[pve-devel] superseded: [RFC common/firewall/manager/network/proxmox{-ve-rs, -firewall} 0/7] NIC renaming mitigations
Stefan Hanreich
s.hanreich at proxmox.com
Wed Jul 16 17:19:14 CEST 2025
https://lore.proxmox.com/pve-devel/20250716151815.348161-1-s.hanreich@proxmox.com/
On 7/9/25 21:45, Stefan Hanreich wrote:
> This patch series contains the following features:
> * transparent altname support for {pve, proxmox}-firewall and pve-network
> * pveeth tool for pinning NIC names
>
> Both are features aimed at mitigating the fallout caused by changing network
> interface names. Sending it as an RFC, since I will be gone for a few days and
> wanted to publish my current state to start some discussion on the approaches
> I've taken with the tools and possible additions / changes. Nothing in here is
> final or particularly polished.
>
> Both patch series only received rudimentary testing and are work in progress, so
> use at your own risk, I am not responsible for any broken hosts / VMs.
>
> For more information on the pveeth tool, see the respective commit.
>
> TODO:
> * possibly change wakeonlan setting in node config
> * decide on how to handle host.fw / cluster.fw:
>
> cluster.fw cannot be automatically updated, since the generated mapping might
> differ from the one generated on other nodes. One possibility would be to
> generate the mapping for the NICs one-by-one on each host, thus ensuring a
> consistent name on all nodes. Then add a flag that overwrites cluster.fw.
>
> cluster/host.fw is the only configuration file that gets applied immediately
> when updating it, since the firewall continuously polls this file and applies the
> settings. We could add the new name as altname via ip link, ensuring that the
> firewall rules still work before *and* after reboot. Shouldn't be too hard to
> add (possibly with a flag). This is possible because of the new altname support
> in {pve, proxmox}-firewall.
>
> * update detection of physical NICs
>
> We currently rely on the PHYSICAL_NIC_RE to detect physical network interfaces.
> We could instead use the ip link output for determining whether an interface is
> physical or not. This works in every case, except for PullMetric.pm. For this we
> could introduce another variable and fall back on the old logic depending on its
> existence. Maybe someone with more knowledge on the metrics system can chime in
> here. I have patches for this on my staff repo in case you are interested:
>
> pve-manager:physical-nic-re
> pve-common:physical-nic-re
>
> pve-common:
>
> Stefan Hanreich (2):
> network: add ip link and altname helpers
> network: add nic prefix to physical nic regex
>
> src/PVE/Network.pm | 47 +++++++++++++++++++++++++++++++++++++++++++++-
> 1 file changed, 46 insertions(+), 1 deletion(-)
>
>
> proxmox-ve-rs:
>
> Stefan Hanreich (1):
> config: ip link struct
>
> proxmox-ve-config/src/host/mod.rs | 1 +
> proxmox-ve-config/src/host/network.rs | 35 +++++++++++++++++++++++++++
> 2 files changed, 36 insertions(+)
> create mode 100644 proxmox-ve-config/src/host/network.rs
>
>
> proxmox-firewall:
>
> Stefan Hanreich (1):
> firewall: add altname support for firewall rules
>
> proxmox-firewall/src/config.rs | 29 +++++++++++++++++++++
> proxmox-firewall/src/rule.rs | 6 ++++-
> proxmox-firewall/tests/integration_tests.rs | 7 +++++
> 3 files changed, 41 insertions(+), 1 deletion(-)
>
>
> pve-firewall:
>
> Stefan Hanreich (1):
> firewall: add altname support
>
> src/PVE/Firewall.pm | 7 +++++--
> 1 file changed, 5 insertions(+), 2 deletions(-)
>
>
> pve-network:
>
> Stefan Hanreich (1):
> controllers: isis: add altname support
>
> src/PVE/Network/SDN/Controllers/IsisPlugin.pm | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
>
> pve-manager:
>
> Stefan Hanreich (1):
> cli: add pveeth
>
> PVE/CLI/Makefile | 1 +
> PVE/CLI/pveeth.pm | 538 ++++++++++++++++++++++++++++++++++++++++++++++
> bin/Makefile | 5 +
> bin/pveeth | 8 +
> 4 files changed, 552 insertions(+)
> create mode 100644 PVE/CLI/pveeth.pm
> create mode 100644 bin/pveeth
>
>
> Summary over all repositories:
> 12 files changed, 684 insertions(+), 5 deletions(-)
>
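
The altname lookup that the cover letter relies on for keeping firewall rules valid across a NIC rename, as an added example (not code from the patch series or from Proxmox). The rule dictionaries, function names and sample data are assumptions; the JSON only mirrors the `ifname` and `altnames` fields of `ip -json link show`.

```python
import json

# Constructed sample in the shape of `ip -json link show` output:
# "nic0" is a pinned name, the former kernel name is kept as an altname.
SAMPLE_IP_LINK = json.dumps([
    {"ifindex": 1, "ifname": "lo", "link_type": "loopback"},
    {"ifindex": 2, "ifname": "nic0", "link_type": "ether",
     "altnames": ["enp1s0", "enx001122334455"]},
    {"ifindex": 3, "ifname": "vmbr0", "link_type": "ether"},
])


def build_altname_map(ip_link_json):
    """Map every known name (primary or altname) to the primary ifname."""
    names = {}
    for link in json.loads(ip_link_json):
        primary = link["ifname"]
        for name in [primary, *link.get("altnames", [])]:
            # A name may only ever point at one interface.
            if names.setdefault(name, primary) != primary:
                raise ValueError(f"{name!r} is claimed by two interfaces")
    return names


def resolve_rules(rules, names):
    """Rewrite each rule's iface to the primary name; collect unknown ones.

    `rules` is a hypothetical list of dicts with an optional "iface" key.
    """
    resolved, unknown = [], []
    for rule in rules:
        iface = rule.get("iface")
        if iface is None:
            resolved.append(rule)  # rule is not bound to an interface
        elif iface in names:
            resolved.append({**rule, "iface": names[iface]})
        else:
            unknown.append(rule)   # would silently never match; report it
    return resolved, unknown


if __name__ == "__main__":
    rules = [{"action": "ACCEPT", "iface": "enp1s0"},
             {"action": "DROP", "iface": "eth7"}]
    print(resolve_rules(rules, build_altname_map(SAMPLE_IP_LINK)))
```

Rules returned in the second list reference a name that no interface carries, which is the case worth alerting on after a rename.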