[pve-devel] [PATCH docs 1/4] fix some typos

2024-10-10 Thread Maximiliano Sandoval
found with: typos *.adoc Signed-off-by: Maximiliano Sandoval --- datacenter.cfg.5-opts.adoc | 2 +- ha-manager.1-synopsis.adoc | 6 +++--- ha-resources-opts.adoc | 2 +- notifications.adoc | 2 +- pct.1-synopsis.adoc| 8 pct.conf.5-opts.adoc | 2 +- pve-ne

[pve-devel] [PATCH docs 4/4] btrfs: Add link to upstream docs regarding its status

2024-10-10 Thread Maximiliano Sandoval
Signed-off-by: Maximiliano Sandoval --- local-btrfs.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/local-btrfs.adoc b/local-btrfs.adoc index 629dcdd7..1db72577 100644 --- a/local-btrfs.adoc +++ b/local-btrfs.adoc @@ -32,7 +32,7 @@ introduced as optional selection for the

[pve-devel] [PATCH docs 2/4] firewall: fix typo on pcAnywhere

2024-10-10 Thread Maximiliano Sandoval
The spelling is taken from its Wikipedia article https://en.wikipedia.org/wiki/PcAnywhere. Signed-off-by: Maximiliano Sandoval --- pve-firewall-macros.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pve-firewall-macros.adoc b/pve-firewall-macros.adoc index 56c66604..d398

[pve-devel] [PATCH docs 3/4] btrfs: Capitalize item and remove nul item

2024-10-10 Thread Maximiliano Sandoval
Other items in the same list are capitalized. Signed-off-by: Maximiliano Sandoval --- local-btrfs.adoc | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/local-btrfs.adoc b/local-btrfs.adoc index 3512131c..629dcdd7 100644 --- a/local-btrfs.adoc +++ b/local-btrfs.adoc @@ -28,9

[pve-devel] [PATCH docs v2 1/4] fix some typos

2024-10-10 Thread Maximiliano Sandoval
found with: typos *.adoc Signed-off-by: Maximiliano Sandoval --- datacenter.cfg.5-opts.adoc | 2 +- ha-resources-opts.adoc | 2 +- notifications.adoc | 2 +- pct.conf.5-opts.adoc | 2 +- pve-network.adoc | 2 +- pveceph.adoc | 2 +- pveum.adoc

[pve-devel] [PATCH docs v2 3/4] btrfs: Capitalize item and remove nul item

2024-10-10 Thread Maximiliano Sandoval
Other items in the same list are capitalized. Signed-off-by: Maximiliano Sandoval --- local-btrfs.adoc | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/local-btrfs.adoc b/local-btrfs.adoc index 3512131c..629dcdd7 100644 --- a/local-btrfs.adoc +++ b/local-btrfs.adoc @@ -28,9

[pve-devel] [PATCH docs v2 4/4] btrfs: Add link to upstream docs regarding its status

2024-10-10 Thread Maximiliano Sandoval
Signed-off-by: Maximiliano Sandoval --- local-btrfs.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/local-btrfs.adoc b/local-btrfs.adoc index 629dcdd7..1db72577 100644 --- a/local-btrfs.adoc +++ b/local-btrfs.adoc @@ -32,7 +32,7 @@ introduced as optional selection for the

[pve-devel] [PATCH docs v2 2/4] firewall: fix typo on pcAnywhere

2024-10-10 Thread Maximiliano Sandoval
The spelling is taken from its Wikipedia article https://en.wikipedia.org/wiki/PcAnywhere. Signed-off-by: Maximiliano Sandoval --- pve-firewall-macros.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pve-firewall-macros.adoc b/pve-firewall-macros.adoc index 56c66604..d398

Re: [pve-devel] [PATCH docs v2 1/4] fix some typos

2024-10-10 Thread Maximiliano Sandoval
I forgot to add: Differences from v1: - Remove autogenerated files. Maximiliano Sandoval writes: > found with: > > typos *.adoc > > Signed-off-by: Maximiliano Sandoval > --- > datacenter.cfg.5-opts.adoc | 2 +- > ha-resources-opts.adoc | 2 +- > notifications.adoc | 2 +- >

Re: [pve-devel] [PATCH ifupdown2 1/1] Correctly handle IPv6 addresses in vxlan

2024-10-10 Thread Andrew via pve-devel
Yes, I read all of the PRs and discussion on ifupdown2 GitHub before implementing this. Ultimately I disagreed with the solution to use a separate parameter for IPv6, for the following reasons: - We can only have one local tunnel IP, so having two parameters means we need

[pve-devel] [PATCH docs/firewall/manager/proxmox{-ve-rs, -firewall, -perl-rs} v2 00/25] autogenerate ipsets for sdn objects

2024-10-10 Thread Stefan Hanreich
This patch series adds support for autogenerating ipsets for SDN objects. It autogenerates ipsets for every VNet as follows: * ipset containing all IP ranges of the VNet * ipset containing all gateways of the VNet * ipset containing all IP ranges of the subnet - except gateways * ipset containing

[pve-devel] [PATCH proxmox-ve-rs v2 15/25] sdn: add config module

2024-10-10 Thread Stefan Hanreich
Similar to how the IPAM module works, we separate the internal representation from the concrete schema of the configuration file. We provide structs for parsing the running SDN configuration and a struct that is used internally for representing an SDN configuration, as well as a method for convert

[pve-devel] [PATCH proxmox-perl-rs v2 23/25] add PVE::RS::Firewall::SDN module

2024-10-10 Thread Stefan Hanreich
Used for obtaining the IPSets that get autogenerated by the nftables firewall. The returned configuration has the same format as the pve-firewall uses internally, making it compatible with the existing pve-firewall code. Signed-off-by: Stefan Hanreich --- pve-rs/Cargo.toml | 1 + pve-

[pve-devel] [PATCH proxmox-ve-rs v2 17/25] tests: add sdn config tests

2024-10-10 Thread Stefan Hanreich
Signed-off-by: Stefan Hanreich --- proxmox-ve-config/tests/sdn/main.rs | 144 ++ .../tests/sdn/resources/running-config.json | 54 +++ 2 files changed, 198 insertions(+) create mode 100644 proxmox-ve-config/tests/sdn/main.rs create mode 100644 proxmox-ve-config/

[pve-devel] [PATCH proxmox-ve-rs v2 12/25] sdn: add name types

2024-10-10 Thread Stefan Hanreich
Signed-off-by: Stefan Hanreich --- proxmox-ve-config/src/lib.rs | 1 + proxmox-ve-config/src/sdn/mod.rs | 240 +++ 2 files changed, 241 insertions(+) create mode 100644 proxmox-ve-config/src/sdn/mod.rs diff --git a/proxmox-ve-config/src/lib.rs b/proxmox-ve-conf

[pve-devel] [PATCH proxmox-ve-rs v2 18/25] tests: add ipam tests

2024-10-10 Thread Stefan Hanreich
Signed-off-by: Stefan Hanreich --- proxmox-ve-config/tests/sdn/main.rs | 45 +++ proxmox-ve-config/tests/sdn/resources/ipam.db | 26 +++ 2 files changed, 71 insertions(+) create mode 100644 proxmox-ve-config/tests/sdn/resources/ipam.db diff --git a/proxmox-ve-c

[pve-devel] [PATCH proxmox-ve-rs v2 02/17] firewall: add bridge firewall config parser

2024-10-10 Thread Stefan Hanreich
We introduce a new type of firewall config file that can be used for defining rules on bridge-level, similar to the existing cluster/host/vm configuration files. Signed-off-by: Stefan Hanreich --- proxmox-ve-config/src/firewall/bridge.rs | 64 1 file changed, 64 insertio

[pve-devel] [PATCH proxmox-ve-rs v2 14/25] sdn: ipam: add method for generating ipsets

2024-10-10 Thread Stefan Hanreich
For every guest that has at least one entry in the IPAM we generate an ipset with the name `+sdn/guest-ipam-{vmid}`. The ipset contains all IPs from all zones for a guest with {vmid}. Signed-off-by: Stefan Hanreich --- .../src/firewall/types/address.rs | 9 proxmox-ve-config/sr

[pve-devel] [PATCH proxmox-firewall v2 09/17] cargo: make proxmox-ve-config a workspace dependency

2024-10-10 Thread Stefan Hanreich
Since it is used by both libraries, and they need the same version. Signed-off-by: Stefan Hanreich --- Cargo.toml | 3 +++ proxmox-firewall/Cargo.toml | 2 +- proxmox-nftables/Cargo.toml | 2 +- 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/Cargo.toml b/Cargo.to

[pve-devel] [PATCH proxmox-ve-rs v2 03/17] config: firewall: add tests for interface and directions

2024-10-10 Thread Stefan Hanreich
Add tests for validating the directions in the guest firewall configuration. While I'm at it, I also added tests for validating interface names, since this functionality did not get tested before. Signed-off-by: Stefan Hanreich --- proxmox-ve-config/src/firewall/guest.rs | 53 +++

[pve-devel] [PATCH docs/firewall/manager/network/proxmox{-ve-rs, -firewall} v2 00/17] add forward chain firewalling for hosts and vnets

2024-10-10 Thread Stefan Hanreich
## Introduction This patch series introduces a new direction for firewall rules: forward. Additionally this patch series introduces defining firewall rules on a vnet level. ## Use Cases For hosts: * hosts utilizing NAT can define firewall rules for NATed traffic * hosts utilizing EVPN zones can

[pve-devel] [PATCH pve-manager v2 14/17] firewall: make base_url dynamically configurable in options component

2024-10-10 Thread Stefan Hanreich
This adds the ability to dynamically configure and change the base_url for the firewall options. This is needed for the SDN firewall dialog, that updates the firewall components based on the selected vnet. This avoids having to reinstantiate the component every time the user selects a new vnet. Si

[pve-devel] [PATCH proxmox-ve-rs v2 08/25] iprange: add methods for converting an ip range to cidrs

2024-10-10 Thread Stefan Hanreich
This is mainly used in proxmox-perl-rs, so the generated ipsets can be used in pve-firewall where only CIDRs are supported. Signed-off-by: Stefan Hanreich --- .../src/firewall/types/address.rs | 818 ++ 1 file changed, 818 insertions(+) diff --git a/proxmox-ve-config

[pve-devel] [PATCH pve-manager v2 12/17] firewall: add forward direction to rule panel

2024-10-10 Thread Stefan Hanreich
Enables us to use the new forward direction as an option when creating or editing firewall rules. By introducing firewall_type we can switch between the available directions depending on which ruleset is being edited. Signed-off-by: Stefan Hanreich --- www/manager6/dc/Config.js | 1 +

[pve-devel] [PATCH pve-manager v2 15/17] sdn: add firewall panel

2024-10-10 Thread Stefan Hanreich
Expose the ability to create vnet-level firewalls in the PVE UI Signed-off-by: Stefan Hanreich --- www/manager6/Makefile| 2 + www/manager6/dc/Config.js| 8 +++ www/manager6/sdn/FirewallPanel.js| 48 + www/manager6/sdn/FirewallVnetView.js | 77 ++

[pve-devel] [PATCH proxmox-firewall v2 06/17] sdn: add support for loading vnet-level firewall config

2024-10-10 Thread Stefan Hanreich
Signed-off-by: Stefan Hanreich --- proxmox-firewall/src/config.rs | 88 - proxmox-firewall/tests/integration_tests.rs | 12 +++ 2 files changed, 98 insertions(+), 2 deletions(-) diff --git a/proxmox-firewall/src/config.rs b/proxmox-firewall/src/config.rs index c2

[pve-devel] [PATCH proxmox-ve-rs v2 13/25] sdn: add ipam module

2024-10-10 Thread Stefan Hanreich
This module includes structs for representing the JSON schema from the PVE ipam. Those can be used to parse the current IPAM state. We also include a general Ipam struct, and provide a method for converting the PVE IPAM to the general struct. The idea behind this is that we have multiple IPAM plug

[pve-devel] [PATCH proxmox-firewall v2 08/17] use std::mem::take over drain()

2024-10-10 Thread Stefan Hanreich
This is more efficient than draining and collecting the Vec. It also fixes the respective clippy lint. Signed-off-by: Stefan Hanreich --- proxmox-firewall/src/rule.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proxmox-firewall/src/rule.rs b/proxmox-firewall/src/rule.rs i

[pve-devel] [PATCH proxmox-ve-rs v2 01/25] debian: add files for packaging

2024-10-10 Thread Stefan Hanreich
Since we now have a standalone repository for Proxmox VE related crates, add the required files for packaging the crates contained in this repository. Signed-off-by: Stefan Hanreich --- .cargo/config.toml | 5 ++ .gitignore | 8 +++ Cargo.toml

[pve-devel] [PATCH proxmox-ve-rs v2 10/25] firewall: guest: derive traits according to rust api guidelines

2024-10-10 Thread Stefan Hanreich
Almost every type should implement them anyway, and many of them are required for those types to be used in BTreeMaps, which the nftables firewall uses for generating stable output. Additionally, we derive Serialize and Deserialize for a few types that occur in the sdn configuration. The following

[pve-devel] [PATCH proxmox-ve-rs v2 05/25] firewall: add ip range types

2024-10-10 Thread Stefan Hanreich
Currently we are using tuples to represent IP ranges which is suboptimal. Validation logic and invariant checking need to happen at every site using the IP range rather than having a unified struct for enforcing those invariants. Signed-off-by: Stefan Hanreich --- .../src/firewall/types/address

[pve-devel] [PATCH proxmox-ve-rs v2 06/25] firewall: address: use new iprange type for ip entries

2024-10-10 Thread Stefan Hanreich
Signed-off-by: Stefan Hanreich --- .../src/firewall/types/address.rs | 81 +++ proxmox-ve-config/src/firewall/types/rule.rs | 6 +- 2 files changed, 31 insertions(+), 56 deletions(-) diff --git a/proxmox-ve-config/src/firewall/types/address.rs b/proxmox-ve-config/s

[pve-devel] [PATCH proxmox-ve-rs v2 07/25] ipset: add range variant to addresses

2024-10-10 Thread Stefan Hanreich
A range can be used to store multiple IP addresses in an ipset that do not neatly fit into a single CIDR. Signed-off-by: Stefan Hanreich --- proxmox-ve-config/src/firewall/types/ipset.rs | 9 - 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/proxmox-ve-config/src/firewall/ty

[pve-devel] [PATCH proxmox-ve-rs v2 11/25] common: add allowlist

2024-10-10 Thread Stefan Hanreich
Signed-off-by: Stefan Hanreich --- proxmox-ve-config/src/common/mod.rs | 31 + proxmox-ve-config/src/lib.rs| 1 + 2 files changed, 32 insertions(+) create mode 100644 proxmox-ve-config/src/common/mod.rs diff --git a/proxmox-ve-config/src/common/mod.rs b/pro

[pve-devel] [PATCH pve-firewall v2 10/17] sdn: add vnet firewall configuration

2024-10-10 Thread Stefan Hanreich
Signed-off-by: Stefan Hanreich --- src/PVE/Firewall.pm | 122 ++-- src/PVE/Firewall/Helpers.pm | 12 2 files changed, 128 insertions(+), 6 deletions(-) diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index 9943f2e..e8096aa 100644 --- a/src/PVE

[pve-devel] [PATCH proxmox-ve-rs v2 01/17] firewall: add forward direction

2024-10-10 Thread Stefan Hanreich
This direction will be used for specifying rules on bridge-level firewalls as well as rules on the cluster / host level that are for forwarded network packets. Since with the introduction of this direction not every type of firewall configuration can contain all types of directions, we additionall

[pve-devel] [PATCH proxmox-ve-rs v2 09/25] ipset: address: add helper methods

2024-10-10 Thread Stefan Hanreich
Signed-off-by: Stefan Hanreich --- proxmox-ve-config/src/firewall/types/address.rs | 10 ++ proxmox-ve-config/src/firewall/types/ipset.rs | 14 ++ 2 files changed, 24 insertions(+) diff --git a/proxmox-ve-config/src/firewall/types/address.rs b/proxmox-ve-config/src/firewal

[pve-devel] [PATCH pve-firewall v2 22/25] api: load sdn ipsets

2024-10-10 Thread Stefan Hanreich
Since the SDN configuration reads the IPAM config file, which resides in /etc/pve/priv we need to add the protected flag to several endpoints. Signed-off-by: Stefan Hanreich --- src/PVE/API2/Firewall/Cluster.pm | 8 ++-- src/PVE/API2/Firewall/Rules.pm | 12 +++- src/PVE/API2/Firew

[pve-devel] [PATCH proxmox-ve-rs v2 03/25] bump dependencies

2024-10-10 Thread Stefan Hanreich
Signed-off-by: Stefan Hanreich --- proxmox-ve-config/Cargo.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/proxmox-ve-config/Cargo.toml b/proxmox-ve-config/Cargo.toml index 5f11bf9..79ba164 100644 --- a/proxmox-ve-config/Cargo.toml +++ b/proxmox-ve-config/Cargo.toml @

[pve-devel] [PATCH pve-manager v2 24/25] firewall: add sdn scope to IPRefSelector

2024-10-10 Thread Stefan Hanreich
Signed-off-by: Stefan Hanreich --- www/manager6/form/IPRefSelector.js | 8 +++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/www/manager6/form/IPRefSelector.js b/www/manager6/form/IPRefSelector.js index d41cde5f5..16078e428 100644 --- a/www/manager6/form/IPRefSelector.js +++

[pve-devel] [PATCH pve-network v2 16/17] firewall: add endpoints for vnet-level firewall

2024-10-10 Thread Stefan Hanreich
Signed-off-by: Stefan Hanreich --- src/PVE/API2/Network/SDN/Vnets.pm | 6 ++ 1 file changed, 6 insertions(+) diff --git a/src/PVE/API2/Network/SDN/Vnets.pm b/src/PVE/API2/Network/SDN/Vnets.pm index 05915f6..e48b048 100644 --- a/src/PVE/API2/Network/SDN/Vnets.pm +++ b/src/PVE/API2/Network/SD

[pve-devel] [PATCH proxmox-ve-rs v2 04/25] firewall: add sdn scope for ipsets

2024-10-10 Thread Stefan Hanreich
Signed-off-by: Stefan Hanreich --- proxmox-ve-config/src/firewall/types/ipset.rs | 3 +++ 1 file changed, 3 insertions(+) diff --git a/proxmox-ve-config/src/firewall/types/ipset.rs b/proxmox-ve-config/src/firewall/types/ipset.rs index c1af642..6fbdca8 100644 --- a/proxmox-ve-config/src/firewall

[pve-devel] [PATCH proxmox-ve-rs v2 02/25] bump serde_with to 3

2024-10-10 Thread Stefan Hanreich
From: Fabian Grünbichler Signed-off-by: Fabian Grünbichler Signed-off-by: Stefan Hanreich --- proxmox-ve-config/Cargo.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proxmox-ve-config/Cargo.toml b/proxmox-ve-config/Cargo.toml index ab8a7a0..5f11bf9 100644 --- a/proxmox

[pve-devel] [PATCH proxmox-firewall v2 20/25] ipsets: autogenerate ipsets for vnets and ipam

2024-10-10 Thread Stefan Hanreich
They act like virtual ipsets, similar to ipfilter-net, that can be used for defining firewall rules for sdn objects dynamically. The changes in proxmox-ve-config also introduced a dedicated struct for representing ip ranges, so we update the existing code, so that it uses that struct as well. Sig

Re: [pve-devel] [RFC firewall/proxmox{-ve-rs, -firewall, -perl-rs} 00/21] autogenerate ipsets for sdn objects

2024-10-10 Thread Stefan Hanreich
v2 here: https://lore.proxmox.com/pve-devel/20241010155637.255451-1-s.hanre...@proxmox.com/T/ ___ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

Re: [pve-devel] [RFC firewall/manager/network/proxmox{-ve-rs, -firewall} 00/15] add forward chain firewalling for hosts and bridges

2024-10-10 Thread Stefan Hanreich
v2 here: https://lore.proxmox.com/pve-devel/20241010155650.255698-1-s.hanre...@proxmox.com/T/

[pve-devel] [PATCH pve-docs v2 25/25] sdn: add documentation for firewall integration

2024-10-10 Thread Stefan Hanreich
Signed-off-by: Stefan Hanreich --- pvesdn.adoc | 92 + 1 file changed, 92 insertions(+) diff --git a/pvesdn.adoc b/pvesdn.adoc index 39de80f..c187365 100644 --- a/pvesdn.adoc +++ b/pvesdn.adoc @@ -702,6 +702,98 @@ For more information please co

[pve-devel] [PATCH pve-firewall v2 21/25] add support for loading sdn firewall configuration

2024-10-10 Thread Stefan Hanreich
This also includes support for parsing rules referencing IPSets in the new SDN scope and generating those IPSets in the firewall. Loading SDN configuration is optional, since loading it requires root privileges which we do not have in all call sites. Adding the flag allows us to selectively load t

[pve-devel] [PATCH proxmox-firewall v2 05/17] nftables: derive additional traits for nftables types

2024-10-10 Thread Stefan Hanreich
Signed-off-by: Stefan Hanreich --- proxmox-nftables/src/types.rs | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/proxmox-nftables/src/types.rs b/proxmox-nftables/src/types.rs index 3101436..d8f3b62 100644 --- a/proxmox-nftables/src/types.rs +++ b/proxmox-nftables/src/t

[pve-devel] [PATCH pve-docs v2 17/17] firewall: add documentation for forward direction

2024-10-10 Thread Stefan Hanreich
Additionally add information about the SDN VNet firewall, which has been introduced with these changes. Signed-off-by: Stefan Hanreich --- Makefile | 1 + gen-pve-firewall-vnet-opts.pl | 12 pve-firewall-vnet-opts.adoc | 8 ++ pve-firewall.adoc |

[pve-devel] [PATCH proxmox-firewall v2 19/25] config: tests: add support for loading sdn and ipam config

2024-10-10 Thread Stefan Hanreich
Also add example SDN configuration files that get automatically loaded, which can be used for future tests. Signed-off-by: Stefan Hanreich --- proxmox-firewall/src/config.rs| 69 +++ .../tests/input/.running-config.json | 45 proxmox-firewall

[pve-devel] [PATCH pve-firewall v2 11/17] api: add vnet endpoints

2024-10-10 Thread Stefan Hanreich
Signed-off-by: Stefan Hanreich --- src/PVE/API2/Firewall/Makefile | 1 + src/PVE/API2/Firewall/Rules.pm | 84 + src/PVE/API2/Firewall/Vnet.pm | 168 + src/PVE/Firewall.pm| 10 ++ 4 files changed, 263 insertions(+) create mode 10064

[pve-devel] [PATCH proxmox-ve-rs v2 04/17] host: add struct representing bridge names

2024-10-10 Thread Stefan Hanreich
Signed-off-by: Stefan Hanreich --- proxmox-ve-config/Cargo.toml| 1 + proxmox-ve-config/src/host/mod.rs | 1 + proxmox-ve-config/src/host/types.rs | 46 + 3 files changed, 48 insertions(+) create mode 100644 proxmox-ve-config/src/host/types.rs diff --git

[pve-devel] [PATCH proxmox-ve-rs v2 16/25] sdn: config: add method for generating ipsets

2024-10-10 Thread Stefan Hanreich
We generate the following ipsets for every vnet in the running sdn configuration: * {vnet}-all: contains all subnets of the vnet * {vnet}-no-gateway: contains all subnets of the vnet except for all gateways * {vnet}-gateway: contains all gateways in the vnet * {vnet}-dhcp: contains all dhcp rang

[pve-devel] [PATCH pve-manager v2 13/17] firewall: add vnet to firewall options component

2024-10-10 Thread Stefan Hanreich
Add the configuration options for vnet-level firewalls to the options component. Additionally add the new policy_forward configuration option to the datacenter-level firewall as well. Signed-off-by: Stefan Hanreich --- www/manager6/grid/FirewallOptions.js | 38 +++- 1 fil

[pve-devel] [PATCH proxmox-firewall v2 07/17] sdn: create forward firewall rules

2024-10-10 Thread Stefan Hanreich
Signed-off-by: Stefan Hanreich --- .../resources/proxmox-firewall.nft| 54 proxmox-firewall/src/firewall.rs | 122 +- proxmox-firewall/src/rule.rs | 5 +- .../integration_tests__firewall.snap | 86 proxmo