use PVE::CGroup;
use PVE::CpuSet;
use PVE::Exception qw(raise_perm_exc);
+use PVE::Firewall;
use PVE::GuestHelpers qw(check_vnet_access safe_string_ne safe_num_ne safe_boolean_ne);
use PVE::INotify;
use PVE::JSONSchema qw(get_standard_option);
return;
}
- my ($bridge, $tag, $firewall, $trunks, $rate, $hwaddr) =
- $net->@{'bridge', 'tag', 'firewall', 'trunks', 'rate', 'hwaddr'};
+ my ($bridge, $tag, $trunks, $rate, $hwaddr) =
+ $net->@{'bridge', 'tag', 'trunks', 'rate', 'hwaddr'};
+
+ # The nftable-based implementation from the newer proxmox-firewall does not requires FW bridges
+ my $create_firewall_bridges = $net->{firewall} && !PVE::Firewall::is_nftables();
if ($have_sdn) {
- PVE::Network::SDN::Zones::tap_plug($iface, $bridge, $tag, $firewall, $trunks, $rate);
+ PVE::Network::SDN::Zones::tap_plug($iface, $bridge, $tag, $create_firewall_bridges, $trunks, $rate);
PVE::Network::SDN::Zones::add_bridge_fdb($iface, $hwaddr, $bridge);
} else {
- PVE::Network::tap_plug($iface, $bridge, $tag, $firewall, $trunks, $rate, { mac => $hwaddr });
+ PVE::Network::tap_plug($iface, $bridge, $tag, $create_firewall_bridges, $trunks, $rate, { mac => $hwaddr });
}
PVE::Tools::run_command(['/sbin/ip', 'link', 'set', 'dev', $iface, 'up']);
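Review bot: Whether an interface with `firewall` set gets its firewall bridge now depends on what `PVE::Firewall::is_nftables()` returns at the moment of plugging, and the hunk does not show what that check is based on. If it reflects only the configured backend and not whether the nftables firewall is actually enforcing, a guest could come up with neither firewall bridges nor nftables rules in front of it. An interface plugged under one backend would also presumably keep that topology after the host switches backend, until it is re-plugged. I would say so in the added comment, e.g. `# nftables-based proxmox-firewall needs no FW bridges; evaluated at plug time, so re-plug the interface after switching the firewall backend`, which also fixes the "does not requires" wording. The enclosing sub starts and ends outside the hunk.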
if ($acl) {
push @$optlist, 'acl';
- } elsif (defined($acl) && $storage) { # acl is explicitly set to false
- # Since kernel 6.1 the noacl mount option got removed for ext4, which is used for all raw volumes
- # FIXME: just ignore and log_warn with acl=0 in Proxmox VE 9 (warn also in pve8to9!)
- my $format = (PVE::Storage::parse_volname($storage_cfg, $volid))[6];
- push @$optlist, 'noacl' if $format ne 'raw';
+ # NOTE: the else branch is handled below
}
my $optstring = join(',', @$optlist);
my ($vtype, undef, undef, undef, undef, $isBase, $format) =
PVE::Storage::parse_volname($storage_cfg, $volid);
+ if (defined($acl) && !$acl) {
+ # Does having this really makes sense or should we drop it with a future major release?
+ # Kernel 6.1 removed the noacl mount option for ext4, which is used for all raw volumes.
+ push @$optlist, 'noacl' if $format ne 'raw';
+ }
+
$format = 'iso' if $vtype eq 'iso'; # allow to handle iso files
if ($format eq 'subvol') {
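Review bot: The relocated `push @$optlist, 'noacl' if $format ne 'raw';` runs after `my $optstring = join(',', @$optlist);`, which is visible as context in the previous hunk. Unless the string is rebuilt in lines not shown here, `noacl` never reaches the mount options, so an explicit `acl=0` would be silently ignored for non-raw volumes and the volume would be mounted with whatever ACL default the filesystem has. If the option should still take effect, re-derive the string after the push, e.g. `$optstring = join(',', @$optlist);` directly after the new `if` block, and re-derive anything already built from it. If dropping it is intended, warn instead of pushing to a list that is no longer read. The previous hunk also removed the `&& $storage` guard, so this block relies on sitting inside a storage-backed branch, which cannot be confirmed from the hunk.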