This adds the ability to dynamically configure and change the base_url
for the firewall options. This is needed for the SDN firewall dialog,
that updates the firewall components based on the selected vnet. This
avoids having to reinstantiate the component every time the user
selects a new vnet.
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
Tested-by: Hannes Dürr <h.duerr@proxmox.com>

Add the configuration options for vnet-level firewalls to the options
component. Additionally add the new policy_forward configuration
option to the datacenter-level firewall as well.
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
Tested-by: Hannes Dürr <h.duerr@proxmox.com>

There's a new firewall implementation available as the `proxmox-firewall`
package. In contrast to the existing `pve-firewall` package, it is
using nftables directly, not the legacy iptables, and can thus
leverage a modern stack with atomic updates, avoiding the need for
different tools (e.g., ebtables), and not requiring intermediate
firewall bridges to handle VM flow correctly. Additionally, it's
written in Rust, making it more efficient and safer to change.
The new implementation is using the same configuration file as source
and should be mostly the same in semantic behavior; it basically is a
drop-in replacement besides one known issue:

There is currently one major issue that we still need to solve:
REJECTing packets from the guest firewalls is currently not possible
for incoming traffic (it will instead be dropped).
This is due to the fact that we are using the postrouting hook of
nftables in a table with type bridge for incoming traffic. In the
bridge table in the postrouting hook we cannot tell whether the packet
has also been sent to other ports in the bridge (e.g. when a MAC has
not yet been learned and the packet then gets flooded to all bridge
ports). If we would then REJECT a packet in the postrouting hook this
can lead to a bug where the firewall rules for one guest REJECT a
packet and send a response (RST for TCP, ICMP port/host-unreachable
otherwise).
While this is being addressed, and the whole stack is better tested in
general, the new FW will be only enabled if the admin enables a
boolean configuration which this patch exposes on the UI.
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>

factor out the relevant privilege checks in a variable and reuse that,
also add the check in the run_editor (or wrap it with a check) so that
the edit windows don't open with a double click without those privileges
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>

Use enableFn to enable/disable the toolbar buttons according to the
existing privileges.
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
[ D: adapted commit subject and added commit message ]
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>

This patch relies on the corresponding patch to pve-firewall, adding the
user-defined log levels for firewall rules.
By this, the user can select a per-rule log level for self-defined rules. These
are independent of the global log level, which is defined in the firewall options.
Signed-off-by: Christian Ebner <c.ebner@proxmox.com>

This warns the user that the datacenter firewall is disabled when editing the
host or the VM/CT firewall status.
Signed-off-by: Christian Ebner <c.ebner@proxmox.com>

when using the 'run_editor' function provided by the ObjectGrid,
we have to make sure the function runs in the context of the grid,
not in that of the button, else we cannot access the
selectionModel/rows/etc. of the grid
this happened with the switch to the widget toolkit
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
Reviewed-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Tested-by: Thomas Lamprecht <t.lamprecht@proxmox.com>

switch add_boolean and add_integer row to a simple wrapper.
We really use it often and can save quite some lines with it so it
does not make sense to remove it completely yet.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Reviewed-by: Dominik Csapak <d.csapak@proxmox.com>

some functions are now in Proxmox.Utils instead, so we have to use that
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
Reviewed-by: Thomas Lamprecht <t.lamprecht@proxmox.com>

there we implemented deleteEmpty, which we can use in some cases.
this also fixes a bug in the ControllerSelector where
an empty field would be allowed (but should not)
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
Reviewed-by: Thomas Lamprecht <t.lamprecht@proxmox.com>

we always had dhcp enabled by default in the backend, but
showed 'Disabled' on the gui, this patch shows 'Enabled' by default
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>

this adds a subclass of Ext.form.field.Number with the settings for
Integers (allowDecimals: false and allowExponential: false and default
step size 1)
and use it where we only accept integers
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>

The framework value of 100 is not enough for many of our description
fields.
Setting this at the parent component level allows removing
the end component setting.
listen to 'activate' event is needed because of framework changes,
similar to c0b3df6e34
ext6migrate: listen to 'activate' events for panels inside a tabpanel