Reviewed-by: Lukas Wagner
Reviewed-by: Max Carrara
Co-authored-by: Wolfgang Bumiller
Signed-off-by: Stefan Hanreich
---
proxmox-ve-config/src/firewall/types/ipset.rs | 349 ++
proxmox-ve-config/src/firewall/types/mod.rs | 2 +
2 files changed, 351 insertions(+)
create mode
Reviewed-by: Lukas Wagner
Reviewed-by: Max Carrara
Co-authored-by: Wolfgang Bumiller
Signed-off-by: Stefan Hanreich
---
proxmox-ve-config/src/firewall/guest.rs | 237
proxmox-ve-config/src/firewall/mod.rs | 1 +
2 files changed, 238 insertions(+)
create mode 10064
Reviewed-by: Lukas Wagner
Reviewed-by: Max Carrara
Co-authored-by: Wolfgang Bumiller
Signed-off-by: Stefan Hanreich
---
proxmox-ve-config/src/firewall/host.rs | 372 +
proxmox-ve-config/src/firewall/mod.rs | 1 +
2 files changed, 373 insertions(+)
create mode 100644
Since the basic format of cluster, host and guest firewall
configurations is the same, we create a generic parser that can handle
the common config format. The main difference is in the available
options, which can be passed via a generic parameter.
Reviewed-by: Lukas Wagner
Reviewed-by: Max Carr
Some types from the firewall configuration map directly onto nftables
expressions. For those we implement conversion traits so we can
conveniently convert between the configuration types and the
respective nftables types.
Those are guarded behind a feature so the nftables crate can be used
standal
Reviewed-by: Lukas Wagner
Reviewed-by: Max Carrara
Co-authored-by: Wolfgang Bumiller
Signed-off-by: Stefan Hanreich
---
Cargo.toml | 1 +
proxmox-firewall/Cargo.toml | 17 +
proxmox-firewall/src/main.rs | 5 +
3 files changed, 23 insertions(+)
create m
Reviewed-by: Lukas Wagner
Reviewed-by: Max Carrara
Co-authored-by: Wolfgang Bumiller
Signed-off-by: Stefan Hanreich
---
proxmox-ve-config/resources/macros.json | 914
proxmox-ve-config/src/firewall/fw_macros.rs | 69 ++
proxmox-ve-config/src/firewall/mod.rs |
Currently this is parsing the config files via the filesystem. In the
future we could also get this information from pmxcfs directly via
IPC which should be more performant, particularly for a large number
of VMs.
Reviewed-by: Lukas Wagner
Reviewed-by: Max Carrara
Co-authored-by: Wolfgang Bumill
When the nftables firewall is enabled, we do not need to create
firewall bridges.
Signed-off-by: Stefan Hanreich
---
vm-network-scripts/pve-bridge | 9 +++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/vm-network-scripts/pve-bridge b/vm-network-scripts/pve-bridge
index 8599
Additionally we implement FromStr for all rule types and parts, which
can be used for parsing firewall config rules. Initial rule parsing
works by parsing the different options into a HashMap and only then
de-serializing a struct from the parsed options.
This intermediate step makes rule parsing a
Add rust types for most of the nftables commands as defined by
libnftables-json [1].
Different commands require different keys to be set for the same type
of object. E.g. deleting an object usually only requires a name +
name of the container (table/chain/rule). Creating an object usually
requires
Signed-off-by: Stefan Hanreich
---
.gitignore | 1 +
debian/control | 1 +
proxmox-firewall/Cargo.toml | 4 +
proxmox-firewall/src/lib.rs | 4 +
proxmox-firewall/tests/input/100.conf
Some types from the firewall configuration map directly onto nftables
statements. For those we implement conversion traits so we can
conveniently convert between the configuration types and the
respective nftables types.
As with the expressions, those are guarded behind a feature so the
nftables c
Some parts of the firewall config map directly to nftables objects, so
we introduce conversion traits for convenient conversion into the
respective nftables objects / types.
They are guarded behind a feature, so the nftables crate can be used
standalone without depending on the proxmox-ve-config c
Add a section that explains how to use the new nftables-based
proxmox-firewall.
Signed-off-by: Stefan Hanreich
---
pve-firewall.adoc | 162 ++
1 file changed, 162 insertions(+)
diff --git a/pve-firewall.adoc b/pve-firewall.adoc
index a5e40f9..ac3d9ba
We load the firewall configuration from the default paths, as well as
only the guest configurations that are local to the node itself. In
the future we could change this to use pmxcfs directly instead.
We also load information from nftables directly about dynamically
created chains (mostly chains
ToNftRules is basically a conversion trait for firewall config structs
to convert them into the respective nftables statements.
We are passing a list of rules to the method, which then modifies the
list of rules such that all relevant rules in the list have statements
appended that apply the confi
Adds an enum containing most of the expressions defined in the
nftables-json schema [1].
[1]
https://manpages.debian.org/bookworm/libnftables1/libnftables-json.5.en.html#EXPRESSIONS
Reviewed-by: Lukas Wagner
Reviewed-by: Max Carrara
Co-authored-by: Wolfgang Bumiller
Signed-off-by: Stefan Hanr
Suggested-By: Fabian Grünbichler
Signed-off-by: Stefan Hanreich
---
.gitignore | 3 ++
Makefile | 70 +
debian/changelog | 5 +++
debian/control | 38 ++
debian/copyright
Reviewed-by: Lukas Wagner
Reviewed-by: Max Carrara
Co-authored-by: Wolfgang Bumiller
Signed-off-by: Stefan Hanreich
---
proxmox-ve-config/resources/ct_helper.json | 52 +
proxmox-ve-config/src/firewall/ct_helper.rs | 115
proxmox-ve-config/src/firewall/mod.rs
When the nftables firewall is enabled, we do not need to create
firewall bridges.
Signed-off-by: Stefan Hanreich
---
src/PVE/LXC.pm | 5 +
1 file changed, 5 insertions(+)
diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm
index e688ea6..85800ea 100644
--- a/src/PVE/LXC.pm
+++ b/src/PVE/LXC.pm
@@
On 16/04/2024 at 14:09, Fiona Ebner wrote:
> Changes in v4 (Thanks to Thomas for feedback!):
> * rename tab from 'Performance' to 'Advanced'
> * move repeat-missed setting there too
> * update docs to clarify that those settings can be found in the
> advanced tab
>
> Changes in
On 4/17/24 15:52, Fabian Grünbichler wrote:
On April 17, 2024 3:10 pm, Dominik Csapak wrote:
On 4/17/24 14:45, Fabian Grünbichler wrote:
On April 16, 2024 3:18 pm, Dominik Csapak wrote:
+sub cleanup_extracted_image {
same for this?
+my ($source) = @_;
+
+if ($source =~ m|^(/.+/\.tm
On 1/16/24 15:33, Folke Gleumes wrote:
> This patch allows the user to set a custom ACME directory by providing
> a 'Custom' option in the directory dropdown. This in turn reveals an
> input for the url. When using a custom directory the directory has to
> be manually queried via button press to
Do not use the 'noacl' mount option when mounting a container disk with
an ext4 file system. The option was removed from the kernel in commit
2d544ec923db
Signed-off-by: Filip Schauer
---
Changes since v3:
* Simplify ext4 detection
* Do not add noacl if $acl is undefined
src/PVE/LXC.pm | 16 +++
On 11/04/2024 15:44, Fabian Grünbichler wrote:
I am not sure this is correct.. or rather, wouldn't it be simpler to say
if $storage && $format eq 'raw' => no noacl ?
if we get complaints that somebody did something non-standard (i.e.,
manually formatted a raw volume using a different filesystem)
On 15/04/2024 at 14:56, Folke Gleumes wrote:
> The original fix disabled the xsaves feature for zen1/2. The issue has
> since been fixed in the CPU's microcode and this patch keeps the feature
> enabled if the microcode version is recent enough to contain the fix.
>
> Signed-off-by: Folke Gleum
On 15/04/2024 at 14:48, Fiona Ebner wrote:
> Signed-off-by: Fiona Ebner
> ---
> pve-storage-pbs.adoc | 4
> 1 file changed, 4 insertions(+)
>
>
applied, thanks!
___
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/c
On 15/04/2024 at 14:48, Fiona Ebner wrote:
> Commit 7020491 ("esxi: add 'port' config parameter") started using
> the 'port' option in a second plugin, but the definition stayed in the
> PBS plugin. Avoid the hidden dependency and move the definition to the
> base plugin instead.
>
> It is necess
On 11/04/2024 at 12:10, Fabian Grünbichler wrote:
> else this can break an upgrade for unrelated reasons (regular debhelper also
> constructs the restart invocations like this, it even redirects output to
> /dev/null)
>
> Signed-off-by: Fabian Grünbichler
> ---
> debian/postinst | 12 ++
On 11/04/2024 at 12:10, Fabian Grünbichler wrote:
> else this can break an upgrade for unrelated reasons.
>
> this also mimics debhelper behaviour more (which we only not use here because
> of lack of reload support) - restructured the snippet to be more similar with
> an explicit `if` as well.
>
On 11/04/2024 at 12:04, Roland wrote:
> where arcsize is not taken into account
>
> https://bugzilla.proxmox.com/show_bug.cgi?id=3859
I think this bug should be split, as those are two completely different
things implementation wise.
The existing one could be kept for RRD, and a new one added fo
This patch allows the user to set a custom ACME directory by providing
a 'Custom' option in the directory dropdown. This in turn reveals an
input for the url. When using a custom directory the directory has to
be manually queried via button press to prevent from spamming the
directory on every inpu
Adds fields for eab credentials. By default eab is optional, but if the
directory should report that eab is required, the eab credential fields
are marked as mandatory and prevent the form from being submittable
until credentials are provided.
Signed-off-by: Folke Gleumes
---
www/manager6/node/A
This patch series adds the option to set a custom directory for ACME and
enables the user to use external account binding, which is required by
some providers.
manager:
Folke Gleumes (2):
fix #5093: webui: acme: custom directory option
webui: acme: add eab fields
www/manager6/node/ACME.js |
On 12/04/2024 at 16:15, Friedrich Weber wrote:
> The new `overrule-shutdown` parameter is boolean and defaults to 0. If
> it is 1, all active `vzshutdown` tasks for the same CT (which are
> visible to the user/token) are aborted before attempting to stop the
> CT.
>
> Passing `overrule-shutdown=1
On 12/04/2024 at 16:15, Friedrich Weber wrote:
> Given a `(type, user, vmid)` tuple, the helper aborts all tasks of the
> given `type` for guest `vmid` that `user` is allowed to abort:
>
> - If `user` has `Sys.Modify` on the node, they can abort any task
> - If `user` is an API token, it can abor
On 12/04/2024 at 16:15, Friedrich Weber wrote:
> The new `overrule-shutdown` parameter is boolean and defaults to 0. If
> it is 1, all active `qmshutdown` tasks for the same VM (which are
> visible to the user/token) are aborted before attempting to stop the
> VM.
>
> Passing `overrule-shutdown=1
On 12/04/2024 at 16:15, Friedrich Weber wrote:
> This way, it can be used to retrieve the current list of tasks.
>
> Signed-off-by: Friedrich Weber
> ---
>
> Notes:
> changes v2 -> v3:
> * no changes
>
> new in v2:
> * moved fix for pve-cluster-tasks store into its own patc
On 17/04/2024 at 17:55, Folke Gleumes wrote:
> This patch series adds the option to set a custom directory for ACME and
> enables the user to use external account binding, which is required by
> some providers.
>
> manager:
>
> Folke Gleumes (2):
> fix #5093: webui: acme: custom directory opti
> On 17.04.2024 15:19 CEST, Dominik Csapak wrote:
> On 4/17/24 15:11, Fabian Grünbichler wrote:
> > On April 16, 2024 3:18 pm, Dominik Csapak wrote:
> >> This series enables importing ova/ovf from directory based storages,
> >> inclusive upload/download via the webui (ova only).
> >>
>
> On 17.04.2024 16:07 CEST, Dominik Csapak wrote:
> On 4/17/24 15:52, Fabian Grünbichler wrote:
> > On April 17, 2024 3:10 pm, Dominik Csapak wrote:
> >> On 4/17/24 14:45, Fabian Grünbichler wrote:
> >>> On April 16, 2024 3:18 pm, Dominik Csapak wrote:
> +sub cleanup_extracted_ima