* [pve-devel] [PATCH ve-rs 1/2] fix: firewall: introduce iptables to nftables mapping for icmpv6-types
2025-09-16 9:31 [pve-devel] [PATCH proxmox-firewall/ve-rs 0/3] Fix ICMPv6 types in nftables Gabriel Goller
@ 2025-09-16 9:31 ` Gabriel Goller
2025-09-16 9:31 ` [pve-devel] [PATCH ve-rs 2/2] firewall: correctly return errors when parsing icmpv6 types and codes Gabriel Goller
2025-09-16 9:31 ` [pve-devel] [PATCH proxmox-firewall 1/1] tests: add icmpv6 type mapping test Gabriel Goller
2 siblings, 0 replies; 4+ messages in thread
From: Gabriel Goller @ 2025-09-16 9:31 UTC (permalink / raw)
To: pve-devel
nftables changed the names of the icmpv6-types and they don't overlap
completely with the old iptables names. Introduce a mapping that
converts old names into the new ones. A few of these are not supported,
see here for more info:
https://wiki.nftables.org/wiki-nftables/index.php/Supported_features_compared_to_xtables#icmp6
Signed-off-by: Gabriel Goller <g.goller@proxmox.com>
---
.../src/firewall/types/rule_match.rs | 33 +++++++++++++++++++
1 file changed, 33 insertions(+)
diff --git a/proxmox-ve-config/src/firewall/types/rule_match.rs b/proxmox-ve-config/src/firewall/types/rule_match.rs
index 7fcd35c80d86..8202cda57895 100644
--- a/proxmox-ve-config/src/firewall/types/rule_match.rs
+++ b/proxmox-ve-config/src/firewall/types/rule_match.rs
@@ -697,6 +697,31 @@ const ICMPV6_TYPES: [(&str, u8); 19] = sorted!([
("time-exceeded", 3),
]);
+/// Some icmp_types are not supported by nftables. See:
+/// https://wiki.nftables.org/wiki-nftables/index.php/Supported_features_compared_to_xtables#icmp6
+#[sortable]
+const IPTABLES_ICMP_TYPES_MAPPING: [(&str, Option<&str>); 19] = sorted!([
+ ("no-route", None),
+ ("communication-prohibited", None),
+ ("beyond-scope", None),
+ ("address-unreachable", None),
+ ("port-unreachable", None),
+ ("failed-policy", None),
+ ("reject-route'", None),
+ ("ttl-zero-during-transit", None),
+ ("ttl-zero-during-reassembly", None),
+ ("bad-header", None),
+ ("unknown-header-type", None),
+ ("unknown-option", None),
+ ("router-solicitation", Some("nd-router-solicit")),
+ ("router-advertisement", Some("nd-router-advert")),
+ ("neighbor-solicitation", Some("nd-neighbor-solicit")),
+ ("neighbour-solicitation", Some("nd-neighbor-solicit")),
+ ("neighbor-advertisement", Some("nd-neighbor-advert")),
+ ("neighbour-advertisement", Some("nd-neighbor-advert")),
+ ("redirect", Some("nd-redirect")),
+]);
+
impl std::str::FromStr for Icmpv6Type {
type Err = Error;
@@ -713,6 +738,14 @@ impl std::str::FromStr for Icmpv6Type {
return Ok(Self::Named(ICMPV6_TYPES[index].0));
}
+ if let Ok(index) = IPTABLES_ICMP_TYPES_MAPPING.binary_search_by(|v| v.0.cmp(s)) {
+ if let Some(mapped_nftables_type) = IPTABLES_ICMP_TYPES_MAPPING[index].1 {
+ return Ok(Self::Named(mapped_nftables_type));
+ } else {
+ bail!("icmp_type {s:?} is unsupported in nftables");
+ }
+ }
+
bail!("{s:?} is not a valid icmpv6 type");
}
}
--
2.47.3
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
^ permalink raw reply [flat|nested] 4+ messages in thread* [pve-devel] [PATCH ve-rs 2/2] firewall: correctly return errors when parsing icmpv6 types and codes.
2025-09-16 9:31 [pve-devel] [PATCH proxmox-firewall/ve-rs 0/3] Fix ICMPv6 types in nftables Gabriel Goller
2025-09-16 9:31 ` [pve-devel] [PATCH ve-rs 1/2] fix: firewall: introduce iptables to nftables mapping for icmpv6-types Gabriel Goller
@ 2025-09-16 9:31 ` Gabriel Goller
2025-09-16 9:31 ` [pve-devel] [PATCH proxmox-firewall 1/1] tests: add icmpv6 type mapping test Gabriel Goller
2 siblings, 0 replies; 4+ messages in thread
From: Gabriel Goller @ 2025-09-16 9:31 UTC (permalink / raw)
To: pve-devel
Correctly capture and output the error when parsing a icmpv6 type or
code. This makes it easier to debug icmpv6 parsing errors.
Signed-off-by: Gabriel Goller <g.goller@proxmox.com>
---
.../src/firewall/types/rule_match.rs | 56 ++++++++++++-------
1 file changed, 36 insertions(+), 20 deletions(-)
diff --git a/proxmox-ve-config/src/firewall/types/rule_match.rs b/proxmox-ve-config/src/firewall/types/rule_match.rs
index 8202cda57895..28d3e16b27ba 100644
--- a/proxmox-ve-config/src/firewall/types/rule_match.rs
+++ b/proxmox-ve-config/src/firewall/types/rule_match.rs
@@ -493,17 +493,25 @@ impl FromStr for Icmp {
fn from_str(s: &str) -> Result<Self, Self::Err> {
let mut this = Self::default();
- if let Ok(ty) = s.parse() {
- this.ty = Some(ty);
- return Ok(this);
- }
-
- if let Ok(code) = s.parse() {
- this.code = Some(code);
- return Ok(this);
+ match s.parse::<IcmpType>() {
+ Ok(ty) => {
+ this.ty = Some(ty);
+ Ok(this)
+ }
+ Err(type_error) => match s.parse::<IcmpCode>() {
+ Ok(code) => {
+ this.code = Some(code);
+ Ok(this)
+ }
+ Err(code_error) => {
+ bail!(
+ "supplied string is neither a valid icmp type nor code: {:?} - {:?}",
+ type_error,
+ code_error,
+ );
+ }
+ },
}
-
- bail!("supplied string is neither a valid icmp type nor code");
}
}
@@ -652,17 +660,25 @@ impl FromStr for Icmpv6 {
fn from_str(s: &str) -> Result<Self, Self::Err> {
let mut this = Self::default();
- if let Ok(ty) = s.parse() {
- this.ty = Some(ty);
- return Ok(this);
- }
-
- if let Ok(code) = s.parse() {
- this.code = Some(code);
- return Ok(this);
+ match s.parse::<Icmpv6Type>() {
+ Ok(ty) => {
+ this.ty = Some(ty);
+ Ok(this)
+ }
+ Err(type_error) => match s.parse::<Icmpv6Code>() {
+ Ok(code) => {
+ this.code = Some(code);
+ Ok(this)
+ }
+ Err(code_error) => {
+ bail!(
+ "supplied string is neither a valid icmpv6 type nor code: {:?} - {:?}",
+ type_error,
+ code_error,
+ );
+ }
+ },
}
-
- bail!("supplied string is neither a valid icmpv6 type nor code");
}
}
--
2.47.3
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
^ permalink raw reply [flat|nested] 4+ messages in thread* [pve-devel] [PATCH proxmox-firewall 1/1] tests: add icmpv6 type mapping test
2025-09-16 9:31 [pve-devel] [PATCH proxmox-firewall/ve-rs 0/3] Fix ICMPv6 types in nftables Gabriel Goller
2025-09-16 9:31 ` [pve-devel] [PATCH ve-rs 1/2] fix: firewall: introduce iptables to nftables mapping for icmpv6-types Gabriel Goller
2025-09-16 9:31 ` [pve-devel] [PATCH ve-rs 2/2] firewall: correctly return errors when parsing icmpv6 types and codes Gabriel Goller
@ 2025-09-16 9:31 ` Gabriel Goller
2 siblings, 0 replies; 4+ messages in thread
From: Gabriel Goller @ 2025-09-16 9:31 UTC (permalink / raw)
To: pve-devel
We now map the iptables icmpv6-types to the nftables icmpv6-types which
have slightly different names. Add a simple test that shows the mapping
between "neighbor-solicitation" and "nd-neighbor-solicit".
Signed-off-by: Gabriel Goller <g.goller@proxmox.com>
---
proxmox-firewall/tests/input/host.fw | 1 +
.../integration_tests__firewall.snap | 63 +++++++++++++++++++
2 files changed, 64 insertions(+)
diff --git a/proxmox-firewall/tests/input/host.fw b/proxmox-firewall/tests/input/host.fw
index ddfcb1c4d2c8..7b89aad86317 100644
--- a/proxmox-firewall/tests/input/host.fw
+++ b/proxmox-firewall/tests/input/host.fw
@@ -20,6 +20,7 @@ nf_conntrack_helpers: amanda,ftp,irc,netbios-ns,pptp,sane,sip,snmp,tftp
IN DNS(ACCEPT) -source dc/network1 -log nolog
IN DHCPv6(ACCEPT) -log nolog
IN DHCPfwd(ACCEPT) -log nolog
+IN ACCEPT --icmp-type neighbor-solicitation --proto ipv6-icmp --log info
IN Ping(REJECT)
IN REJECT -p udp --dport 443
OUT REJECT -p udp --dport 443
diff --git a/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap b/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap
index e3db8ae2db10..e6ba681d8095 100644
--- a/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap
+++ b/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap
@@ -1,6 +1,7 @@
---
source: proxmox-firewall/tests/integration_tests.rs
expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
+snapshot_kind: text
---
{
"nftables": [
@@ -3593,6 +3594,68 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
}
}
},
+ {
+ "add": {
+ "rule": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "chain": "host-in",
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "icmpv6",
+ "field": "type"
+ }
+ },
+ "right": "nd-neighbor-solicit"
+ }
+ },
+ {
+ "limit": {
+ "rate": 2,
+ "per": "second",
+ "burst": 12
+ }
+ },
+ {
+ "log": {
+ "prefix": ":0:6:host-in: ACCEPT: ",
+ "group": 0
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "chain": "host-in",
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "icmpv6",
+ "field": "type"
+ }
+ },
+ "right": "nd-neighbor-solicit"
+ }
+ },
+ {
+ "accept": null
+ }
+ ]
+ }
+ }
+ },
{
"add": {
"rule": {
--
2.47.3
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
^ permalink raw reply [flat|nested] 4+ messages in thread