From: Alexandre Derumier
To: pve-devel@lists.proxmox.com
Subject: [PATCH pve-firewall] rename sysctl.d/pve-firewall.conf to 10-pve-firewall.conf
Date: Mon, 16 Dec 2024 11:36:46 +0100
Message-Id: <20241216103646.3180538-1-alexandre.derumier@groupe-cyllene.com>

Currently, it's not possible to override the values in sysctl.conf because pve-firewall.conf is executed after.

* Applying /usr/lib/sysctl.d/10-pve-ct-inotify-limits.conf ...
* Applying /usr/lib/sysctl.d/10-pve.conf ...
* Applying /etc/sysctl.d/30-ceph-osd.conf ...
* Applying /usr/lib/sysctl.d/50-pid-max.conf ...
* Applying /usr/lib/sysctl.d/99-protect-links.conf ...
* Applying /etc/sysctl.d/99-sysctl.conf ...
* Applying /usr/lib/sysctl.d/pve-firewall.conf ...
* Applying /etc/sysctl.conf ...

(For EVPN with multiple exit nodes, we need to allow asymmetric routing by disabling rp_filter.)

Reported on the forum:
https://forum.proxmox.com/threads/evpn-vpls-with-multi-exit-nodes-firewall-drop-packet-with-asymetric-routing.158225/#post-729042
Signed-off-by: Alexandre Derumier --- src/Makefile | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/Makefile b/src/Makefile index aaece5a..06a1da6 100644 --- a/src/Makefile +++ b/src/Makefile @@ -39,8 +39,7 @@ install: pve-firewall pve-firewall.8 pve-firewall.bash-completion pve-firewall.z install -m 0644 -D pve-firewall.bash-completion $(BASHCOMPLDIR)/pve-firewall install -m 0644 -D pve-firewall.zsh-completion $(ZSHCOMPLDIR)/_pve-firewall install -d -m 0755 $(DESTDIR)/usr/lib/sysctl.d/ - install -m 0644 pve-firewall-sysctl.conf $(DESTDIR)/usr/lib/sysctl.d/pve-firewall.conf - + install -m 0644 pve-firewall-sysctl.conf $(DESTDIR)/usr/lib/sysctl.d/10-pve-firewall.conf .PHONY: clean clean: make -C PVE clean -- 2.39.5
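Review bot: the second `-` line of the hunk deletes the blank line that separated the install recipe from `.PHONY: clean` (the diffstat reads 1 insertion, 2 deletions for what is a one-line rename); that whitespace change is unrelated to the rename and should be dropped so the blank line before `.PHONY: clean` stays. Also worth stating in the commit message: with the `10-` prefix the file sorts before `10-pve.conf` (`-` sorts before `.`), so it now runs before, not after, the other PVE fragments listed in the message; if `10-pve.conf` sets any of the same keys, their precedence flips. A prefix such as `20-` would keep the file after `10-pve.conf` while still sorting before `99-sysctl.conf`, which is the override point the message is about.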
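To make the ordering the commit message relies on concrete, here is an added example (mine, not part of the patch or of pve-firewall) that models how sysctl fragments are applied: same-basename masking across the search directories (/etc wins over /run over /usr/local/lib over /usr/lib), byte-wise sort of the surviving basenames, last writer wins per key, and /etc/sysctl.conf appended last as the listing above shows. The fragment contents, including the assumption that the pve-firewall fragment sets net.ipv4.conf.all.rp_filter=1, are constructed for the demonstration and not copied from a real host or from the package.

```python
import os
import re
from typing import Dict, List, Tuple

# Directory precedence as used by systemd-sysctl: a file in an earlier
# directory masks a file with the same basename in a later one.
SEARCH_DIRS = ["/etc/sysctl.d", "/run/sysctl.d",
               "/usr/local/lib/sysctl.d", "/usr/lib/sysctl.d"]

# key = value, optionally prefixed with '-' (ignore errors); '#'/';' comments.
ASSIGN = re.compile(r"^\s*(-?)([^#=\s]+)\s*=\s*(.*?)\s*$")


def apply_order(paths: List[str]) -> List[str]:
    """Return the given paths in the order sysctl would apply them.

    Only *.conf files inside SEARCH_DIRS count; equal basenames are masked by
    the higher-precedence directory; survivors are applied in C-locale sorted
    order of their basename. /etc/sysctl.conf, if present, goes last, as the
    `sysctl --system` listing in the commit message shows.
    """
    chosen: Dict[str, str] = {}
    for d in SEARCH_DIRS:                      # highest precedence first
        for p in paths:
            if os.path.dirname(p) == d and p.endswith(".conf"):
                chosen.setdefault(os.path.basename(p), p)
    ordered = [chosen[b] for b in sorted(chosen)]
    if "/etc/sysctl.conf" in paths:
        ordered.append("/etc/sysctl.conf")
    return ordered


def parse(text: str) -> List[Tuple[str, str]]:
    """Parse one fragment into (key, value) pairs; '/' in keys becomes '.'."""
    out: List[Tuple[str, str]] = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", ";")):
            continue
        m = ASSIGN.match(line)
        if m:
            out.append((m.group(2).replace("/", "."), m.group(3)))
    return out


def effective(fragments: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Map key -> (value, path that set it); the last writer wins."""
    result: Dict[str, Tuple[str, str]] = {}
    for path in apply_order(list(fragments)):
        for key, value in parse(fragments[path]):
            result[key] = (value, path)
    return result


# Constructed fragments (assumed contents, not the real package files).
ADMIN = "# operator override for EVPN multi-exit asymmetric routing\n" \
        "net.ipv4.conf.all.rp_filter = 0\n"
PKG = "net.ipv4.conf.all.rp_filter = 1\n"      # assumed pve-firewall fragment

BEFORE = {   # layout before the rename, per the commit message listing
    "/usr/lib/sysctl.d/10-pve.conf": "net.ipv4.ip_forward = 1\n",
    "/etc/sysctl.d/99-sysctl.conf": ADMIN,
    "/usr/lib/sysctl.d/pve-firewall.conf": PKG,
}
AFTER = {    # same fragments after the rename in the patch
    "/usr/lib/sysctl.d/10-pve.conf": "net.ipv4.ip_forward = 1\n",
    "/etc/sysctl.d/99-sysctl.conf": ADMIN,
    "/usr/lib/sysctl.d/10-pve-firewall.conf": PKG,
}


def rp_filter_winner(fragments: Dict[str, str]) -> Tuple[str, str]:
    """Which value of rp_filter ends up effective, and which file set it."""
    return effective(fragments)["net.ipv4.conf.all.rp_filter"]


if __name__ == "__main__":
    for label, frags in (("before rename", BEFORE), ("after rename", AFTER)):
        print(label, apply_order(list(frags)), rp_filter_winner(frags))
```

Before the rename the unprefixed basename sorts after `99-sysctl.conf`, so the package value wins over the operator's; after it, `10-pve-firewall.conf` runs first and the operator's `99-sysctl.conf` wins. Note that at boot systemd-sysctl does not read /etc/sysctl.conf itself; on Debian-based systems /etc/sysctl.d/99-sysctl.conf is a symlink to it, which is why that entry is the one that matters in the listing.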