* [pve-devel] [PATCH firewall 1/2] compile: report rule errors to syslog if running as daemon
@ 2025-07-02 13:03 Christoph Heiss
  2025-07-02 13:09 ` [pve-devel] [PATCH RFC firewall 2/2] firewall: adjust to new qemu-server module structure Christoph Heiss
  0 siblings, 1 reply; 4+ messages in thread
From: Christoph Heiss @ 2025-07-02 13:03 UTC (permalink / raw)
  To: pve-devel

.. otherwise, they just get silently swallowed and never reported to the
user/service log.

Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
---
 src/PVE/Firewall.pm | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 491c738..13112be 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -4392,7 +4392,14 @@ sub compile_iptables_filter {
                 );
             }
         };
-        warn $@ if $@; # just to be sure - should not happen
+
+        if ($@) {
+            if ($verbose) { # running from cli
+                warn $@;
+            } else {
+                syslog('warn', "$@\n");
+            }
+        }
     }
 
     # generate firewall rules for LXC containers
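Review bot: the new `if ($verbose)` branch treats verbosity as a stand-in for "running from cli", so a non-verbose CLI run now reports the error to syslog only, and a verbose run never reaches syslog at all. Consider calling `syslog(...)` unconditionally and adding `warn $@` on top when `$verbose` is set, so the service log always records a failed rule compile. The logged text is just `$@`; prefixing it with the guest's VMID, if one is in scope at this point, would tell the operator which guest's rules did not compile. The unchanged context line shows the LXC section follows directly; if it has the same `warn $@ if $@` pattern, it needs the same treatment.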
-- 
2.49.0



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel



* [pve-devel] [PATCH RFC firewall 2/2] firewall: adjust to new qemu-server module structure
  2025-07-02 13:03 [pve-devel] [PATCH firewall 1/2] compile: report rule errors to syslog if running as daemon Christoph Heiss
@ 2025-07-02 13:09 ` Christoph Heiss
  2025-07-03  7:37   ` Fabian Grünbichler
  0 siblings, 1 reply; 4+ messages in thread
From: Christoph Heiss @ 2025-07-02 13:09 UTC (permalink / raw)
  To: pve-devel

PVE::QemuServer::parse_net() was moved to PVE::QemuServer::Network in
qemu-server eac162a86 ("introduce Network module"), so adjust all
references here accordingly.

Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
---
This would require a corresponding `Depends` entry update in d/control.
But currently, this dependency is not recorded due to being cyclic - at
least according to the comment at the top of the file.

I've thus marked this patch as RFC & left that change out for now - but
somehow this API break must be versioned properly. Maybe someone with
more insight can chime in here?

 src/PVE/Firewall.pm          | 6 +++---
 src/PVE/FirewallSimulator.pm | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 13112be..41b740a 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -4363,7 +4363,7 @@ sub compile_iptables_filter {
 
             foreach my $netid (sort keys %$conf) {
                 next if $netid !~ m/^net(\d+)$/;
-                my $net = PVE::QemuServer::parse_net($conf->{$netid});
+                my $net = PVE::QemuServer::Network::parse_net($conf->{$netid});
                 next if !$net->{firewall};
 
                 my $iface = "tap${vmid}i$1";
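Review bot: the `+` line in compile_iptables_filter only resolves when the installed qemu-server already ships PVE::QemuServer::Network, and the patch notes say no `Depends` change accompanies it. With an older qemu-server this call dies with an undefined-subroutine error during rule compilation; if this loop sits inside the eval whose error path 1/2 changes, the result is a log line and missing rules for that guest rather than a hard failure. A versioned dependency or a compatibility wrapper should land together with this change so the two packages cannot be installed in a mismatched combination.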
@@ -4503,7 +4503,7 @@ sub compile_ipsets {
             my $device_ips = {};
             foreach my $netid (keys %$conf) {
                 next if $netid !~ m/^net(\d+)$/;
-                my $net = PVE::QemuServer::parse_net($conf->{$netid});
+                my $net = PVE::QemuServer::Network::parse_net($conf->{$netid});
                 next if !$net->{firewall};
 
                 if ($vmfw_conf->{options}->{ipfilter} && !$ipsets->{"ipfilter-$netid"}) {
@@ -4623,7 +4623,7 @@ sub compile_ebtables_filter {
 
             foreach my $netid (sort keys %$conf) {
                 next if $netid !~ m/^net(\d+)$/;
-                my $net = PVE::QemuServer::parse_net($conf->{$netid});
+                my $net = PVE::QemuServer::Network::parse_net($conf->{$netid});
                 next if !$net->{firewall};
                 my $iface = "tap${vmid}i$1";
                 my $macaddr = $net->{macaddr};
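Review bot: this is the third loop in Firewall.pm that repeats the same fully qualified call followed by `next if !$net->{firewall};` (also in compile_iptables_filter and compile_ipsets). A small local helper that parses the net entry would keep the external module path in one place, so the next move on the qemu-server side is a one-line change here instead of another sweep over every call site.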
diff --git a/src/PVE/FirewallSimulator.pm b/src/PVE/FirewallSimulator.pm
index 877e646..0a3100b 100644
--- a/src/PVE/FirewallSimulator.pm
+++ b/src/PVE/FirewallSimulator.pm
@@ -491,7 +491,7 @@ sub extract_vm_info {
     my $info = { type => 'vm', vmid => $vmid };
 
     my $conf = $vmdata->{qemu}->{$vmid} || die "no such VM '$vmid'";
-    my $net = PVE::QemuServer::parse_net($conf->{"net$netnum"});
+    my $net = PVE::QemuServer::Network::parse_net($conf->{"net$netnum"});
     $info->{macaddr} = $net->{macaddr} || die "unable to get mac address";
     $info->{bridge} = $net->{bridge} || die "unable to get bridge";
     $info->{fwbr} = "fwbr${vmid}i$netnum";
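Review bot: FirewallSimulator.pm changes only the call line in extract_vm_info (1 insertion, 1 deletion), so nothing in this diff loads PVE::QemuServer::Network in this file; the call works only if some other module has already pulled it in. Add an explicit `use PVE::QemuServer::Network;`, or a guarded `require` if the cyclic dependency rules out a plain `use`, so the simulator does not depend on load order.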
-- 
2.49.0




* Re: [pve-devel] [PATCH RFC firewall 2/2] firewall: adjust to new qemu-server module structure
  2025-07-02 13:09 ` [pve-devel] [PATCH RFC firewall 2/2] firewall: adjust to new qemu-server module structure Christoph Heiss
@ 2025-07-03  7:37   ` Fabian Grünbichler
  2025-07-03 13:04     ` [pve-devel] applied-series: " Fabian Grünbichler
  0 siblings, 1 reply; 4+ messages in thread
From: Fabian Grünbichler @ 2025-07-03  7:37 UTC (permalink / raw)
  To: Proxmox VE development discussion, Christoph Heiss


> Christoph Heiss <c.heiss@proxmox.com> wrote on 02.07.2025 15:09 CEST:
> 
>  
> PVE::QemuServer::parse_net() was moved to PVE::QemuServer::Network in
> qemu-server eac162a86 ("introduce Network module"), so adjust all
> references here accordingly.
> 
> Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
> ---
> This would require a corresponding `Depends` entry update in d/control.
> But currently, this dependency is not recorded due to being cyclic - at
> least according to the comment at the top of the file.
> 
> I've thus marked this patch as RFC & left that change out for now - but
> somehow this API break must be versioned properly. Maybe someone with
> more insight can chime in here?

we can either add a wrapper back to QemuServer.pm and carry that for the
duration of PVE 9 or we can bump pve-firewall with this patch here included
and do a versioned breaks..

in any case, thanks for noticing!

> 
>  src/PVE/Firewall.pm          | 6 +++---
>  src/PVE/FirewallSimulator.pm | 2 +-
>  2 files changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
> index 13112be..41b740a 100644
> --- a/src/PVE/Firewall.pm
> +++ b/src/PVE/Firewall.pm
> @@ -4363,7 +4363,7 @@ sub compile_iptables_filter {
>  
>              foreach my $netid (sort keys %$conf) {
>                  next if $netid !~ m/^net(\d+)$/;
> -                my $net = PVE::QemuServer::parse_net($conf->{$netid});
> +                my $net = PVE::QemuServer::Network::parse_net($conf->{$netid});
>                  next if !$net->{firewall};
>  
>                  my $iface = "tap${vmid}i$1";
> @@ -4503,7 +4503,7 @@ sub compile_ipsets {
>              my $device_ips = {};
>              foreach my $netid (keys %$conf) {
>                  next if $netid !~ m/^net(\d+)$/;
> -                my $net = PVE::QemuServer::parse_net($conf->{$netid});
> +                my $net = PVE::QemuServer::Network::parse_net($conf->{$netid});
>                  next if !$net->{firewall};
>  
>                  if ($vmfw_conf->{options}->{ipfilter} && !$ipsets->{"ipfilter-$netid"}) {
> @@ -4623,7 +4623,7 @@ sub compile_ebtables_filter {
>  
>              foreach my $netid (sort keys %$conf) {
>                  next if $netid !~ m/^net(\d+)$/;
> -                my $net = PVE::QemuServer::parse_net($conf->{$netid});
> +                my $net = PVE::QemuServer::Network::parse_net($conf->{$netid});
>                  next if !$net->{firewall};
>                  my $iface = "tap${vmid}i$1";
>                  my $macaddr = $net->{macaddr};
> diff --git a/src/PVE/FirewallSimulator.pm b/src/PVE/FirewallSimulator.pm
> index 877e646..0a3100b 100644
> --- a/src/PVE/FirewallSimulator.pm
> +++ b/src/PVE/FirewallSimulator.pm
> @@ -491,7 +491,7 @@ sub extract_vm_info {
>      my $info = { type => 'vm', vmid => $vmid };
>  
>      my $conf = $vmdata->{qemu}->{$vmid} || die "no such VM '$vmid'";
> -    my $net = PVE::QemuServer::parse_net($conf->{"net$netnum"});
> +    my $net = PVE::QemuServer::Network::parse_net($conf->{"net$netnum"});
>      $info->{macaddr} = $net->{macaddr} || die "unable to get mac address";
>      $info->{bridge} = $net->{bridge} || die "unable to get bridge";
>      $info->{fwbr} = "fwbr${vmid}i$netnum";
> -- 
> 2.49.0
> 
> 
> 

* [pve-devel] applied-series: [PATCH RFC firewall 2/2] firewall: adjust to new qemu-server module structure
  2025-07-03  7:37   ` Fabian Grünbichler
@ 2025-07-03 13:04     ` Fabian Grünbichler
  0 siblings, 0 replies; 4+ messages in thread
From: Fabian Grünbichler @ 2025-07-03 13:04 UTC (permalink / raw)
  To: Proxmox VE development discussion, Christoph Heiss

thanks!

ended up requiring a bumped versioned dependency from qemu-server to
pve-firewall for unrelated reasons, but that meant not requiring
anything else to force the upgrade/desired constraint here.

> Fabian Grünbichler <f.gruenbichler@proxmox.com> wrote on 03.07.2025 09:37 CEST:
> > Christoph Heiss <c.heiss@proxmox.com> wrote on 02.07.2025 15:09 CEST:
> > 
> >  
> > PVE::QemuServer::parse_net() was moved to PVE::QemuServer::Network in
> > qemu-server eac162a86 ("introduce Network module"), so adjust all
> > references here accordingly.
> > 
> > Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
> > ---
> > This would require a corresponding `Depends` entry update in d/control.
> > But currently, this dependency is not recorded due to being cyclic - at
> > least according to the comment at the top of the file.
> > 
> > I've thus marked this patch as RFC & left that change out for now - but
> > somehow this API break must be versioned properly. Maybe someone with
> > more insight can chime in here?
> 
> we can either add a wrapper back to QemuServer.pm and carry that for the
> duration of PVE 9 or we can bump pve-firewall with this patch here included
> and do a versioned breaks..
> 
> in any case, thanks for noticing!
> 
> > 
> >  src/PVE/Firewall.pm          | 6 +++---
> >  src/PVE/FirewallSimulator.pm | 2 +-
> >  2 files changed, 4 insertions(+), 4 deletions(-)
> > 
> > diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
> > index 13112be..41b740a 100644
> > --- a/src/PVE/Firewall.pm
> > +++ b/src/PVE/Firewall.pm
> > @@ -4363,7 +4363,7 @@ sub compile_iptables_filter {
> >  
> >              foreach my $netid (sort keys %$conf) {
> >                  next if $netid !~ m/^net(\d+)$/;
> > -                my $net = PVE::QemuServer::parse_net($conf->{$netid});
> > +                my $net = PVE::QemuServer::Network::parse_net($conf->{$netid});
> >                  next if !$net->{firewall};
> >  
> >                  my $iface = "tap${vmid}i$1";
> > @@ -4503,7 +4503,7 @@ sub compile_ipsets {
> >              my $device_ips = {};
> >              foreach my $netid (keys %$conf) {
> >                  next if $netid !~ m/^net(\d+)$/;
> > -                my $net = PVE::QemuServer::parse_net($conf->{$netid});
> > +                my $net = PVE::QemuServer::Network::parse_net($conf->{$netid});
> >                  next if !$net->{firewall};
> >  
> >                  if ($vmfw_conf->{options}->{ipfilter} && !$ipsets->{"ipfilter-$netid"}) {
> > @@ -4623,7 +4623,7 @@ sub compile_ebtables_filter {
> >  
> >              foreach my $netid (sort keys %$conf) {
> >                  next if $netid !~ m/^net(\d+)$/;
> > -                my $net = PVE::QemuServer::parse_net($conf->{$netid});
> > +                my $net = PVE::QemuServer::Network::parse_net($conf->{$netid});
> >                  next if !$net->{firewall};
> >                  my $iface = "tap${vmid}i$1";
> >                  my $macaddr = $net->{macaddr};
> > diff --git a/src/PVE/FirewallSimulator.pm b/src/PVE/FirewallSimulator.pm
> > index 877e646..0a3100b 100644
> > --- a/src/PVE/FirewallSimulator.pm
> > +++ b/src/PVE/FirewallSimulator.pm
> > @@ -491,7 +491,7 @@ sub extract_vm_info {
> >      my $info = { type => 'vm', vmid => $vmid };
> >  
> >      my $conf = $vmdata->{qemu}->{$vmid} || die "no such VM '$vmid'";
> > -    my $net = PVE::QemuServer::parse_net($conf->{"net$netnum"});
> > +    my $net = PVE::QemuServer::Network::parse_net($conf->{"net$netnum"});
> >      $info->{macaddr} = $net->{macaddr} || die "unable to get mac address";
> >      $info->{bridge} = $net->{bridge} || die "unable to get bridge";
> >      $info->{fwbr} = "fwbr${vmid}i$netnum";
> > -- 
> > 2.49.0
> > 
> > 
> > 