From: Stefan Hanreich
To: pve-devel@lists.proxmox.com
Subject: [PATCH proxmox-firewall 0/2] Fix auto-generated IPAM ipsets in firewall
Date: Thu, 12 Feb 2026 09:48:28 +0100
Message-ID: <20260212084832.63278-1-s.hanreich@proxmox.com>
List-Id: Proxmox VE development discussion

proxmox-firewall did not include the auto-generated IPAM ipsets when
looking up ipsets in the firewall rule generation logic. This would
cause proxmox-firewall to fail generating a ruleset when those IPAM
ipsets were included in the ruleset. This is a regression introduced in
the patch series that added support for legacy ipset / alias names [1].

This issue was reported in the forum by a user [2].

[1] https://lore.proxmox.com/all/20250925122403.230867-1-s.hanreich@proxmox.com/
[2] https://forum.proxmox.com/threads/sdn-aliases-not-found-by-firewall.180549/

proxmox-firewall:

Stefan Hanreich (2):
  firewall: chore: autoformat imports
  firewall: fix ipset lookup for auto-generated ipam ipsets

 proxmox-firewall/src/config.rs                |  48 +++-
 proxmox-firewall/src/firewall.rs              |  11 +-
 proxmox-firewall/tests/input/host.fw          |   2 +
 .../integration_tests__firewall.snap          | 250 +++++++++++++++++-
 4 files changed, 293 insertions(+), 18 deletions(-)

Summary over all repositories:
  4 files changed, 293 insertions(+), 18 deletions(-)

--
Generated by git-murpp 0.8.0