From: Stefan Hanreich
To: pve-devel@lists.proxmox.com
Date: Wed, 9 Jul 2025 21:45:24 +0200
Subject: [pve-devel] [PATCH pve-firewall 1/1] firewall: add altname support
Message-Id: <20250709194526.560709-6-s.hanreich@proxmox.com>
In-Reply-To: <20250709194526.560709-1-s.hanreich@proxmox.com>
References: <20250709194526.560709-1-s.hanreich@proxmox.com>

Add support for altnames by transparently mapping them with the information from 'ip link' when generating the ruleset. The firewall will now replace any altname in the ruleset with the actual, physical name from the interface. We handle it this way because iptables cannot match on the altnames on interfaces, only the 'real' name.

Signed-off-by: Stefan Hanreich
---
src/PVE/Firewall.pm | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index 173ce98..e3d21f6 100644 --- a/src/PVE/Firewall.pm +++ b/src/PVE/Firewall.pm @@ -2861,6 +2861,8 @@ sub enable_host_firewall { my $rules = $hostfw_conf->{rules}; my $cluster_rules = $cluster_conf->{rules}; + my $interface_mapping = PVE::Network::altname_mapping(); + # corosync preparation my $corosync_rule = "-p udp --dport 5404:5405"; my $corosync_local_addresses = {}; 
@@ -2908,7 +2910,7 @@ sub enable_host_firewall { next if !$rule->{enable} || $rule->{errors}; next if $rule->{ipversion} && ($rule->{ipversion} != $ipversion); - $rule->{iface_in} = $rule->{iface} if $rule->{iface}; + $rule->{iface_in} = ($interface_mapping->{$rule->{iface}} // $rule->{iface}) if $rule->{iface}; eval { $rule->{logmsg} = "$rule->{action}: "; @@ -2994,7 +2996,8 @@ sub enable_host_firewall { next if !$rule->{enable} || $rule->{errors}; next if $rule->{ipversion} && ($rule->{ipversion} != $ipversion); - $rule->{iface_out} = $rule->{iface} if $rule->{iface}; + $rule->{iface_out} = ($interface_mapping->{$rule->{iface}} // $rule->{iface}) if $rule->{iface}; + eval { $rule->{logmsg} = "$rule->{action}: "; if ($rule->{type} eq 'group') { -- 2.39.5 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
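Review bot: the new call `PVE::Network::altname_mapping()` in the first hunk introduces a dependency on a helper that lives outside this repository, yet the diffstat shows only src/PVE/Firewall.pm changing; the versioned dependency on the package providing that helper should be bumped in the same series, otherwise ruleset generation fails on a host whose PVE::Network predates it. It is also worth stating, in the commit message or a comment next to the call, what the helper returns when `ip link` cannot be queried: if it can return undef the two `$interface_mapping->{...}` lookups need a guard, and if it returns an empty hash the altnames are silently left unresolved and the affected rules never match.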
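Review bot: the resolution expression `($interface_mapping->{$rule->{iface}} // $rule->{iface})` is duplicated verbatim in the second and third hunks and pushes both assignment lines well past the surrounding line length; hoisting it into a local (`my $iface = $interface_mapping->{$rule->{iface}} // $rule->{iface};`) or a small `resolve_iface` sub would keep the in and out paths in sync if the mapping logic changes later. The third hunk also adds an empty line before `eval {` that is unrelated to the change and should be dropped.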
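The mapping the commit message describes, as an added example that is not part of the patch, of pve-firewall or of pve-common: it parses constructed `ip -j link show` output into an altname-to-name hash (a hypothetical stand-in for what `PVE::Network::altname_mapping()` is used for here), resolves rule interface names with the same `//` fallback as the hunks, and flags names that match neither a real interface nor an altname, since such a rule passes through unchanged and then never matches.

```perl
# Added example (not part of the patch, pve-firewall or pve-common):
# build an altname -> real name map from `ip -j link show` output and
# resolve rule interface names the way the hunks above do.
use strict;
use warnings;
use JSON::PP;

# Constructed sample of `ip -j link show` output; only the keys used
# here (ifname, altnames) matter, the rest is omitted.
my $ip_link_json = <<'EOF';
[
  { "ifindex": 2, "ifname": "eth0",  "altnames": ["enp0s3", "wan0"] },
  { "ifindex": 3, "ifname": "eth1",  "altnames": ["enp0s8"] },
  { "ifindex": 4, "ifname": "vmbr0" }
]
EOF

# Hypothetical stand-in for what PVE::Network::altname_mapping() is used
# for in the patch: returns ({ altname => real name }, { real name => 1 }).
sub build_altname_mapping {
    my ($json) = @_;
    my $links = JSON::PP->new->decode($json);
    my (%mapping, %real);
    for my $link (@$links) {
        next if !defined $link->{ifname};
        $real{ $link->{ifname} } = 1;
        for my $altname (@{ $link->{altnames} // [] }) {
            # keep the first owner if the same altname is reported twice
            $mapping{$altname} //= $link->{ifname};
        }
    }
    return (\%mapping, \%real);
}

# Same resolution as in the hunks: substitute the real name when the
# rule names an altname, otherwise keep the configured name unchanged.
sub resolve_iface {
    my ($mapping, $iface) = @_;
    return $mapping->{$iface} // $iface;
}

my ($mapping, $real) = build_altname_mapping($ip_link_json);
for my $iface (qw(enp0s3 vmbr0 enp99s0)) {
    my $resolved = resolve_iface($mapping, $iface);
    # a name that is neither real nor an altname passes through untouched
    # and the resulting iptables rule would never match any traffic
    my $status = $real->{$resolved} ? 'ok' : 'unknown interface';
    printf "%-8s -> %-8s %s\n", $iface, $resolved, $status;
}
```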