Message-ID: <0d1a852c-876e-4484-bf19-35d616c7542a@proxmox.com>
Date: Wed, 1 Oct 2025 18:46:36 +0200
From: Stefan Hanreich
To: Proxmox VE development discussion, Gabriel Goller
In-Reply-To: <20250916093116.114942-2-g.goller@proxmox.com>
References: <20250916093116.114942-1-g.goller@proxmox.com> <20250916093116.114942-2-g.goller@proxmox.com>
Subject: Re: [pve-devel] [PATCH ve-rs 1/2] fix: firewall: introduce iptables to nftables mapping for icmpv6-types

On 9/16/25 11:32 AM, Gabriel Goller wrote:
> nftables changed the names of the icmpv6-types and they don't overlap
> completely with the old iptables names. Introduce a mapping that
> converts old names into the new ones. A few of these are not supported,
> see here for more info:
> https://wiki.nftables.org/wiki-nftables/index.php/Supported_features_compared_to_xtables#icmp6

Did you find a reasoning for that? Are they not in use anymore / deprecated? Then I guess we should not make that a hard error, but possibly a warning and soft failure? In the other case (still in use), I think we should still try to generate rules for them.
Since those are configurations that users can have pre-existing, we should handle them gracefully instead of just erroring out on encountering them.

There are even other possible values that are still not considered here, like 'TOS-network-unreachable'. Since they are all mappable to a numeric type/code combo, we should take all possible values for the field [1] [2] to preserve compatibility with existing configurations? Not sure if they're accurate, but pve-manager seems to have the respective information on type / code combinations [3]. Can take a closer look at it and send a follow-up.

Not sure if this is a blocker, it might be a bit too obscure / niche to prevent this series from getting merged... can always just do a follow-up.

[1] https://git.proxmox.com/?p=pve-firewall.git;a=blob;f=src/PVE/Firewall.pm;h=49430b174bb2fdd56ce586f90bf929c5648f9060;hb=HEAD#l785
[2] https://git.proxmox.com/?p=pve-firewall.git;a=blob;f=src/PVE/Firewall.pm;h=49430b174bb2fdd56ce586f90bf929c5648f9060;hb=HEAD#l826
[3] https://git.proxmox.com/?p=pve-manager.git;a=blob;f=www/manager6/grid/FirewallRules.js;h=0db817ebce0e9254d18f172a6e02a7a12e7a481c;hb=HEAD#l83

> Signed-off-by: Gabriel Goller > --- > .../src/firewall/types/rule_match.rs | 33 +++++++++++++++++++ > 1 file changed, 33 insertions(+) > > diff --git a/proxmox-ve-config/src/firewall/types/rule_match.rs b/proxmox-ve-config/src/firewall/types/rule_match.rs > index 7fcd35c80d86..8202cda57895 100644 > --- a/proxmox-ve-config/src/firewall/types/rule_match.rs > +++ b/proxmox-ve-config/src/firewall/types/rule_match.rs
> @@ -697,6 +697,31 @@ const ICMPV6_TYPES: [(&str, u8); 19] = sorted!([ > ("time-exceeded", 3), > ]); > > +/// Some icmp_types are not supported by nftables. See: > +/// https://wiki.nftables.org/wiki-nftables/index.php/Supported_features_compared_to_xtables#icmp6 > +#[sortable] > +const IPTABLES_ICMP_TYPES_MAPPING: [(&str, Option<&str>); 19] = sorted!([ > + ("no-route", None), > + ("communication-prohibited", None), > + ("beyond-scope", None), > + ("address-unreachable", None), > + ("port-unreachable", None), > + ("failed-policy", None), > + ("reject-route'", None), > + ("ttl-zero-during-transit", None), > + ("ttl-zero-during-reassembly", None), > + ("bad-header", None), > + ("unknown-header-type", None), > + ("unknown-option", None), > + ("router-solicitation", Some("nd-router-solicit")), > + ("router-advertisement", Some("nd-router-advert")), > + ("neighbor-solicitation", Some("nd-neighbor-solicit")), > + ("neighbour-solicitation", Some("nd-neighbor-solicit")), > + ("neighbor-advertisement", Some("nd-neighbor-advert")), > + ("neighbour-advertisement", Some("nd-neighbor-advert")), > + ("redirect", Some("nd-redirect")), > +]); > + > impl std::str::FromStr for Icmpv6Type { > type Err = Error; > > @@ -713,6 +738,14 @@ impl std::str::FromStr for Icmpv6Type { > return Ok(Self::Named(ICMPV6_TYPES[index].0)); > } > > + if let Ok(index) = IPTABLES_ICMP_TYPES_MAPPING.binary_search_by(|v| v.0.cmp(s)) { > + if let Some(mapped_nftables_type) = IPTABLES_ICMP_TYPES_MAPPING[index].1 { > + return Ok(Self::Named(mapped_nftables_type)); > + } else { > + bail!("icmp_type {s:?} is unsupported in nftables"); > + } > + } > + > bail!("{s:?} is not a valid icmpv6 type"); > } > } _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
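Review bot: in the first hunk (the `IPTABLES_ICMP_TYPES_MAPPING` table) the entry `("reject-route'", None)` carries a stray single quote inside the string literal, so the key is `reject-route'` rather than the iptables name `reject-route`; a rule using the real name misses this table and falls through to the generic `is not a valid icmpv6 type` error instead of the intended `unsupported in nftables` message. Drop the quote. The doc comment above the table could also mention that it does double duty (renames for the `nd-*` types, `None` for types nftables dropped), since its first sentence only speaks of unsupported types.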
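Review bot: in the second hunk (the `FromStr` change) the `else` branch turns every legacy name in the `None` group into a hard `bail!`, so parsing a pre-existing rule with e.g. `no-route` now fails outright. As the discussion above notes, each of those names corresponds to a fixed ICMPv6 type/code pair under destination-unreachable, time-exceeded or parameter-problem, so the lookup could return a numeric type/code match instead of an error; if that is out of scope for this series, at least consider a warning plus skipping the rule so existing configurations keep loading. The `Some(mapped_nftables_type)` branch is fine as is.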
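One way to implement the graceful handling the reply above argues for, as an added example that is not part of the patch or of proxmox-ve-config: a stand-alone Rust resolver that keeps the patch's lookup order (native nftables name first, then the legacy iptables mapping) but resolves the names nftables dropped to a numeric type/code match instead of bailing. The `NATIVE` table is a hand-picked subset of the crate's 19 names, the tables are hand-sorted rather than built with the crate's `sortable`/`sorted!` macros, the type/code numbers are the standard ICMPv6 assignments from RFC 4443 and RFC 4861 (not given by the patch), and the rendered `icmpv6 type ... icmpv6 code ...` text is illustrative nft syntax, all of which are assumptions of this example.

```rust
// Added example, not code from the patch or from proxmox-ve-config: resolve
// legacy iptables icmpv6-type names without hard-failing on the ones nftables
// dropped. Type/code numbers are the standard ICMPv6 assignments from
// RFC 4443 and RFC 4861; the patch itself does not list them.
use std::fmt;

/// What an icmpv6-type field value resolves to.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Icmpv6Match {
    /// A name nftables accepts directly, e.g. `icmpv6 type nd-redirect`.
    Named(&'static str),
    /// Fallback for names nftables dropped: match on numeric type and code.
    TypeCode { ty: u8, code: u8 },
    /// A bare numeric type given in the config, e.g. `icmpv6 type 128`.
    Numeric(u8),
}

impl fmt::Display for Icmpv6Match {
    /// Render as an nft match expression (illustrative syntax, an assumption).
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            Icmpv6Match::Named(n) => write!(f, "icmpv6 type {n}"),
            Icmpv6Match::Numeric(t) => write!(f, "icmpv6 type {t}"),
            Icmpv6Match::TypeCode { ty, code } => {
                write!(f, "icmpv6 type {ty} icmpv6 code {code}")
            }
        }
    }
}

// All tables are hand-sorted by name (strict byte order) for binary search.

/// Subset of names nftables accepts unchanged (the real crate lists 19).
const NATIVE: &[&str] = &[
    "destination-unreachable", "echo-reply", "echo-request",
    "nd-neighbor-advert", "nd-neighbor-solicit", "nd-redirect",
    "nd-router-advert", "nd-router-solicit", "packet-too-big",
    "parameter-problem", "time-exceeded",
];

/// iptables names that nftables still knows under a different spelling.
const RENAMES: &[(&str, &str)] = &[
    ("neighbor-advertisement", "nd-neighbor-advert"),
    ("neighbor-solicitation", "nd-neighbor-solicit"),
    ("neighbour-advertisement", "nd-neighbor-advert"),
    ("neighbour-solicitation", "nd-neighbor-solicit"),
    ("redirect", "nd-redirect"),
    ("router-advertisement", "nd-router-advert"),
    ("router-solicitation", "nd-router-solicit"),
];

/// iptables names with no nftables name, as (name, type, code). Destination
/// Unreachable is type 1, Time Exceeded type 3, Parameter Problem type 4.
const TYPE_CODES: &[(&str, u8, u8)] = &[
    ("address-unreachable", 1, 3),
    ("bad-header", 4, 0),
    ("beyond-scope", 1, 2),
    ("communication-prohibited", 1, 1),
    ("failed-policy", 1, 5),
    ("no-route", 1, 0),
    ("port-unreachable", 1, 4),
    ("reject-route", 1, 6),
    ("ttl-zero-during-reassembly", 3, 1),
    ("ttl-zero-during-transit", 3, 0),
    ("unknown-header-type", 4, 1),
    ("unknown-option", 4, 2),
];

/// True when `names` is strictly ascending, i.e. safe to binary-search.
pub fn is_strictly_sorted(names: &[&str]) -> bool {
    names.windows(2).all(|w| w[0] < w[1])
}

/// Resolve one icmpv6-type value: native name, then legacy mapping, then a
/// bare number. Only a name found nowhere is an error, so old configs parse.
pub fn resolve_icmpv6_type(s: &str) -> Result<Icmpv6Match, String> {
    if let Ok(i) = NATIVE.binary_search_by(|v| (*v).cmp(s)) {
        return Ok(Icmpv6Match::Named(NATIVE[i]));
    }
    if let Ok(i) = RENAMES.binary_search_by(|v| v.0.cmp(s)) {
        return Ok(Icmpv6Match::Named(RENAMES[i].1));
    }
    if let Ok(i) = TYPE_CODES.binary_search_by(|v| v.0.cmp(s)) {
        let (_, ty, code) = TYPE_CODES[i];
        return Ok(Icmpv6Match::TypeCode { ty, code });
    }
    if let Ok(t) = s.parse::<u8>() {
        return Ok(Icmpv6Match::Numeric(t));
    }
    Err(format!("{s:?} is not a valid icmpv6 type"))
}

fn main() {
    // Constructed sample of icmp-type values as they may occur in old rules.
    for name in ["echo-request", "no-route", "reject-route", "137", "bogus"] {
        match resolve_icmpv6_type(name) {
            Ok(m) => println!("{name:>16} -> {m}"),
            Err(e) => println!("{name:>16} -> error: {e}"),
        }
    }
}
```

The sorted-order check exists because the real crate relies on `sorted!` to guarantee the invariant `binary_search_by` needs; a hand-maintained table without such a check silently misses entries once one is added out of order.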