net: use pve-firewall helper for deciding whether to create fw bridges

pve-firewall introduced a new helper for deciding whether to create a
firewall bridge for a given tap interface. In addition to checking for
nftables, it also checks for the type of the bridge. This fixes an
issue with OVS and the nftables firewall, where firewall bridges are
still required in order for the guest firewall to work and the new
helper in pve-firewall checks for that condition now.

Previously, only the vm network script checked the condition for
creating a firewall bridge properly, but not the function for
hotplugging VM network devices. This caused a firewall bridge to
always get created when hotplugging a network device. The additional
firewall bridge had no influence on the functionality of nftables, but
was unnecessary.

For that matter a helper in qemu-server is introduced that should be
used by all call sites.

Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
Reviewed-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
FG: adapted context slightly
FG: bump versioned dependency
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>

debian/control

@@ -50,7 +50,7 @@ Depends: dbus,
 # TODO: make legacy edk2 optional (suggests) for PVE 9 and warn explicitly about it
          pve-edk2-firmware-legacy | pve-edk2-firmware (<< 4~),
          pve-edk2-firmware-ovmf (>= 4.2025.02-3),
-         pve-firewall (>= 5.0.4),
+         pve-firewall (>= 6.0.1),
          pve-ha-manager (>= 3.0-9),
          pve-qemu-kvm (>= 7.1~),
          socat,

src/PVE/QemuServer.pm

@@ -36,7 +36,6 @@ use PVE::Mapping::Dir;
 use PVE::Mapping::PCI;
 use PVE::Mapping::USB;
 use PVE::Network::SDN::Vnets;
-use PVE::Network::SDN::Zones;
 use PVE::INotify;
 use PVE::JSONSchema qw(get_standard_option parse_property_string);
 use PVE::ProcFSTools;
@@ -5013,7 +5012,7 @@ sub vmconfig_update_net {
                     );
                 }
 
-                PVE::Network::SDN::Zones::tap_plug(
+                PVE::QemuServer::Network::tap_plug(
                     $iface,
                     $newnet->{bridge},
                     $newnet->{tag},

src/PVE/QemuServer/Network.pm

@@ -4,6 +4,7 @@ use strict;
 use warnings;
 
 use PVE::Cluster;
+use PVE::Firewall::Helpers;
 use PVE::JSONSchema qw(get_standard_option parse_property_string);
 use PVE::Network::SDN::Vnets;
 use PVE::Network::SDN::Zones;
@@ -321,4 +322,11 @@ sub delete_ifaces_ipams_ips {
     }
 }
 
+sub tap_plug {
+    my ($iface, $bridge, $tag, $firewall, $trunks, $rate) = @_;
+
+    $firewall = $firewall && PVE::Firewall::Helpers::needs_fwbr($bridge);
+    PVE::Network::SDN::Zones::tap_plug($iface, $bridge, $tag, $firewall, $trunks, $rate);
+}
+
 1;

src/usr/pve-bridge

@@ -40,18 +40,10 @@ die "unable to get network config '$netid'\n"
 my $net = PVE::QemuServer::Network::parse_net($netconf);
 die "unable to parse network config '$netid'\n" if !$net;
 
-# The nftable-based implementation from the newer proxmox-firewall does not requires FW bridges
-my $create_firewall_bridges = $net->{firewall} && !PVE::Firewall::is_nftables();
-
 PVE::Network::SDN::Vnets::add_dhcp_mapping($net->{bridge}, $net->{macaddr}, $vmid, $conf->{name});
 PVE::Network::SDN::Zones::tap_create($iface, $net->{bridge});
-PVE::Network::SDN::Zones::tap_plug(
-    $iface,
-    $net->{bridge},
-    $net->{tag},
-    $create_firewall_bridges,
-    $net->{trunks},
-    $net->{rate},
+PVE::QemuServer::Network::tap_plug(
+    $iface, $net->{bridge}, $net->{tag}, $net->{firewall}, $net->{trunks}, $net->{rate},
 );
 
 exit 0;