Re: [pve-devel] Request for improvement of Network handling regarding LXC

2017-07-20 Thread Tom Weber
On Thursday, 20.07.2017, 15:00 +0200, Wolfgang Bumiller wrote: > On Thu, Jul 20, 2017 at 01:22:58PM +0200, Tom Weber wrote: > > > > Hi there, > > > > i'm currently evaluating the PVE environment as a replacement for > > my > > custom KVM+LXC+DRBD set

[pve-devel] Request for improvement of Network handling regarding LXC

2017-07-20 Thread Tom Weber
Hi there, i'm currently evaluating the PVE environment as a replacement for my custom KVM+LXC+DRBD setup I'm running so far. Playing with (privileged) containers I figured that IP configuration is always done from inside the container. My usual setup is setting the (static) IP of the container

Re: [pve-devel] Request for improvement of Network handling regarding LXC

2017-07-20 Thread Tom Weber
On Thursday, 20.07.2017, 13:31 +0200, Michael Rasmussen wrote: > On Thu, 20 Jul 2017 13:22:58 +0200 > Tom Weber <p...@junkyard.4t2.com> wrote: > > > > > + if (defined($d->{ip}) and ($d->{ip} ne "dhcp")) { > > + $raw .= &quo

Re: [pve-devel] [PATCH Storage] LVM Striping

2017-07-27 Thread Tom Weber
On Wednesday, 26.07.2017, 20:44 +0200, Martin Lablans wrote: > Dear all, > > this patch will change the LVM storage plugin to create striped > rather > than linear logical volumes, which can multiply the throughput for  > volume groups backed by several controllers or network paths. > > The

[pve-devel] debian 9.1 LXC unsupported

2017-07-24 Thread Tom Weber
With debian bumping its stretch Version Number to 9.1, the check in /usr/share/perl5/PVE/LXC/Setup/Debian.pm fails. # lxc-start -F -n 14433 unsupported debian version '9.1' ... I fixed it for me like this: --- /usr/share/perl5/PVE/LXC/Setup/Debian.pm.orig 2017-07-24 11:25:37.601390691

Re: [pve-devel] [PATCH Storage] Newly created LVM volumes are now created with a number of stripes equal to the number of physical volumes in a volume group.

2017-07-31 Thread Tom Weber
On Sunday, 30.07.2017, 10:52 +0200, Martin Lablans wrote: > Of course it would be preferable to leave this in the admin's hand > via  > system-wide LVM configuration. This would also give Tom the > flexibility  > for his setup. However, I don't know a way to achieve striping in > LVM  >

[pve-devel] [PATCH] Firewall Improvements

2017-09-14 Thread Tom Weber
See mail Firewall Improvements Tom Weber (1):   prepare code for more generic firewall logging  src/PVE/Firewall.pm | 168 +++-  1 file changed, 99 insertions(+), 69 deletions(-)

[pve-devel] Firewall Improvements

2017-09-14 Thread Tom Weber
Hi all, last week I reported a problem with firewall logging. After looking deeper into Firewall.pm I have a better understanding of the problems I first had with using the Firewall as a rather fresh PVE User: - the different levels of log_level_in / out don't make sense to me. Firewall.pm uses

Re: [pve-devel] [PATCH] prepare code for more generic firewall logging

2017-09-18 Thread Tom Weber
On Monday, 18.09.2017, 13:34 +0200, Dietmar Maurer wrote: > > > > With that in mind, I have no objections to this patch (or a version > > of > > it, see the inline comments below). > But logging all Dropped package would produce an incredible amount of > logs? That's why I'd like to have a

Re: [pve-devel] [PATCH] prepare code for more generic firewall logging

2017-09-18 Thread Tom Weber
avoid this. if you don't mind i'll send the next version to you directly just to let you verify the cosmetic things before cluttering the list again :)  > On Thu, Sep 14, 2017 at 07:08:54PM +0200, Tom Weber wrote: > > > > making ruleset generation aware of a match and action > > part

[pve-devel] [PATCH] prepare code for more generic firewall logging

2017-09-14 Thread Tom Weber
making ruleset generation aware of a match and action part in iptable rules. code will generate the same iptables as before! (except for a few additional spaces between match and action). ---  src/PVE/Firewall.pm | 168 +++-  1 file changed, 99

Re: [pve-devel] [PATCH container] Fix restore with multiple mountpoints

2017-10-09 Thread Tom Weber
Anyone care about this? I have two cases of containers where i have to manually fix after a restore.   Tom On Tuesday, 26.09.2017, 15:29 +0200, Tom Weber wrote: > If you use mountpoints inside a container, and change ownership of > these, a restore of the CT will reset them to roo

Re: [pve-devel] better firewall logging possible?

2017-09-06 Thread Tom Weber
Hi,  thanks for the quick reply. it doesn't seem to be that easy though. this one compiles: --- Firewall.pm.ORIG2017-09-06 11:27:00.158674622 +0200 +++ Firewall.pm 2017-09-06 11:39:07.801620128 +0200 @@ -2119,8 +2119,13 @@   if ($ipversion == 6 && !$options->{radv}) {  

[pve-devel] better firewall logging possible?

2017-09-05 Thread Tom Weber
Hi there, today I had to figure the hard way that the Firewall Option 'IP filter' (at least in PVE 5.0 for Containers) drops packets silently without any logging at all, even if the log_level_* is set. If I set the log_level, I'd expect to see _all_ dropped packets in the Log. (This gave me a

Re: [pve-devel] better firewall logging possible?

2017-09-06 Thread Tom Weber
Hi, this patch compiles, but it won't work. it still DROPs without logging. Now it logs the packets that don't get dropped. The first DROP stops the evaluation of the chain. Everything else gets logged. Chain veth144010i2-OUT (1 references)  pkts bytes target prot opt in out source 

Re: [pve-devel] better firewall logging possible?

2017-09-06 Thread Tom Weber
Attached patch works for me regarding and tested with ipfilter Option. I also added logging for the 2 other silent DROPs above - untested though. Maybe someone could verify and even commit (no git repository for pve over here - yet)   Tom Am Mittwoch, den 06.09.2017, 16:24 +0200 schrieb Tom

Re: [pve-devel] [PATCH] add log for ipfilter, macfilter && ipv6 router-advertisement

2017-09-07 Thread Tom Weber
Hi Alexandre, i can test it later, thanks. 2 comments though. On Thursday, 07.09.2017, 03:22 +0200, Alexandre Derumier wrote: > +my ($ruleset, $chain, $ipversion, $options, $macaddr, > $ipfilter_ipset, $direction, $vmid) = @_; > + > +my $lc_direction = lc($direction); > +my

Re: [pve-devel] [PATCH] add log for ipfilter, macfilter && ipv6 router-advertisement

2017-09-07 Thread Tom Weber
On Thursday, 07.09.2017, 09:30 +0200, Alexandre DERUMIER wrote: > > > > > > > > you are aware that $rule is used elsewhere and in a totally > > > different  > > > way? just look in ruleset_add_group_rule. That's why I named it  > > > $matchrule initially to avoid confusion.  > we already

[pve-devel] [PATCH v2 firewall 4/4] convert string based rule definitions to hashes

2017-09-26 Thread Tom Weber
--- src/PVE/Firewall.pm | 220 1 file changed, 117 insertions(+), 103 deletions(-) diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index f8a9300..179617a 100644 --- a/src/PVE/Firewall.pm +++ b/src/PVE/Firewall.pm @@ -142,6 +142,20 @@ my

[pve-devel] [PATCH v2 firewall 2/4] prepare code for more generic firewall logging

2017-09-26 Thread Tom Weber
making ruleset generation aware of a match and action part in iptable rules. code will generate the same iptables as before! (except for a few additional spaces between match and action). --- src/PVE/Firewall.pm | 166 ++-

[pve-devel] [PATCH v2 firewall 0/4] Firewall improvements

2017-09-26 Thread Tom Weber
second version, far from finished but trying to reorganize things without breaking what exists. generates the same rules as before. feedback welcome. Tom Weber (4): remove unused $rule_format prepare code for more generic firewall logging integrate logging into ruleset_addrule convert

[pve-devel] [PATCH v2 firewall 3/4] integrate logging into ruleset_addrule

2017-09-26 Thread Tom Weber
--- src/PVE/Firewall.pm | 33 ++--- 1 file changed, 10 insertions(+), 23 deletions(-) diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index f1aecef..f8a9300 100644 --- a/src/PVE/Firewall.pm +++ b/src/PVE/Firewall.pm @@ -2002,10 +2002,14 @@ sub

[pve-devel] [PATCH v2 firewall 1/4] remove unused $rule_format

2017-09-26 Thread Tom Weber
--- src/PVE/Firewall.pm | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index cc81325..5d78686 100644 --- a/src/PVE/Firewall.pm +++ b/src/PVE/Firewall.pm @@ -1648,8 +1648,6 @@ sub enable_bridge_firewall { $bridge_firewall_enabled = 1; } -my

[pve-devel] [PATCH container] remove --skip-old-files from tar restore options

2017-09-26 Thread Tom Weber
this breaks ownership of mountpoints in containers (leaves them at root:root) --- src/PVE/LXC/Create.pm | 5 - 1 file changed, 5 deletions(-) diff --git a/src/PVE/LXC/Create.pm b/src/PVE/LXC/Create.pm index 1f21e06..ac632de 100644 --- a/src/PVE/LXC/Create.pm +++ b/src/PVE/LXC/Create.pm @@

[pve-devel] [PATCH container] Fix restore with multiple mountpoints

2017-09-26 Thread Tom Weber
touch these dirs then. I don't see why one would need --skip-old-files for a restore job (or did I miss something?) Tom Weber (1): remove --skip-old-files from tar restore options src/PVE/LXC/Create.pm | 5 - 1 file changed, 5 deletions(-) -- 2.7.4

Re: [pve-devel] [PATCH v2 firewall 4/4] convert string based rule definitions to hashes

2017-09-27 Thread Tom Weber
temporary ugliness' approaches at places that I intend to replace anyway. On Wednesday, 27.09.2017, 09:53 +0200, Wolfgang Bumiller wrote: > On Wed, Sep 27, 2017 at 12:02:33AM +0200, Tom Weber wrote: > > > > --- > >  src/PVE/Firewall.pm | 220 ---

Re: [pve-devel] [PATCH v2 firewall 4/4] convert string based rule definitions to hashes

2017-09-27 Thread Tom Weber
On Wednesday, 27.09.2017, 11:53 +0200, Wolfgang Bumiller wrote: > On Wed, Sep 27, 2017 at 12:02:33AM +0200, Tom Weber wrote: > > > > --- > > +'PVEFW-smurflog' => [ > > + { action => 'DROP', logmsg => 'DROP: ' }, > > +], > > +   

Re: [pve-devel] [PATCH v2 firewall 4/4] convert string based rule definitions to hashes

2017-09-27 Thread Tom Weber
On Wednesday, 27.09.2017, 11:51 +0200, Wolfgang Bumiller wrote: > On Wed, Sep 27, 2017 at 11:09:29AM +0200, Tom Weber wrote: > > > > My goal are defined structures for rules, chains, macros (which i > > think > > are just arrays of "rule temp

[pve-devel] [PATCH v3 firewall 05/13] make $pve_std_chains a copy of $pve_std_chains_conf

2017-10-09 Thread Tom Weber
create a new $pve_std_chains with $pve_std_chains_conf as template on every compilation of the rules. This avoids persistent changes to the $pve_std_chains and makes it easier to read the std_chains configuration from external config files (later to implement). --- src/PVE/Firewall.pm | 9

[pve-devel] [PATCH v3 firewall 01/13] remove unused $rule_format

2017-10-09 Thread Tom Weber
--- src/PVE/Firewall.pm | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index cc81325..5d78686 100644 --- a/src/PVE/Firewall.pm +++ b/src/PVE/Firewall.pm @@ -1648,8 +1648,6 @@ sub enable_bridge_firewall { $bridge_firewall_enabled = 1; } -my

[pve-devel] [PATCH v3 firewall 11/13] cleanup parameters to ruleset_generate_rule

2017-10-09 Thread Tom Weber
remove $actions and $goto - not used anymore --- src/PVE/Firewall.pm | 19 +++ 1 file changed, 7 insertions(+), 12 deletions(-) diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index d9c2347..d249f7a 100644 --- a/src/PVE/Firewall.pm +++ b/src/PVE/Firewall.pm @@ -2050,7

[pve-devel] [PATCH v3 firewall 03/13] integrate logging into ruleset_addrule

2017-10-09 Thread Tom Weber
--- src/PVE/Firewall.pm | 33 ++--- 1 file changed, 10 insertions(+), 23 deletions(-) diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index f1aecef..ad59267 100644 --- a/src/PVE/Firewall.pm +++ b/src/PVE/Firewall.pm @@ -2002,10 +2002,14 @@ sub

[pve-devel] [PATCH v3 firewall 02/13] prepare code for more generic firewall logging

2017-10-09 Thread Tom Weber
making ruleset generation aware of a match and action part in iptable rules. code will generate the same iptables as before! (except for a few additional spaces between match and action). --- src/PVE/Firewall.pm | 166 ++-

[pve-devel] [PATCH v3 firewall 04/13] convert string based rule definitions to hashes

2017-10-09 Thread Tom Weber
also extending %rule with log,logmsg,match,target --- src/PVE/Firewall.pm | 223 1 file changed, 120 insertions(+), 103 deletions(-) diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index ad59267..634ff90 100644 --- a/src/PVE/Firewall.pm

[pve-devel] [PATCH v3 firewall 10/13] rule_substitude_action, remove ruleset_generate_rule_old

2017-10-09 Thread Tom Weber
implement rule_substitude_action eliminate use of ruleset_genereate_rule_old and remove it --- src/PVE/Firewall.pm | 73 ++--- 1 file changed, 24 insertions(+), 49 deletions(-) diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index

[pve-devel] [PATCH v3 firewall 09/13] remove unused ruleset_generate_cmdstr

2017-10-09 Thread Tom Weber
--- src/PVE/Firewall.pm | 11 --- 1 file changed, 11 deletions(-) diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index b492086..633aa7a 100644 --- a/src/PVE/Firewall.pm +++ b/src/PVE/Firewall.pm @@ -2040,17 +2040,6 @@ sub ruleset_generate_action { return scalar(@cmd) ?

[pve-devel] [PATCH v3 firewall 00/13] Firewall code cleanups

2017-10-09 Thread Tom Weber
third version. mostly converting rules into structures. reorganized ruleset_generate_rule and everything around it. please note that some of the stuff implemented in the first patches gets eliminated later. So maybe it's worth reading all patches before flaming me ;-) Tom Weber (13): remove

[pve-devel] [PATCH v3 firewall 06/13] eliminate unused nbdport in pve_std_chains_conf

2017-10-09 Thread Tom Weber
--- src/PVE/Firewall.pm | 20 ++-- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index c7ddd10..f009e58 100644 --- a/src/PVE/Firewall.pm +++ b/src/PVE/Firewall.pm @@ -586,10 +586,10 @@ $pve_std_chains_conf->{4} = {

[pve-devel] [PATCH v3 firewall 07/13] iptables address matching in own subroutine

2017-10-09 Thread Tom Weber
put generation of iptables source/destination address matching in own subroutine and use this in ruleset_generate_match --- src/PVE/Firewall.pm | 104 1 file changed, 47 insertions(+), 57 deletions(-) diff --git a/src/PVE/Firewall.pm

[pve-devel] [PATCH v3 firewall 13/13] remove ruleset_generate_match, ruleset_generate_action

2017-10-09 Thread Tom Weber
ruleset_generate_match and ruleset_generate_action not used anymore --- src/PVE/Firewall.pm | 97 - 1 file changed, 97 deletions(-) diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index 65ea132..9b78acb 100644 --- a/src/PVE/Firewall.pm

[pve-devel] [PATCH v3 firewall 08/13] implement ipt_rule_to_cmds, ruleset_add_ipt_cmd

2017-10-09 Thread Tom Weber
ipt_rule_to_cmds converts a %rule to an array of iptables commands ruleset_add_ipt_cmd adds such an iptables command to a chain ruleset_generate_rule uses these now ruleset_generate_rule_old is an interim workaround --- src/PVE/Firewall.pm | 151

[pve-devel] [PATCH v3 firewall 12/13] remove unused ruleset_generate_rule_insert

2017-10-09 Thread Tom Weber
--- src/PVE/Firewall.pm | 12 1 file changed, 12 deletions(-) diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index d249f7a..65ea132 100644 --- a/src/PVE/Firewall.pm +++ b/src/PVE/Firewall.pm @@ -2070,18 +2070,6 @@ sub ruleset_generate_rule { } } -sub

Re: [pve-devel] [PATCH v3 firewall 00/13] Firewall code cleanups

2017-10-18 Thread Tom Weber
On Wednesday, 18.10.2017, 12:44 +0200, Wolfgang Bumiller wrote: > On Mon, Oct 09, 2017 at 12:16:18PM +0200, Tom Weber wrote: > > > > third version. mostly converting rules into structures. > > reorganized ruleset_generate_rule and everything around it. > > please

[pve-devel] [PATCH v4 firewall 06/13] eliminate unused nbdport in pve_std_chains_conf

2017-10-18 Thread Tom Weber
Signed-off-by: Tom Weber <p...@junkyard.4t2.com> --- src/PVE/Firewall.pm | 20 ++-- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index c7ddd10..f009e58 100644 --- a/src/PVE/Firewall.pm +++ b/src/PVE/Firew

[pve-devel] [PATCH v4 firewall 10/13] rule_substitude_action, remove ruleset_generate_rule_old

2017-10-18 Thread Tom Weber
implement rule_substitude_action eliminate use of ruleset_genereate_rule_old and remove it Signed-off-by: Tom Weber <p...@junkyard.4t2.com> --- src/PVE/Firewall.pm | 73 ++--- 1 file changed, 24 insertions(+), 49 deletions(-) diff --git a/s

[pve-devel] [PATCH v4 firewall 04/13] convert string based rule definitions to hashes

2017-10-18 Thread Tom Weber
also extending %rule with log,logmsg,match,target Signed-off-by: Tom Weber <p...@junkyard.4t2.com> --- src/PVE/Firewall.pm | 223 1 file changed, 120 insertions(+), 103 deletions(-) diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm

[pve-devel] [PATCH v4 firewall 07/13] iptables address matching in own subroutine

2017-10-18 Thread Tom Weber
put generation of iptables source/destination address matching in own subroutine and use this in ruleset_generate_match Signed-off-by: Tom Weber <p...@junkyard.4t2.com> --- src/PVE/Firewall.pm | 104 1 file changed, 47 insertions(

[pve-devel] [PATCH v4 firewall 12/13] remove unused ruleset_generate_rule_insert

2017-10-18 Thread Tom Weber
Signed-off-by: Tom Weber <p...@junkyard.4t2.com> --- src/PVE/Firewall.pm | 12 1 file changed, 12 deletions(-) diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index 4821759..8d36175 100644 --- a/src/PVE/Firewall.pm +++ b/src/PVE/Firewall.pm @@ -2070,18 +2070,6

[pve-devel] [PATCH v4 firewall 11/13] cleanup parameters to ruleset_generate_rule

2017-10-18 Thread Tom Weber
remove $actions and $goto - not used anymore Signed-off-by: Tom Weber <p...@junkyard.4t2.com> --- src/PVE/Firewall.pm | 19 +++ 1 file changed, 7 insertions(+), 12 deletions(-) diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index 95e00bd..4821759 100644 --- a/s

[pve-devel] [PATCH v4 firewall 13/13] remove ruleset_generate_match, ruleset_generate_action

2017-10-18 Thread Tom Weber
ruleset_generate_match and ruleset_generate_action not used anymore Signed-off-by: Tom Weber <p...@junkyard.4t2.com> --- src/PVE/Firewall.pm | 97 - 1 file changed, 97 deletions(-) diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm

[pve-devel] [PATCH v4 firewall 00/13] Firewall code cleanups

2017-10-18 Thread Tom Weber
4th version. third version with signed off lines make $pve_std_chains a copy of $pve_std_chains_conf is optional Tom Weber (13): remove unused $rule_format prepare code for more generic firewall logging integrate logging into ruleset_addrule convert string based rule definitions to hashes

[pve-devel] [PATCH v4 firewall 09/13] remove unused ruleset_generate_cmdstr

2017-10-18 Thread Tom Weber
Signed-off-by: Tom Weber <p...@junkyard.4t2.com> --- src/PVE/Firewall.pm | 11 --- 1 file changed, 11 deletions(-) diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index b492086..633aa7a 100644 --- a/src/PVE/Firewall.pm +++ b/src/PVE/Firewall.pm @@ -2040,17 +2040,6

[pve-devel] [PATCH v4 firewall 01/13] remove unused $rule_format

2017-10-18 Thread Tom Weber
Signed-off-by: Tom Weber <p...@junkyard.4t2.com> --- src/PVE/Firewall.pm | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index cc81325..5d78686 100644 --- a/src/PVE/Firewall.pm +++ b/src/PVE/Firewall.pm @@ -1648,8 +1648,6

[pve-devel] [PATCH v4 firewall 02/13] prepare code for more generic firewall logging

2017-10-18 Thread Tom Weber
making ruleset generation aware of a match and action part in iptable rules. code will generate the same iptables as before! (except for a few additional spaces between match and action). Signed-off-by: Tom Weber <p...@junkyard.4t2.com> --- src/PVE/Firewall.pm

[pve-devel] [PATCH v4 firewall 03/13] integrate logging into ruleset_addrule

2017-10-18 Thread Tom Weber
Signed-off-by: Tom Weber <p...@junkyard.4t2.com> --- src/PVE/Firewall.pm | 33 ++--- 1 file changed, 10 insertions(+), 23 deletions(-) diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index f1aecef..ad59267 100644 --- a/src/PVE/Firewall.pm +++ b/s

[pve-devel] [PATCH v4 firewall 05/13] make $pve_std_chains a copy of $pve_std_chains_conf

2017-10-18 Thread Tom Weber
create a new $pve_std_chains with $pve_std_chains_conf as template on every compilation of the rules. This avoids persistent changes to the $pve_std_chains and makes it easier to read the std_chains configuration from external config files (later to implement). Signed-off-by: Tom Weber &l

[pve-devel] [PATCH v4 firewall 08/13] implement ipt_rule_to_cmds, ruleset_add_ipt_cmd

2017-10-18 Thread Tom Weber
ipt_rule_to_cmds converts a %rule to an array of iptables commands ruleset_add_ipt_cmd adds such an iptables command to a chain ruleset_generate_rule uses these now ruleset_generate_rule_old is an interim workaround Signed-off-by: Tom Weber <p...@junkyard.4t2.com> --- src/PVE/Firewall.pm

Re: [pve-devel] Firewall hooks

2018-03-23 Thread Tom Weber
On Thursday, 22.03.2018, 12:28 +0100, Harald Leithner wrote: > Hi, > > it seems that there are no firewall hooks in pve-firewall is this > correct? IIRC, yes. > I would like to add my own action before, after the firewall  > configuration for a VM is stop,started or reloaded. [..] > Is

Re: [pve-devel] pve-firewall : nftables ?

2018-11-28 Thread Tom Weber
On Tuesday, 27.11.2018, 14:55 +0100, Wolfgang Bumiller wrote: > The pve-firewall code is very iptables-oriented though, and I'm not > sure > if maybe we're not better off splitting the rule-generating part out > and write the nftables variant from scratch... The iptables part > would > be

Re: [pve-devel] pve-firewall : can't have log on drop/reject rules

2018-11-22 Thread Tom Weber
On Wednesday, 21.11.2018, 18:40 +0100, Alexandre DERUMIER wrote: > Hi, > > I'm not sure it was working before, > > but I can't get any log for a vm rule with a drop/reject. > > It only works with default vm drop/reject action. Yes. > I found an old patch about adding log by rules  >

Re: [pve-devel] rfc : pve-network : idea to generate and reload config accross the nodes

2019-04-04 Thread Tom Weber
On Wednesday, 03.04.2019, 07:03 +0200, Dietmar Maurer wrote: > > I think, something easy, is that we could have a copy of each > > /etc/network/interfaces of each node in > > /etc/pve/nodes//interfaces. > > (could be done we a change is done in gui local network, or local > > network daemon

[pve-devel] firewall: Razor Macro broken and opens Firewall

2019-03-30 Thread Tom Weber
Hi, in the middle of a weekend migration i realized that the 'Razor' Macro is broken and basically disables ALL firewalling for a Container, at least when used in a Security Group. Looking at Firewall.pm .. 'RNDC' => [ "BIND remote management protocol", { action => 'PARAM',

Re: [pve-devel] [RFC container] mountpoints: create parent dirs with correct owner

2019-07-24 Thread Tom Weber
it seems like you're working in an area of code that could also be relevant for my (small) problem from: https://pve.proxmox.com/pipermail/pve-devel/2017-September/028814.html https://pve.proxmox.com/pipermail/pve-devel/2017-October/029004.html or maybe this could also be a problem if your mps