From: Christoph Heiss <c.heiss@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH firewall v5 02/11] firewall: add connmark rule with VMID to all guest chains
Date: Wed, 30 Jul 2025 11:45:36 +0200	[thread overview]
Message-ID: <20250730094549.263805-3-c.heiss@proxmox.com> (raw)
In-Reply-To: <20250730094549.263805-1-c.heiss@proxmox.com>

Adds a connmark attribute with the VMID inside to anything flowing
in/out of the guest, which is also carried over to all conntrack entries.

This enables differentiating conntrack entries between VMs for
live-migration.

Reviewed-by: Stefan Hanreich <s.hanreich@proxmox.com>
Tested-by: Stefan Hanreich <s.hanreich@proxmox.com>
Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
---
Changes v1 -> v2:
  * no changes

Changes v2 -> v3:
  * rebased on trixie

Changes v3 -> v4:
  * no changes

Changes v4 -> v5:
  * no changes

 src/PVE/Firewall.pm | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index fd5d457..49430b1 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -2551,11 +2551,14 @@ sub ruleset_chain_add_input_filters {
 }
 
 sub ruleset_create_vm_chain {
-    my ($ruleset, $chain, $ipversion, $options, $macaddr, $ipfilter_ipset, $direction) = @_;
+    my ($ruleset, $chain, $ipversion, $options, $macaddr, $ipfilter_ipset, $direction, $vmid) = @_;
 
     ruleset_create_chain($ruleset, $chain);
     my $accept = generate_nfqueue($options);
 
+    # needs to be first, to ensure that it gets always applied
+    ruleset_addrule($ruleset, $chain, "", "-j CONNMARK --set-mark $vmid");
+
     if (!(defined($options->{dhcp}) && $options->{dhcp} == 0)) {
         if ($ipversion == 4) {
             if ($direction eq 'OUT') {
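Review bot: `$vmid` is interpolated unchecked into `-j CONNMARK --set-mark $vmid` at the top of the new chain; if any caller passes undef the generated rule becomes `-j CONNMARK --set-mark ` and the whole ruleset load fails, so a `die` on an undefined `$vmid` (or at least wrapping the `ruleset_addrule` call in `if (defined($vmid))`) would fail loudly instead of breaking the firewall. Also note that `--set-mark` replaces the entire connection mark (it is `--set-xmark value/0xffffffff`), so any mark set elsewhere in the packet path for other purposes is lost; if such marks exist, `--set-xmark` with a mask would let them coexist. The comment "needs to be first, to ensure that it gets always applied" would read clearer if it said the rule must precede the DHCP and accept rules below, so that packets accepted early in the chain still get marked.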
@@ -2796,7 +2799,14 @@ sub generate_tap_rules_direction {
     if ($options->{enable}) {
         # create chain with mac and ip filter
         ruleset_create_vm_chain(
-            $ruleset, $tapchain, $ipversion, $options, $macaddr, $ipfilter_ipset, $direction,
+            $ruleset,
+            $tapchain,
+            $ipversion,
+            $options,
+            $macaddr,
+            $ipfilter_ipset,
+            $direction,
+            $vmid,
         );
 
         ruleset_generate_vm_rules(
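Review bot: only the call site inside `if ($options->{enable})` is shown, so please confirm that `$vmid` is actually in scope in `generate_tap_rules_direction` (this hunk does not add it to that function's argument list) and that no other callers of `ruleset_create_vm_chain` remain, since any not updated here would now pass undef for the new trailing parameter. Reflowing the argument list to one-per-line is a style change mixed into a one-argument functional change; fine if it is the project's perltidy style, but it makes the hunk look larger than it is.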
-- 
2.49.0
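The following is an added example and not part of the patch or of Proxmox's own code. It models the two halves of what the commit message describes: building the `-j CONNMARK --set-mark <vmid>` fragment with the argument check a reviewer would ask for, and reading conntrack entries back by mark so that a guest's connections can be told apart from those of other guests. The `conntrack -L` lines are constructed sample data in that tool's text output format; the function names, the `valid_vmid` range check and the `SAMPLE_CONNTRACK` data are assumptions of this example.

```python
"""Added example (not Proxmox code): CONNMARK rule construction with
validation, and attribution of conntrack entries to a VM by connmark."""
import re

MARK_MAX = 0xFFFFFFFF  # a connmark is a 32-bit value


def valid_vmid(vmid):
    """True if vmid is a positive integer that fits in a 32-bit mark.

    The patch interpolates $vmid into the rule string unchecked; an undefined
    VMID would yield '-j CONNMARK --set-mark ' and break the ruleset load.
    """
    if vmid is None or isinstance(vmid, bool) or not isinstance(vmid, int):
        return False
    return 1 <= vmid <= MARK_MAX


def connmark_rule(vmid):
    """Return the rule fragment the patch adds first to every guest chain."""
    if not valid_vmid(vmid):
        raise ValueError(f"invalid vmid for connmark: {vmid!r}")
    return f"-j CONNMARK --set-mark {vmid}"


# Constructed sample output in `conntrack -L` text format (not real data).
# Two flows marked with VMID 100, one with 101, one unmarked (mark=0).
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=10.0.0.1 sport=43210 dport=22 src=10.0.0.1 dst=10.0.0.5 sport=22 dport=43210 [ASSURED] mark=100 use=1
udp      17 29 src=10.0.0.5 dst=10.0.0.53 sport=51234 dport=53 src=10.0.0.53 dst=10.0.0.5 sport=53 dport=51234 mark=100 use=1
tcp      6 120 TIME_WAIT src=10.0.0.7 dst=10.0.0.1 sport=50000 dport=443 src=10.0.0.1 dst=10.0.0.7 sport=443 dport=50000 [ASSURED] mark=101 use=1
tcp      6 431999 ESTABLISHED src=10.0.0.9 dst=10.0.0.1 sport=50001 dport=22 src=10.0.0.1 dst=10.0.0.9 sport=22 dport=50001 [ASSURED] mark=0 use=1
"""

_KV = re.compile(r"(\w+)=(\S+)")


def parse_conntrack(text):
    """Parse `conntrack -L` lines into dicts.

    The first src/dst/sport/dport group on a line is the original direction,
    the second is the reply direction; 'mark=' is the connmark, 0 if absent.
    """
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = {"proto": line.split()[0], "orig": {}, "reply": {}, "mark": 0}
        for key, value in _KV.findall(line):
            if key in ("src", "dst", "sport", "dport"):
                side = "orig" if key not in entry["orig"] else "reply"
                entry[side][key] = value
            elif key == "mark":
                entry["mark"] = int(value)
        entries.append(entry)
    return entries


def entries_for_vm(text, vmid):
    """Conntrack entries whose connmark equals the VMID, i.e. the set that
    belongs to that guest; mark 0 entries never passed a marked guest chain."""
    if not valid_vmid(vmid):
        raise ValueError(f"invalid vmid: {vmid!r}")
    return [e for e in parse_conntrack(text) if e["mark"] == vmid]


if __name__ == "__main__":
    print(connmark_rule(100))
    for e in entries_for_vm(SAMPLE_CONNTRACK, 100):
        print(e["proto"], e["orig"], "->", e["reply"])
```

Because `--set-mark` writes the connmark directly into the conntrack entry, no separate save step is needed for the mark to appear in `conntrack -L` output; selecting by mark is what lets a migration routine pick up, or later flush, exactly one guest's entries.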



Thread overview: 14+ messages
2025-07-30  9:45 [pve-devel] [PATCH firewall/qemu-server/manager/docs v5 00/11] fix #5180: migrate conntrack state on live migration Christoph Heiss
2025-07-30  9:45 ` [pve-devel] [PATCH proxmox-firewall v5 01/11] firewall: add connmark rule with VMID to all guest chains Christoph Heiss
2025-07-30  9:45 ` Christoph Heiss [this message]
2025-07-30  9:45 ` [pve-devel] [PATCH firewall v5 03/11] firewall: helpers: add sub for flushing conntrack entries by mark Christoph Heiss
2025-07-30  9:45 ` [pve-devel] [PATCH qemu-server v5 04/11] qmp helpers: allow passing structured args via qemu_objectadd() Christoph Heiss
2025-07-30  9:45 ` [pve-devel] [PATCH qemu-server v5 05/11] api2: qemu: add module exposing node migration capabilities Christoph Heiss
2025-07-30  9:45 ` [pve-devel] [PATCH qemu-server v5 06/11] fix #5180: dbus-vmstate: add daemon for QEMUs dbus-vmstate interface Christoph Heiss
2025-07-30  9:45 ` [pve-devel] [PATCH qemu-server v5 07/11] fix #5180: migrate: integrate helper for live-migrating conntrack info Christoph Heiss
2025-07-30  9:45 ` [pve-devel] [PATCH qemu-server v5 08/11] migrate: flush old VM conntrack entries after successful migration Christoph Heiss
2025-07-30  9:45 ` [pve-devel] [PATCH manager v5 09/11] api2: capabilities: expose new qemu/migration endpoint Christoph Heiss
2025-07-30  9:45 ` [pve-devel] [PATCH manager v5 10/11] ui: window: Migrate: add checkbox for migrating VM conntrack state Christoph Heiss
2025-07-30  9:45 ` [pve-devel] [PATCH docs v5 11/11] qm: document conntrack state migration for live migrations Christoph Heiss
2025-07-30 23:48   ` [pve-devel] applied: " Thomas Lamprecht
2025-07-30 22:45 ` [pve-devel] applied-series: [PATCH firewall/qemu-server/manager/docs v5 00/11] fix #5180: migrate conntrack state on live migration Thomas Lamprecht
