From: Stefan Hanreich
To: pve-devel@lists.proxmox.com
Date: Wed, 16 Jul 2025 17:19:14 +0200
Subject: [pve-devel] superseded: [RFC common/firewall/manager/network/proxmox{-ve-rs, -firewall} 0/7] NIC renaming mitigations

https://lore.proxmox.com/pve-devel/20250716151815.348161-1-s.hanreich@proxmox.com/

On 7/9/25 21:45, Stefan Hanreich wrote:
> This patch series contains the following features:
> * transparent altname support for {pve, proxmox}-firewall and pve-network
> * pveeth tool for pinning NIC names
>
> Both are features aimed at mitigating the fallout caused from changing network
> interface names. Sending it as an RFC, since I will be gone for a few days and
> wanted to publish my current state to start some discussion on the approaches
> I've taken with the tools and possible additions / changes. Nothing in here is
> final or particularly polished.
>
> Both patch series only received rudimentary testing and are work in progress, so
> use at your own risk, I am not responsible for any broken hosts / VMs.
>
> For more information on the pveeth tool, see the respective commit.
>
> TODO:
> * possibly change wakeonlan setting in node config
> * decide on how to handle host.fw / cluster.fw:
>
> cluster.fw cannot be automatically updated, since the generated mapping might
> differ from the one generated on other nodes. One possibility would be to
> generate the mapping for the NICs one-by-one on each host, thus ensuring a
> consistent name on all nodes. Then add a flag that overwrites cluster.fw.
>
> cluster/host.fw is the only configuration file that gets applied immediately
> when updating it, since the firewall continuously polls this file and applies the
> settings. We could add the new name as altname via ip link, ensuring that the
> firewall rules still work before *and* after reboot. Shouldn't be too hard to
> add (possibly with a flag). This is possible because of the new altname support
> in {pve, proxmox}-firewall.
>
> * update detection of physical NICs
>
> We currently rely on the PHYSICAL_NIC_RE to detect physical network interfaces.
> We could instead use the ip link output for determining whether an interface is
> physical or not. This works in every case, except for PullMetric.pm. For this we
> could introduce another variable and fall back on the old logic depending on its
> existence. Maybe someone with more knowledge on the metrics system can chime in
> here. I have patches for this on my staff repo in case you are interested:
>
> pve-manager:physical-nic-re
> pve-common:physical-nic-re
>
> pve-common:
>
> Stefan Hanreich (2):
>   network: add ip link and altname helpers
>   network: add nic prefix to physical nic regex
>
>  src/PVE/Network.pm | 47 +++++++++++++++++++++++++++++++++++++++++++++-
>  1 file changed, 46 insertions(+), 1 deletion(-)
>
>
> proxmox-ve-rs:
>
> Stefan Hanreich (1):
>   config: ip link struct
>
>  proxmox-ve-config/src/host/mod.rs     | 1 +
>  proxmox-ve-config/src/host/network.rs | 35 +++++++++++++++++++++++++++
>  2 files changed, 36 insertions(+)
>  create mode 100644 proxmox-ve-config/src/host/network.rs
>
>
> proxmox-firewall:
>
> Stefan Hanreich (1):
>   firewall: add altname support for firewall rules
>
>  proxmox-firewall/src/config.rs              | 29 +++++++++++++++++++++
>  proxmox-firewall/src/rule.rs                | 6 ++++-
>  proxmox-firewall/tests/integration_tests.rs | 7 +++++
>  3 files changed, 41 insertions(+), 1 deletion(-)
>
>
> pve-firewall:
>
> Stefan Hanreich (1):
>   firewall: add altname support
>
>  src/PVE/Firewall.pm | 7 +++++--
>  1 file changed, 5 insertions(+), 2 deletions(-)
>
>
> pve-network:
>
> Stefan Hanreich (1):
>   controllers: isis: add altname support
>
>  src/PVE/Network/SDN/Controllers/IsisPlugin.pm | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
>
>
> pve-manager:
>
> Stefan Hanreich (1):
>   cli: add pveeth
>
>  PVE/CLI/Makefile  | 1 +
>  PVE/CLI/pveeth.pm | 538 ++++++++++++++++++++++++++++++++++++++++++++++
>  bin/Makefile      | 5 +
>  bin/pveeth        | 8 +
>  4 files changed, 552 insertions(+)
>  create mode 100644 PVE/CLI/pveeth.pm
>  create mode 100644 bin/pveeth
>
>
> Summary over all repositories:
>  12 files changed, 684 insertions(+), 5 deletions(-)
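
An added example, not part of the original mail and not code from the Proxmox repositories: a sketch of the altname resolution the cover letter describes, showing why a rule written against either the old or the pinned name keeps matching before and after the reboot. It assumes the `ifname` and `altnames` fields of `ip -json link show`; the interface names, the rule dictionaries and the function names are constructed for illustration.

```python
import json

# Constructed `ip -json link show` output for one host, before and after the
# reboot that applies a pinned name (all interface names are made up).
BEFORE_REBOOT = json.dumps([
    {"ifindex": 1, "ifname": "lo"},
    {"ifindex": 2, "ifname": "enp1s0", "altnames": ["nic0", "enx525400aabbcc"]},
    {"ifindex": 3, "ifname": "vmbr0"},
])
AFTER_REBOOT = json.dumps([
    {"ifindex": 1, "ifname": "lo"},
    {"ifindex": 2, "ifname": "nic0", "altnames": ["enp1s0", "enx525400aabbcc"]},
    {"ifindex": 3, "ifname": "vmbr0"},
])

def build_name_map(ip_link_json):
    """Map every known name (primary or altname) to the current primary ifname."""
    names = {}
    for link in json.loads(ip_link_json):
        primary = link["ifname"]
        for name in [primary, *link.get("altnames", [])]:
            # The kernel keeps names unique; a clash means the input is inconsistent.
            if names.setdefault(name, primary) != primary:
                raise ValueError(f"name {name!r} maps to two interfaces")
    return names

def resolve_rules(rules, ip_link_json):
    """Rewrite each rule's 'iface' to the current primary name; report unknown names."""
    names = build_name_map(ip_link_json)
    resolved, unresolved = [], []
    for rule in rules:
        iface = rule.get("iface")
        if iface is None:
            resolved.append(dict(rule))  # rule is not bound to an interface
        elif iface in names:
            resolved.append({**rule, "iface": names[iface]})
        else:
            unresolved.append(rule)  # would silently never match; surface it
    return resolved, unresolved

# Constructed rules: one uses the pinned name, one the old name, one a stale name.
RULES = [
    {"action": "ACCEPT", "iface": "nic0", "dport": 22},
    {"action": "DROP", "iface": "enp1s0", "dport": 23},
    {"action": "ACCEPT", "iface": "eno1", "dport": 8006},
]
```

The `unresolved` list is the part worth alerting on: a rule bound to a name that no interface carries is the silent failure that NIC renaming causes.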