[pve-devel] [PATCH] allow random openvz interface name for non firewalled interface
Signed-off-by: Alexandre Derumier aderum...@odiso.com --- data/PVE/Network.pm |7 +-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/data/PVE/Network.pm b/data/PVE/Network.pm index ff4aa73..b30ec54 100644 --- a/data/PVE/Network.pm +++ b/data/PVE/Network.pm @@ -77,7 +77,8 @@ my $parse_tap_devive_name = sub { $vmid = $1; $devid = $2; } else { - die wrong interface name $iface; + $vmid = undef; + $devid = undef; } return ($vmid, $devid); @@ -87,7 +88,6 @@ my $compute_fwbr_names = sub { my ($vmid, $devid) = @_; my $fwbr = fwbr${vmid}i${devid}; -# Note: the firewall use 'fwln+' to filter traffic to VMs my $vethfw = fwln${vmid}i${devid}; my $vethfwpeer = fwpr${vmid}p${devid}; my $ovsintport = fwln${vmid}o${devid}; @@ -145,6 +145,7 @@ my $create_firewall_bridge_linux = sub { my ($iface, $bridge) = @_; my ($vmid, $devid) = $parse_tap_devive_name($iface); +die can't create firewall bridge for random interface name if !$vmid !$devid; my ($fwbr, $vethfw, $vethfwpeer) = $compute_fwbr_names($vmid, $devid); my $bridgemtu = $read_bridge_mtu($bridge); @@ -173,6 +174,7 @@ my $create_firewall_bridge_ovs = sub { my ($iface, $bridge, $tag) = @_; my ($vmid, $devid) = $parse_tap_devive_name($iface); +die can't create firewall bridge for random interface name if !$vmid !$devid; my ($fwbr, undef, undef, $ovsintport) = $compute_fwbr_names($vmid, $devid); my $bridgemtu = $read_bridge_mtu($bridge); @@ -194,6 +196,7 @@ my $cleanup_firewall_bridge = sub { my ($iface) = @_; my ($vmid, $devid) = $parse_tap_devive_name($iface); +return if !$vmid !$devid; my ($fwbr, $vethfw, $vethfwpeer, $ovsintport) = $compute_fwbr_names($vmid, $devid); # cleanup old port config from any openvswitch bridge -- 1.7.10.4 ___ pve-devel mailing list pve-devel@pve.proxmox.com http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
Re: [pve-devel] random openvz veth name question ?
I would like to known if we want to support firewall for random openvz veth name ? not really (no). (by the way, why do we allow to setup random name ?) because it is possible Currently, my openvz patchs hang on tap_plug (cleanup_firewall_bridge)/unplug (create_firewall_bridge_linux), because of parse_tap_devive_name{ if ($iface =~ m/^tap(\d+)i(\d+)$/) { $vmid = $1; $devid = $2; } elsif ($iface =~ m/^veth(\d+)\.(\d+)$/) { $vmid = $1; $devid = $2; } else { die wrong interface name $iface; } } I think I can easily fix it for unfirewalled tap. (so it'll not break current setup). but do we want to allow firewall for random name ? create fwln|fwbr.randomname ? (I'm afraid of too big random name too) no - feel free to remove that feature. ___ pve-devel mailing list pve-devel@pve.proxmox.com http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
Re: [pve-devel] [PATCH] allow random openvz interface name for non firewalled interface
I thought you do not want random names? ___ pve-devel mailing list pve-devel@pve.proxmox.com http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
Re: [pve-devel] [PATCH] allow random openvz interface name for non firewalled interface
I thought you do not want random names? Sorry - simply ignore me (I just read the patch more carefully). ___ pve-devel mailing list pve-devel@pve.proxmox.com http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
Re: [pve-devel] [PATCH] allow random openvz interface name for non firewalled interface
Ok, I applied a slightly different patch - hop that work for you? diff --git a/data/PVE/Network.pm b/data/PVE/Network.pm index ff4aa73..b141d09 100644 --- a/data/PVE/Network.pm +++ b/data/PVE/Network.pm @@ -66,7 +66,7 @@ my $read_bridge_mtu = sub { }; my $parse_tap_devive_name = sub { -my ($iface) = @_; +my ($iface, $noerr) = @_; my ($vmid, $devid); @@ -77,7 +77,8 @@ my $parse_tap_devive_name = sub { $vmid = $1; $devid = $2; } else { - die wrong interface name $iface; + return undef if $noerr; + die can't create firewall bridge for random interface name '$iface'\n; } return ($vmid, $devid); @@ -193,7 +194,8 @@ my $create_firewall_bridge_ovs = sub { my $cleanup_firewall_bridge = sub { my ($iface) = @_; -my ($vmid, $devid) = $parse_tap_devive_name($iface); +my ($vmid, $devid) = $parse_tap_devive_name($iface, 1); +return if !defined($vmid); my ($fwbr, $vethfw, $vethfwpeer, $ovsintport) = $compute_fwbr_names($vmid, $devid); # cleanup old port config from any openvswitch bridge -Original Message- From: pve-devel [mailto:pve-devel-boun...@pve.proxmox.com] On Behalf Of Alexandre Derumier Sent: Freitag, 16. Mai 2014 09:44 To: pve-devel@pve.proxmox.com Subject: [pve-devel] [PATCH] allow random openvz interface name for non firewalled interface ___ pve-devel mailing list pve-devel@pve.proxmox.com http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
Re: [pve-devel] [PATCH] allow random openvz interface name for non firewalled interface
Works perfectly. Thanks ! (tested with my openvz patches) - Mail original - De: Dietmar Maurer diet...@proxmox.com À: Alexandre Derumier aderum...@odiso.com, pve-devel@pve.proxmox.com Envoyé: Vendredi 16 Mai 2014 11:19:44 Objet: RE: [pve-devel] [PATCH] allow random openvz interface name for non firewalled interface Ok, I applied a slightly different patch - hop that work for you? diff --git a/data/PVE/Network.pm b/data/PVE/Network.pm index ff4aa73..b141d09 100644 --- a/data/PVE/Network.pm +++ b/data/PVE/Network.pm @@ -66,7 +66,7 @@ my $read_bridge_mtu = sub { }; my $parse_tap_devive_name = sub { - my ($iface) = @_; + my ($iface, $noerr) = @_; my ($vmid, $devid); @@ -77,7 +77,8 @@ my $parse_tap_devive_name = sub { $vmid = $1; $devid = $2; } else { - die wrong interface name $iface; + return undef if $noerr; + die can't create firewall bridge for random interface name '$iface'\n; } return ($vmid, $devid); @@ -193,7 +194,8 @@ my $create_firewall_bridge_ovs = sub { my $cleanup_firewall_bridge = sub { my ($iface) = @_; - my ($vmid, $devid) = $parse_tap_devive_name($iface); + my ($vmid, $devid) = $parse_tap_devive_name($iface, 1); + return if !defined($vmid); my ($fwbr, $vethfw, $vethfwpeer, $ovsintport) = $compute_fwbr_names($vmid, $devid); # cleanup old port config from any openvswitch bridge -Original Message- From: pve-devel [mailto:pve-devel-boun...@pve.proxmox.com] On Behalf Of Alexandre Derumier Sent: Freitag, 16. Mai 2014 09:44 To: pve-devel@pve.proxmox.com Subject: [pve-devel] [PATCH] allow random openvz interface name for non firewalled interface ___ pve-devel mailing list pve-devel@pve.proxmox.com http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
Re: [pve-devel] [PATCH] allow random openvz interface name for non firewalled interface
(tested with my openvz patches) I will try to include them next week (on Monday). ___ pve-devel mailing list pve-devel@pve.proxmox.com http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
[pve-devel] firewall rules format
We currently use the following format for rules: #TYPE ACTION IFACE SOURCE DEST PROTO D-PORT S-PORT IN ACCEPT(MACRO) net0 192.168.2.0 1.2.3.4 tcp 80 20 This hard to write/read because you need to remember the correct order. So I thought about using something like: in ACCEPT(MACRO) -i net0 -source 192.168.2.0 -dest 1.2.3.4 -p tcp -dport 80 -sport 20 This is a bit harder to parse, but it is easy to add more options in future. What do you think? ___ pve-devel mailing list pve-devel@pve.proxmox.com http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
Re: [pve-devel] firewall rules format
#TYPE ACTION IFACE SOURCE DEST PROTO D-PORT S-PORT IN ACCEPT(MACRO) net0 192.168.2.0 1.2.3.4 tcp 80 20 This hard to write/read because you need to remember the correct order. So I thought about using something like: in ACCEPT(MACRO) -i net0 -source 192.168.2.0 -dest 1.2.3.4 -p tcp -dport 80 -sport 20 This is a bit harder to parse, but it is easy to add more options in future. What do you think? Yes, I Agree, better to read indeed ! - Mail original - De: Dietmar Maurer diet...@proxmox.com À: Alexandre DERUMIER (aderum...@odiso.com) aderum...@odiso.com Cc: pve-devel@pve.proxmox.com Envoyé: Vendredi 16 Mai 2014 17:44:52 Objet: firewall rules format We currently use the following format for rules: #TYPE ACTION IFACE SOURCE DEST PROTO D-PORT S-PORT IN ACCEPT(MACRO) net0 192.168.2.0 1.2.3.4 tcp 80 20 This hard to write/read because you need to remember the correct order. So I thought about using something like: in ACCEPT(MACRO) -i net0 -source 192.168.2.0 -dest 1.2.3.4 -p tcp -dport 80 -sport 20 This is a bit harder to parse, but it is easy to add more options in future. What do you think? ___ pve-devel mailing list pve-devel@pve.proxmox.com http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
Re: [pve-devel] firewall rules format
On Fri, 16 May 2014 15:44:52 + Dietmar Maurer diet...@proxmox.com wrote: We currently use the following format for rules: #TYPE ACTION IFACE SOURCE DEST PROTO D-PORT S-PORT IN ACCEPT(MACRO) net0 192.168.2.0 1.2.3.4 tcp 80 20 This hard to write/read because you need to remember the correct order. So I thought about using something like: in ACCEPT(MACRO) -i net0 -source 192.168.2.0 -dest 1.2.3.4 -p tcp -dport 80 -sport 20 This is a bit harder to parse, but it is easy to add more options in future. What do you think? Why not stick to the iptables format? in ACCEPT(MACRO) -i net0 -s 192.168.2.0 -d 1.2.3.4 -p tcp -dport 80 -sport 20 -- Hilsen/Regards Michael Rasmussen Get my public GnuPG keys: michael at rasmussen dot cc http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0xD3C9A00E mir at datanom dot net http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0xE501F51C mir at miras dot org http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0xE3E80917 -- /usr/games/fortune -es says: Dime is money. signature.asc Description: PGP signature ___ pve-devel mailing list pve-devel@pve.proxmox.com http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
Re: [pve-devel] firewall rules format
Why not stick to the iptables format? in ACCEPT(MACRO) -i net0 -s 192.168.2.0 -d 1.2.3.4 -p tcp -dport 80 -sport 20 beaucse we cannot provide full iptables functionality, and iptables format is really clumsy (for example multiport maches, ipsets, ...). But above syntax is basically iptables format, with some simplifications ;-) Or what would you change exactly? ___ pve-devel mailing list pve-devel@pve.proxmox.com http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
Re: [pve-devel] firewall rules format
Why not stick to the iptables format? in ACCEPT(MACRO) -i net0 -s 192.168.2.0 -d 1.2.3.4 -p tcp -dport 80 -sport 20 beaucse we cannot provide full iptables functionality, and iptables format is really clumsy (for example multiport maches, ipsets, ...). For example, we want to write: - dport 80 - dport 135,139,445 instead of: --dport 80 --match multiport --dports 135,139,445 ___ pve-devel mailing list pve-devel@pve.proxmox.com http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
Re: [pve-devel] firewall rules format
-Original Message- From: pve-devel [mailto:pve-devel-boun...@pve.proxmox.com] On Behalf Of Dietmar Maurer Sent: Freitag, 16. Mai 2014 19:20 To: Michael Rasmussen; pve-devel@pve.proxmox.com Subject: Re: [pve-devel] firewall rules format Why not stick to the iptables format? Or maybe something similar to nftables (iptables is already dead?) ... saddr 192.168.56.0/24 dport 80 ___ pve-devel mailing list pve-devel@pve.proxmox.com http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
Re: [pve-devel] firewall rules format
On Fri, 16 May 2014 17:01:19 + Dietmar Maurer diet...@proxmox.com wrote: beaucse we cannot provide full iptables functionality, and iptables format is really clumsy (for example multiport maches, ipsets, ...). True. But above syntax is basically iptables format, with some simplifications ;-) Or what would you change exactly? -source - -s -dest - -d -- Hilsen/Regards Michael Rasmussen Get my public GnuPG keys: michael at rasmussen dot cc http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0xD3C9A00E mir at datanom dot net http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0xE501F51C mir at miras dot org http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0xE3E80917 -- /usr/games/fortune -es says: Get in touch with your feelings of hostility against the dying light. -- Dylan Thomas [paraphrased periphrastically] signature.asc Description: PGP signature ___ pve-devel mailing list pve-devel@pve.proxmox.com http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
Re: [pve-devel] firewall rules format
But above syntax is basically iptables format, with some simplifications ;-) Or what would you change exactly? -source - -s -dest - -d The getopt-long parser usually accept several option format, like: --source -source -s As long as it is unique. But for now I want to keep things simple. We just need to decide if we move from position based arguments to named arguments. ___ pve-devel mailing list pve-devel@pve.proxmox.com http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
Re: [pve-devel] firewall rules format
On Fri, 16 May 2014 17:50:22 + Dietmar Maurer diet...@proxmox.com wrote: The getopt-long parser usually accept several option format, like: --source -source -s As long as it is unique. But for now I want to keep things simple. We just need to decide if we move from position based arguments to named arguments. Ok. I agree that position based options is a pain which should be avoided at all cost. -- Hilsen/Regards Michael Rasmussen Get my public GnuPG keys: michael at rasmussen dot cc http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0xD3C9A00E mir at datanom dot net http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0xE501F51C mir at miras dot org http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0xE3E80917 -- /usr/games/fortune -es says: Our way is peace. -- Septimus, the Son Worshiper, Bread and Circuses, stardate 4040.7. signature.asc Description: PGP signature ___ pve-devel mailing list pve-devel@pve.proxmox.com http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
[pve-devel] patch to QemuServer.pm
Hi Dietmar, Have you had the time to review my patch to QemuServer.pm? Subject for patch: [PATCH 1/1] add initiator-name to iscsi drives if configured -- Hilsen/Regards Michael Rasmussen Get my public GnuPG keys: michael at rasmussen dot cc http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0xD3C9A00E mir at datanom dot net http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0xE501F51C mir at miras dot org http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0xE3E80917 -- /usr/games/fortune -es says: People who are funny and smart and return phone calls get much better press than people who are just funny and smart. -- Howard Simons, The Washington Post signature.asc Description: PGP signature ___ pve-devel mailing list pve-devel@pve.proxmox.com http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
Re: [pve-devel] zfs plugin improvements
On Mon, 12 May 2014 01:09:38 +0200 Michael Rasmussen m...@datanom.net wrote: commit b3a716fa613391dc54244f7a894088de36b6a303: snapshot recent-both I have tested this patch and have discovered a bug. If the user makes a rollback which trigger the patch's test to not allow to make a rollback if a more recent snapshot exists the vm will be left in a locked state effectively blocking all further interaction with vm until running qm unlock from cli. I will provide a patch later this evening. -- Hilsen/Regards Michael Rasmussen Get my public GnuPG keys: michael at rasmussen dot cc http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0xD3C9A00E mir at datanom dot net http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0xE501F51C mir at miras dot org http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0xE3E80917 -- /usr/games/fortune -es says: NOWPRINT. NOWPRINT. Clemclone, back to the shadows again. -- The Firesign Theater signature.asc Description: PGP signature ___ pve-devel mailing list pve-devel@pve.proxmox.com http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
Re: [pve-devel] zfs plugin improvements
On Fri, 16 May 2014 20:25:41 +0200 Michael Rasmussen m...@datanom.net wrote: On Mon, 12 May 2014 01:09:38 +0200 Michael Rasmussen m...@datanom.net wrote: commit b3a716fa613391dc54244f7a894088de36b6a303: snapshot recent-both I have tested this patch and have discovered a bug. If the user makes a rollback which trigger the patch's test to not allow to make a rollback if a more recent snapshot exists the vm will be left in a locked state effectively blocking all further interaction with vm until running qm unlock from cli. I will provide a patch later this evening. After considerations I have come to the conclusion that this is intentional since the lock is controlled higher up in the chain of commands (QemuServer.pm). This is therefore no bug. I consider the waiting patches ready for inclusion. -- Hilsen/Regards Michael Rasmussen Get my public GnuPG keys: michael at rasmussen dot cc http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0xD3C9A00E mir at datanom dot net http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0xE501F51C mir at miras dot org http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0xE3E80917 -- /usr/games/fortune -es says: I can't decide whether to commit suicide or go bowling. -- Florence Henderson signature.asc Description: PGP signature ___ pve-devel mailing list pve-devel@pve.proxmox.com http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
Re: [pve-devel] firewall rules format
As long as it is unique. But for now I want to keep things simple. We just need to decide if we move from position based arguments to named arguments. Yes, keep it simple in ACCEPT(MACRO) -i net0 -source 192.168.2.0 -dest 1.2.3.4 -p tcp -dport 80 -sport 20 seem to be enough - Mail original - De: Dietmar Maurer diet...@proxmox.com À: Michael Rasmussen m...@datanom.net, pve-devel@pve.proxmox.com Envoyé: Vendredi 16 Mai 2014 19:50:22 Objet: Re: [pve-devel] firewall rules format But above syntax is basically iptables format, with some simplifications ;-) Or what would you change exactly? -source - -s -dest - -d The getopt-long parser usually accept several option format, like: --source -source -s As long as it is unique. But for now I want to keep things simple. We just need to decide if we move from position based arguments to named arguments. ___ pve-devel mailing list pve-devel@pve.proxmox.com http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel ___ pve-devel mailing list pve-devel@pve.proxmox.com http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel