* [pve-devel] [PATCH proxmox-firewall 0/3] create ipsets with auto-merge option enabled
From: Stefan Hanreich @ 2025-09-25 16:12 UTC (permalink / raw)
To: pve-devel
nftables interval sets do not merge overlapping / adjacent CIDRs / ranges by
default. Instead, nftables errors out, refusing to insert new set elements. This
was a problem with proxmox-firewall, since ip sets with overlapping entries
could cause the firewall daemon to refuse to work.
Since v1.1.0 [1] (and therefore, Debian trixie) the nftables json interface
supports setting the auto-merge option for sets.
[1] https://www.netfilter.org/projects/nftables/files/changes-nftables-1.1.0.txt
proxmox-firewall:
Stefan Hanreich (3):
nftables: add support for auto-merge set option
firewall: set auto-merge flag for ipsets
firewall: tests: regenerate snapshot
proxmox-firewall/src/object.rs | 8 +-
.../integration_tests__firewall.snap | 192 ++++++++++++------
proxmox-nftables/src/types.rs | 9 +
3 files changed, 142 insertions(+), 67 deletions(-)
Summary over all repositories:
3 files changed, 142 insertions(+), 67 deletions(-)
--
Generated by git-murpp 0.8.0
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
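What the cover letter describes, as an added example that is not part of the patch series or of proxmox-firewall: which elements make an interval set without auto-merge fail, what the set holds once nftables merges overlapping and adjacent elements, and the JSON `add set` command carrying the `auto-merge` key (key names taken from the regenerated snapshot in 3/3). The table and set names, the `inet` family and the sample CIDRs are constructed.

```python
import ipaddress
import json

# Constructed sample ipset: 10.0.0.128/25 lies inside 10.0.0.0/24 (overlap),
# 10.0.1.0/24 is adjacent to 10.0.0.0/24, 192.168.1.5 stands alone.
SAMPLE_ELEMENTS = ["10.0.0.0/24", "10.0.0.128/25", "10.0.1.0/24", "192.168.1.5"]


def overlapping_pairs(cidrs):
    """Element pairs that an interval set without auto-merge rejects; this is
    the condition that made the firewall daemon's ruleset fail to load."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    pairs = []
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.version == b.version and a.overlaps(b):
                pairs.append((str(a), str(b)))
    return pairs


def auto_merged(cidrs):
    """The set contents once auto-merge is on: overlapping and adjacent
    elements collapsed into the smallest equivalent list of prefixes."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return [str(n) for n in v4] + [str(n) for n in v6]


def nft_add_set(table, name, cidrs, auto_merge):
    """Build the nftables JSON 'add set' command. "type", "flags" and
    "auto-merge" are the keys seen in the snapshot; table/set names and
    the inet family are placeholders, not the firewall's naming scheme."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    set_obj = {
        "family": "inet",
        "table": table,
        "name": name,
        "type": "ipv4_addr" if nets[0].version == 4 else "ipv6_addr",
        "flags": ["interval"],
        "elem": [{"prefix": {"addr": str(n.network_address), "len": n.prefixlen}}
                 for n in nets],
    }
    if auto_merge:
        # Without this key nftables refuses the overlapping elements above.
        set_obj["auto-merge"] = True
    return {"add": {"set": set_obj}}


if __name__ == "__main__":
    print("rejected without auto-merge:", overlapping_pairs(SAMPLE_ELEMENTS))
    print("stored with auto-merge:     ", auto_merged(SAMPLE_ELEMENTS))
    print(json.dumps(nft_add_set("example-table", "example-set",
                                 SAMPLE_ELEMENTS, True), indent=2))
```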
* [pve-devel] [PATCH proxmox-firewall 1/3] nftables: add support for auto-merge set option
From: Stefan Hanreich @ 2025-09-25 16:12 UTC (permalink / raw)
To: pve-devel
nftables sets do not support overlapping ranges in ipsets with the
interval flag enabled, unless explicitly enabled via auto-merge. This
option has not yet been exposed by proxmox-nftables, so add it to the
library. This requires at least nftables 1.1.0 to work, which is
available since Debian trixie.
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
---
proxmox-nftables/src/types.rs | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/proxmox-nftables/src/types.rs b/proxmox-nftables/src/types.rs
index c613e64..c146d9c 100644
--- a/proxmox-nftables/src/types.rs
+++ b/proxmox-nftables/src/types.rs
@@ -500,6 +500,9 @@ pub struct SetConfig {
#[serde(skip_serializing_if = "Option::is_none")]
size: Option<i64>,
+
+ #[serde(skip_serializing_if = "Option::is_none")]
+ auto_merge: Option<bool>,
}
impl SetConfig {
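Review bot: the key nftables expects is `auto-merge` with a hyphen (that is what the regenerated snapshot in 3/3 shows), while the new field is `auto_merge`; this only serializes correctly if `SetConfig` already carries a struct-level `#[serde(rename_all = "kebab-case")]`, which the existing `gc_interval` field suggests but which is outside this hunk, so worth a glance. A doc comment on the field stating the nftables >= 1.1.0 requirement from the commit message would tell later readers why the option is optional at all.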
@@ -512,6 +515,7 @@ impl SetConfig {
timeout: None,
gc_interval: None,
size: None,
+ auto_merge: None,
}
}
@@ -523,6 +527,11 @@ impl SetConfig {
self.flags.push(flag);
self
}
+
+ pub fn with_auto_merge(mut self, auto_merge: bool) -> Self {
+ self.auto_merge = Some(auto_merge);
+ self
+ }
}
#[derive(Clone, Debug, Deserialize, Serialize)]
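Review bot: `with_auto_merge(false)` stores `Some(false)` and therefore emits `"auto-merge": false` rather than omitting the key, since the skip predicate is `Option::is_none`; a caller asking for the default behaviour on a host with nftables older than 1.1.0 would still send a key that version does not know. Either document that `false` should not be passed on such hosts, or only emit the key when the value is `Some(true)`. The method also lacks a doc comment; the "requires at least nftables 1.1.0" sentence from the commit message belongs here.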
--
2.47.3
* [pve-devel] [PATCH proxmox-firewall 2/3] firewall: set auto-merge flag for ipsets
From: Stefan Hanreich @ 2025-09-25 16:12 UTC (permalink / raw)
To: pve-devel
ipsets that contained overlapping ip ranges caused the firewall to
generate a ruleset rejected by nftables, because nftables interval
sets do not support overlapping ranges by default. By explicitly
enabling the auto-merge flag we prevent the firewall from failing due
to overlapping elements in ipsets. nftables sets then automatically
merge elements that are overlapping / adjacent.
This issue was reported in the forum [1].
[1] https://forum.proxmox.com/threads/proxmox-firewall-nftables-troubleshooting.164560/#post-760973
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
---
proxmox-firewall/src/object.rs | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/proxmox-firewall/src/object.rs b/proxmox-firewall/src/object.rs
index 5c18708..5dde7c2 100644
--- a/proxmox-firewall/src/object.rs
+++ b/proxmox-firewall/src/object.rs
@@ -124,8 +124,9 @@ impl ToNftObjects for Ipset {
SetName::ipset_name(family, self.name(), env.vmid, false),
);
- let set_config =
- SetConfig::new(set_name.clone(), vec![element_type]).with_flag(SetFlag::Interval);
+ let set_config = SetConfig::new(set_name.clone(), vec![element_type])
+ .with_flag(SetFlag::Interval)
+ .with_auto_merge(true);
let nomatch_name = SetName::new(
env.table.clone(),
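Review bot: applying `.with_auto_merge(true)` unconditionally makes every generated ruleset depend on nftables >= 1.1.0 (Debian trixie, per 1/3) with no fallback for hosts still running an older nftables; the packaging should carry that as a versioned dependency, and a one-line comment here pointing at the requirement would save the next reader a trip through the git log. Also worth a comment: the flag changes the failure mode from "nftables rejects a set with overlapping entries" to "nftables silently takes their union", which is the right semantics for an ipset, but it means an overlapping range entered by mistake is no longer surfaced as an error.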
@@ -133,7 +134,8 @@ impl ToNftObjects for Ipset {
);
let nomatch_config = SetConfig::new(nomatch_name.clone(), vec![element_type])
- .with_flag(SetFlag::Interval);
+ .with_flag(SetFlag::Interval)
+ .with_auto_merge(true);
commands.append(&mut vec![
Add::set(set_config),
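Review bot: the chain `SetConfig::new(..).with_flag(SetFlag::Interval).with_auto_merge(true)` now appears twice in this impl, once for the match set and once for the nomatch set; a small helper such as `fn interval_set(name, element_type) -> SetConfig` would keep both in sync when the next set option is added.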
--
2.47.3
* [pve-devel] [PATCH proxmox-firewall 3/3] firewall: tests: regenerate snapshot
From: Stefan Hanreich @ 2025-09-25 16:12 UTC (permalink / raw)
To: pve-devel
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
---
.../integration_tests__firewall.snap | 192 ++++++++++++------
1 file changed, 128 insertions(+), 64 deletions(-)
diff --git a/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap b/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap
index 1a19ea7..94e69ca 100644
--- a/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap
+++ b/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap
@@ -265,7 +265,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv4_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
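Review bot: this hunk confirms that the `auto_merge` field from 1/3 serializes as `"auto-merge": true` next to `"flags": ["interval"]`, i.e. the kebab-case key nftables expects, which settles the rename question raised on 1/3. The remaining hunks in this patch are the same three-line change repeated for every interval set in the fixture, so nothing further to review in them.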
@@ -287,7 +288,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv4_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -326,7 +328,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv6_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -348,7 +351,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv6_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -387,7 +391,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv4_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -409,7 +414,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv4_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -448,7 +454,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv6_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -470,7 +477,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv6_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -509,7 +517,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv4_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -531,7 +540,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv4_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -570,7 +580,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv6_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -592,7 +603,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv6_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -631,7 +643,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv4_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -653,7 +666,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv4_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -709,7 +723,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv6_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -731,7 +746,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv6_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -787,7 +803,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv4_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -809,7 +826,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv4_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -848,7 +866,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv6_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -870,7 +889,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv6_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -909,7 +929,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv4_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -931,7 +952,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv4_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -970,7 +992,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv6_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -992,7 +1015,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv6_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -1031,7 +1055,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv4_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -1053,7 +1078,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv4_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -1092,7 +1118,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv6_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -1114,7 +1141,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv6_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -1153,7 +1181,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv4_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -1175,7 +1204,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv4_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -1231,7 +1261,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv6_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -1253,7 +1284,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv6_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -1309,7 +1341,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv4_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -1331,7 +1364,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv4_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -1370,7 +1404,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv6_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -1392,7 +1427,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv6_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -1431,7 +1467,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv4_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -1453,7 +1490,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv4_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -1492,7 +1530,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv6_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -1514,7 +1553,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv6_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -1553,7 +1593,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv4_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -1575,7 +1616,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv4_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -1614,7 +1656,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv6_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -1636,7 +1679,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv6_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -1658,7 +1702,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv4_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -1680,7 +1725,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv4_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -1719,7 +1765,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv6_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -1741,7 +1788,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv6_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -3860,7 +3908,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv4_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -3882,7 +3931,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv4_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -3921,7 +3971,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv6_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -3943,7 +3994,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv6_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -3965,7 +4017,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv4_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -3987,7 +4040,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv4_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -4026,7 +4080,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv6_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -4048,7 +4103,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv6_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -4288,7 +4344,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv4_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -4310,7 +4367,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv4_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -4349,7 +4407,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv6_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -4371,7 +4430,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv6_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -5596,7 +5656,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv4_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -5618,7 +5679,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv4_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -5640,7 +5702,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv6_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -5662,7 +5725,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv6_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
--
2.47.3