On Thursday, 20.07.2017, 15:00 +0200, Wolfgang Bumiller wrote:
> On Thu, Jul 20, 2017 at 01:22:58PM +0200, Tom Weber wrote:
> >
> > Hi there,
> >
> > I'm currently evaluating the PVE environment as a replacement for
> > my
> > custom KVM+LXC+DRBD set
Hi there,
I'm currently evaluating the PVE environment as a replacement for my
custom KVM+LXC+DRBD setup I'm running so far.
Playing with (privileged) containers I figured that IP configuration is
always done from inside the container.
My usual setup is setting the (static) IP of the container
On Thursday, 20.07.2017, 13:31 +0200, Michael Rasmussen wrote:
> On Thu, 20 Jul 2017 13:22:58 +0200
> Tom Weber <p...@junkyard.4t2.com> wrote:
>
> >
> > + if (defined($d->{ip}) and ($d->{ip} ne "dhcp")) {
> > + $raw .= &quo
On Wednesday, 26.07.2017, 20:44 +0200, Martin Lablans wrote:
> Dear all,
>
> this patch will change the LVM storage plugin to create striped
> rather
> than linear logical volumes, which can multiply the throughput for
> volume groups backed by several controllers or network paths.
>
> The
With Debian bumping its stretch version number to 9.1, the check in
/usr/share/perl5/PVE/LXC/Setup/Debian.pm
fails.
# lxc-start -F -n 14433
unsupported debian version '9.1'
...
I fixed it for me like this:
--- /usr/share/perl5/PVE/LXC/Setup/Debian.pm.orig 2017-07-24
11:25:37.601390691
On Sunday, 30.07.2017, 10:52 +0200, Martin Lablans wrote:
> Of course it would be preferable to leave this in the admin's hand
> via
> system-wide LVM configuration. This would also give Tom the
> flexibility
> for his setup. However, I don't know a way to achieve striping in
> LVM
>
See mail Firewall Improvements
Tom Weber (1):
prepare code for more generic firewall logging
src/PVE/Firewall.pm | 168 +++-
1 file changed, 99 insertions(+), 69 deletions(-)
Hi all,
last week I reported a problem with firewall logging.
After looking deeper into Firewall.pm I have a better understanding of
the problems I first had with using the Firewall as a rather fresh PVE
User:
- the different levels of log_level_in / out don't make sense to me.
Firewall.pm uses
On Monday, 18.09.2017, 13:34 +0200, Dietmar Maurer wrote:
> >
> > With that in mind, I have no objections to this patch (or a version
> > of
> > it, see the inline comments below).
> But logging all dropped packages would produce an incredible amount of
> logs?
That's why I'd like to have a
avoid this.
If you don't mind, I'll send the next version to you directly just to
let you verify the cosmetic things before cluttering the list again :)
> On Thu, Sep 14, 2017 at 07:08:54PM +0200, Tom Weber wrote:
> >
> > making ruleset generation aware of a match and action
> > part
making ruleset generation aware of a match and action
part in iptables rules.
code will generate the same iptables as before! (except for
a few additional spaces between match and action).
---
src/PVE/Firewall.pm | 168 +++-
1 file changed, 99
Anyone care about this?
I have two cases of containers where I have to manually fix after a
restore.
Tom
On Tuesday, 26.09.2017, 15:29 +0200, Tom Weber wrote:
> If you use mountpoints inside a container, and change ownership of
> these, a restore of the CT will reset them to roo
Hi,
thanks for the quick reply.
It doesn't seem to be that easy though.
This one compiles:
--- Firewall.pm.ORIG2017-09-06 11:27:00.158674622 +0200
+++ Firewall.pm 2017-09-06 11:39:07.801620128 +0200
@@ -2119,8 +2119,13 @@
if ($ipversion == 6 && !$options->{radv}) {
Hi there,
today I had to figure out the hard way that the Firewall Option 'IP filter'
(at least in PVE 5.0 for Containers) drops packets silently without any
logging at all, even if the log_level_* is set.
If I set the log_level, I'd expect to see _all_ dropped packets in the
Log. (This gave me a
Hi,
This patch compiles, but it won't work.
It still DROPs without logging.
Now it logs the packets that don't get dropped.
The first DROP stops the evaluation of the chain. Everything else gets
logged.
Chain veth144010i2-OUT (1 references)
pkts bytes target prot opt in out source
Attached patch works for me and is tested with the ipfilter option.
I also added logging for the 2 other silent DROPs above - untested
though.
Maybe someone could verify and even commit (no git repository for pve
over here - yet)
Tom
On Wednesday, 06.09.2017, 16:24 +0200, Tom wrote:
Hi Alexandre,
I can test it later, thanks. Two comments though.
On Thursday, 07.09.2017, 03:22 +0200, Alexandre Derumier wrote:
> +my ($ruleset, $chain, $ipversion, $options, $macaddr,
> $ipfilter_ipset, $direction, $vmid) = @_;
> +
> +my $lc_direction = lc($direction);
> +my
On Thursday, 07.09.2017, 09:30 +0200, Alexandre DERUMIER wrote:
> >
> > >
> > > you are aware that $rule is used elsewhere and in a totally
> > > different
> > > way? just look in ruleset_add_group_rule. That's why I named it
> > > $matchrule initially to avoid confusion.
> we already
---
src/PVE/Firewall.pm | 220
1 file changed, 117 insertions(+), 103 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index f8a9300..179617a 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -142,6 +142,20 @@ my
making ruleset generation aware of a match and action
part in iptables rules.
code will generate the same iptables as before! (except for
a few additional spaces between match and action).
---
src/PVE/Firewall.pm | 166 ++-
second version, far from finished but trying to reorganize things
without breaking what exists. generates the same rules as before.
feedback welcome.
Tom Weber (4):
remove unused $rule_format
prepare code for more generic firewall logging
integrate logging into ruleset_addrule
convert
---
src/PVE/Firewall.pm | 33 ++---
1 file changed, 10 insertions(+), 23 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index f1aecef..f8a9300 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -2002,10 +2002,14 @@ sub
---
src/PVE/Firewall.pm | 2 --
1 file changed, 2 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index cc81325..5d78686 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1648,8 +1648,6 @@ sub enable_bridge_firewall {
$bridge_firewall_enabled = 1;
}
-my
this breaks ownership of mountpoints in containers
(leaves them at root:root)
---
src/PVE/LXC/Create.pm | 5 -
1 file changed, 5 deletions(-)
diff --git a/src/PVE/LXC/Create.pm b/src/PVE/LXC/Create.pm
index 1f21e06..ac632de 100644
--- a/src/PVE/LXC/Create.pm
+++ b/src/PVE/LXC/Create.pm
@@
touch these dirs then.
I don't see why one would need --skip-old-files for a restore job (or
did I miss something?)
Tom Weber (1):
remove --skip-old-files from tar restore options
src/PVE/LXC/Create.pm | 5 -
1 file changed, 5 deletions(-)
--
2.7.4
temporary ugliness' approaches at places that I intend to replace
anyway.
On Wednesday, 27.09.2017, 09:53 +0200, Wolfgang Bumiller wrote:
> On Wed, Sep 27, 2017 at 12:02:33AM +0200, Tom Weber wrote:
> >
> > ---
> > src/PVE/Firewall.pm | 220 ---
On Wednesday, 27.09.2017, 11:53 +0200, Wolfgang Bumiller wrote:
> On Wed, Sep 27, 2017 at 12:02:33AM +0200, Tom Weber wrote:
> >
> > ---
> > +'PVEFW-smurflog' => [
> > + { action => 'DROP', logmsg => 'DROP: ' },
> > +],
> > +
On Wednesday, 27.09.2017, 11:51 +0200, Wolfgang Bumiller wrote:
> On Wed, Sep 27, 2017 at 11:09:29AM +0200, Tom Weber wrote:
> >
> > My goal is defined structures for rules, chains, macros (which I
> > think
> > are just arrays of "rule temp
create a new $pve_std_chains with $pve_std_chains_conf as template on
every compilation of the rules. This avoids persistent changes to the
$pve_std_chains and makes it easier to read the std_chains configuration
from external config files (later to implement).
---
src/PVE/Firewall.pm | 9
---
src/PVE/Firewall.pm | 2 --
1 file changed, 2 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index cc81325..5d78686 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1648,8 +1648,6 @@ sub enable_bridge_firewall {
$bridge_firewall_enabled = 1;
}
-my
remove $actions and $goto - not used anymore
---
src/PVE/Firewall.pm | 19 +++
1 file changed, 7 insertions(+), 12 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index d9c2347..d249f7a 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -2050,7
---
src/PVE/Firewall.pm | 33 ++---
1 file changed, 10 insertions(+), 23 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index f1aecef..ad59267 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -2002,10 +2002,14 @@ sub
making ruleset generation aware of a match and action
part in iptables rules.
code will generate the same iptables as before! (except for
a few additional spaces between match and action).
---
src/PVE/Firewall.pm | 166 ++-
also extending %rule with log,logmsg,match,target
---
src/PVE/Firewall.pm | 223
1 file changed, 120 insertions(+), 103 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index ad59267..634ff90 100644
--- a/src/PVE/Firewall.pm
implement rule_substitude_action
eliminate use of ruleset_genereate_rule_old and remove it
---
src/PVE/Firewall.pm | 73 ++---
1 file changed, 24 insertions(+), 49 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index
---
src/PVE/Firewall.pm | 11 ---
1 file changed, 11 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index b492086..633aa7a 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -2040,17 +2040,6 @@ sub ruleset_generate_action {
return scalar(@cmd) ?
third version. mostly converting rules into structures.
reorganized ruleset_generate_rule and everything around it.
please note that some of the stuff implemented in the first patches
gets eliminated later. So maybe it's worth reading all patches before
flaming me ;-)
Tom Weber (13):
remove
---
src/PVE/Firewall.pm | 20 ++--
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index c7ddd10..f009e58 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -586,10 +586,10 @@ $pve_std_chains_conf->{4} = {
put generation of iptables source/destination address matching
in own subroutine and use this in ruleset_generate_match
---
src/PVE/Firewall.pm | 104
1 file changed, 47 insertions(+), 57 deletions(-)
diff --git a/src/PVE/Firewall.pm
ruleset_generate_match and ruleset_generate_action not used anymore
---
src/PVE/Firewall.pm | 97 -
1 file changed, 97 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 65ea132..9b78acb 100644
--- a/src/PVE/Firewall.pm
ipt_rule_to_cmds converts a %rule to an array of iptables commands
ruleset_add_ipt_cmd adds such an iptables command to a chain
ruleset_generate_rule uses these now
ruleset_generate_rule_old is an interim workaround
---
src/PVE/Firewall.pm | 151
---
src/PVE/Firewall.pm | 12
1 file changed, 12 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index d249f7a..65ea132 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -2070,18 +2070,6 @@ sub ruleset_generate_rule {
}
}
-sub
On Wednesday, 18.10.2017, 12:44 +0200, Wolfgang Bumiller wrote:
> On Mon, Oct 09, 2017 at 12:16:18PM +0200, Tom Weber wrote:
> >
> > third version. mostly converting rules into structures.
> > reorganized ruleset_generate_rule and everything around it.
> > please
Signed-off-by: Tom Weber <p...@junkyard.4t2.com>
---
src/PVE/Firewall.pm | 20 ++--
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index c7ddd10..f009e58 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firew
implement rule_substitude_action
eliminate use of ruleset_genereate_rule_old and remove it
Signed-off-by: Tom Weber <p...@junkyard.4t2.com>
---
src/PVE/Firewall.pm | 73 ++---
1 file changed, 24 insertions(+), 49 deletions(-)
diff --git a/s
also extending %rule with log,logmsg,match,target
Signed-off-by: Tom Weber <p...@junkyard.4t2.com>
---
src/PVE/Firewall.pm | 223
1 file changed, 120 insertions(+), 103 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
put generation of iptables source/destination address matching
in own subroutine and use this in ruleset_generate_match
Signed-off-by: Tom Weber <p...@junkyard.4t2.com>
---
src/PVE/Firewall.pm | 104
1 file changed, 47 insertions(
Signed-off-by: Tom Weber <p...@junkyard.4t2.com>
---
src/PVE/Firewall.pm | 12
1 file changed, 12 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 4821759..8d36175 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -2070,18 +2070,6
remove $actions and $goto - not used anymore
Signed-off-by: Tom Weber <p...@junkyard.4t2.com>
---
src/PVE/Firewall.pm | 19 +++
1 file changed, 7 insertions(+), 12 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 95e00bd..4821759 100644
--- a/s
ruleset_generate_match and ruleset_generate_action not used anymore
Signed-off-by: Tom Weber <p...@junkyard.4t2.com>
---
src/PVE/Firewall.pm | 97 -
1 file changed, 97 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
4th version.
third version with signed off lines
make $pve_std_chains a copy of $pve_std_chains_conf is optional
Tom Weber (13):
remove unused $rule_format
prepare code for more generic firewall logging
integrate logging into ruleset_addrule
convert string based rule definitions to hashes
Signed-off-by: Tom Weber <p...@junkyard.4t2.com>
---
src/PVE/Firewall.pm | 11 ---
1 file changed, 11 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index b492086..633aa7a 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -2040,17 +2040,6
Signed-off-by: Tom Weber <p...@junkyard.4t2.com>
---
src/PVE/Firewall.pm | 2 --
1 file changed, 2 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index cc81325..5d78686 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1648,8 +1648,6
making ruleset generation aware of a match and action
part in iptables rules.
code will generate the same iptables as before! (except for
a few additional spaces between match and action).
Signed-off-by: Tom Weber <p...@junkyard.4t2.com>
---
src/PVE/Firewall.pm
Signed-off-by: Tom Weber <p...@junkyard.4t2.com>
---
src/PVE/Firewall.pm | 33 ++---
1 file changed, 10 insertions(+), 23 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index f1aecef..ad59267 100644
--- a/src/PVE/Firewall.pm
+++ b/s
create a new $pve_std_chains with $pve_std_chains_conf as template on
every compilation of the rules. This avoids persistent changes to the
$pve_std_chains and makes it easier to read the std_chains configuration
from external config files (later to implement).
Signed-off-by: Tom Weber &l
ipt_rule_to_cmds converts a %rule to an array of iptables commands
ruleset_add_ipt_cmd adds such an iptables command to a chain
ruleset_generate_rule uses these now
ruleset_generate_rule_old is an interim workaround
Signed-off-by: Tom Weber <p...@junkyard.4t2.com>
---
src/PVE/Firewall.pm
On Thursday, 22.03.2018, 12:28 +0100, Harald Leithner wrote:
> Hi,
>
> it seems that there are no firewall hooks in pve-firewall is this
> correct?
IIRC, yes.
> I would like to add my own action before, after the firewall
> configuration for a VM is stopped, started or reloaded.
[..]
> Is
On Tuesday, 27.11.2018, 14:55 +0100, Wolfgang Bumiller wrote:
> The pve-firewall code is very iptables-oriented though, and I'm not
> sure
> if maybe we're not better off splitting the rule-generating part out
> and write the nftables variant from scratch... The iptables part
> would
> be
On Wednesday, 21.11.2018, 18:40 +0100, Alexandre DERUMIER wrote:
> Hi,
>
> I'm not sure it was working before,
>
> but I can't get any log for a vm rule with a drop/reject.
>
> It's only works with default vm drop/reject action.
Yes.
> I found an old patch about adding log by rules
>
On Wednesday, 03.04.2019, 07:03 +0200, Dietmar Maurer wrote:
> > I think, something easy, is that we could have a copy of each
> > /etc/network/interfaces of each node in
> > /etc/pve/nodes//interfaces.
> > (could be done when a change is done in GUI local network, or local
> > network daemon
Hi, in the middle of a weekend migration I realized that the 'Razor'
Macro is broken and basically disables ALL firewalling for a Container,
at least when used in a Security Group.
Looking at Firewall.pm
..
'RNDC' => [
"BIND remote management protocol",
{ action => 'PARAM',
It seems like you're working in an area of code that could also be
relevant for my (small) problem from:
https://pve.proxmox.com/pipermail/pve-devel/2017-September/028814.html
https://pve.proxmox.com/pipermail/pve-devel/2017-October/029004.html
or maybe this could also be a problem if your mps