From: Gabriel Goller
To: Stefan Hanreich
Cc: Proxmox VE development discussion
Date: Mon, 6 Oct 2025 12:14:28 +0200
Subject: Re: [pve-devel] [PATCH ve-rs 1/2] fix: firewall: introduce iptables to nftables mapping for icmpv6-types
In-Reply-To: <0d1a852c-876e-4484-bf19-35d616c7542a@proxmox.com>
References: <20250916093116.114942-1-g.goller@proxmox.com> <20250916093116.114942-2-g.goller@proxmox.com> <0d1a852c-876e-4484-bf19-35d616c7542a@proxmox.com>

On 01.10.2025 18:46, Stefan Hanreich wrote:
>On 9/16/25 11:32 AM, Gabriel Goller wrote:
>> nftables changed the
>> names of the icmpv6-types and they don't overlap
>> completely with the old iptables names. Introduce a mapping that
>> converts old names into the new ones. A few of these are not supported,
>> see here for more info:
>> https://wiki.nftables.org/wiki-nftables/index.php/Supported_features_compared_to_xtables#icmp6
>
>Did you find a reasoning for that? Are they not in use anymore /
>deprecated? Then I guess we should not make that a hard error, but
>possibly a warning and soft failure? In the other case (still in use), I
>think we should still try to generate rules for them.
>
>Since those are configurations that users can have pre-existing, we
>should handle them gracefully instead of just erroring out on
>encountering them.

You're right, I forgot: erroring here in the firewall is not good.

>There are even other possible values that are still not considered here
>like 'TOS-network-unreachable'. Since they are all mappable to a numeric
>type/code combo - we should take all possible values for the field [1]
>[2] to preserve compatibility with existing configurations?
>
>Not sure if they're accurate, but pve-manager seems to have the
>respective information on type / code combinations [3]. Can take a
>closer look at it and send a follow-up.

Yep, I introduced a mapping to type/code for icmpv6 and icmp types as well!

>Not sure if this is a blocker, it might be a bit too obscure / niche to
>prevent this series from getting merged... - can always just do a follow-up.
>
>[1]
>https://git.proxmox.com/?p=pve-firewall.git;a=blob;f=src/PVE/Firewall.pm;h=49430b174bb2fdd56ce586f90bf929c5648f9060;hb=HEAD#l785
>[2]
>https://git.proxmox.com/?p=pve-firewall.git;a=blob;f=src/PVE/Firewall.pm;h=49430b174bb2fdd56ce586f90bf929c5648f9060;hb=HEAD#l826
>[3]
>https://git.proxmox.com/?p=pve-manager.git;a=blob;f=www/manager6/grid/FirewallRules.js;h=0db817ebce0e9254d18f172a6e02a7a12e7a481c;hb=HEAD#l83
>

Thanks for the review!
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
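The two review points above (map every legacy ip6tables name to a numeric type/code so pre-existing configs keep working, and turn unknown names into a warning and soft failure instead of a hard error) as an added example in Rust. This is illustrative code written for this page, not the ve-rs patch under review or any Proxmox code: the `IcmpV6Match` type, the `map_legacy_icmpv6` and `convert_all` functions and the two lookup tables are all assumptions constructed here. The legacy table is built from the `ip6tables -p icmpv6 -h` name list and the RFC 4443 type/code numbers, the nftables side from the symbolic `icmpv6 type` names nft accepts; neither table claims to be exhaustive.

```rust
// Added example, not code from the ve-rs patch under discussion. Legacy
// ip6tables `--icmpv6-type` names become an nft match: a symbolic name where
// nftables has one, otherwise a numeric type (and code). Unknown names are a
// soft failure the caller reports, not an error aborting the whole ruleset.

/// What a legacy name maps to in an nft rule.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum IcmpV6Match {
    /// nftables has a symbolic name for this type (`icmpv6 type <name>`).
    Named(&'static str),
    /// Only expressible numerically: type plus optional code.
    Numeric { ty: u8, code: Option<u8> },
}

impl IcmpV6Match {
    /// Render the match as it appears in an nft rule. Codes are emitted
    /// numerically; nft also accepts symbolic codes, but numbers are always valid.
    pub fn to_nft(&self) -> String {
        match self {
            IcmpV6Match::Named(name) => format!("icmpv6 type {name}"),
            IcmpV6Match::Numeric { ty, code: None } => format!("icmpv6 type {ty}"),
            IcmpV6Match::Numeric { ty, code: Some(code) } => {
                format!("icmpv6 type {ty} icmpv6 code {code}")
            }
        }
    }
}

/// Legacy ip6tables names with their RFC 4443 type/code. Table constructed for
/// this example from the `ip6tables -p icmpv6 -h` list; not the project's table.
const LEGACY_ICMPV6: &[(&str, u8, Option<u8>)] = &[
    ("destination-unreachable", 1, None),
    ("no-route", 1, Some(0)),
    ("communication-prohibited", 1, Some(1)),
    ("beyond-scope", 1, Some(2)),
    ("address-unreachable", 1, Some(3)),
    ("port-unreachable", 1, Some(4)),
    ("packet-too-big", 2, None),
    ("time-exceeded", 3, None),
    ("ttl-exceeded", 3, None),
    ("ttl-zero-during-transit", 3, Some(0)),
    ("ttl-zero-during-reassembly", 3, Some(1)),
    ("parameter-problem", 4, None),
    ("bad-header", 4, Some(0)),
    ("unknown-header-type", 4, Some(1)),
    ("unknown-option", 4, Some(2)),
    ("echo-request", 128, None),
    ("ping", 128, None),
    ("echo-reply", 129, None),
    ("pong", 129, None),
    ("router-solicitation", 133, None),
    ("router-advertisement", 134, None),
    ("neighbour-solicitation", 135, None),
    ("neighbor-solicitation", 135, None),
    ("neighbour-advertisement", 136, None),
    ("neighbor-advertisement", 136, None),
    ("redirect", 137, None),
];

/// Symbolic names nftables accepts for `icmpv6 type`, by type number.
const NFT_ICMPV6_NAMES: &[(u8, &str)] = &[
    (1, "destination-unreachable"), (2, "packet-too-big"), (3, "time-exceeded"),
    (4, "parameter-problem"), (128, "echo-request"), (129, "echo-reply"),
    (133, "nd-router-solicit"), (134, "nd-router-advert"), (135, "nd-neighbor-solicit"),
    (136, "nd-neighbor-advert"), (137, "nd-redirect"),
];

/// Parse the numeric forms iptables also accepts: `128` or `1/3` (type/code).
fn parse_numeric(s: &str) -> Option<(u8, Option<u8>)> {
    match s.split_once('/') {
        Some((ty, code)) => Some((ty.trim().parse().ok()?, Some(code.trim().parse().ok()?))),
        None => Some((s.trim().parse().ok()?, None)),
    }
}

/// Map one legacy name (or numeric type[/code]) to an nft match.
/// Returns None for values neither table knows, so the caller decides the policy.
pub fn map_legacy_icmpv6(name: &str) -> Option<IcmpV6Match> {
    let (ty, code) = LEGACY_ICMPV6
        .iter()
        .find(|(n, _, _)| n.eq_ignore_ascii_case(name))
        .map(|&(_, ty, code)| (ty, code))
        .or_else(|| parse_numeric(name))?;
    // A bare type with an nft symbolic name is written symbolically; anything
    // carrying a code, or a type nft has no name for, goes out numerically.
    match (code, NFT_ICMPV6_NAMES.iter().find(|&&(t, _)| t == ty)) {
        (None, Some(&(_, nft_name))) => Some(IcmpV6Match::Named(nft_name)),
        _ => Some(IcmpV6Match::Numeric { ty, code }),
    }
}

/// Convert every type found in an existing configuration. Unknown values become
/// warnings and the remaining rules are still generated (the soft failure the
/// review asks for) instead of one bad entry taking the whole firewall down.
pub fn convert_all(names: &[&str]) -> (Vec<String>, Vec<String>) {
    let (mut rules, mut warnings) = (Vec::new(), Vec::new());
    for name in names {
        match map_legacy_icmpv6(name) {
            Some(m) => rules.push(m.to_nft()),
            None => warnings.push(format!("skipping rule with unknown icmpv6 type '{name}'")),
        }
    }
    (rules, warnings)
}

fn main() {
    // Constructed sample: values as they might sit in a pre-existing config.
    let (rules, warnings) = convert_all(&[
        "echo-request", "neighbour-solicitation", "ttl-zero-during-transit", "1/3", "bogus",
    ]);
    rules.iter().for_each(|r| println!("{r}"));
    warnings.iter().for_each(|w| eprintln!("warning: {w}"));
}
```

The design choice worth noting is that the lookup never decides policy: `map_legacy_icmpv6` just returns `None`, and `convert_all` is where "warn and keep going" lives, so a stricter caller (a config linter, say) can make the same miss a hard error without touching the tables.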