From: Thomas Lamprecht <t.lamprecht@proxmox.com>
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>,
Stefan Lendl <s.lendl@proxmox.com>
Subject: Re: [pve-devel] [PATCH pve-network 2/2] Create a cluster-wide firewall for SDN subnets
Date: Wed, 8 Nov 2023 15:36:29 +0100
Message-ID: <645e7f47-318d-4d23-95a1-feb3fb8fb1ee@proxmox.com>
In-Reply-To: <20231108113535.3905405-3-s.lendl@proxmox.com>
On 08/11/2023 at 12:35, Stefan Lendl wrote:
> Upon creation of a subnet, we create a cluster-wide firewall alias.
>
> Signed-off-by: Stefan Lendl <s.lendl@proxmox.com>
> ---
>
> Notes:
> Creates the alias directly when the Subnet is created.
>
> Other SDN objects are created upon 'Apply': commit_config().
> Although, IPAM creates the subnet right away as well.
> This should not be an issue but is inconsistent.
>
> src/PVE/Network/SDN/Subnets.pm | 18 ++++++++++++++++++
> 1 file changed, 18 insertions(+)
>
> diff --git a/src/PVE/Network/SDN/Subnets.pm b/src/PVE/Network/SDN/Subnets.pm
> index 6bb42e5..fe67abd 100644
> --- a/src/PVE/Network/SDN/Subnets.pm
> +++ b/src/PVE/Network/SDN/Subnets.pm
> @@ -6,6 +6,7 @@ use warnings;
> use Net::Subnet qw(subnet_matcher);
> use Net::IP;
> use NetAddr::IP qw(:lower);
> +use PVE::API2::Firewall::Aliases;
This would need pve-firewall to get added to the dependency list in the
debian/control file, otherwise it will only work by luck but break, e.g.,
bootstrapping.
>
> use PVE::Cluster qw(cfs_read_file cfs_write_file cfs_lock_file);
> use PVE::Network::SDN::Dns;
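Review bot: the added `use PVE::API2::Firewall::Aliases;` makes the SDN library module Subnets.pm depend at compile time on a REST API handler from pve-firewall, so Subnets.pm will fail to load at all on a node without that package, not just when the alias code path runs. Beyond declaring the package dependency in debian/control, consider calling into a firewall library module rather than an API2 handler, or loading it lazily with `require` at the call site, so library code does not pull in the API layer.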
> @@ -161,6 +162,13 @@ sub del_dns_ptr_record {
> $plugin->del_ptr_record($plugin_config, $reversezone, $ip);
> }
>
> +sub get_fw_alias_name {
> + my ($subnet) = @_;
> + my $cidr = $subnet->{cidr};
> + $cidr =~ tr/.\//-/;
> + return "$subnet->{zone}_$subnet->{vnet}_$cidr";
> +}
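Review bot: `$cidr =~ tr/.\//-/;` only maps '.' and '/' to '-', so an IPv6 subnet (a constructed example: `2001:db8::/64`) would produce a name still containing ':' characters, which is unlikely to be a valid alias name; map ':' as well or build the name from the address and prefix length explicitly. Also consider prefixing the generated name with a fixed marker such as a hypothetical `sdn_` so aliases created by this code can be told apart from user-defined ones when they are later looked up or removed, and add a short comment documenting the naming scheme.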
This can easily clash with existing aliases, which then get deleted or the addition below fails.
Wouldn't it be nicer if the firewall gets the SDN subnets and manages those aliases
in a separate namespace, i.e., such that they cannot clash with the explicit
aliases from the config?
Thread overview:
2023-11-08 11:35 [pve-devel] [PATCH firewall/network 0/2] SDN: Create firewall aliases " Stefan Lendl
2023-11-08 11:35 ` [pve-devel] [PATCH pve-firewall 1/2] Manually construct guest config path Stefan Lendl
2023-11-08 14:31 ` Thomas Lamprecht
2023-11-10 13:26 ` Stefan Lendl
2023-11-12 17:44 ` Thomas Lamprecht
2023-11-08 11:35 ` [pve-devel] [PATCH pve-network 2/2] Create a cluster-wide firewall for SDN subnets Stefan Lendl
2023-11-08 14:36 ` Thomas Lamprecht [this message]