From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id 36BA91FF13C for ; Thu, 19 Feb 2026 15:56:36 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id DE56918679; Thu, 19 Feb 2026 15:57:09 +0100 (CET) From: Stefan Hanreich To: pve-devel@lists.proxmox.com Subject: [PATCH pve-network 2/3] fabrics: wireguard: add schema definitions for wireguard Date: Thu, 19 Feb 2026 15:56:32 +0100 Message-ID: <20260219145649.441418-16-s.hanreich@proxmox.com> X-Mailer: git-send-email 2.47.3 In-Reply-To: <20260219145649.441418-1-s.hanreich@proxmox.com> References: <20260219145649.441418-1-s.hanreich@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL -0.176 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment KAM_LAZY_DOMAIN_SECURITY 1 Sending domain does not have any anti-forgery methods RDNS_NONE 0.793 Delivered to internal network by a host with no rDNS SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_NONE 0.001 SPF: sender does not publish an SPF Record Message-ID-Hash: TGJTWUQQTRJFAV3JAMHFAYWD23G2XGZY X-Message-ID-Hash: TGJTWUQQTRJFAV3JAMHFAYWD23G2XGZY X-MailFrom: hoan@cray.proxmox.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.10 Precedence: list List-Id: Proxmox VE development discussion List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: Add the newly introduced properties for fabrics / nodes to the existing schema definition. The existing fabric / node endpoints will then work with the new WireGuard entities, without any additional changes. To properly detect changes in the peers property, which is an array, it needs to be added to the encode_value function as well, which is used for comparing the pending configuration to the running configuration. Originally-by: Christoph Heiss Signed-off-by: Stefan Hanreich --- src/PVE/API2/Network/SDN.pm | 2 +- src/PVE/Network/SDN.pm | 9 +- src/PVE/Network/SDN/Fabrics.pm | 257 ++++++++++++++++++++++++++++++++- 3 files changed, 260 insertions(+), 8 deletions(-) diff --git a/src/PVE/API2/Network/SDN.pm b/src/PVE/API2/Network/SDN.pm index b35a588..aa8d359 100644 --- a/src/PVE/API2/Network/SDN.pm +++ b/src/PVE/API2/Network/SDN.pm @@ -107,7 +107,7 @@ my $create_reload_network_worker = sub { } }, ); - #my $upid = PVE::API2::Network->reload_network_config(node => $nodename}); + #my $upid = PVE::API2::Network->reload_network_config({ node => $nodename }); my $res = PVE::Tools::upid_decode($upid); return $res->{pid}; diff --git a/src/PVE/Network/SDN.pm b/src/PVE/Network/SDN.pm index c7c390e..78b15d5 100644 --- a/src/PVE/Network/SDN.pm +++ b/src/PVE/Network/SDN.pm @@ -472,7 +472,14 @@ sub generate_dhcp_config { sub encode_value { my ($type, $key, $value) = @_; - if ($key eq 'nodes' || $key eq 'exitnodes' || $key eq 'dhcp-range' || $key eq 'interfaces') { + if ( + $key eq 'nodes' + || $key eq 'exitnodes' + || $key eq 'dhcp-range' + || $key eq 'interfaces' + || $key eq 'peers' + || $key eq 'allowed_ips' + ) { if (ref($value) eq 'HASH') { return join(',', sort keys(%$value)); } elsif (ref($value) eq 'ARRAY') { diff --git a/src/PVE/Network/SDN/Fabrics.pm b/src/PVE/Network/SDN/Fabrics.pm index d90992a..a81b62e 100644 --- a/src/PVE/Network/SDN/Fabrics.pm +++ b/src/PVE/Network/SDN/Fabrics.pm @@ -45,7 +45,44 @@ PVE::JSONSchema::register_standard_option( { description => "Type of configuration entry in an SDN Fabric section config", type => 'string', - enum => ['openfabric', 'ospf'], + enum => ['openfabric', 'ospf', 'wireguard'], + }, +); + +PVE::JSONSchema::register_format( + 'pve-sdn-fabric-wireguard-interface', + { + name => { + type => 'string', + format => 'pve-iface', + description => 'Name of the network interface', + }, + public_key => { + type => 'string', + description => 'The public key of this interface', + optional => 1, + }, + ip => { + type => 'string', + format => 'CIDRv4', + description => 'IPv4 address for this node', + optional => 1, + }, + ip6 => { + type => 'string', + format => 'CIDRv6', + description => 'IPv6 address for this node', + optional => 1, + }, + listen_port => { + type => 'number', + 'type-property' => 'protocol', + 'instance-types' => ['wireguard'], + description => 'Port to listen on for WireGuard traffic.', + optional => 1, + minimum => 1, + maximum => 65535, + }, }, ); @@ -203,18 +240,202 @@ sub node_properties { description => 'OSPF network interface', optional => 1, }, + { + type => 'array', + 'instance-types' => ['wireguard'], + items => { + description => + "Type of configuration entry in an SDN Fabric section config", + type => 'string', + format => 'pve-sdn-fabric-wireguard-interface', + }, + description => 'WireGuard network interface', + optional => 1, + }, ], }, - }; - - if ($update) { - $properties->{delete} = { + public_key => { + 'type-property' => 'protocol', + 'instance-types' => ['wireguard'], + description => 'The role of this node in the WireGuard fabric.', + type => 'string', + optional => 1, + }, + role => { + 'type-property' => 'protocol', + 'instance-types' => ['wireguard'], + description => 'The role of this node in the WireGuard fabric.', + type => 'string', + enum => ['internal', 'external'], + optional => 1, + }, + endpoint => { + 'type-property' => 'protocol', + 'instance-types' => ['wireguard'], + description => 'The endpoint used for connecting to this node.', + optional => 1, + type => 'string', + }, + allowed_ips => { + 'type-property' => 'protocol', + 'instance-types' => ['wireguard'], type => 'array', + optional => 1, + description => + 'A list of IPs that are routable via this node in the WireGuard fabric.', items => { type => 'string', - enum => ['interfaces', 'ip', 'ip6'], + format => 'CIDR', }, + }, + peers => { + 'type-property' => 'protocol', + 'instance-types' => ['wireguard'], optional => 1, + type => 'array', + items => { + type => 'string', + format => { + type => { + type => 'string', + enum => ['internal', 'external'], + }, + node => { + description => + 'The name of the peer (if external) or the name of the node and interface (if internal).', + type => 'string', + }, + node_iface => { + description => + 'The interface of this node that uses this peer definition.', + optional => 1, + type => 'string', + }, + iface => { + description => + 'The interface of this node that uses this peer definition.', + optional => 1, + type => 'string', + }, + endpoint => { + description => + 'Override for the endpoint settings in the node section.', + optional => 1, + type => 'string', + }, + allowed_ips => { + type => 'array', + optional => 1, + description => 'Additional allowed IPs for this peer.', + items => { + type => 'string', + format => 'CIDR', + }, + }, + }, + }, + }, + role => { + 'type-property' => 'protocol', + 'instance-types' => ['wireguard'], + description => 'The role of this node in the WireGuard fabric.', + type => 'string', + enum => ['internal', 'external'], + optional => 1, + }, + endpoint => { + 'type-property' => 'protocol', + 'instance-types' => ['wireguard'], + description => 'The endpoint used for connecting to this node.', + optional => 1, + type => 'string', + }, + allowed_ips => { + 'type-property' => 'protocol', + 'instance-types' => ['wireguard'], + type => 'array', + optional => 1, + description => + 'A list of IPs that are routable via this node in the WireGuard fabric.', + items => { + type => 'string', + format => 'CIDR', + }, + }, + peers => { + 'type-property' => 'protocol', + 'instance-types' => ['wireguard'], + optional => 1, + type => 'array', + items => { + type => 'string', + format => { + type => { + type => 'string', + enum => ['internal', 'external'], + }, + node => { + description => + 'The name of the peer (if external) or the name of the node and interface (if internal).', + type => 'string', + }, + node_iface => { + description => + 'The interface of this node that uses this peer definition.', + optional => 1, + type => 'string', + }, + iface => { + description => + 'The interface of this node that uses this peer definition.', + optional => 1, + type => 'string', + }, + endpoint => { + description => + 'Override for the endpoint settings in the node section.', + optional => 1, + type => 'string', + }, + allowed_ips => { + type => 'array', + optional => 1, + description => 'Additional allowed IPs for this peer.', + items => { + type => 'string', + format => 'CIDR', + }, + }, + }, + }, + }, + }; + + if ($update) { + $properties->{delete} = { + # coerce this value into an array before parsing (oneOf workaround) + type => 'array', + 'type-property' => 'protocol', + oneOf => [ + { + type => 'array', + 'instance-types' => ['openfabric', 'ospf'], + items => { + type => 'string', + enum => ['interfaces', 'ip', 'ip6'], + }, + optional => 1, + }, + { + type => 'array', + 'instance-types' => ['wireguard'], + items => { + type => 'string', + enum => ['allowed_ips', 'endpoint', 'interfaces', 'ip', 'ip6', 'peers'], + }, + optional => 1, + }, + ], }; } @@ -267,6 +488,21 @@ sub fabric_properties { 'OSPF area. Either a IPv4 address or a 32-bit number. Gets validated in rust.', optional => 1, }, + persistent_keepalive => { + type => 'number', + 'type-property' => 'protocol', + 'instance-types' => ['wireguard'], + description => 'A seconds interval, between 1 and 65535 inclusive, of how often to' + . ' send an authenticated empty packet to the peer for the purpose of keeping a' + . ' stateful firewall or NAT mapping valid persistently. For example, if the' + . ' interface very rarely sends traffic, but it might at anytime receive traffic' + . ' from another node, and it is behind NAT, the interface might benefit from' + . ' having a persistent keepalive interval of 25 seconds. If unset or set to 0, it' + . ' is turned off', + optional => 1, + minimum => 0, + maximum => 65535, + }, }; if ($update) { @@ -293,6 +529,15 @@ sub fabric_properties { }, optional => 1, }, + { + type => 'array', + 'instance-types' => ['wireguard'], + items => { + type => 'string', + enum => ['persistent_keepalive'], + }, + optional => 1, + }, ], }; } -- 2.47.3