From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id B17691FF146 for ; Tue, 12 May 2026 19:33:12 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 15DED1BD57; Tue, 12 May 2026 19:32:32 +0200 (CEST) From: Stefan Hanreich To: pve-devel@lists.proxmox.com Subject: [PATCH pve-network v5 14/29] fabrics: wireguard: add schema definitions for wireguard Date: Tue, 12 May 2026 19:31:29 +0200 Message-ID: <20260512173145.596958-15-s.hanreich@proxmox.com> X-Mailer: git-send-email 2.47.3 In-Reply-To: <20260512173145.596958-1-s.hanreich@proxmox.com> References: <20260512173145.596958-1-s.hanreich@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1778607003828 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.616 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Message-ID-Hash: M6J7L4WZTKB7JGIDIFP6COQNPG4KFYZK X-Message-ID-Hash: M6J7L4WZTKB7JGIDIFP6COQNPG4KFYZK X-MailFrom: s.hanreich@proxmox.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.10 Precedence: list List-Id: Proxmox VE development discussion List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: Add the newly introduced properties for fabrics / nodes to the existing schema definition. The existing fabric / node endpoints will then work with the new WireGuard entities, without any additional changes. To properly detect changes in the peers property, which is an array, it needs to be added to the encode_value function as well, which is used for comparing the pending configuration to the running configuration. Originally-by: Christoph Heiss Signed-off-by: Stefan Hanreich --- src/PVE/API2/Network/SDN.pm | 2 +- src/PVE/Network/SDN.pm | 2 + src/PVE/Network/SDN/Fabrics.pm | 180 +++++++++++++++++++++++++++++++-- 3 files changed, 177 insertions(+), 7 deletions(-) diff --git a/src/PVE/API2/Network/SDN.pm b/src/PVE/API2/Network/SDN.pm index 03746e8b..6b73af25 100644 --- a/src/PVE/API2/Network/SDN.pm +++ b/src/PVE/API2/Network/SDN.pm @@ -125,7 +125,7 @@ my $create_reload_network_worker = sub { } }, ); - #my $upid = PVE::API2::Network->reload_network_config(node => $nodename}); + #my $upid = PVE::API2::Network->reload_network_config({ node => $nodename }); my $res = PVE::Tools::upid_decode($upid); return $res->{pid}; diff --git a/src/PVE/Network/SDN.pm b/src/PVE/Network/SDN.pm index 53a12c26..74c0edb2 100644 --- a/src/PVE/Network/SDN.pm +++ b/src/PVE/Network/SDN.pm @@ -511,6 +511,8 @@ sub encode_value { || $key eq 'entries' || $key eq 'match' || $key eq 'set' + || $key eq 'peers' + || $key eq 'allowed_ips' ) { if (ref($value) eq 'HASH') { return join(',', sort keys(%$value)); diff --git a/src/PVE/Network/SDN/Fabrics.pm b/src/PVE/Network/SDN/Fabrics.pm index bc295f0f..d98e2e27 100644 --- a/src/PVE/Network/SDN/Fabrics.pm +++ b/src/PVE/Network/SDN/Fabrics.pm @@ -51,7 +51,44 @@ PVE::JSONSchema::register_standard_option( { description => "Type of configuration entry in an SDN Fabric section config", type => 'string', - enum => ['openfabric', 'ospf'], + enum => ['openfabric', 'ospf', 'wireguard'], + }, +); + +PVE::JSONSchema::register_format( + 'pve-sdn-fabric-wireguard-interface', + { + name => { + type => 'string', + format => 'pve-iface', + description => 'Name of the network interface', + }, + public_key => { + type => 'string', + description => 'The public key of this interface', + optional => 1, + }, + ip => { + type => 'string', + format => 'CIDRv4', + description => 'IPv4 address for this node', + optional => 1, + }, + ip6 => { + type => 'string', + format => 'CIDRv6', + description => 'IPv6 address for this node', + optional => 1, + }, + listen_port => { + type => 'number', + 'type-property' => 'protocol', + 'instance-types' => ['wireguard'], + description => 'Port to listen on for WireGuard traffic.', + optional => 1, + minimum => 1, + maximum => 65535, + }, }, ); @@ -202,18 +239,125 @@ sub node_properties { description => 'OSPF network interface', optional => 1, }, + { + type => 'array', + 'instance-types' => ['wireguard'], + items => { + description => + "WireGuard network interface", + type => 'string', + format => 'pve-sdn-fabric-wireguard-interface', + }, + description => 'List of WireGuard network interfaces for this node.', + optional => 1, + }, ], }, - }; - - if ($update) { - $properties->{delete} = { + public_key => { + 'type-property' => 'protocol', + 'instance-types' => ['wireguard'], + description => 'The public key for the external node.', + type => 'string', + optional => 1, + }, + role => { + 'type-property' => 'protocol', + 'instance-types' => ['wireguard'], + description => 'The role of this node in the WireGuard fabric.', + type => 'string', + enum => ['internal', 'external'], + optional => 1, + }, + endpoint => { + 'type-property' => 'protocol', + 'instance-types' => ['wireguard'], + description => 'The endpoint used for connecting to this node.', + optional => 1, + type => 'string', + }, + allowed_ips => { + 'type-property' => 'protocol', + 'instance-types' => ['wireguard'], type => 'array', + optional => 1, + description => + 'A list of IPs that are routable via this node in the WireGuard fabric.', items => { type => 'string', - enum => ['interfaces', 'ip', 'ip6'], + format => 'CIDR', }, + }, + peers => { + 'type-property' => 'protocol', + 'instance-types' => ['wireguard'], optional => 1, + type => 'array', + items => { + type => 'string', + format => { + type => { + type => 'string', + enum => ['internal', 'external'], + }, + node => { + description => + 'The name of the peer (if external) or the name of the node and interface (if internal).', + type => 'string', + }, + node_iface => { + description => + 'The interface of the other node, if it is internal', + type => 'string', + optional => 1, + }, + iface => { + description => + 'The interface of this node that uses this peer definition.', + type => 'string', + }, + endpoint => { + description => + 'Override for the endpoint settings in the node section.', + optional => 1, + type => 'string', + }, + skip_route_generation => { + description => + 'Whether routes for the allowed IPs should be created in the kernel routing table.', + optional => 1, + default => 0, + type => 'boolean', + }, + }, + }, + }, + }; + + if ($update) { + $properties->{delete} = { + # coerce this value into an array before parsing (oneOf workaround) + type => 'array', + 'type-property' => 'protocol', + oneOf => [ + { + type => 'array', + 'instance-types' => ['openfabric', 'ospf'], + items => { + type => 'string', + enum => ['interfaces', 'ip', 'ip6'], + }, + optional => 1, + }, + { + type => 'array', + 'instance-types' => ['wireguard'], + items => { + type => 'string', + enum => ['allowed_ips', 'endpoint', 'interfaces', 'ip', 'ip6', 'peers'], + }, + optional => 1, + }, + ], }; } @@ -275,6 +419,21 @@ sub fabric_properties { 'A prefix list that should be used for filtering routes that are to be installed into the kernel routing table', optional => 1, }, + persistent_keepalive => { + type => 'number', + 'type-property' => 'protocol', + 'instance-types' => ['wireguard'], + description => 'A seconds interval, between 1 and 65535 inclusive, of how often to' + . ' send an authenticated empty packet to the peer for the purpose of keeping a' + . ' stateful firewall or NAT mapping valid persistently. For example, if the' + . ' interface very rarely sends traffic, but it might at anytime receive traffic' + . ' from another node, and it is behind NAT, the interface might benefit from' + . ' having a persistent keepalive interval of 25 seconds. If unset or set to 0, it' + . ' is turned off', + optional => 1, + minimum => 0, + maximum => 65535, + }, }; if ($update) { @@ -301,6 +460,15 @@ sub fabric_properties { }, optional => 1, }, + { + type => 'array', + 'instance-types' => ['wireguard'], + items => { + type => 'string', + enum => ['persistent_keepalive'], + }, + optional => 1, + }, ], }; } -- 2.47.3