On 4/2/24 22:47, Laurent GUERBY wrote:
> REJECT is a L3 IP feature, to implement it properly in all cases your
> firewall rule needs to know both about IP addresses involved (and the
> corresponding MAC too in the ethernet case).
Yes indeed, although we have L3 and L4 information available in the
On 4/3/24 07:37, DERUMIER, Alexandre via pve-devel wrote:
> I'll really take time to test it (I was super busy these last months
> with a datacenter migration), as I wait for nftables since a while.
>
> Can't help too much with rust, but I really appreciate it, as I had
> some servers with a lot o
Versions of Gotify < 2.2.0 only supported the 'X-Gotify-Key' header
for passing the API token. This comment sets this header in addition
to the regular 'Authorization' header in order to be compatible with
older Gotify servers.
Signed-off-by: Lukas Wagner
---
proxmox-notify/src/endpoints/gotify.
On 4/3/24 08:05, DERUMIER, Alexandre via pve-devel wrote:
> Personally, I'm not sure that using reject / tcp-reset in a bridged is
> a good idea. (Even if personally I'm using it in production, I don't have
> problem to switch to DROP, if I can avoid other problems)
Yes, I tend to agree. But ther
On Tue, Apr 02, 2024 at 04:55:11PM +0200, Aaron Lauterer wrote:
[..]
> >
> > - While trying out different configurations, I wondered if for the
> > network something like this would be better for static IPs:
> >
> > [network.manual]
> > cidr = ".."
> > dns = ".."
> > [..]
> >
On 2024-04-03 10:19, Christoph Heiss wrote:
On Tue, Apr 02, 2024 at 04:55:11PM +0200, Aaron Lauterer wrote:
[..]
- While trying out different configurations, I wondered if for the
network something like this would be better for static IPs:
[network.manual]
cidr = ".."
Hi!
Please use our bugtracker for feature requests and bug reports [1].
[1] https://bugzilla.proxmox.com
___
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
Currently, after adding a storage to a pool, opening any edit window
will send a GET request with a superfluous `poolid` parameter and
cause a parameter verification error in the GUI. This breaks all edit
windows of the current session. A workaround is to reload the current
browser session.
This h
Currently, `Proxmox.window.Edit` initializes `extraRequestParams` to
an object that, if not overwritten, is shared between all instances of
subclasses. This bears the danger of modifying the shared object in a
subclass instead of overwriting it, which affects all edit windows of
the current session
Currently, all instances of `PVE.pool.AddVM` in a session share the
same `extraRequestParams` object. Right now, this does not cause any
problems because only one window can be active at a time, and all
relevant keys are always overwritten.
Still, in order to avoid hard-to-catch bugs due to the sh
Commit 3f83a0332ef5850c7b2324ca5958fa9b4b4dd61c switched the nodes
`wakeonlan` configuration parameter to be a property string and the
subsequent patches added bind-interface and broadcast-address as
additional optional parameters.
Make this editable in the node options, by adding a dedicated edit
This adds an empty line between the feature list and the "more
information" paragraph, which looks a lot better.
The exact same is already present in the HTML template for both other
products, probably a simple oversight.
Signed-off-by: Christoph Heiss
---
html/pbs/extract1-license.htm | 2 +-
On Tue Apr 2, 2024 at 7:15 PM CEST, Stefan Hanreich wrote:
> Includes types for all kinds of IP values that can occur in the
> firewall config. Additionally, FromStr implementations are available
> for parsing from the config files.
>
> Co-authored-by: Wolfgang Bumiller
> Signed-off-by: Stefan Han
On Tue Apr 2, 2024 at 7:16 PM CEST, Stefan Hanreich wrote:
> Since the basic format of cluster, host and guest firewall
> configurations is the same, we create a generic parser that can handle
> the common config format. The main difference is in the available
> options, which can be passed via a g
On Tue Apr 2, 2024 at 7:15 PM CEST, Stefan Hanreich wrote:
> Currently the helpers for obtaining the host network configuration
> panic on error, which could be avoided by the use of
> OnceLock::get_or_init, but this method is currently only available in
> nightly versions.
>
> Generally, if there
On Tue Apr 2, 2024 at 7:16 PM CEST, Stefan Hanreich wrote:
> Co-authored-by: Wolfgang Bumiller
> Signed-off-by: Stefan Hanreich
> ---
> proxmox-ve-config/src/firewall/host.rs | 309 +
> proxmox-ve-config/src/firewall/mod.rs | 1 +
> 2 files changed, 310 insertions(+)
>
On Tue Apr 2, 2024 at 7:16 PM CEST, Stefan Hanreich wrote:
> Additionally we implement FromStr for all rule types and parts, which
> can be used for parsing firewall config rules. Initial rule parsing
> works by parsing the different options into a HashMap and only then
> de-serializing a struct fr
On Tue Apr 2, 2024 at 7:16 PM CEST, Stefan Hanreich wrote:
> Adds an enum containing most of the statements defined in the
> nftables-json schema [1].
>
> [1]
> https://manpages.debian.org/bookworm/libnftables1/libnftables-json.5.en.html#STATEMENTS
>
> Co-authored-by: Wolfgang Bumiller
> Signed-o
copying files within a cifs-share currently results in the following
trace:
```
[ 495.388739] BUG: unable to handle page fault for address: fffe
[ 495.388744] #PF: supervisor read access in kernel mode
[ 495.388746] #PF: error_code(0x) - not-present page
[ 495.388747] PGD 172c3f0
```
On Tue Apr 2, 2024 at 6:07 PM CEST, Stefan Lendl wrote:
> This adds several tests for SDN VNets.
> State setup as well as testing results is done only via the API to test on the
> API boundaries and not against the internal state. Internal state and config
> files are mocked to avoid requiring acces
--- Begin Message ---
> Maybe it is time to disable dynamic mac-learning by default ?
> The code is already here and works fine.
>
> AFAIK, other hypervisor like vmware disable port flooding by default
> with static mac registration too.
>>Might be a good idea, although it still wouldn't solve
On 4/3/24 14:03, DERUMIER, Alexandre via pve-devel wrote:
> maybe revert the kernel patch ? ^_^
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/net/bridge/netfilter/nft_reject_bridge.c?h=v6.8.2&id=127917c29a432c3b798e014a1714e9c1af0f87fe
I also thought about it shortly. I
also as a short fyi, since I forgot to mention it in my cover letter:
I've refrained from adding stuff like flowtables and broute for now -
but it is certainly something I want to add in future revisions. For the
initial POC I wanted to stay as basic as possible and create a 1:1
replacement withou
--- Begin Message ---
Original message
From: Stefan Hanreich
Reply-To: Proxmox VE development discussion
To: pve-devel@lists.proxmox.com
Subject: Re: [pve-devel] [RFC container/firewall/manager/proxmox-firewall/qemu-server 00/37] proxmox firewall nftables implementation
Date: 03/04
On 4/3/24 15:04, DERUMIER, Alexandre via pve-devel wrote:
> I think you can just use DROP for this kind of traffic, as anyway, you
> don't expect to receive a response like tcp-reset or icmp port
> unreachable.
Yes, of course, replied too quickly without thinking twice...
just looked at the packaging, mostly related to clean building, but not
only.
On April 2, 2024 7:16 pm, Stefan Hanreich wrote:
> Signed-off-by: Stefan Hanreich
> ---
> Makefile| 93 +
> debian/changelog| 5 ++
> debian/cont
As Fabian has already mentioned here[0], there can be a race between two
parallel imports. More specifically, if both imports have --allow-rename
set and the desired name already exists, then it can happen that both
imports get the same name. The reason for this is that we currently only
check whic
--- Begin Message ---
Hi,
Right, that makes a lot more sense! So the correct reading is more akin to
"an object that contains unknown keys, but the objects behind those keys
have a known schema"
Thank you for clarifying!
Kind regards,
Johannes
On Tue, Apr 2, 2024 at 10:00 AM Wolfgang Bumiller