From: Stefan Hanreich <s.hanreich@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: Re: [PATCH network] fix #6255: SNAT: fix incorrect IP collection for sdn config
Date: Thu, 12 Mar 2026 14:20:54 +0100 [thread overview]
Message-ID: <23ea11b7-0903-4ffe-99f3-66e2cbdfd9f0@proxmox.com> (raw)
In-Reply-To: <20260309091346.20049-1-l.sichert@proxmox.com>
Thanks for looking at this! Some comments inline.
On 3/9/26 10:14 AM, Lukas Sichert wrote:
[snip]
> @@ -296,6 +297,24 @@ sub get_local_route_ip {
>
> },
> );
> + my $interface_in_config = $interfaces_config->{ifaces}->{$interface};
> + my $ip_address_in_config = $interface_in_config->{address};
> + my $gateway_in_config = $interface_in_config->{gateway};
> +
> +# if the device currently used for routing still has a valid description in /network/interfaces/, use it
> + if ($interface_in_config && $gateway_in_config) {
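Review bot: the `address` and `gateway` reads on the `my $ip_address_in_config` / `my $gateway_in_config` lines dereference $interface_in_config before the `if ($interface_in_config && $gateway_in_config)` guard tests it; an rvalue hash dereference of an undef lexical autovivifies it into an empty hashref (unless the module runs under `no autovivification`), so $interface_in_config is never false afterwards and the later `if (!$interface_in_config)` warning for an interface that is missing from /etc/network/interfaces cannot fire. Check definedness first, e.g. `return ($ip, $interface) if !$interface_in_config;` right after the `->{ifaces}->{$interface}` lookup, and only then read `address`/`gateway`. The comment above the guard also refers to "/network/interfaces/" while the messages below say /etc/network/interfaces.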
This only checks for the IPv4 case. But $targetip could be an IPv6
address as well, in which case we would have to check for address6 /
gateway6 respectively.
E.g. the following configuration on a test host:
auto vmbr0
iface vmbr0 inet static
    address 192.0.2.10/24
    gateway 192.0.2.1
    bridge-ports nic0
    bridge-stp off
    bridge-fd 0

iface vmbr0 inet6 static
    address 2001:db8::1234/64
with the following SDN config:
subnet: simplez-fc80::-60
    vnet simplnet
    gateway fc80::1
    snat 1
Results in an error, because the plugin tries to create an IPv6 NAT rule
with an IPv4 source:
simplnet : warning: simplnet: post-up cmd 'ip6tables -t nat -A
POSTROUTING -s 'fc80::/60' -o vmbr0 -j SNAT --to-source 192.0.2.10'
failed: returned 2 (ip6tables v1.8.11 (legacy): Bad IP address "192.0.2.10"
-------------------------------
There's also the case of users announcing a default GW via a dynamic
routing protocol. Usually it is advisable to configure a default gateway
in this case as a fallback, but with this change we'd always utilize the
fallback gateway instead of the *actual* gateway.
I can see this happening in some setups where the gateways announce
routes for 0.0.0.0/1 and 128.0.0.0/1 - effectively making them the
default routes.
> + if ($ip_address_in_config ne $ip) {
whilst probably a bit niche - for IPv6, if we want to be super correct,
we cannot do a simple comparison, since it is possible to express the
same IP address in a multitude of ways. This is actually an issue in
find_local_ip_interface_peers as well.
Technically this holds true for IPv4 as well, so if we want to be really
correct we'd always need to parse the address and use the canonicalized
form there as well.
> + syslog( "warning",
> +"ip address $ip_address_in_config of interface $interface in /etc/network/interfaces does not match with it ip address reported by ip route: $ip, switching to $ip_address_in_config for SNAT"
> + );
> + }
> + return ($ip_address_in_config, $interface);
> + }
> +
> + if (!$interface_in_config) {
> + syslog( "warning", "current SNAT networking interface $interface is not listed in /etc/network/interfaces anymore");
> + } elsif (!$gateway_in_config && $ip_address_in_config) {
> + syslog( "warning", "currently used networking interface $interface does not have a gateway configured in /etc/network/interfaces"); }
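Review bot: the first warning text reads "does not match with it ip address reported by ip route"; it should be "does not match its IP address reported by ip route". The closing `}` of the `elsif` branch is also placed on the same line as the syslog call, which breaks the block layout used by the surrounding code; put it on its own line.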
I know we talked about this already, but I'm not so sure anymore that
printing a warning here is such a good idea, because it can trigger in
quite a few scenarios that are completely legitimate and might confuse
users more than they help:
* Changing a network interface name (which would be only once at least)
* Configuring a gateway via post-up commands in the interfaces config
* Moving the default gateway to another interface
[snip]
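An added example (not code from the patch, from pve-network, or from anyone in this thread) of the two points raised above: selecting the `address`/`gateway` or `address6`/`gateway6` pair by the family of the SNAT target, and comparing addresses in canonical form instead of as raw strings. The `$ifaces` hash is a constructed stand-in for the parsed `$interfaces_config->{ifaces}` data the patch reads; `canonical_ip`, `same_ip` and `config_source_for_family` are hypothetical names. Only the core `Socket` module is used.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Socket qw(AF_INET AF_INET6 inet_pton inet_ntop);

# Constructed stand-in for $interfaces_config->{ifaces}: vmbr0 has an IPv4
# stanza with a gateway and an IPv6 stanza with an address but no gateway6,
# matching the test host configuration quoted in the reply above.
my $ifaces = {
    vmbr0 => {
        address  => '192.0.2.10/24',
        gateway  => '192.0.2.1',
        address6 => '2001:DB8:0:0::1234/64',   # same address, non-canonical spelling
    },
};

# Parse an address (with or without a /prefix suffix) and return
# (family, canonical_text), or an empty list if it is not a valid address.
sub canonical_ip {
    my ($text) = @_;
    return unless defined $text;
    my ($addr) = split m{/}, $text, 2;   # drop the prefix length, if any
    for my $family (AF_INET, AF_INET6) {
        my $packed = inet_pton($family, $addr);
        return ($family, inet_ntop($family, $packed)) if defined $packed;
    }
    return;
}

# True when both texts denote the same address, whatever the spelling
# (leading zeros, hex case, :: compression) or prefix suffix.
sub same_ip {
    my ($x, $y) = @_;
    my ($fx, $cx) = canonical_ip($x);
    my ($fy, $cy) = canonical_ip($y);
    return 0 unless defined $fx && defined $fy;
    return ($fx == $fy && $cx eq $cy) ? 1 : 0;
}

# Pick the configured source address and gateway for the family of the
# SNAT target. Returns undef when the interface has no complete stanza for
# that family, so the caller can keep the `ip route` result instead of
# mixing an IPv4 source into an ip6tables rule.
sub config_source_for_family {
    my ($ifaces, $interface, $target) = @_;
    my ($family) = canonical_ip($target);
    return unless defined $family;

    my $iface = $ifaces->{$interface};
    return unless $iface;                 # test before dereferencing

    my ($addr_key, $gw_key) = $family == AF_INET6
        ? ('address6', 'gateway6')
        : ('address',  'gateway');
    return unless defined $iface->{$addr_key} && defined $iface->{$gw_key};

    my (undef, $canon) = canonical_ip($iface->{$addr_key});
    return unless defined $canon;
    return { family => $family, address => $canon, gateway => $iface->{$gw_key} };
}

# Usage: the IPv4 target resolves to the IPv4 stanza; the IPv6 target finds
# address6 but no gateway6 and yields undef rather than 192.0.2.10.
if (!caller) {
    my $v4 = config_source_for_family($ifaces, 'vmbr0', '192.0.2.0/24');
    printf "v4: %s via %s\n", $v4->{address}, $v4->{gateway};

    my $v6 = config_source_for_family($ifaces, 'vmbr0', 'fc80::/60');
    print "v6: no address6/gateway6 pair, keep the ip route result\n" unless $v6;

    print "same address: ", same_ip('2001:DB8:0:0::1234/64', '2001:db8::1234'), "\n";
}
```

The string comparison in the patch would report a mismatch for `2001:DB8:0:0::1234/64` versus `2001:db8::1234`; `same_ip` normalizes both through `inet_pton`/`inet_ntop` first. `canonical_ip` tries AF_INET before AF_INET6, so the family it reports also decides which stanza keys are consulted.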
Thread overview: 3+ messages
2026-03-09  9:13 Lukas Sichert
2026-03-10  9:09 ` Gabriel Goller
2026-03-12 13:20 ` Stefan Hanreich [this message]