From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <pve-devel-bounces@lists.proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9])
	by lore.proxmox.com (Postfix) with ESMTPS id 86A971FF138
	for <inbox@lore.proxmox.com>; Mon, 01 Jun 2026 14:43:09 +0200 (CEST)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
	by firstgate.proxmox.com (Proxmox) with ESMTP id BDCF11CB59;
	Mon,  1 Jun 2026 14:43:08 +0200 (CEST)
From: Lukas Sichert <l.sichert@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [PATCH network v2] snat: handle interface lookup failures gracefully
Date: Mon,  1 Jun 2026 14:42:18 +0200
Message-ID: <20260601124228.77298-1-l.sichert@proxmox.com>
X-Mailer: git-send-email 2.47.3
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2
X-Bm-Transport-Timestamp: 1780317721476
X-SPAM-LEVEL: Spam detection results:  0
	AWL                     0.383 Adjusted score from AWL reputation of From:
 address
	BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
	DMARC_MISSING             0.1 Missing DMARC policy
	KAM_DMARC_STATUS         0.01 Test Rule for DKIM or SPF Failure with Strict
 Alignment
	SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
	T_SPF_PERMERROR          0.01 SPF: test of record failed (permerror)
Message-ID-Hash: IGKYQYA3TVMGEV7UF5OT7VIKU4IBAFFC
X-Message-ID-Hash: IGKYQYA3TVMGEV7UF5OT7VIKU4IBAFFC
X-MailFrom: l.sichert@proxmox.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; emergency; member-moderation; nonmember-moderation;
 administrivia; implicit-dest; max-recipients; max-size; news-moderation;
 no-subject; digests; suspicious-header
CC: Lukas Sichert <l.sichert@proxmox.com>
X-Mailman-Version: 3.3.10
Precedence: list
List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com>
List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help>
List-Owner: <mailto:pve-devel-owner@lists.proxmox.com>
List-Post: <mailto:pve-devel@lists.proxmox.com>
List-Subscribe: <mailto:pve-devel-join@lists.proxmox.com>
List-Unsubscribe: <mailto:pve-devel-leave@lists.proxmox.com>

'When an IPv6 subnet is created in a Simple or EVPN zone, the setup code
runs 'ip route get 2001:4860:4860::8888' to determine the outgoing
interface. If the host has no IPv6 address configured, this command
fails and aborts the loop that iterates over the plugin's subnets. This
means that the current and subsequent bridges required for the VNETs are
not instantiated, even though they still appear in the GUI. Starting a
VM connected to such a VNET then fails with: 'TASK ERROR: bridge
'<vnet>' does not exist'.

Wrap the function that performs the route lookup in an eval block. If
the lookup fails, use 'log_warn' to write the error to the system log
and to the GUI and continue processing the remaining subnets in the
loop.

Signed-off-by: Lukas Sichert <l.sichert@proxmox.com>
---

Notes:
    changes from v1 to v2:
    -use log_warn instead of syslog to display the warning in the GUI as
    well
    -change the commit subject to better fit proxmox style

 src/PVE/Network/SDN/Zones/EvpnPlugin.pm   | 13 +++++++++++--
 src/PVE/Network/SDN/Zones/SimplePlugin.pm | 13 +++++++++++--
 2 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/src/PVE/Network/SDN/Zones/EvpnPlugin.pm b/src/PVE/Network/SDN/Zones/EvpnPlugin.pm
index dfbd7e9..0e79707 100644
--- a/src/PVE/Network/SDN/Zones/EvpnPlugin.pm
+++ b/src/PVE/Network/SDN/Zones/EvpnPlugin.pm
@@ -11,6 +11,7 @@ use PVE::INotify;
 use PVE::Cluster;
 use PVE::Tools;
 use Net::IP;
+use PVE::RESTEnvironment qw(log_warn);
 
 use PVE::Network::SDN::Controllers::EvpnPlugin;
 
@@ -269,8 +270,16 @@ sub generate_sdn_config {
         if ($subnet->{snat}) {
 
             #find outgoing interface
-            my ($outip, $outiface) =
-                PVE::Network::SDN::Zones::Plugin::get_local_route_ip($checkrouteip);
+            my ($outip, $outiface);
+            eval {
+                ($outip, $outiface) =
+                    PVE::Network::SDN::Zones::Plugin::get_local_route_ip($checkrouteip);
+            };
+            if ($@) {
+                my $msg = "interface for SNAT could not be resolved: $@";
+                log_warn($msg);
+                next;
+            }
             if ($outip && $outiface && $is_evpn_gateway) {
                 #use snat, faster than masquerade
                 push @iface_config,
diff --git a/src/PVE/Network/SDN/Zones/SimplePlugin.pm b/src/PVE/Network/SDN/Zones/SimplePlugin.pm
index f5cd18e..347eee9 100644
--- a/src/PVE/Network/SDN/Zones/SimplePlugin.pm
+++ b/src/PVE/Network/SDN/Zones/SimplePlugin.pm
@@ -7,6 +7,7 @@ use PVE::Network::SDN::Dhcp;
 use PVE::Exception qw(raise raise_param_exc);
 use PVE::Cluster;
 use PVE::Tools;
+use PVE::RESTEnvironment qw(log_warn);
 
 use base('PVE::Network::SDN::Zones::Plugin');
 
@@ -112,8 +113,16 @@ sub generate_sdn_config {
         push @iface_config, "up ip route add $cidr dev $vnetid" if $mask == 32 && $ipversion == 4;
         if ($subnet->{snat}) {
             #find outgoing interface
-            my ($outip, $outiface) =
-                PVE::Network::SDN::Zones::Plugin::get_local_route_ip($checkrouteip);
+            my ($outip, $outiface);
+            eval {
+                ($outip, $outiface) =
+                    PVE::Network::SDN::Zones::Plugin::get_local_route_ip($checkrouteip);
+            };
+            if ($@) {
+                my $msg = "interface for SNAT could not be resolved: $@";
+                log_warn($msg);
+                next;
+            }
             if ($outip && $outiface) {
                 #use snat, faster than masquerade
                 push @iface_config,
-- 
2.47.3