From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id B3DE91FF133 for ; Mon, 11 May 2026 15:40:57 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id ABBBE19ECD; Mon, 11 May 2026 15:40:55 +0200 (CEST) Date: Mon, 11 May 2026 15:38:11 +0200 From: Arthur Bied-Charreton To: Stefan Hanreich Subject: Re: [PATCH pve-network v4 18/31] fabrics: wireguard: add schema definitions for wireguard Message-ID: References: <20260507124008.417223-1-s.hanreich@proxmox.com> <20260507124008.417223-19-s.hanreich@proxmox.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20260507124008.417223-19-s.hanreich@proxmox.com> X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1778506580893 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.777 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Message-ID-Hash: S4G5SPB5HTFPSVZZCAH6VSFVJJUQT3EB X-Message-ID-Hash: S4G5SPB5HTFPSVZZCAH6VSFVJJUQT3EB X-MailFrom: a.bied-charreton@proxmox.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: pve-devel@lists.proxmox.com X-Mailman-Version: 3.3.10 Precedence: list List-Id: Proxmox VE development discussion List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: On Thu, May 07, 2026 at 02:39:53PM +0200, Stefan Hanreich wrote: > Add the newly introduced properties for fabrics / nodes to the > existing schema definition. The existing fabric / node endpoints will > then work with the new WireGuard entities, without any additional > changes. To properly detect changes in the peers property, which is an > array, it needs to be added to the encode_value function as well, > which is used for comparing the pending configuration to the running > configuration. > > Originally-by: Christoph Heiss > Signed-off-by: Stefan Hanreich > --- > src/PVE/API2/Network/SDN.pm | 2 +- > src/PVE/Network/SDN.pm | 2 + > src/PVE/Network/SDN/Fabrics.pm | 173 +++++++++++++++++++++++++++++++-- > 3 files changed, 170 insertions(+), 7 deletions(-) > > diff --git a/src/PVE/API2/Network/SDN.pm b/src/PVE/API2/Network/SDN.pm > index 03746e8..6b73af2 100644 > --- a/src/PVE/API2/Network/SDN.pm > +++ b/src/PVE/API2/Network/SDN.pm > @@ -125,7 +125,7 @@ my $create_reload_network_worker = sub { > } > }, > ); > - #my $upid = PVE::API2::Network->reload_network_config(node => $nodename}); > + #my $upid = PVE::API2::Network->reload_network_config({ node => $nodename }); > my $res = PVE::Tools::upid_decode($upid); > > return $res->{pid}; > diff --git a/src/PVE/Network/SDN.pm b/src/PVE/Network/SDN.pm > index 53a12c2..74c0edb 100644 > --- a/src/PVE/Network/SDN.pm > +++ b/src/PVE/Network/SDN.pm > @@ -511,6 +511,8 @@ sub encode_value { > || $key eq 'entries' > || $key eq 'match' > || $key eq 'set' > + || $key eq 'peers' > + || $key eq 'allowed_ips' > ) { > if (ref($value) eq 'HASH') { > return join(',', sort keys(%$value)); > diff --git a/src/PVE/Network/SDN/Fabrics.pm b/src/PVE/Network/SDN/Fabrics.pm > index bc295f0..98e9c90 100644 > --- a/src/PVE/Network/SDN/Fabrics.pm > +++ b/src/PVE/Network/SDN/Fabrics.pm > @@ -51,7 +51,44 @@ PVE::JSONSchema::register_standard_option( > { > description => "Type of configuration entry in an SDN Fabric section config", > type => 'string', > - enum => ['openfabric', 'ospf'], > + enum => ['openfabric', 'ospf', 'wireguard'], > + }, > +); > + > +PVE::JSONSchema::register_format( > + 'pve-sdn-fabric-wireguard-interface', > + { > + name => { > + type => 'string', > + format => 'pve-iface', > + description => 'Name of the network interface', > + }, > + public_key => { > + type => 'string', > + description => 'The public key of this interface', > + optional => 1, > + }, > + ip => { > + type => 'string', > + format => 'CIDRv4', > + description => 'IPv4 address for this node', > + optional => 1, > + }, > + ip6 => { > + type => 'string', > + format => 'CIDRv6', > + description => 'IPv6 address for this node', > + optional => 1, > + }, > + listen_port => { > + type => 'number', > + 'type-property' => 'protocol', > + 'instance-types' => ['wireguard'], > + description => 'Port to listen on for WireGuard traffic.', > + optional => 1, > + minimum => 1, > + maximum => 65535, > + }, > }, > ); > > @@ -202,18 +239,118 @@ sub node_properties { > description => 'OSPF network interface', > optional => 1, > }, > + { > + type => 'array', > + 'instance-types' => ['wireguard'], > + items => { > + description => > + "Type of configuration entry in an SDN Fabric section config", > + type => 'string', > + format => 'pve-sdn-fabric-wireguard-interface', > + }, > + description => 'WireGuard network interface', > + optional => 1, > + }, > ], > }, > - }; > - > - if ($update) { > - $properties->{delete} = { > + public_key => { > + 'type-property' => 'protocol', > + 'instance-types' => ['wireguard'], > + description => 'The role of this node in the WireGuard fabric.', > + type => 'string', > + optional => 1, > + }, The description does not match the key here > + role => { > + 'type-property' => 'protocol', > + 'instance-types' => ['wireguard'], > + description => 'The role of this node in the WireGuard fabric.', > + type => 'string', > + enum => ['internal', 'external'], > + optional => 1, > + }, > + endpoint => { > + 'type-property' => 'protocol', > + 'instance-types' => ['wireguard'], > + description => 'The endpoint used for connecting to this node.', > + optional => 1, > + type => 'string', > + }, > + allowed_ips => { > + 'type-property' => 'protocol', > + 'instance-types' => ['wireguard'], > type => 'array', > + optional => 1, > + description => > + 'A list of IPs that are routable via this node in the WireGuard fabric.', > items => { > type => 'string', > - enum => ['interfaces', 'ip', 'ip6'], > + format => 'CIDR', > }, > + }, > + peers => { > + 'type-property' => 'protocol', > + 'instance-types' => ['wireguard'], > optional => 1, > + type => 'array', > + items => { > + type => 'string', > + format => { > + type => { > + type => 'string', > + enum => ['internal', 'external'], > + }, > + node => { > + description => > + 'The name of the peer (if external) or the name of the node and interface (if internal).', > + type => 'string', > + }, > + node_iface => { > + description => > + 'The interface of the other node, if it is internal', > + type => 'string', > + optional => 1, > + }, > + iface => { > + description => > + 'The interface of this node that uses this peer definition.', > + type => 'string', > + }, > + endpoint => { > + description => > + 'Override for the endpoint settings in the node section.', > + optional => 1, > + type => 'string', > + }, > + }, > + }, > + }, > + }; > + > + if ($update) { > + $properties->{delete} = { > + # coerce this value into an array before parsing (oneOf workaround) > + type => 'array', > + 'type-property' => 'protocol', > + oneOf => [ > + { > + type => 'array', > + 'instance-types' => ['openfabric', 'ospf'], > + items => { > + type => 'string', > + enum => ['interfaces', 'ip', 'ip6'], > + }, > + optional => 1, > + }, > + { > + type => 'array', > + 'instance-types' => ['wireguard'], > + items => { > + type => 'string', > + enum => ['allowed_ips', 'endpoint', 'interfaces', 'ip', 'ip6', 'peers'], > + }, > + optional => 1, > + }, > + ], > }; > } > > @@ -275,6 +412,21 @@ sub fabric_properties { > 'A prefix list that should be used for filtering routes that are to be installed into the kernel routing table', > optional => 1, > }, > + persistent_keepalive => { > + type => 'number', > + 'type-property' => 'protocol', > + 'instance-types' => ['wireguard'], > + description => 'A seconds interval, between 1 and 65535 inclusive, of how often to' > + . ' send an authenticated empty packet to the peer for the purpose of keeping a' > + . ' stateful firewall or NAT mapping valid persistently. For example, if the' > + . ' interface very rarely sends traffic, but it might at anytime receive traffic' > + . ' from another node, and it is behind NAT, the interface might benefit from' > + . ' having a persistent keepalive interval of 25 seconds. If unset or set to 0, it' > + . ' is turned off', > + optional => 1, > + minimum => 0, > + maximum => 65535, > + }, > }; > > if ($update) { > @@ -301,6 +453,15 @@ sub fabric_properties { > }, > optional => 1, > }, > + { > + type => 'array', > + 'instance-types' => ['wireguard'], > + items => { > + type => 'string', > + enum => ['persistent_keepalive'], > + }, > + optional => 1, > + }, > ], > }; > } > -- > 2.47.3 > > > > >