From: Stefan Hanreich <s.hanreich@proxmox.com>
To: pve-devel@lists.proxmox.com
Date: Wed, 9 Jul 2025 21:45:19 +0200
Message-Id: <20250709194526.560709-1-s.hanreich@proxmox.com>
Subject: [pve-devel] [RFC common/firewall/manager/network/proxmox{-ve-rs, -firewall} 0/7] NIC renaming mitigations

This patch series contains the following features:

* transparent altname support for {pve, proxmox}-firewall and pve-network
* pveeth tool for pinning NIC names

Both are features aimed at mitigating the fallout caused by changing
network interface names.

Sending it as an RFC, since I will be gone for a few days and wanted to
publish my current state to start some discussion on the approaches I've
taken with the tools and possible additions / changes. Nothing in here is
final or particularly polished. Both patch series only received
rudimentary testing and are work in progress, so use at your own risk, I
am not responsible for any broken hosts / VMs.

For more information on the pveeth tool, see the respective commit.

TODO:

* possibly change wakeonlan setting in node config

* decide on how to handle host.fw / cluster.fw:
  cluster.fw cannot be automatically updated, since the generated mapping
  might differ from the one generated on other nodes. One possibility
  would be to generate the mapping for the NICs one-by-one on each host,
  thus ensuring a consistent name on all nodes. Then add a flag that
  overwrites cluster.fw.
  cluster/host.fw is the only configuration file that gets applied
  immediately when updating it, since the firewall continuously polls
  this file and applies the settings.
  We could add the new name as altname via ip link, ensuring that the
  firewall rules still work before *and* after reboot. Shouldn't be too
  hard to add (possibly with a flag). This is possible because of the new
  altname support in {pve, proxmox}-firewall.

* update detection of physical NICs
  We currently rely on the PHYSICAL_NIC_RE to detect physical network
  interfaces. We could instead use the ip link output for determining
  whether an interface is physical or not. This works in every case,
  except for PullMetric.pm. For this we could introduce another variable
  and fall back on the old logic depending on its existence. Maybe
  someone with more knowledge on the metrics system can chime in here.
  I have patches for this on my staff repo in case you are interested:
    pve-manager:physical-nic-re
    pve-common:physical-nic-re

pve-common:

Stefan Hanreich (2):
  network: add ip link and altname helpers
  network: add nic prefix to physical nic regex

 src/PVE/Network.pm | 47 +++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 46 insertions(+), 1 deletion(-)

proxmox-ve-rs:

Stefan Hanreich (1):
  config: ip link struct

 proxmox-ve-config/src/host/mod.rs     |  1 +
 proxmox-ve-config/src/host/network.rs | 35 +++++++++++++++++++++++++++
 2 files changed, 36 insertions(+)
 create mode 100644 proxmox-ve-config/src/host/network.rs

proxmox-firewall:

Stefan Hanreich (1):
  firewall: add altname support for firewall rules

 proxmox-firewall/src/config.rs              | 29 +++++++++++++++++++++
 proxmox-firewall/src/rule.rs                |  6 ++++-
 proxmox-firewall/tests/integration_tests.rs |  7 +++++
 3 files changed, 41 insertions(+), 1 deletion(-)

pve-firewall:

Stefan Hanreich (1):
  firewall: add altname support

 src/PVE/Firewall.pm | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

pve-network:

Stefan Hanreich (1):
  controllers: isis: add altname support

 src/PVE/Network/SDN/Controllers/IsisPlugin.pm | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

pve-manager:

Stefan Hanreich (1):
  cli: add pveeth

 PVE/CLI/Makefile   |   1 +
 PVE/CLI/pveeth.pm  | 538 ++++++++++++++++++++++++++++++++++++++++++++++
 bin/Makefile       |   5 +
 bin/pveeth         |   8 +
 4 files changed, 552 insertions(+)
 create mode 100644 PVE/CLI/pveeth.pm
 create mode 100644 bin/pveeth

Summary over all repositories:
  12 files changed, 684 insertions(+), 5 deletions(-)

-- 
Generated by git-murpp 0.8.0
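The two mechanisms the cover letter leans on, resolving a firewall rule's interface through altnames and deciding "physical or not" from `ip link` output instead of a name regex, are shown below as an added, self-contained example. It is not code from this series or from pve-common; the `ip -d -j link show` JSON is constructed by hand, the `parentbus`/`parentdev` fields are assumed to be present in the deployment's iproute2 output, `LEGACY_PHYSICAL_NIC_RE` is an illustrative stand-in rather than the real PHYSICAL_NIC_RE, and the pinned name `nic0` is only inferred from the "add nic prefix" commit subject. The unresolved-reference check is the part worth keeping from a firewall point of view: a rule whose interface matches neither a primary name nor an altname should be reported, not silently dropped.

```python
import json
import re

# Constructed sample of `ip -d -j link show` output (not captured from a real
# host): one onboard NIC pinned to "nic0" whose previous names survive as
# altnames, one bridge, and loopback. The "parentbus"/"parentdev" fields are
# what recent iproute2 prints for bus-attached devices; that a given host
# emits them is an assumption about its kernel/iproute2 version.
SAMPLE_IP_LINK_JSON = json.dumps([
    {"ifindex": 1, "ifname": "lo", "link_type": "loopback"},
    {"ifindex": 2, "ifname": "nic0", "link_type": "ether",
     "address": "52:54:00:12:34:56",
     "altnames": ["enp0s3", "eno1"],
     "parentbus": "pci", "parentdev": "0000:00:03.0"},
    {"ifindex": 3, "ifname": "vmbr0", "link_type": "ether",
     "linkinfo": {"info_kind": "bridge"}},
])

# Illustrative stand-in for a name-based physical NIC pattern; the real
# PHYSICAL_NIC_RE in PVE::Network is not reproduced here.
LEGACY_PHYSICAL_NIC_RE = re.compile(r'^(?:eth\d+|en[^:.]+|ib\d+)$')


def parse_ip_link(json_text):
    """Return {ifname: record} for every interface in `ip -j link` output."""
    return {iface["ifname"]: iface for iface in json.loads(json_text)}


def build_name_map(links):
    """Map every known name, primary or altname, to the primary ifname."""
    mapping = {}
    for ifname, iface in links.items():
        mapping[ifname] = ifname
        for alt in iface.get("altnames", []):
            # A primary name always wins over a colliding altname.
            mapping.setdefault(alt, ifname)
    return mapping


def resolve_rule_iface(name, name_map):
    """Resolve an interface referenced in a firewall rule to its primary name.

    Returns None when the name is neither a primary name nor an altname."""
    return name_map.get(name)


def check_rules(rule_ifaces, name_map):
    """Audit the interface names used by a set of rules.

    Returns (resolved, unresolved): a dict rule-name -> primary name for the
    rules that still apply, and the list of names that match nothing, which
    is exactly the set of rules that would quietly stop filtering traffic."""
    resolved, unresolved = {}, []
    for name in rule_ifaces:
        primary = resolve_rule_iface(name, name_map)
        if primary is None:
            unresolved.append(name)
        else:
            resolved[name] = primary
    return resolved, unresolved


def is_physical_by_regex(ifname):
    """Old approach: trust the name. Breaks as soon as the NIC is renamed."""
    return LEGACY_PHYSICAL_NIC_RE.match(ifname) is not None


def is_physical_by_ip_link(iface):
    """New approach: trust what the kernel reports. A device attached to a
    bus (pci, usb, ...) is physical no matter what it was renamed to."""
    return "parentbus" in iface


def classify(json_text):
    """Return {ifname: (regex_says_physical, ip_link_says_physical)}."""
    links = parse_ip_link(json_text)
    return {name: (is_physical_by_regex(name), is_physical_by_ip_link(iface))
            for name, iface in links.items()}


if __name__ == "__main__":
    links = parse_ip_link(SAMPLE_IP_LINK_JSON)
    name_map = build_name_map(links)
    # Constructed rule set: one rule still uses the pre-rename name, one uses
    # the pinned name, one references a NIC that no longer exists at all.
    resolved, unresolved = check_rules(["eno1", "nic0", "eth0"], name_map)
    print("resolved:", resolved)
    print("unresolved (would silently stop matching):", unresolved)
    for name, verdict in classify(SAMPLE_IP_LINK_JSON).items():
        print(f"{name}: regex={verdict[0]} ip_link={verdict[1]}")
```

Run on the constructed sample, the regex approach reports the pinned `nic0` as non-physical while the `ip link` approach still recognises it, and `eth0` is flagged as an unresolved rule reference rather than disappearing from the generated ruleset.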