From: Stefan Hanreich <s.hanreich@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: Re: [RFC manager/network v2 0/3] fix #5066: make generated snat rules flushable
Date: Thu, 25 Jun 2026 17:44:01 +0200
Message-ID: <4c57df22-f070-4da4-970a-b79c7c65bb13@proxmox.com>
In-Reply-To: <20260623133721.29483-1-l.sichert@proxmox.com>
References: <20260623133721.29483-1-l.sichert@proxmox.com>
List-Id: Proxmox VE development discussion

Some things I noticed while testing:

Existing SDN SNAT rules are left untouched and the jump to the PROXMOX-SDN chain is inserted at the bottom of the POSTROUTING chain in the NAT table. Not sure how we'd approach this though, since it's basically impossible for us to tell which NAT rules are managed by us and which NAT rules are not. Maybe we could try to detect this on applying and print a warning at the very least? Maybe inserting the jump at the top, rather than at the bottom, would be better for that reason? Although that might interfere with custom rules...

When applying the network configuration, there is now a small window where no SNAT rule is active. This causes connections initiated during that window to fail. It's easy to reproduce by adding a post-up sleep 5 to any interface block before the SDN blocks get executed. Trying to initiate an outside connection then fails during that 5 second window. Existing connections are unaffected though, since there's a conntrack table entry and that's sufficient for NAT to work.

The only way to work around this I can think of is by creating a new chain with a different name (PROXMOX-SDN-new) and creating the ruleset there. Afterwards, insert the jump to the new chain before the old chain in the NAT table and finally delete the rule jumping to the old chain.
Afterwards, rename the PROXMOX-SDN-new chain to PROXMOX-SDN via the -E option of iptables.

nftables would easily allow for an atomic change in NAT rules. Mixing nftables and iptables should *theoretically* be possible although I'd refrain from it - it's discouraged and asking for trouble imo. Potentially something we should switch over to in PVE 10?

Reloading via `ifreload -a` still leaves us with duplicated rules - but that should be fine imo since our SNAT rules can only change on applying the SDN configuration and then they'd get rewritten anyway.

If there's no pre-existing PROXMOX-SDN chain, then an error will be printed in the task log (albeit the status is shown as OK):

ip6tables: No chain/target/match by that name.

On 6/23/26 3:37 PM, Lukas Sichert wrote:
> When creating a subnet with SNAT enabled and applying the changes, then
> afterwards disabling SNAT and applying the changes again, the iptables
> POSTROUTING rule still persists. This is because ifreload -a only
> executes (post/pre-)down hooks when an interface is removed from
> /etc/network/interfaces, while the (post/pre-)up hooks are always
> executed [1]. As a result, the SNAT rule is not removed by 'ifreload -a' and
> only a restart or 'ifdown' will remove it.
>
> This series moves generated SDN SNAT rules into a dedicated
> 'PROXMOX-SDN' chain in the iptables nat table and adds a jump from
> POSTROUTING to that chain. This keeps the generated rules separate from
> custom rules added by users or other components.
>
> The dedicated chain can then be flushed during network reload, removing
> stale SDN SNAT rules without touching unrelated POSTROUTING rules.
>
> As this changes the generated /etc/network/interfaces.d/sdn output, the
> expected test output is adjusted accordingly.
>
> [1] manpages.debian.org/testing/ifupdown2/ifreload.8.en.html
> Link: https://bugzilla.proxmox.com/show_bug.cgi?id=5066
>
> changes from v1 to v2 (thanks @Stefan):
> - rebase on top of master
> - create chain only when '$is_evpn_gateway' is true
> - add Links to commits
>
>
> network:
>
> Lukas Sichert (2):
>   fix #5066: snat: push evpn snat rules into separate iptables chain
>   fix #5066: snat: push simplezone snat rules into separate iptables
>     chain
>
>  src/PVE/Network/SDN/Zones/EvpnPlugin.pm              | 11 +++++++++--
>  src/PVE/Network/SDN/Zones/SimplePlugin.pm            | 15 ++++++++++++---
>  .../evpn/exitnode_snat/expected_sdn_interfaces       | 16 ++++++++++++----
>  .../simple/ipv4snat/expected_sdn_interfaces          |  8 ++++++--
>  .../simple/ipv6snat/expected_sdn_interfaces          |  8 ++++++--
>  5 files changed, 45 insertions(+), 13 deletions(-)
>
>
> manager:
>
> Lukas Sichert (1):
>   fix #5066: reload networking: flush PROXMOX-SDN iptables chain at
>     reload
>
>  PVE/API2/Network.pm | 3 +++
>  1 file changed, 3 insertions(+)
>
>
> Summary over all repositories:
>   6 files changed, 48 insertions(+), 13 deletions(-)
>
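The chain-swap sequence the reply proposes (build PROXMOX-SDN-new alongside the live chain, insert the jump to it in front of the old jump, drop the old jump and chain, rename with -E), written out as a shell script. This is an added example for this thread, not code from the patch series or from PVE; the function names, the one-rule-body-per-line input format and the MASQUERADE target are assumptions made for the example. All iptables calls go through one ipt() function so the same sequence can be dry-run or pointed at ip6tables.

```shell
#!/bin/sh
# Added example, not PVE code: replace the PROXMOX-SDN nat chain without a
# window in which nat/POSTROUTING has no SDN SNAT rule at all.
# Chain names, input format and the MASQUERADE target are assumptions.
set -eu

CHAIN="${CHAIN:-PROXMOX-SDN}"
NEW="${CHAIN}-new"

# Every iptables call goes through ipt(), so the sequence can be dry-run or
# switched to ip6tables by redefining this one function.
ipt() { iptables -t nat "$@"; }

# 1-based position of the first "-j $1" rule in POSTROUTING, empty if none.
# Only "-A" lines are counted, so the number is what -I expects.
jump_position() {
    ipt -S POSTROUTING | awk -v target="$1" '
        /^-A POSTROUTING / { n++; if ($0 ~ ("-j " target "$")) { print n; exit } }'
}

# $1: file with one rule body per line, e.g. "-s 10.10.0.0/24 -o vmbr0"
# (constructed input format for this example).
swap_snat_chain() {
    rules_file=$1

    # A -new chain left behind by an aborted earlier run would make -N fail.
    if ipt -nL "$NEW" >/dev/null 2>&1; then
        ipt -F "$NEW"
        ipt -X "$NEW"
    fi

    # 1. Build the replacement chain. Nothing references it yet, so the old
    #    chain keeps matching and new connections are still SNATed meanwhile.
    ipt -N "$NEW"
    while IFS= read -r body; do
        [ -n "$body" ] || continue
        # shellcheck disable=SC2086  # splitting the rule body into words is intended
        ipt -A "$NEW" $body -j MASQUERADE
    done < "$rules_file"

    # 2. Re-point POSTROUTING: insert the jump to the new chain directly in
    #    front of the old jump (same position, so user rules keep their order),
    #    or append it if this is the first run and there is no old chain.
    pos=$(jump_position "$CHAIN")
    if [ -n "$pos" ]; then
        ipt -I POSTROUTING "$pos" -j "$NEW"
        # 3. Only now remove the old jump and chain: at every point in between,
        #    POSTROUTING reached a complete set of SDN SNAT rules.
        ipt -D POSTROUTING -j "$CHAIN"
        ipt -F "$CHAIN"
        ipt -X "$CHAIN"
    else
        ipt -A POSTROUTING -j "$NEW"
    fi

    # 4. Renaming is cosmetic in iptables (the jump keeps working), and the
    #    next reload then finds the chain under its canonical name again.
    ipt -E "$NEW" "$CHAIN"
}

# Usage (needs root and iptables): ./snat-swap.sh apply rules.txt
if [ "${1:-}" = "apply" ]; then
    swap_snat_chain "$2"
fi
```

For a dry run, redefine ipt() as `ipt() { echo iptables -t nat "$@"; }` and let `-S POSTROUTING` print a saved listing; for IPv6, point it at ip6tables instead. Existing flows are covered by conntrack either way, as the reply notes; the ordering above only matters for connections initiated while the rules are being rewritten.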