Introduce a new 'scope' field in the return values for the /ref
endpoints. Also add the 'ref' field in the VM endpoint, since it has
been missing up until now.
Signed-off-by: Leo Nunner <l.nunner@proxmox.com>
in the cluster class, we save the cluster config into the 'fw_conf'
variable, and not into 'cluster_conf', which in turn is set to 'undef'
instead.
Signed-off-by: Leo Nunner <l.nunner@proxmox.com>
since they had the same issue as IPSets, detailed in #4556. The format
works the same as for IPSets:
dc/alias
    Looks for the alias on the Datacenter level.
vm/alias
    Looks for the alias on the VM level.
alias
    Uses the previous method of scoping, where it first looks at the
    VM level and then at the Datacenter level.
Signed-off-by: Leo Nunner <l.nunner@proxmox.com>
to differentiate whether they should be taken from the datacenter config
or from the local config. The parser now accepts IPSets in the following
format:
+dc/ipset
    Looks for the IPSet on the Datacenter level.
+vm/ipset
    Looks for the IPSet on the VM level.
+ipset
    Uses the previous method of scoping, where it first looks at the
    VM level and then at the Datacenter level.
Signed-off-by: Leo Nunner <l.nunner@proxmox.com>
and only call lintian for the dsc target, as otherwise sbuild already
takes care of that (avoid duplicate work)
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
The DEB_BUILD_ARCH is the one from the build host, the DEB_HOST_ARCH
is the one the package is built for, so the latter is the correct one
here.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
The NOVIEW variable is useless now anyway, and the cleanup-docgen
target is a bit dangerous (removes _all_ *.adoc files) and it's just
a single line, so avoid complexity.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
without these additional conditions, it's possible to break the firewall by
setting an ICMP-type value as dport for non-ICMP protocols, e.g. 'any' for
'tcp'.
by rejecting the invalid rule/parameter, the rest of the ruleset is still
applied properly, and the error messages are a lot more informative as well.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
as that can trigger hard to reproduce/debug bugs; as with such
statements the variable won't be necessarily undef if the post-if
evaluates to false, but rather will hold the (now bogus) value from
the last time it evaluated to true.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
The optional unix epoch timestamp parameters `since` and `until` are introduced
in order to filter firewall log files. If one of these flags is set, also
rotated logfiles are included. This is handled in the `dump_fw_logfile` helper
function. Filtering is now performed based on a callback function passed to
`dump_fw_logfile`.
This patch depends on the corresponding patch in the pve-common repository.
Signed-off-by: Christian Ebner <c.ebner@proxmox.com>
[w.bumiller@proxmox.com: fixup 'continue' -> 'next']
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
They can already be set directly via the cluster.fw file. Net::IP is just a
bit more picky with what it allows:
For example:
error: 192.168.1.155/24
correct: 192.168.1.0/24
This cleans the entered IP and removes the non-zero host bits.
Signed-off-by: Stefan Hrdlicka <s.hrdlicka@proxmox.com>
Currently, trying to delete a non-empty IPSet will throw an error.
Manually deleting all members of the set might be a time-consuming
process, which the force parameter allows to bypass.
Signed-off-by: Leo Nunner <l.nunner@proxmox.com>
When renaming a group, the usages didn't get updated automatically. To
get around problems with atomicity, the old rule is first cloned with the
new name, the usages are updated and only when updating has finished, the
old rule is deleted.
The subroutines that lock/update host configs had to be changed so that
it's possible to lock any config, not just the one of the current host.
Signed-off-by: Leo Nunner <l.nunner@proxmox.com>
while I'm still a bit on the edge about the usefulness of this macro,
it should better convey for what it is, as SPICE itself doesn't
really have a direct port (in PVE that is), but all runs through our
spiceproxy, so name the macro that way.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
uses port 3128 (same as squid)
although it's enabled by default for the "management" ipset, it doesn't
hurt to add it in there.
Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
we only ever add rules to the filter table, without this we'd add all
rules from other tables (which might have been manually filled by the
admin) to the filter table as well - adding another copy on every
iteration of the firewall update cycle!
note that ebtables-restore seems to flush tables contained in its input,
but leave those alone which are not referenced at all.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
MAC filter was enabled as long as the VM firewall config existed even
with an invalid config.
With this change the check now matches the one for CTs.
Signed-off-by: Mira Limbeck <m.limbeck@proxmox.com>
The former is simply new and we can control it, so do so instead of
ignoring it, if it seems worthwhile we can also expose that as
option or do some fancier auto calculation, maybe depending on ipset
size.
The u32 `initval` is a bit different, it's not a config in the exact
traditional sense but would allow to recreate a bit-to-bit
identical save/restore - but we do not really do that and we cannot
pre-calculate that ourselves (or at least I'd rather like to avoid
doing that from perl). So, ignore it actively for now to avoid
false-positive detection in pending changes.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>