From: Stefan Hanreich
To: pve-devel@lists.proxmox.com
Subject: [PATCH pve-firewall 1/1] rules: verify no interface is set for rules with direction forward
Date: Fri, 26 Jun 2026 14:20:17 +0200
Message-ID: <20260626122019.175700-1-s.hanreich@proxmox.com>

It is not possible to specify the iface option for rules with direction forward. This has not been verified by the backend, which made it very easy to accidentally create invalid FORWARD chain rules.
Signed-off-by: Stefan Hanreich --- src/PVE/Firewall.pm | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index 93f8c34..3fc692f 100644 --- a/src/PVE/Firewall.pm +++ b/src/PVE/Firewall.pm @@ -1842,6 +1842,9 @@ sub verify_rule { $add_error->('iface', "value does not match the regex pattern 'net\\d+'") if $rule->{iface} !~ m/^net(\d+)$/; } + + $add_error->('iface', "cannot define an interface on rules with direction FORWARD") + if $type eq 'forward'; } if ($rule->{macro}) { -- 2.47.3
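Review bot: the new forward check in the verify_rule hunk is placed after the existing `net\d+` pattern check on the same field, so a forward rule whose iface also fails that pattern triggers two $add_error calls for 'iface' in a row; moving `$add_error->('iface', "cannot define an interface on rules with direction FORWARD") if $type eq 'forward';` ahead of the pattern check (the rule is rejected outright for forward, so the pattern is irrelevant there) would report the one meaningful error. The context lines only show the closing brace before the insertion, so it is worth double-checking that the new statement still sits inside the block guarded by `$rule->{iface}` and not one level out, otherwise every forward rule without an iface would be rejected too. A test case with a forward rule that sets iface, expected to fail validation, would lock the behaviour described in the commit message in place.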