From: Lukas Sichert
To: pve-devel@lists.proxmox.com
Subject: [PATCH network] SNAT: handle interface lookup failures gracefully
Date: Mon, 20 Apr 2026 16:35:28 +0200
Message-ID: <20260420143530.91158-1-l.sichert@proxmox.com>

When an IPv6 subnet is created in a Simple or EVPN zone, the setup code runs `ip route get 2001:4860:4860::8888` to determine the outgoing interface. If the host has no IPv6 address configured, this command fails and aborts the loop that iterates over the plugin's subnets. Since the error is only handled at a higher layer, any subnets that would be processed later in the loop are skipped.

Wrap the function that performs the route lookup in an eval block. If the lookup fails, write the error to the system log and continue processing the remaining subnets in the loop.

Signed-off-by: Lukas Sichert
--- src/PVE/Network/SDN/Zones/EvpnPlugin.pm | 12 ++++++++++-- src/PVE/Network/SDN/Zones/SimplePlugin.pm | 12 ++++++++++-- 2 files changed, 20 insertions(+), 4 deletions(-) diff --git a/src/PVE/Network/SDN/Zones/EvpnPlugin.pm b/src/PVE/Network/SDN/Zones/EvpnPlugin.pm index 8e7ddfd..a12922b 100644 --- a/src/PVE/Network/SDN/Zones/EvpnPlugin.pm +++ b/src/PVE/Network/SDN/Zones/EvpnPlugin.pm @@ -11,6 +11,7 @@ use PVE::INotify; use PVE::Cluster; use PVE::Tools; use Net::IP; +use PVE::SafeSyslog; use PVE::Network::SDN::Controllers::EvpnPlugin; 
@@ -252,8 +253,15 @@ sub generate_sdn_config { if ($subnet->{snat}) { #find outgoing interface - my ($outip, $outiface) = - PVE::Network::SDN::Zones::Plugin::get_local_route_ip($checkrouteip); + my ($outip, $outiface); + eval { + ($outip, $outiface) = + PVE::Network::SDN::Zones::Plugin::get_local_route_ip($checkrouteip); + }; + if ($@) { + syslog("warn", "interface for SNAT could not be resolved: $@"); + next; + } if ($outip && $outiface && $is_evpn_gateway) { #use snat, faster than masquerade push @iface_config, diff --git a/src/PVE/Network/SDN/Zones/SimplePlugin.pm b/src/PVE/Network/SDN/Zones/SimplePlugin.pm index f5cd18e..8ae7630 100644 --- a/src/PVE/Network/SDN/Zones/SimplePlugin.pm +++ b/src/PVE/Network/SDN/Zones/SimplePlugin.pm @@ -7,6 +7,7 @@ use PVE::Network::SDN::Dhcp; use PVE::Exception qw(raise raise_param_exc); use PVE::Cluster; use PVE::Tools; +use PVE::SafeSyslog; use base('PVE::Network::SDN::Zones::Plugin'); @@ -112,8 +113,15 @@ sub generate_sdn_config { push @iface_config, "up ip route add $cidr dev $vnetid" if $mask == 32 && $ipversion == 4; if ($subnet->{snat}) { #find outgoing interface - my ($outip, $outiface) = - PVE::Network::SDN::Zones::Plugin::get_local_route_ip($checkrouteip); + my ($outip, $outiface); + eval { + ($outip, $outiface) = + PVE::Network::SDN::Zones::Plugin::get_local_route_ip($checkrouteip); + }; + if ($@) { + syslog("warn", "interface for SNAT could not be resolved: $@"); + next; + } if ($outip && $outiface) { #use snat, faster than masquerade push @iface_config, -- 2.47.3
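Review bot: In the EvpnPlugin.pm `generate_sdn_config` hunk, the `next;` inside `if ($@)` ends the whole loop iteration for this subnet, not only the SNAT step, so any code that follows the `if ($subnet->{snat})` block in the loop body is skipped for that subnet too. After a failed eval `$outip` and `$outiface` stay undefined, which already makes `if ($outip && $outiface && $is_evpn_gateway)` false, so logging without `next` would skip only the SNAT rule; if skipping the rest of the iteration is intended, the commit message should say so. Consider also copying the error first with `if (my $err = $@)` and logging `$err`, so the logged text does not depend on `$@` staying untouched.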
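Review bot: The warning added in the SimplePlugin.pm `generate_sdn_config` hunk, `"interface for SNAT could not be resolved: $@"`, does not name the subnet that ends up without a SNAT rule, so someone reading the log cannot tell which network lost outbound NAT. `$cidr` and `$vnetid` are in scope a few lines above the eval; include them, and `$checkrouteip`, in the message. The same eval, syslog and `next` block is added verbatim in EvpnPlugin.pm, so a small shared wrapper next to `get_local_route_ip` in `PVE::Network::SDN::Zones::Plugin` would keep the two copies from drifting apart.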