[pve-devel] [RFC pve-firewall v1 1/1] pve-firewall.service: update-alternatives to {ip, eb}tables-nft

Max R. Carrara m.carrara at proxmox.com
Mon Aug 4 09:53:09 CEST 2025


On Fri Aug 1, 2025 at 6:24 PM CEST, Thomas Lamprecht wrote:
> On 01.08.25 at 18:07, Max R. Carrara wrote:
> >> An implementation option might be using a node-local environment file
> >> sourced by the unit file, e.g.
> >>
> >> Environment="VARIANT=legacy"
> >> EnvironmentFile=-/var/lib/pve-firewall/tables-variant
> >>
> >> ExecStartPre=-/usr/bin/update-alternatives --set ebtables-${VARIANT}
> >> ...
> > That's a good idea actually! I'll see what I can do on Monday.
>
> And FWIW, we do not have to chase down this road, moving the
> whole update-alternatives into a dedicated script might also be an
> option, as it could also make us re-use a node option or the like and
> have the implementation do some error checking before trying to
> execute anything.
> OTOH, if we can really default to the nft based ones in a next
> point release and drop support for switching in PVE 10 or so
> it might not be worth doing much extra work here for something
> that is rather short lived anyway; for me either option is fine
> (if it works naturally ^^), just wanted to avoid that you think
> this is the only acceptable way.

Oh yeah, no worries—I'll see whatever works best, as in, has the best
utility-to-implementation-time ratio :P
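
The dedicated-script option with error checking that the quoted reply mentions, sketched as an added example; it is not code from this thread or from pve-firewall. The function names `read_variant` and `alternatives_cmds`, the one-line `VARIANT=legacy|nft` file format, and the Debian-style `/usr/sbin/<tool>-<variant>` paths are assumptions.

```shell
#!/bin/sh
# Added example: hypothetical helper, not pve-firewall code.
# Assumed file format: one unquoted line, VARIANT=legacy or VARIANT=nft.

# Print the validated variant read from an EnvironmentFile-style file.
# Missing file or missing key: "legacy" (the Environment= default in the thread).
# Any other value: print nothing and return 1.
read_variant() {
    variant=legacy
    if [ -f "$1" ]; then
        # Treat the file as data; sourcing it would run whatever it contains.
        line=$(grep -E '^VARIANT=' "$1" | tail -n 1) || true
        if [ -n "$line" ]; then
            variant=${line#VARIANT=}
        fi
    fi
    # Allowlist check: only the two known variants ever reach a command line.
    case $variant in
        legacy|nft) printf '%s\n' "$variant" ;;
        *) return 1 ;;
    esac
}

# Print the update-alternatives calls for the validated variant (dry run).
# Tool names come from the patch subject; the /usr/sbin/<tool>-<variant>
# layout is Debian's and is an assumption here.
alternatives_cmds() {
    v=$(read_variant "$1") || {
        echo "refusing to switch: invalid VARIANT in $1" >&2
        return 1
    }
    for tool in iptables ebtables; do
        printf 'update-alternatives --set %s /usr/sbin/%s-%s\n' "$tool" "$tool" "$v"
    done
}
```

A unit file could call such a script from `ExecStartPre=` in place of interpolating `${VARIANT}` directly, so an unexpected value in the node-local file stops the switch before anything is executed.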




