From: Thomas Lamprecht
To: Proxmox VE development discussion, "Max R. Carrara"
Date: Fri, 1 Aug 2025 18:00:01 +0200
Subject: Re: [pve-devel] [RFC pve-firewall v1 1/1] pve-firewall.service: update-alternatives to {ip, eb}tables-nft
Message-ID: <99a6c3dd-9d62-4586-b819-c7be7e084314@proxmox.com>
In-Reply-To: <20250801154521.594077-2-m.carrara@proxmox.com>
References: <20250801154521.594077-1-m.carrara@proxmox.com> <20250801154521.594077-2-m.carrara@proxmox.com>
List-Id: Proxmox VE development discussion
X-BeenThere: pve-devel@lists.proxmox.com

On 01.08.25 at 17:45, Max R. Carrara wrote:
> Back in c743e671d it was necessary to update-alternative `ebtables`
> to `ebtables-legacy` due to some bugs [0][1]. However, these bugs
> appear to be fixed now.

Oh, what a throwback ^^

Yeah, might be good to change this, but we're a bit too late for the
next release; still, see below for a potential option.
>
> In Trixie, `ebtables-legacy` seems to cause an enormous amount of audit
> message spam in `dmesg` after upgrading from Bookworm--about 5 long
> lines every ~10 seconds--making it very tedious to find anything one
> actually cares about.
>
> Thus, use the -nft variants instead of the -legacy ones, as the
> aforementioned bugs have long since been fixed and the audit log spam
> is silenced that way.
>
> [0]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929527
> [1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929976
>
> Signed-off-by: Max R. Carrara
> ---
>  debian/pve-firewall.service | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/debian/pve-firewall.service b/debian/pve-firewall.service
> index f95ce6d..c99db26 100644
> --- a/debian/pve-firewall.service
> +++ b/debian/pve-firewall.service
> @@ -8,9 +8,9 @@ Before=shutdown.target
> Conflicts=shutdown.target
>
> [Service]
> -ExecStartPre=-/usr/bin/update-alternatives --set ebtables /usr/sbin/ebtables-legacy
> -ExecStartPre=-/usr/bin/update-alternatives --set iptables /usr/sbin/iptables-legacy
> -ExecStartPre=-/usr/bin/update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
> +ExecStartPre=-/usr/bin/update-alternatives --set ebtables /usr/sbin/ebtables-nft
> +ExecStartPre=-/usr/bin/update-alternatives --set iptables /usr/sbin/iptables-nft
> +ExecStartPre=-/usr/bin/update-alternatives --set ip6tables /usr/sbin/ip6tables-nft

Could we make this opt-in? Then we could a. take more time to thoroughly
test this while b. still being able to tell willing users that they
could enable the nft variant if they are annoyed by the auditd messages.

An implementation option might be using a node-local environment file
sourced by the unit file, e.g.

Environment="VARIANT=legacy"
EnvironmentFile=-/var/lib/pve-firewall/tables-variant
ExecStartPre=-/usr/bin/update-alternatives --set ebtables-${VARIANT} ...

> ExecStart=/usr/sbin/pve-firewall start
> ExecStop=/usr/sbin/pve-firewall stop
> ExecReload=/usr/sbin/pve-firewall restart
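Review bot: the three new ExecStartPre= lines keep the `-` prefix, so a failing `update-alternatives --set` (for instance when /usr/sbin/ebtables-nft is not installed, or is not registered as a candidate for the `ebtables` alternative) is ignored and the service starts with whatever variant was previously selected; nothing in the hunk checks which backend pve-firewall is actually about to drive. Nothing in the hunk flushes rules that a node upgraded in place still has loaded through the legacy (x_tables) backend either: iptables-legacy and iptables-nft keep their rules in separate kernel tables, so after the switch both rule sets can be active at once until the legacy ones are flushed or the node reboots. Consider either dropping the `-` so a failed switch fails the unit visibly, or adding an ExecStartPre= that verifies the resolved binary (readlink -f /usr/sbin/iptables) ends in -nft, and spell out the upgrade flush in the commit message.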
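As an added example, not code from the pve-firewall repository and not the unit-file form proposed in the reply above, here is a POSIX sh sketch of the opt-in selection: read the variant from a node-local environment file, emit the corresponding `update-alternatives --set` calls, and then verify that the resolved binaries really point at the requested variant, which is the check the `-`-prefixed ExecStartPre= lines skip on failure. The file path /var/lib/pve-firewall/tables-variant is taken from the reply; the function names, the `--apply` flag and the verify step are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not pve-firewall code, not the unit-file form proposed
# above): opt-in selection of the {ip,ip6,eb}tables alternative variant
# from a node-local environment file, plus a check that the selection
# actually took effect.  Assumed: the file path
# /var/lib/pve-firewall/tables-variant from the reply above; the
# function names, the --apply flag and the verify step are this
# example's own.

# Read VARIANT from an env file written in systemd EnvironmentFile
# syntax (KEY=value, optional quotes, '#' comment lines).  A missing or
# unreadable file means "legacy", the current default.
tables_variant() {
    file="${1:-/var/lib/pve-firewall/tables-variant}"
    variant=legacy
    if [ -r "$file" ]; then
        v=$(grep '^[[:space:]]*VARIANT=' "$file" | tail -n 1 \
            | sed -e 's/^[[:space:]]*VARIANT=//' -e 's/[[:space:]]*$//' \
                  -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/")
        if [ -n "$v" ]; then
            variant=$v
        fi
    fi
    case "$variant" in
        legacy|nft) printf '%s\n' "$variant" ;;
        *) printf 'tables-variant: invalid VARIANT "%s"\n' "$variant" >&2
           return 1 ;;
    esac
}

# Print the update-alternatives invocations for a variant, one per tool
# (alternative name first, then the candidate path, as in the unit
# file).  Printed rather than executed so the selection can be reviewed
# or piped to sh.
alternatives_cmds() {
    for tool in ebtables iptables ip6tables; do
        printf '/usr/bin/update-alternatives --set %s /usr/sbin/%s-%s\n' \
            "$tool" "$tool" "$1"
    done
}

# Verify that each tool resolves to the requested variant.  The unit's
# ExecStartPre=- prefix ignores a failed --set, so without a check like
# this the firewall silently keeps whatever backend was active before.
# $2 lets a test point at a directory other than /usr/sbin.
verify_variant() {
    want=$1
    sbin=${2:-/usr/sbin}
    rc=0
    for tool in ebtables iptables ip6tables; do
        target=$(readlink -f "$sbin/$tool" 2>/dev/null || true)
        case "$target" in
            *"-$want") ;;
            *) printf '%s resolves to "%s", expected *-%s\n' \
                   "$tool" "$target" "$want" >&2
               rc=1 ;;
        esac
    done
    return $rc
}

# Usage on a node: apply the switch, then refuse to continue if it did
# not take (the opposite of what the unit file's "-" prefix does).
if [ "${1:-}" = "--apply" ]; then
    variant=$(tables_variant) || exit 1
    alternatives_cmds "$variant" | sh
    verify_variant "$variant"
fi
```

The verify step is the part worth carrying into the unit: whether the switch is done by a fixed `ExecStartPre=` line or by a `${VARIANT}` read from an environment file, a node where the nft candidate is missing will otherwise keep running the legacy backend without any indication in `systemctl status`.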