From: Stefan Lendl <s.lendl@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH pve-network 2/2] Create a cluster-wide firewall for SDN subnets
Date: Wed,  8 Nov 2023 12:35:35 +0100
Message-ID: <20231108113535.3905405-3-s.lendl@proxmox.com>
In-Reply-To: <20231108113535.3905405-1-s.lendl@proxmox.com>

Upon creation of a subnet, we create a cluster-wide firewall alias.

Signed-off-by: Stefan Lendl <s.lendl@proxmox.com>
---

Notes:
    Creates the alias directly when the Subnet is created.
    
    Other SDN objects are created upon 'Apply': commit_config().
    Although, IPAM creates the subnet right away as well.
    This should not be an issue but is inconsistent.

 src/PVE/Network/SDN/Subnets.pm | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/src/PVE/Network/SDN/Subnets.pm b/src/PVE/Network/SDN/Subnets.pm
index 6bb42e5..fe67abd 100644
--- a/src/PVE/Network/SDN/Subnets.pm
+++ b/src/PVE/Network/SDN/Subnets.pm
@@ -6,6 +6,7 @@ use warnings;
 use Net::Subnet qw(subnet_matcher);
 use Net::IP;
 use NetAddr::IP qw(:lower);
+use PVE::API2::Firewall::Aliases;
 
 use PVE::Cluster qw(cfs_read_file cfs_write_file cfs_lock_file);
 use PVE::Network::SDN::Dns;
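Review bot: the package imported here, `PVE::API2::Firewall::Aliases`, is not the one the rest of the patch calls (`PVE::API2::Firewall::ClusterAliases` in add_subnet and del_subnet); please confirm that loading the `Aliases` module is what brings `ClusterAliases` into scope, or `use` the package that is actually called so the dependency is explicit and does not rely on file layout. Separately, this makes the SDN library module depend on pve-firewall's API2 layer; that is a heavier coupling than a library-level firewall helper would be, and is worth a sentence in the commit message (or a move to a lower-level interface, if one exists).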
@@ -161,6 +162,13 @@ sub del_dns_ptr_record {
     $plugin->del_ptr_record($plugin_config, $reversezone, $ip);
 }
 
+sub get_fw_alias_name {
+    my ($subnet) = @_;
+    my $cidr = $subnet->{cidr};
+    $cidr =~ tr/.\//-/;
+    return "$subnet->{zone}_$subnet->{vnet}_$cidr";
+}
+
 sub add_subnet {
     my ($zone, $subnetid, $subnet) = @_;
 
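Review bot: `get_fw_alias_name` only translates `.` and `/` to `-`, so an IPv6 subnet CIDR keeps its `:` characters in the generated name; the result should be checked against the firewall's alias name format for both address families and against its maximum length, since zone name, vnet name and CIDR are concatenated with no bound. The name also carries no prefix marking it as SDN-managed, so it can collide with an alias a user created by hand under the same name; a fixed prefix such as `sdn_` would make ownership visible and collisions less likely. A one-line comment describing the naming scheme would help, since the same name is later relied on for removal in del_subnet.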
@@ -170,6 +178,13 @@ sub add_subnet {
     my $plugin_config = $ipam_cfg->{ids}->{$ipam};
     my $plugin = PVE::Network::SDN::Ipams::Plugin->lookup($plugin_config->{type});
     $plugin->add_subnet($plugin_config, $subnetid, $subnet);
+
+    my $param = {
+	name => get_fw_alias_name($subnet),
+	cidr => $subnet->{cidr},
+	comment => "Automatically created Alias from SDN => Zone: $subnet->{zone}, VNet: $subnet->{vnet}, Subnet: $subnet->{cidr}"
+    };
+    PVE::API2::Firewall::ClusterAliases->create_alias($param);
 }
 
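Review bot: the alias is created after `$plugin->add_subnet` has already registered the subnet in IPAM, and the call is not guarded, so if `create_alias` dies (for example because an alias of that name already exists) the IPAM entry is left in place and the caller sees a half-created subnet. Either create the alias before the IPAM call so the cheaper check fails first, or wrap it in `eval` and roll the IPAM subnet back on error. Since the notes say this deliberately runs at subnet creation rather than at `commit_config()`, a short code comment stating that divergence would save the next reader a trip to the commit log; it would also be good to confirm that calling the API2 method directly with a hand-built `$param` goes through the same parameter validation and cluster locking as the REST path.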
 sub del_subnet {
@@ -181,6 +196,9 @@ sub del_subnet {
     my $plugin_config = $ipam_cfg->{ids}->{$ipam};
     my $plugin = PVE::Network::SDN::Ipams::Plugin->lookup($plugin_config->{type});
     $plugin->del_subnet($plugin_config, $subnetid, $subnet);
+
+    my $param = { name => get_fw_alias_name($subnet) };
+    PVE::API2::Firewall::ClusterAliases->remove_alias($param);
 }
 
 sub next_free_ip {
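Review bot: `remove_alias` is called unconditionally in del_subnet, so if it dies on an unknown alias name, deleting a subnet whose alias was never created (subnets that predate this change, or an alias removed by hand) fails as a whole and the subnet cannot be removed; wrapping the call in `eval` and logging a warning when the alias is absent would keep subnet deletion working. Note also that removing the alias leaves any firewall rule that still references it dangling; consider checking for references before removal, or at least calling this out in the commit message.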
-- 
2.41.0

Thread overview: 7+ messages
2023-11-08 11:35 [pve-devel] [PATCH firewall/network 0/2] SDN: Create firewall aliases " Stefan Lendl
2023-11-08 11:35 ` [pve-devel] [PATCH pve-firewall 1/2] Manually construct guest config path Stefan Lendl
2023-11-08 14:31   ` Thomas Lamprecht
2023-11-10 13:26     ` Stefan Lendl
2023-11-12 17:44       ` Thomas Lamprecht
2023-11-08 11:35 ` Stefan Lendl [this message]
2023-11-08 14:36   ` [pve-devel] [PATCH pve-network 2/2] Create a cluster-wide firewall for SDN subnets Thomas Lamprecht
