[pve-devel] [PATCH v1 pve-firewall] simulator: ignore CONNMARK --set-mark targets to fix broken tests

[pve-devel] [PATCH v1 pve-firewall] simulator: ignore CONNMARK --set-mark targets to fix broken tests

[Robert Obkircher]

These targets mark connections with the VMID. The value can just be
ignored because the simulator doesn't support restoring it later.

Signed-off-by: Robert Obkircher <r.obkircher@proxmox.com>
---
 src/PVE/FirewallSimulator.pm | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/PVE/FirewallSimulator.pm b/src/PVE/FirewallSimulator.pm
index 0a3100b..cc84d0b 100644
--- a/src/PVE/FirewallSimulator.pm
+++ b/src/PVE/FirewallSimulator.pm
@@ -253,6 +253,10 @@ sub rule_match {
             return undef;
         }
 
+        if ($rule =~ s@^-j CONNMARK --set-mark ($NUMBER_RE)(?:/($NUMBER_RE))?\s*$@@) {
+            return undef;
+        }
+
         if ($rule =~ s/^-j (\S+)\s*$//) {
             return (0, $1);
         }
-- 
2.47.3



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

Re: [pve-devel] [PATCH v1 pve-firewall] simulator: ignore CONNMARK --set-mark targets to fix broken tests

[Stefan Hanreich]

LGTM

Tested-by: Stefan Hanreich <s.hanreich@proxmox.com>
Reviewed-by: Stefan Hanreich <s.hanreich@proxmox.com>

On 12/11/25 3:13 PM, Robert Obkircher wrote:
> These targets mark connections with the VMID. The value can just be
> ignored because the simulator doesn't support restoring it later.
> 
> Signed-off-by: Robert Obkircher <r.obkircher@proxmox.com>
> ---
>  src/PVE/FirewallSimulator.pm | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/src/PVE/FirewallSimulator.pm b/src/PVE/FirewallSimulator.pm
> index 0a3100b..cc84d0b 100644
> --- a/src/PVE/FirewallSimulator.pm
> +++ b/src/PVE/FirewallSimulator.pm
> @@ -253,6 +253,10 @@ sub rule_match {
>              return undef;
>          }
>  
> +        if ($rule =~ s@^-j CONNMARK --set-mark ($NUMBER_RE)(?:/($NUMBER_RE))?\s*$@@) {
> +            return undef;
> +        }
> +
>          if ($rule =~ s/^-j (\S+)\s*$//) {
>              return (0, $1);
>          }



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

[pve-devel] applied: [PATCH v1 pve-firewall] simulator: ignore CONNMARK --set-mark targets to fix broken tests

[Fiona Ebner]

On Thu, 11 Dec 2025 15:10:21 +0100, Robert Obkircher wrote:
> These targets mark connections with the VMID. The value can just be
> ignored because the simulator doesn't support restoring it later.

Applied, with Stefan's R-b and T-B trailers, thanks!

[1/1] simulator: ignore CONNMARK --set-mark targets to fix broken tests
      commit: 6f1311f349daee920c7eedcc6e53d7fc5e2cfdbf


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel