From: Stefan Hanreich
To: pve-devel@lists.proxmox.com
Subject: [PATCH pve-network 1/1] sdn: fabrics: wireguard: re-migrate endpoints of internal nodes
Date: Thu, 21 May 2026 13:19:15 +0200
Message-ID: <20260521111917.275330-1-s.hanreich@proxmox.com>
List-Id: Proxmox VE development discussion

Strip the port from all endpoints of internal nodes again, since they're
derived from the internal nodes' endpoints as well as the referenced
interface of the internal node in the respective peer definition.

Only replace ports if IPv6 endpoints are given with brackets, or if the
string before a potential port suffix is a valid IPv4 address; otherwise
leave the string unchanged (e.g. fe80::1:51820 would stay the same).

Signed-off-by: Stefan Hanreich
---
 src/PVE/Network/SDN/Fabrics.pm | 49 +++++++++++++++-------------------
 1 file changed, 21 insertions(+), 28 deletions(-)

diff --git a/src/PVE/Network/SDN/Fabrics.pm b/src/PVE/Network/SDN/Fabrics.pm
index b828d3d6..9a23f210 100644
--- a/src/PVE/Network/SDN/Fabrics.pm
+++ b/src/PVE/Network/SDN/Fabrics.pm
@@ -3,7 +3,7 @@ package PVE::Network::SDN::Fabrics; use strict; use warnings; -use Socket qw(inet_pton AF_INET6); +use Socket qw(inet_pton AF_INET AF_INET6); use PVE::Cluster qw(cfs_register_file cfs_read_file cfs_lock_file cfs_write_file); use PVE::JSONSchema qw(get_standard_option); 
@@ -124,31 +124,32 @@ sub write_fabrics_config { # FIXME: remove with PVE 10 # # WireGuard fabrics from libpve-network-perl 1.5.0 stored a port-less endpoint -# and derived the port from the interface's listen_port; the endpoint is now a -# full host:port. On read, append the node's listen port to such legacy -# node-level endpoints (a bare IPv6 is bracketed). A port-less per-peer -# endpoint override cannot be expressed anymore and its target port is not -# available here, so it is dropped - the peer then falls back to the -# referenced node's (migrated) endpoint. Values already carrying a port, and -# external nodes (no interface, no port), are left for the strict parser. +# and derived the port from the interface's listen_port; This has shortly been +# changed to full host:port in 1.6.3. Revert this change by removing the port +# from endpoints with either valid IPv6 bracket notation or an IPv4 adresses +# succeeded by a port definition. sub migrate_legacy_wireguard_endpoints { my ($raw) = @_; return $raw if !length($raw // ''); return $raw if $raw !~ /^wireguard_node:/m; - # a port-less endpoint is a colon-free bare IPv4/hostname or a bare IPv6 - my $is_portless = sub { $_[0] !~ /:/ || defined(inet_pton(AF_INET6, $_[0])) }; - my @lines = split(/\n/, $raw, -1); - my ($endpoint_idx, $host, $listen_port, $in_wg_node); + my ($endpoint_idx, $endpoint, $role, $in_wg_node); + my $flush = sub { - if (defined($endpoint_idx) && defined($listen_port)) { - $host = "[$host]" if defined(inet_pton(AF_INET6, $host)); - $lines[$endpoint_idx] =~ s/\S+$/$host:$listen_port/; + if (defined($endpoint_idx) && defined($role) && $role eq 'internal') { + if ($endpoint =~ /^\[(\S+)\]:\d+$/) { + $endpoint = $1 if defined(inet_pton(AF_INET6, $1)); + } elsif ($endpoint =~ /^(\S+):\d+$/) { + $endpoint = $1 if defined(inet_pton(AF_INET, $1)); + } + + $lines[$endpoint_idx] =~ s/\S+$/$endpoint/; } - ($endpoint_idx, $host, $listen_port) = (undef, undef, undef); + + ($endpoint_idx, $endpoint, 
$role, $in_wg_node) = (undef, undef, undef); }; for my $i (0 .. $#lines) { @@ -157,19 +158,11 @@ sub migrate_legacy_wireguard_endpoints { $in_wg_node = $lines[$i] =~ /^wireguard_node:/; } elsif (!$in_wg_node) { next; + } elsif ($lines[$i] =~ /^\s+role\s+(\S+)$/) { + $role = $1; } elsif ($lines[$i] =~ /^\s+endpoint\s+(\S+)$/) { - my $value = $1; - ($endpoint_idx, $host) = ($i, $value) if $is_portless->($value); - } elsif ($lines[$i] =~ /^(\s+peers\s+)(\S.*)$/) { - my ($prefix, $props) = ($1, $2); - if (my ($value) = $props =~ /(?:^|,)endpoint=([^,]+)/) { - $props = join(',', grep { $_ ne "endpoint=$value" } split(/,/, $props)) - if $is_portless->($value); - $lines[$i] = "$prefix$props"; - } - } elsif ($lines[$i] =~ /^\s+interfaces\s+\S/) { - my ($port) = $lines[$i] =~ /(?:^|,)listen_port=(\d+)/; - $listen_port //= $port; + $endpoint_idx = $i; + $endpoint = $1; } } $flush->(); -- 2.47.3
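Review bot: in the second hunk, the new `$flush` strips a port only when the prefix is a bracketed IPv6 literal or a valid IPv4 address (`inet_pton(AF_INET, $1)`), but the 1.6.3 migration being reverted appended `:$listen_port` to every colon-free value (the removed comment calls it "a colon-free bare IPv4/hostname"), so a hostname endpoint that 1.6.3 turned into `node1.example.com:51820` keeps its port after this re-migration. Either add a hostname branch (strip the `:\d+` suffix when the remainder contains no colon, which still leaves `fe80::1:51820` alone) or state in the FIXME comment that hostnames are deliberately not touched and that the strict parser accepts them with a port. Two smaller points in the same hunk: the reset `($endpoint_idx, $endpoint, $role, $in_wg_node) = (undef, undef, undef);` assigns three values to four variables and only works because Perl pads list assignments with undef, so spell out the fourth undef; and clearing `$in_wg_node` inside `$flush` is new compared to the removed reset line, which is fine only as long as `$flush` is called exclusively from the section-header branch that immediately re-sets it. The rewritten comment also has typos: "adresses" should be "addresses", "succeeded by" should be "followed by", and "This has shortly been changed" reads better as "this was briefly changed" (lowercase after the semicolon).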
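Review bot: in the last hunk, dropping the `peers` branch means per-peer `endpoint=` overrides are no longer touched at all, which matches the commit message, but configs already rewritten by 1.6.3 had their port-less per-peer overrides deleted by the removed code (`grep { $_ ne "endpoint=$value" }`), and nothing in this function can restore them. Say so in the FIXME comment above `migrate_legacy_wireguard_endpoints` (and in the commit message), so the next reader does not expect this re-migration to bring those overrides back; a one-line note that the `interfaces`/`listen_port` scan is gone because the reverted format no longer needs it would complete the picture.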