From: Stefan Hanreich <s.hanreich@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [PATCH proxmox-ve-rs v6 02/24] prefix lists: implement validation for prefix lists
Date: Fri, 8 May 2026 18:31:11 +0200 [thread overview]
Message-ID: <20260508163134.481912-3-s.hanreich@proxmox.com> (raw)
In-Reply-To: <20260508163134.481912-1-s.hanreich@proxmox.com>
Implement validation for prefix list entries, that enforces the
invariants that are required for entries to be valid. Since FRR
rejects invalid prefix lists and refuses to start, it is important
that invalid prefix lists are caught early by the stack to prevent
potentially crashing the FRR daemon.
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
---
proxmox-ve-config/src/sdn/prefix_list.rs | 246 +++++++++++++++++++++++
1 file changed, 246 insertions(+)
diff --git a/proxmox-ve-config/src/sdn/prefix_list.rs b/proxmox-ve-config/src/sdn/prefix_list.rs
index 0efe81d..672ee88 100644
--- a/proxmox-ve-config/src/sdn/prefix_list.rs
+++ b/proxmox-ve-config/src/sdn/prefix_list.rs
@@ -31,6 +31,8 @@ use proxmox_schema::{
UpdaterType,
};
+use crate::common::valid::Validatable;
+
pub const PREFIX_LIST_ID_REGEX_STR: &str =
r"(?:[a-zA-Z0-9](?:[a-zA-Z0-9\-_]){0,30}(?:[a-zA-Z0-9]){0,1})";
@@ -82,7 +84,26 @@ pub struct PrefixListSection {
pub(crate) entries: Vec<PropertyString<PrefixListEntry>>,
}
+impl Validatable for PrefixListSection {
+ type Error = anyhow::Error;
+
+ fn validate(&self) -> Result<(), Self::Error> {
+ for entry in &self.entries {
+ entry.validate()?
+ }
+
+ Ok(())
+ }
+}
+
impl PrefixListSection {
+ pub fn new(id: PrefixListId) -> Self {
+ Self {
+ id,
+ entries: Vec::new(),
+ }
+ }
+
/// Return the ID of the Prefix List.
pub fn id(&self) -> &PrefixListId {
&self.id
@@ -202,6 +223,8 @@ impl PrefixListSection {
anyhow::bail!("entry with sequence number {} already exists", entry.seq);
}
+ entry.validate()?;
+
self.entries.push(entry.into());
Ok(())
}
@@ -300,6 +323,48 @@ impl PrefixListEntry {
}
}
+impl Validatable for PrefixListEntry {
+ type Error = anyhow::Error;
+
+ fn validate(&self) -> Result<(), Self::Error> {
+ // Ensure that:
+ // prefixmask <= ge <= le
+
+ let (max_mask, current_mask) = match self.prefix {
+ Cidr::Ipv4(ipv4_cidr) => (32, ipv4_cidr.mask() as u32),
+ Cidr::Ipv6(ipv6_cidr) => (128, ipv6_cidr.mask() as u32),
+ };
+
+ if let Some(le) = self.le {
+ if le > max_mask {
+ anyhow::bail!("Prefix <= must not be greater than {max_mask}");
+ }
+
+ if current_mask > le {
+ anyhow::bail!("Prefix <= must not be greater than {current_mask}");
+ }
+
+ if let Some(ge) = self.ge {
+ if ge > le {
+ anyhow::bail!("Prefix >= must not be greater than Prefix <= ({ge})");
+ }
+ }
+ }
+
+ if let Some(ge) = self.ge {
+ if ge > max_mask {
+ anyhow::bail!("Prefix >= must not be greater than {max_mask}");
+ }
+
+ if current_mask > ge {
+ anyhow::bail!("Prefix >= must be greater than {current_mask}");
+ }
+ }
+
+ Ok(())
+ }
+}
+
#[api(
"id-property": "id",
"id-schema": {
@@ -317,6 +382,15 @@ pub enum PrefixList {
PrefixList(PrefixListSection),
}
+impl Validatable for PrefixList {
+ type Error = anyhow::Error;
+
+ fn validate(&self) -> Result<(), Self::Error> {
+ let PrefixList::PrefixList(prefix_list_section) = self;
+ prefix_list_section.validate()
+ }
+}
+
#[cfg(feature = "frr")]
pub mod frr {
use super::*;
@@ -492,4 +566,176 @@ prefix-list: somelist
PrefixList::parse_section_config("prefix-lists.cfg", section_config)?;
Ok(())
}
+
+ #[test]
+ fn test_prefix_list_seq_nr() -> Result<(), anyhow::Error> {
+ let mut prefix_list = PrefixListSection::new(
+ PrefixListId::from_string("test".to_string()).expect("valid prefix list id"),
+ );
+
+ assert_eq!(prefix_list.next_seq_number(), 5);
+
+ prefix_list
+ .try_insert_entry(PrefixListEntry {
+ action: PrefixListAction::Permit,
+ prefix: Cidr::new_v4([192, 0, 2, 0], 24).expect("valid cidr"),
+ le: None,
+ ge: None,
+ seq: 100,
+ })
+ .expect("valid entry");
+
+ assert_eq!(prefix_list.next_seq_number(), 105);
+
+ prefix_list.remove_entry(100).expect("could be removed");
+ assert_eq!(prefix_list.next_seq_number(), 5);
+
+ Ok(())
+ }
+
+ #[test]
+ fn test_prefix_list_entry_update() -> Result<(), anyhow::Error> {
+ let mut prefix_list = PrefixListSection::new(
+ PrefixListId::from_string("test".to_string()).expect("valid prefix list id"),
+ );
+
+ assert_eq!(prefix_list.next_seq_number(), 5);
+
+ prefix_list
+ .try_insert_entry(PrefixListEntry {
+ action: PrefixListAction::Permit,
+ prefix: Cidr::new_v4([192, 0, 2, 0], 24).expect("valid cidr"),
+ le: None,
+ ge: None,
+ seq: 100,
+ })
+ .expect("valid entry");
+
+ prefix_list
+ .try_insert_entry(PrefixListEntry {
+ action: PrefixListAction::Permit,
+ prefix: Cidr::new_v4([192, 0, 2, 0], 24).expect("valid cidr"),
+ le: None,
+ ge: None,
+ seq: 200,
+ })
+ .expect("valid entry");
+
+ prefix_list
+ .try_update_entry(
+ 100,
+ api::PrefixListEntryUpdater {
+ action: None,
+ prefix: None,
+ le: None,
+ ge: None,
+ seq: Some(200),
+ },
+ Vec::new(),
+ )
+ .expect_err("seq nr already exists");
+
+ prefix_list
+ .try_update_entry(
+ 150,
+ api::PrefixListEntryUpdater {
+ action: None,
+ prefix: None,
+ le: None,
+ ge: None,
+ seq: Some(100),
+ },
+ Vec::new(),
+ )
+ .expect_err("old seq nr doesn't exist");
+
+ prefix_list
+ .try_update_entry(
+ 100,
+ api::PrefixListEntryUpdater {
+ action: None,
+ prefix: None,
+ le: None,
+ ge: None,
+ seq: Some(10),
+ },
+ Vec::new(),
+ )
+ .expect("changing sequence number from 100 to 10 works");
+
+ prefix_list
+ .entry(10)
+ .expect("entry has been successfully updated");
+
+ Ok(())
+ }
+
+ #[test]
+ fn test_invalid_prefix_list_entry() -> Result<(), anyhow::Error> {
+ let mut prefix_list = PrefixListSection::new(
+ PrefixListId::from_string("test".to_string()).expect("valid prefix list id"),
+ );
+
+ prefix_list
+ .try_insert_entry(PrefixListEntry {
+ action: PrefixListAction::Permit,
+ prefix: Cidr::new_v4([192, 0, 2, 0], 24).expect("valid cidr"),
+ le: Some(23),
+ ge: None,
+ seq: 100,
+ })
+ .expect_err("le is larger than prefix size");
+
+ prefix_list
+ .try_insert_entry(PrefixListEntry {
+ action: PrefixListAction::Permit,
+ prefix: Cidr::new_v4([192, 0, 2, 0], 24).expect("valid cidr"),
+ le: Some(23),
+ ge: None,
+ seq: 100,
+ })
+ .expect_err("le is larger than prefix size");
+
+ prefix_list
+ .try_insert_entry(PrefixListEntry {
+ action: PrefixListAction::Permit,
+ prefix: Cidr::new_v4([192, 0, 2, 0], 24).expect("valid cidr"),
+ le: None,
+ ge: Some(23),
+ seq: 100,
+ })
+ .expect_err("ge is larger than prefix size");
+
+ prefix_list
+ .try_insert_entry(PrefixListEntry {
+ action: PrefixListAction::Permit,
+ prefix: Cidr::new_v4([192, 0, 2, 0], 24).expect("valid cidr"),
+ le: Some(25),
+ ge: Some(27),
+ seq: 100,
+ })
+ .expect_err("le is larger than ge");
+
+ prefix_list
+ .try_insert_entry(PrefixListEntry {
+ action: PrefixListAction::Permit,
+ prefix: Cidr::new_v4([192, 0, 2, 0], 24).expect("valid cidr"),
+ le: None,
+ ge: None,
+ seq: 100,
+ })
+ .expect("valid entry");
+
+ prefix_list
+ .try_insert_entry(PrefixListEntry {
+ action: PrefixListAction::Permit,
+ prefix: Cidr::new_v4([192, 0, 2, 0], 24).expect("valid cidr"),
+ le: None,
+ ge: None,
+ seq: 100,
+ })
+ .expect_err("entry with seq already exists");
+
+ Ok(())
+ }
}
--
2.47.3
next prev parent reply other threads:[~2026-05-08 16:33 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-08 16:31 [PATCH manager/network/proxmox{-ve-rs,-perl-rs} v6 00/24] Add support for route maps / prefix lists to SDN Stefan Hanreich
2026-05-08 16:31 ` [PATCH proxmox-ve-rs v6 01/24] sdn: prefix lists: refactor section config and api format Stefan Hanreich
2026-05-08 16:31 ` Stefan Hanreich [this message]
2026-05-08 16:31 ` [PATCH proxmox-perl-rs v6 03/24] sdn: prefix lists: refactor existing API endpoint Stefan Hanreich
2026-05-08 16:31 ` [PATCH proxmox-perl-rs v6 04/24] sdn: prefix lists: add crud methods for prefix list entries Stefan Hanreich
2026-05-08 16:31 ` [PATCH proxmox-perl-rs v6 05/24] sdn: prefix lists: validate prefix lists Stefan Hanreich
2026-05-08 16:31 ` [PATCH proxmox-perl-rs v6 06/24] sdn: route maps: add route map list method Stefan Hanreich
2026-05-08 16:31 ` [PATCH pve-network v6 07/24] api: refactor route map api structure Stefan Hanreich
2026-05-08 16:31 ` [PATCH pve-network v6 08/24] api: refactor prefix list " Stefan Hanreich
2026-05-08 16:31 ` [PATCH pve-manager v6 09/24] ui: sdn: add route map selector Stefan Hanreich
2026-05-08 16:31 ` [PATCH pve-manager v6 10/24] ui: sdn: add prefix list selector Stefan Hanreich
2026-05-08 16:31 ` [PATCH pve-manager v6 11/24] ui: sdn: add panel for managing prefix lists Stefan Hanreich
2026-05-08 16:31 ` [PATCH pve-manager v6 12/24] ui: sdn: add panel for managing route map entries Stefan Hanreich
2026-05-08 16:31 ` [PATCH pve-manager v6 13/24] ui: sdn: bgp controller: allow configuring route maps Stefan Hanreich
2026-05-08 16:31 ` [PATCH pve-manager v6 14/24] ui: sdn: evpn " Stefan Hanreich
2026-05-08 16:31 ` [PATCH pve-manager v6 15/24] ui: sdn: openfabric: add route filter Stefan Hanreich
2026-05-08 16:31 ` [PATCH pve-manager v6 16/24] ui: sdn: ospf: add route filter setting Stefan Hanreich
2026-05-08 16:31 ` [PATCH pve-manager v6 17/24] ui: sdn: prefix list: add missing subjects Stefan Hanreich
2026-05-08 16:31 ` [PATCH pve-manager v6 18/24] sdn: do not fail rendering record data if pending property is missing Stefan Hanreich
2026-05-08 16:31 ` [PATCH pve-manager v6 19/24] ui: sdn: prefix list: adapt to changed api structure Stefan Hanreich
2026-05-08 16:31 ` [PATCH pve-manager v6 20/24] ui: sdn: route maps: adapt to new route map " Stefan Hanreich
2026-05-08 16:31 ` [PATCH pve-manager v6 21/24] ui: sdn: prefix lists: route maps: use integerfields for numbers Stefan Hanreich
2026-05-08 16:31 ` [PATCH pve-manager v6 22/24] ui: sdn: prefix list panel: reload data on deleting prefix list entry Stefan Hanreich
2026-05-08 16:31 ` [PATCH pve-manager v6 23/24] ui: prefix list panel: delete empty le and get properties Stefan Hanreich
2026-05-08 16:31 ` [PATCH pve-manager v6 24/24] ui: prefix list entry panel: make prefix required Stefan Hanreich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260508163134.481912-3-s.hanreich@proxmox.com \
--to=s.hanreich@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.