From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id 40D7B1FF1A6 for ; Fri, 5 Dec 2025 12:59:48 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 876EB1753F; Fri, 5 Dec 2025 13:00:14 +0100 (CET) Message-ID: <61d8eb9c-2b58-4db2-a4ad-b0b85ec0cc00@proxmox.com> Date: Fri, 5 Dec 2025 12:59:41 +0100 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird To: Proxmox VE development discussion , Robert Obkircher References: <20251201123424.94742-1-r.obkircher@proxmox.com> Content-Language: en-US From: Stefan Hanreich In-Reply-To: <20251201123424.94742-1-r.obkircher@proxmox.com> X-SPAM-LEVEL: Spam detection results: 0 AWL 0.725 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [firewall.pm] Subject: Re: [pve-devel] [PATCH v1 pve-firewall] fix #7068: show rule comments in iptables output X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox VE development discussion Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pve-devel-bounces@lists.proxmox.com Sender: "pve-devel" Tested this in a similar vein as the nftables one: * "normal" comments * comments that are too long * comments that are too long and do not truncate nicely at the 255 boundary * comments in security groups * emojis in comments afaict the PVECOMMENT: prefix is merely visual? it doesn't serve any functional purpose? At least a quick monkey-patch removing it didn't break anything and judging from the source code it seems fine as well. Imo it would be fine then to completely omit it then (even in the case where rule comments start with PVESIG). mb someone with more experience with perl and utf-8 can chime in on the truncation logic? Tested-by: Stefan Hanreich On 12/1/25 1:33 PM, Robert Obkircher wrote: > Use the iptables comment extension to include comments from the UI. > Prefix them with "PVECOMMENT:" to avoid interfering with the existing > "PVESIG:$sig" comments, which are used to store signatures for change > detection. > > The total length of the (unescaped) comments is limited to 255 utf8 > bytes. According to the man page it could be up to 256 characters, but > the actual implementation seems to zero terminate the buffer before > saving. For example, the following command produces a 255 char comment > ending in 'a': > iptables -A PVEFW-HOST-IN -m comment --comment $(python3 -c "print('ab'*256)") > > Unlike the iptables command, this version truncates to valid utf8. > > Signed-off-by: Robert Obkircher > --- > src/PVE/Firewall.pm | 17 ++++++++++++++++- > 1 file changed, 16 insertions(+), 1 deletion(-) > > diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm > index 93f8c34..688829a 100644 > --- a/src/PVE/Firewall.pm > +++ b/src/PVE/Firewall.pm > @@ -2271,6 +2271,20 @@ sub ipt_gen_src_or_dst_match { > return $match; > } > > +sub print_ipt_comment { > + my ($comment) = @_; > + return "" if !defined($comment) || $comment eq ""; > + $comment = encode("utf8", $comment, Encode::LEAVE_SRC); > + $comment = "PVECOMMENT:$comment"; # avoid any confusion with PVESIG comments > + > + # man iptables-extensions says 256 chars, but the code only saves 255 > + $comment = substr($comment, 0, 255); > + $comment = encode('utf8', decode('utf8', $comment, Encode::FB_QUIET | Encode::LEAVE_SRC)); > + > + $comment =~ s/[\\"']/\\$1/g; # escape logic from xtables_save_string > + return " -m comment --comment \"$comment\""; # never omit quotes because of the colon > +} > + > # convert a %rule to an array of iptables commands > sub ipt_rule_to_cmds { > my ($rule, $chain, $ipversion, $cluster_conf, $fw_conf, $vmid) = @_; > @@ -2375,7 +2389,8 @@ sub ipt_rule_to_cmds { > my $logaction = get_log_rule_base($chain, $vmid, $rule->{logmsg}, $loglevel); > push @iptcmds, "-A $chain $matchstr $logaction"; > } > - push @iptcmds, "-A $chain $matchstr $targetstr"; > + my $comment = print_ipt_comment($rule->{comment}); > + push @iptcmds, "-A $chain $matchstr $targetstr$comment"; > return @iptcmds; > } > _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel