seems OK from a high-level glance, would need a rebase now though sent a rebased v2: https://lists.proxmox.com/pipermail/pve-devel/2024-April/063588.html

[pve-devel] [PATCH pve-network v2 3/3] dhcp: dnsmasq: send mtu option via dhcp

2024-04-22 Thread Stefan Hanreich
Signed-off-by: Stefan Hanreich --- src/PVE/Network/SDN/Dhcp.pm | 2 +- src/PVE/Network/SDN/Dhcp/Dnsmasq.pm | 7 ++- src/PVE/Network/SDN/Dhcp/Plugin.pm | 2 +- 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/src/PVE/Network/SDN/Dhcp.pm b/src/PVE/Network/SDN/Dhcp.pm

[pve-devel] [PATCH pve-network v2 2/3] zones: add method for getting MTU

2024-04-22 Thread Stefan Hanreich
Signed-off-by: Stefan Hanreich --- src/PVE/Network/SDN/Zones.pm | 8 src/PVE/Network/SDN/Zones/Plugin.pm | 7 +++ src/PVE/Network/SDN/Zones/SimplePlugin.pm | 8 +++- 3 files changed, 22 insertions(+), 1 deletion(-) diff --git a/src/PVE/Network/SDN/Zones.pm b

[pve-devel] [PATCH pve-network v2 1/3] dhcp: fix function signatures in abstract class

2024-04-22 Thread Stefan Hanreich
Signed-off-by: Stefan Hanreich --- src/PVE/Network/SDN/Dhcp/Plugin.pm | 12 ++-- 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/src/PVE/Network/SDN/Dhcp/Plugin.pm b/src/PVE/Network/SDN/Dhcp/Plugin.pm index b99f598..6e985cd 100644 --- a/src/PVE/Network/SDN/Dhcp/Plugin.pm

[pve-devel] [PATCH network v2 0/3] Advertise MTU via DHCP / RA

2024-04-22 Thread Stefan Hanreich
Changes from v1 -> v2: * rebased branch, everything else unchanged pve-network: Stefan Hanreich (3): dhcp: fix function signatures in abstract class zones: add method for getting MTU dhcp: dnsmasq: send mtu option via dhcp src/PVE/Network/SDN/Dhcp.pm | 2 +- src/

[pve-devel] [PATCH proxmox-firewall 2/2] firewall: improve systemd unit file

2024-04-19 Thread Stefan Hanreich
Explicitly mark the service as simple and remove the PIDFile attribute, which doesn't do anything with simple services. Signed-off-by: Stefan Hanreich --- debian/proxmox-firewall.service | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/proxmox-firewall.service b/debian

[pve-devel] [PATCH proxmox-firewall 1/2] firewall: wait for nft process

2024-04-19 Thread Stefan Hanreich
NftClient never waits for the child process to terminate leading to defunct leftover processes. Signed-off-by: Stefan Hanreich --- proxmox-nftables/src/client.rs | 38 -- 1 file changed, 9 insertions(+), 29 deletions(-) diff --git a/proxmox-nftables/src

[pve-devel] [PATCH pve-docs v4 5/5] firewall: add documentation for proxmox-firewall

2024-04-19 Thread Stefan Hanreich
Add a section that explains how to use the new nftables-based proxmox-firewall. Signed-off-by: Stefan Hanreich --- pve-firewall.adoc | 181 ++ 1 file changed, 181 insertions(+) diff --git a/pve-firewall.adoc b/pve-firewall.adoc index a5e40f9..9fb4e46

[pve-devel] [PATCH pve-manager v4 4/5] firewall: expose configuration option for new nftables firewall

2024-04-19 Thread Stefan Hanreich
Signed-off-by: Stefan Hanreich --- www/manager6/grid/FirewallOptions.js | 1 + 1 file changed, 1 insertion(+) diff --git a/www/manager6/grid/FirewallOptions.js b/www/manager6/grid/FirewallOptions.js index 0ac9979c4..6aacb47be 100644 --- a/www/manager6/grid/FirewallOptions.js +++ b/www/manager6

[pve-devel] [PATCH pve-firewall v4 3/5] add configuration option for new nftables firewall

2024-04-19 Thread Stefan Hanreich
the option is set to `1`. Signed-off-by: Stefan Hanreich --- This looks a bit awkward, but I wanted to avoid having to re-parse the configuration when calling from pve-firewall but also avoid having to load the config manually when calling from qemu-server / pve-container src/PVE/Firewall.pm

[pve-devel] [PATCH container/docs/firewall/manager/qemu-server v4 0/5] proxmox firewall nftables

2024-04-19 Thread Stefan Hanreich
hanges only relevant for the firewall itself) qemu-server: Stefan Hanreich (1): firewall: add handling for new nft firewall vm-network-scripts/pve-bridge | 7 +-- 1 file changed, 5 insertions(+), 2 deletions(-) pve-container: Stefan Hanreich (1): firewall: add handling for new nft fir

[pve-devel] [PATCH qemu-server v4 1/5] firewall: add handling for new nft firewall

2024-04-19 Thread Stefan Hanreich
When the nftables firewall is enabled, we do not need to create firewall bridges. Signed-off-by: Stefan Hanreich --- vm-network-scripts/pve-bridge | 7 +-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/vm-network-scripts/pve-bridge b/vm-network-scripts/pve-bridge index

[pve-devel] [PATCH pve-container v4 2/5] firewall: add handling for new nft firewall

2024-04-19 Thread Stefan Hanreich
When the nftables firewall is enabled, we do not need to create firewall bridges. Signed-off-by: Stefan Hanreich --- src/PVE/LXC.pm | 7 +-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm index 400cf4f..44f5ccf 100644 --- a/src/PVE/LXC.pm +++ b

[pve-devel] [PATCH proxmox-firewall v3 34/39] firewall: add integration test

2024-04-19 Thread Stefan Hanreich
Signed-off-by: Stefan Hanreich --- .gitignore|1 + debian/control|1 + proxmox-firewall/Cargo.toml |4 + proxmox-firewall/tests/input/100.conf | 10 + proxmox-firewall/tests/input/100.fw

[pve-devel] [PATCH pve-firewall v3 37/39] add configuration option for new nftables firewall

2024-04-19 Thread Stefan Hanreich
Introduces new nftables configuration option that en/disables the new nftables firewall. pve-firewall reads this option and only generates iptables rules when nftables is set to `0`. Conversely proxmox-firewall only generates nftables rules when the option is set to `1`. Signed-off-by: Stefan

[pve-devel] [PATCH proxmox-firewall v3 19/39] nftables: expression: add types

2024-04-19 Thread Stefan Hanreich
Adds an enum containing most of the expressions defined in the nftables-json schema [1]. [1] https://manpages.debian.org/bookworm/libnftables1/libnftables-json.5.en.html#EXPRESSIONS Reviewed-by: Lukas Wagner Reviewed-by: Max Carrara Co-authored-by: Wolfgang Bumiller Signed-off-by: Stefan

[pve-devel] [PATCH proxmox-firewall v3 31/39] firewall: add ruleset generation logic

2024-04-19 Thread Stefan Hanreich
We create the rules from the firewall config by utilizing the ToNftRules and ToNftObjects traits to convert the firewall config structs to nftables objects/chains/rules. Reviewed-by: Lukas Wagner Reviewed-by: Max Carrara Co-authored-by: Wolfgang Bumiller Signed-off-by: Stefan Hanreich

[pve-devel] [PATCH proxmox-firewall v3 22/39] nftables: statement: add conversion traits for config types

2024-04-19 Thread Stefan Hanreich
crate can be used standalone without having to pull in the proxmox-ve-config crate. Reviewed-by: Lukas Wagner Reviewed-by: Max Carrara Co-authored-by: Wolfgang Bumiller Signed-off-by: Stefan Hanreich --- proxmox-nftables/src/statement.rs | 71 ++- 1 file changed, 70

[pve-devel] [PATCH proxmox-firewall v3 25/39] nftables: add nft client

2024-04-19 Thread Stefan Hanreich
Add a thin wrapper around nft, which can be used to run commands defined by the rust types. Reviewed-by: Lukas Wagner Reviewed-by: Max Carrara Co-authored-by: Wolfgang Bumiller Signed-off-by: Stefan Hanreich --- proxmox-nftables/src/client.rs | 85 ++ proxmox

[pve-devel] [PATCH proxmox-firewall v3 28/39] firewall: add config loader

2024-04-19 Thread Stefan Hanreich
for the guest firewall). Reviewed-by: Lukas Wagner Reviewed-by: Max Carrara Co-authored-by: Wolfgang Bumiller Signed-off-by: Stefan Hanreich --- proxmox-firewall/Cargo.toml| 2 + proxmox-firewall/src/config.rs | 283 + proxmox-firewall/src/main.rs | 3

[pve-devel] [PATCH proxmox-firewall v3 16/39] config: firewall: add conntrack helper types

2024-04-19 Thread Stefan Hanreich
Reviewed-by: Lukas Wagner Reviewed-by: Max Carrara Co-authored-by: Wolfgang Bumiller Signed-off-by: Stefan Hanreich --- proxmox-ve-config/resources/ct_helper.json | 52 + proxmox-ve-config/src/firewall/ct_helper.rs | 115 proxmox-ve-config/src/firewall/mod.rs

[pve-devel] [PATCH proxmox-firewall v3 09/39] config: firewall: add types for rules

2024-04-18 Thread Stefan Hanreich
a lot easier, since we can reuse the deserialization logic from serde. Also, we can split the parsing/deserialization logic from the validation logic. Reviewed-by: Lukas Wagner Reviewed-by: Max Carrara Co-authored-by: Wolfgang Bumiller Signed-off-by: Stefan Hanreich --- proxmox-ve-config/src

[pve-devel] [PATCH proxmox-firewall v3 33/39] firewall: add files for debian packaging

2024-04-18 Thread Stefan Hanreich
Suggested-By: Fabian Grünbichler Signed-off-by: Stefan Hanreich --- .gitignore | 3 ++ Makefile| 70 + debian/changelog| 5 +++ debian/control | 39 ++ debian

[pve-devel] [PATCH proxmox-firewall v3 30/39] firewall: add object generation logic

2024-04-18 Thread Stefan Hanreich
ToNftObjects is basically a conversion trait that converts firewall config structs into nftables objects. It returns a list of commands that create the respective nftables objects. Reviewed-by: Lukas Wagner Reviewed-by: Max Carrara Co-authored-by: Wolfgang Bumiller Signed-off-by: Stefan

[pve-devel] [PATCH pve-container v3 36/39] firewall: add handling for new nft firewall

2024-04-18 Thread Stefan Hanreich
When the nftables firewall is enabled, we do not need to create firewall bridges. Signed-off-by: Stefan Hanreich --- src/PVE/LXC.pm | 5 + 1 file changed, 5 insertions(+) diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm index e688ea6..85800ea 100644 --- a/src/PVE/LXC.pm +++ b/src/PVE/LXC.pm

[pve-devel] [PATCH qemu-server v3 35/39] firewall: add handling for new nft firewall

2024-04-18 Thread Stefan Hanreich
When the nftables firewall is enabled, we do not need to create firewall bridges. Signed-off-by: Stefan Hanreich --- vm-network-scripts/pve-bridge | 9 +++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/vm-network-scripts/pve-bridge b/vm-network-scripts/pve-bridge index

[pve-devel] [PATCH proxmox-firewall v3 21/39] nftables: statement: add types

2024-04-18 Thread Stefan Hanreich
Adds an enum containing most of the statements defined in the nftables-json schema [1]. [1] https://manpages.debian.org/bookworm/libnftables1/libnftables-json.5.en.html#STATEMENTS Reviewed-by: Lukas Wagner Reviewed-by: Max Carrara Co-authored-by: Wolfgang Bumiller Signed-off-by: Stefan

[pve-devel] [PATCH proxmox-firewall v3 18/39] nftables: add helpers

2024-04-18 Thread Stefan Hanreich
a Vec would normally do. Reviewed-by: Lukas Wagner Reviewed-by: Max Carrara Co-authored-by: Wolfgang Bumiller Signed-off-by: Stefan Hanreich --- proxmox-nftables/Cargo.toml| 4 + proxmox-nftables/src/helper.rs | 190 + proxmox-nftables/src/lib.rs| 1 + 3

[pve-devel] [PATCH proxmox-firewall v3 13/39] config: firewall: add host specific config + option types

2024-04-18 Thread Stefan Hanreich
Reviewed-by: Lukas Wagner Reviewed-by: Max Carrara Co-authored-by: Wolfgang Bumiller Signed-off-by: Stefan Hanreich --- proxmox-ve-config/src/firewall/host.rs | 372 + proxmox-ve-config/src/firewall/mod.rs | 1 + 2 files changed, 373 insertions(+) create mode

[pve-devel] [PATCH proxmox-firewall v3 14/39] config: firewall: add guest-specific config + option types

2024-04-18 Thread Stefan Hanreich
Reviewed-by: Lukas Wagner Reviewed-by: Max Carrara Co-authored-by: Wolfgang Bumiller Signed-off-by: Stefan Hanreich --- proxmox-ve-config/src/firewall/guest.rs | 237 proxmox-ve-config/src/firewall/mod.rs | 1 + 2 files changed, 238 insertions(+) create mode

[pve-devel] [PATCH proxmox-firewall v3 06/39] config: host: add helpers for host network configuration

2024-04-18 Thread Stefan Hanreich
deem it acceptable for now, since that would usually mean something is amiss with the network configuration and a firewall won't really do anything then anyway. Reviewed-by: Lukas Wagner Reviewed-by: Max Carrara Co-authored-by: Wolfgang Bumiller Signed-off-by: Stefan Hanreich --- proxmox-ve

[pve-devel] [PATCH proxmox-firewall v3 03/39] config: firewall: add types for ports

2024-04-18 Thread Stefan Hanreich
Signed-off-by: Stefan Hanreich --- proxmox-ve-config/src/firewall/mod.rs| 1 + proxmox-ve-config/src/firewall/ports.rs | 80 proxmox-ve-config/src/firewall/types/mod.rs | 1 + proxmox-ve-config/src/firewall/types/port.rs | 181 +++ 4 files changed, 263

[pve-devel] [PATCH proxmox-firewall v3 04/39] config: firewall: add types for log level and rate limit

2024-04-18 Thread Stefan Hanreich
Adds types for log and (log-)rate-limiting firewall config options as well as FromStr implementations for parsing them from the config. Reviewed-by: Lukas Wagner Reviewed-by: Max Carrara Co-authored-by: Wolfgang Bumiller Signed-off-by: Stefan Hanreich --- proxmox-ve-config/Cargo.toml

[pve-devel] [PATCH proxmox-firewall v3 01/39] config: add proxmox-ve-config crate

2024-04-18 Thread Stefan Hanreich
Reviewed-by: Lukas Wagner Reviewed-by: Max Carrara Co-authored-by: Wolfgang Bumiller Signed-off-by: Stefan Hanreich --- .cargo/config| 5 + .gitignore | 6 ++ Cargo.toml | 4 proxmox-ve-config/Cargo.toml | 19

[pve-devel] [PATCH proxmox-firewall v3 29/39] firewall: add rule generation logic

2024-04-18 Thread Stefan Hanreich
Wagner Reviewed-by: Max Carrara Co-authored-by: Wolfgang Bumiller Signed-off-by: Stefan Hanreich --- proxmox-firewall/src/main.rs | 1 + proxmox-firewall/src/rule.rs | 761 + proxmox-nftables/src/expression.rs | 4 + 3 files changed, 766 insertions
