On 08/11/2023 at 12:35, Stefan Lendl wrote:
> Upon creation of a subnet, we create a cluster-wide firewall alias. > > Signed-off-by: Stefan Lendl <s.le...@proxmox.com> > --- > > Notes: > Creates the alias directly when the Subnet is created. > > Other SDN objects are created upon 'Apply': commit_config(). > Although, IPAM creates the subnet right away as well. > This should not be an issue but is inconsistent. > > src/PVE/Network/SDN/Subnets.pm | 18 ++++++++++++++++++ > 1 file changed, 18 insertions(+) > > diff --git a/src/PVE/Network/SDN/Subnets.pm b/src/PVE/Network/SDN/Subnets.pm > index 6bb42e5..fe67abd 100644 > --- a/src/PVE/Network/SDN/Subnets.pm > +++ b/src/PVE/Network/SDN/Subnets.pm > @@ -6,6 +6,7 @@ use warnings; > use Net::Subnet qw(subnet_matcher); > use Net::IP; > use NetAddr::IP qw(:lower); > +use PVE::API2::Firewall::Aliases;

This would need pve-firewall to get added to the dependency list in the debian/control file, otherwise it will only work by luck but break, e.g., bootstrapping.

> > use PVE::Cluster qw(cfs_read_file cfs_write_file cfs_lock_file); > use PVE::Network::SDN::Dns; > @@ -161,6 +162,13 @@ sub del_dns_ptr_record { > $plugin->del_ptr_record($plugin_config, $reversezone, $ip); > } > > +sub get_fw_alias_name { > + my ($subnet) = @_; > + my $cidr = $subnet->{cidr}; > + $cidr =~ tr/.\//-/; > + return "$subnet->{zone}_$subnet->{vnet}_$cidr"; > +}

This can easily clash with existing aliases, that then are deleted or addition fails below. Wouldn't it be nicer if firewall gets the SDN subnets and manages those aliases in a separate namespace, i.e., such that they cannot clash with the explicit aliases from the config?
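
Review bot: The added `use PVE::API2::Firewall::Aliases;` in the first hunk is the only `PVE::API2::*` import among the visible `use` lines of Subnets.pm; its neighbours (`PVE::Cluster`, `PVE::Network::SDN::Dns`) are library modules. Suggest having alias creation go through a non-API helper, or loading the module lazily with an explicit failure path, so that subnet handling does not fail at compile time when that package is not installed.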
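
Review bot: In `get_fw_alias_name` (second hunk), `$cidr =~ tr/.\//-/;` rewrites only `.` and `/`, so an IPv6 CIDR keeps its `:` characters in the returned name, and `zone`, `vnet` and `cidr` are interpolated without a check that they are defined. Suggest replacing every non-alphanumeric character (for example `tr/a-zA-Z0-9/-/c`) and dying early when one of the three fields is missing, so a malformed or partially empty name never reaches alias creation. A short comment stating the resulting name format would also help callers that later need to find or delete the alias.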