* [PATCH proxmox-firewall 0/2] Fix auto-generated IPAM ipsets in firewall
From: Stefan Hanreich @ 2026-02-12 8:48 UTC (permalink / raw)
To: pve-devel
proxmox-firewall did not include the auto-generated IPAM ipsets when looking up
ipsets in the firewall rule generation logic. This would cause proxmox-firewall
to fail generating a ruleset when those IPAM ipsets were included in the
ruleset. This is a regression introduced in the patch series that added support
for legacy ipset / alias names [1].
This issue was reported in the forum by a user [2].
[1] https://lore.proxmox.com/all/20250925122403.230867-1-s.hanreich@proxmox.com/
[2] https://forum.proxmox.com/threads/sdn-aliases-not-found-by-firewall.180549/
proxmox-firewall:
Stefan Hanreich (2):
firewall: chore: autoformat imports
firewall: fix ipset lookup for auto-generated ipam ipsets
proxmox-firewall/src/config.rs | 48 +++-
proxmox-firewall/src/firewall.rs | 11 +-
proxmox-firewall/tests/input/host.fw | 2 +
.../integration_tests__firewall.snap | 250 +++++++++++++++++-
4 files changed, 293 insertions(+), 18 deletions(-)
Summary over all repositories:
4 files changed, 293 insertions(+), 18 deletions(-)
--
Generated by git-murpp 0.8.0
* [PATCH proxmox-firewall 1/2] firewall: chore: autoformat imports
From: Stefan Hanreich @ 2026-02-12 8:48 UTC (permalink / raw)
To: pve-devel
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
---
proxmox-firewall/src/config.rs | 8 ++++----
proxmox-firewall/src/firewall.rs | 6 +++---
2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/proxmox-firewall/src/config.rs b/proxmox-firewall/src/config.rs
index 9d82c60..3854f71 100644
--- a/proxmox-firewall/src/config.rs
+++ b/proxmox-firewall/src/config.rs
@@ -3,7 +3,7 @@ use std::default::Default;
use std::fs::{self, DirEntry, File, ReadDir};
use std::io::{self, BufReader};
-use anyhow::{Context, Error, bail, format_err};
+use anyhow::{bail, format_err, Context, Error};
use proxmox_log as log;
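Review bot: the removed import lines (`use anyhow::{Context, Error, bail, format_err};`) carry the uppercase-first ordering that a rustfmt running with the 2024 style edition emits, and the added lines restore the older lowercase-first ordering, so this hunk (and the sibling hunks that move `types::Ipset` below `types::ipset::{...}`) looks like a formatter-version mismatch rather than a deliberate style choice. Pin `style_edition` in a rustfmt.toml at the crate root so the next contributor running a newer rustfmt does not flip these imports back.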
@@ -13,16 +13,16 @@ use proxmox_ve_config::firewall::guest::Config as GuestConfig;
use proxmox_ve_config::firewall::host::Config as HostConfig;
use proxmox_ve_config::firewall::types::alias::{Alias, AliasScope, RuleAliasName};
-use proxmox_ve_config::firewall::types::Ipset;
use proxmox_ve_config::firewall::types::ipset::{IpsetScope, RuleIpsetName};
+use proxmox_ve_config::firewall::types::Ipset;
use proxmox_ve_config::guest::types::Vmid;
use proxmox_ve_config::guest::{GuestEntry, GuestMap};
use proxmox_ve_config::host::types::BridgeName;
-use proxmox_network_api::{AltnameMapping, get_network_interfaces};
-use proxmox_nftables::NftClient;
+use proxmox_network_api::{get_network_interfaces, AltnameMapping};
use proxmox_nftables::command::{CommandOutput, Commands, List, ListOutput};
use proxmox_nftables::types::ListChain;
+use proxmox_nftables::NftClient;
use proxmox_ve_config::sdn::{
config::{RunningConfig, SdnConfig},
ipam::{Ipam, IpamJson},
diff --git a/proxmox-firewall/src/firewall.rs b/proxmox-firewall/src/firewall.rs
index 2dbfef7..58f4aec 100644
--- a/proxmox-firewall/src/firewall.rs
+++ b/proxmox-firewall/src/firewall.rs
@@ -1,7 +1,7 @@
use std::collections::BTreeMap;
use std::fs;
-use anyhow::{Error, bail};
+use anyhow::{bail, Error};
use proxmox_log as log;
@@ -25,17 +25,17 @@ use proxmox_ve_config::firewall::guest::Config as GuestConfig;
use proxmox_ve_config::firewall::host::Config as HostConfig;
use proxmox_network_types::ip_address::{Cidr, Ipv4Cidr, Ipv6Cidr};
-use proxmox_ve_config::firewall::types::Group;
use proxmox_ve_config::firewall::types::ipset::{
Ipfilter, Ipset, IpsetEntry, IpsetName, IpsetScope,
};
use proxmox_ve_config::firewall::types::log::{LogLevel as ConfigLogLevel, LogRateLimit};
use proxmox_ve_config::firewall::types::rule::{Direction, Verdict as ConfigVerdict};
+use proxmox_ve_config::firewall::types::Group;
use proxmox_ve_config::guest::types::Vmid;
use crate::config::FirewallConfig;
use crate::object::{NftObjectEnv, ToNftObjects};
-use crate::rule::{NftRule, NftRuleEnv, generate_verdict};
+use crate::rule::{generate_verdict, NftRule, NftRuleEnv};
static CLUSTER_TABLE_NAME: &str = "proxmox-firewall";
static HOST_TABLE_NAME: &str = "proxmox-firewall";
--
2.47.3
* [PATCH proxmox-firewall 2/2] firewall: fix ipset lookup for auto-generated ipam ipsets
From: Stefan Hanreich @ 2026-02-12 8:48 UTC (permalink / raw)
To: pve-devel
In commit 1a917517 the ipset lookup function was adapted such that it
can support both legacy ipset names as well as the new format that
includes scopes. During this change, the function that performs the
lookup for the SDN scope only included ipsets from the SDN
configuration, but not the IPAM configuration. While the IPAM ipsets
were correctly generated, the firewall refused to generate rules that
included the IPAM ipsets, since they were not found in the lookup
function. Adapt the lookup function to consider the IPAM ipsets as
well to fix this issue.
Also add respective rules to the integration tests, which would have
caught this issue.
Reported in the forum by a user [1].
[1] https://forum.proxmox.com/threads/sdn-aliases-not-found-by-firewall.180549/
Fixes: 1a917517
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
---
proxmox-firewall/src/config.rs | 40 ++-
proxmox-firewall/src/firewall.rs | 5 +-
proxmox-firewall/tests/input/host.fw | 2 +
.../integration_tests__firewall.snap | 250 +++++++++++++++++-
4 files changed, 286 insertions(+), 11 deletions(-)
diff --git a/proxmox-firewall/src/config.rs b/proxmox-firewall/src/config.rs
index 3854f71..11d9119 100644
--- a/proxmox-firewall/src/config.rs
+++ b/proxmox-firewall/src/config.rs
@@ -274,6 +274,21 @@ impl FirewallSdnConfig {
}
}
+pub struct FirewallIpamConfig {
+ _config: Ipam,
+ ipsets: BTreeMap<String, Ipset>,
+}
+
+impl FirewallIpamConfig {
+ pub fn ipsets(&self) -> &BTreeMap<String, Ipset> {
+ &self.ipsets
+ }
+
+ pub fn ipset(&self, name: &str) -> Option<&Ipset> {
+ self.ipsets.get(name)
+ }
+}
+
pub struct FirewallConfig {
cluster_config: ClusterConfig,
host_config: HostConfig,
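Review bot: `_config: Ipam` in the new `FirewallIpamConfig` is stored but never read; the leading underscore only silences the dead-code lint, and nothing in this series uses the retained `Ipam`. Either drop the field and keep only the `ipsets` map, or add a short comment naming the caller that will need the full IPAM data so the extra copy is visibly intentional.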
@@ -281,7 +296,7 @@ pub struct FirewallConfig {
bridge_config: BTreeMap<BridgeName, BridgeConfig>,
nft_config: BTreeMap<String, ListChain>,
sdn_config: Option<FirewallSdnConfig>,
- ipam_config: Option<Ipam>,
+ ipam_config: Option<FirewallIpamConfig>,
interface_mapping: AltnameMapping,
}
@@ -362,11 +377,23 @@ impl FirewallConfig {
})
}
- pub fn parse_ipam(firewall_loader: &dyn FirewallConfigLoader) -> Result<Option<Ipam>, Error> {
+ pub fn parse_ipam(
+ firewall_loader: &dyn FirewallConfigLoader,
+ ) -> Result<Option<FirewallIpamConfig>, Error> {
Ok(match firewall_loader.ipam()? {
Some(data) => {
let raw_ipam: IpamJson = serde_json::from_reader(data)?;
- Some(Ipam::try_from(raw_ipam)?)
+ let ipam = Ipam::try_from(raw_ipam)?;
+
+ let ipsets = ipam
+ .ipsets(None)
+ .map(|ipset| (ipset.name().name().to_string(), ipset))
+ .collect();
+
+ Some(FirewallIpamConfig {
+ _config: ipam,
+ ipsets,
+ })
}
_ => None,
})
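Review bot: the map built here is keyed by `ipset.name().name().to_string()`, the bare name, whereas the code this replaces in firewall.rs keyed by `ipset.name().to_string()`; make sure `create_ipsets` does not use the map key for the nftables set name, otherwise the generated `@v4-sdn/...` names would change. Independently, `.collect()` into a `BTreeMap` keeps only the last entry when two IPAM-generated ipsets share a bare name, silently dropping a set a rule may reference; if the generator guarantees unique names, say so in a comment, otherwise detect the duplicate and `bail!`.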
@@ -446,7 +473,7 @@ impl FirewallConfig {
self.sdn_config.as_ref()
}
- pub fn ipam(&self) -> Option<&Ipam> {
+ pub fn ipam(&self) -> Option<&FirewallIpamConfig> {
self.ipam_config.as_ref()
}
@@ -497,7 +524,10 @@ impl FirewallConfig {
match name {
RuleIpsetName::Scoped(ipset_name) => match ipset_name.scope() {
- IpsetScope::Sdn => self.sdn()?.ipset(ipset_name.name()),
+ IpsetScope::Sdn => self
+ .sdn()?
+ .ipset(ipset_name.name())
+ .or_else(|| self.ipam()?.ipset(ipset_name.name())),
IpsetScope::Datacenter => self.cluster().ipset(ipset_name.name()),
IpsetScope::Guest => {
vmid.and_then(|vmid| self.guest_ipset(ipset_name.name(), vmid))
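Review bot: `self.sdn()?` still returns `None` for the whole arm before the new `.or_else` is reached, so with no SDN config loaded but an IPAM config present the IPAM ipsets remain unresolvable. If that combination can occur, write the first half as `self.sdn().and_then(|sdn| sdn.ipset(ipset_name.name()))` so the IPAM fallback is tried on its own; if IPAM data implies an SDN config is always present, a one-line comment stating that invariant would make the `?` read as intentional rather than as a leftover of the regressed version.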
diff --git a/proxmox-firewall/src/firewall.rs b/proxmox-firewall/src/firewall.rs
index 58f4aec..65da889 100644
--- a/proxmox-firewall/src/firewall.rs
+++ b/proxmox-firewall/src/firewall.rs
@@ -249,10 +249,7 @@ impl Firewall {
}
if let Some(ipam_config) = self.config.ipam() {
- let ipsets = ipam_config
- .ipsets(None)
- .map(|ipset| (ipset.name().to_string(), ipset))
- .collect();
+ let ipsets = ipam_config.ipsets();
self.create_ipsets(&mut commands, &ipsets, &cluster_host_table, None)?;
self.create_ipsets(&mut commands, &ipsets, &guest_table, None)?;
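Review bot: `ipsets` is now a `&BTreeMap<String, Ipset>`, so the unchanged `&ipsets` arguments on the two `create_ipsets` calls pass `&&BTreeMap` and rely on deref coercion; it compiles, but the extra borrow suggests a freshly built map. Pass `ipsets` directly (or inline `ipam_config.ipsets()` into the calls) to match the intent of the change.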
diff --git a/proxmox-firewall/tests/input/host.fw b/proxmox-firewall/tests/input/host.fw
index 7b89aad..6b117f6 100644
--- a/proxmox-firewall/tests/input/host.fw
+++ b/proxmox-firewall/tests/input/host.fw
@@ -24,4 +24,6 @@ IN ACCEPT --icmp-type neighbor-solicitation --proto ipv6-icmp --log info
IN Ping(REJECT)
IN REJECT -p udp --dport 443
OUT REJECT -p udp --dport 443
+FORWARD DROP --source +sdn/guest-ipam-101 --dest +sdn/guest-ipam-101
+FORWARD DROP --source +sdn/public-all --dest +sdn/public-gateway
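Review bot: both new rules exercise the happy path only, a resolvable `+sdn/...` reference for an IPAM set and for an SDN set. Since the failure mode being fixed is "lookup misses, ruleset generation aborts", add a negative integration test alongside (a rule referencing a `+sdn/` ipset that does not exist, with the generator expected to return an error) so the fail-closed behaviour the commit message relies on is pinned too and a future change cannot silently turn a missing set into a rule that matches nothing.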
diff --git a/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap b/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap
index 79cb882..3157473 100644
--- a/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap
+++ b/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap
@@ -1,8 +1,6 @@
---
source: proxmox-firewall/tests/integration_tests.rs
-assertion_line: 127
expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
-snapshot_kind: text
---
{
"nftables": [
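Review bot: the removal of `assertion_line` and `snapshot_kind` from the snapshot header is unrelated churn from a different insta version, not part of the fix; harmless, but mention it in the commit message so the next reader does not look for a behavioural cause behind the header change.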
@@ -4073,6 +4071,254 @@ snapshot_kind: text
}
}
},
+ {
+ "add": {
+ "rule": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "chain": "host-forward",
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "ip",
+ "field": "saddr"
+ }
+ },
+ "right": "@v4-sdn/guest-ipam-101"
+ }
+ },
+ {
+ "match": {
+ "op": "!=",
+ "left": {
+ "payload": {
+ "protocol": "ip",
+ "field": "saddr"
+ }
+ },
+ "right": "@v4-sdn/guest-ipam-101-nomatch"
+ }
+ },
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "ip",
+ "field": "daddr"
+ }
+ },
+ "right": "@v4-sdn/guest-ipam-101"
+ }
+ },
+ {
+ "match": {
+ "op": "!=",
+ "left": {
+ "payload": {
+ "protocol": "ip",
+ "field": "daddr"
+ }
+ },
+ "right": "@v4-sdn/guest-ipam-101-nomatch"
+ }
+ },
+ {
+ "drop": null
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "chain": "host-forward",
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "ip6",
+ "field": "saddr"
+ }
+ },
+ "right": "@v6-sdn/guest-ipam-101"
+ }
+ },
+ {
+ "match": {
+ "op": "!=",
+ "left": {
+ "payload": {
+ "protocol": "ip6",
+ "field": "saddr"
+ }
+ },
+ "right": "@v6-sdn/guest-ipam-101-nomatch"
+ }
+ },
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "ip6",
+ "field": "daddr"
+ }
+ },
+ "right": "@v6-sdn/guest-ipam-101"
+ }
+ },
+ {
+ "match": {
+ "op": "!=",
+ "left": {
+ "payload": {
+ "protocol": "ip6",
+ "field": "daddr"
+ }
+ },
+ "right": "@v6-sdn/guest-ipam-101-nomatch"
+ }
+ },
+ {
+ "drop": null
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "chain": "host-forward",
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "ip",
+ "field": "saddr"
+ }
+ },
+ "right": "@v4-sdn/public-all"
+ }
+ },
+ {
+ "match": {
+ "op": "!=",
+ "left": {
+ "payload": {
+ "protocol": "ip",
+ "field": "saddr"
+ }
+ },
+ "right": "@v4-sdn/public-all-nomatch"
+ }
+ },
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "ip",
+ "field": "daddr"
+ }
+ },
+ "right": "@v4-sdn/public-gateway"
+ }
+ },
+ {
+ "match": {
+ "op": "!=",
+ "left": {
+ "payload": {
+ "protocol": "ip",
+ "field": "daddr"
+ }
+ },
+ "right": "@v4-sdn/public-gateway-nomatch"
+ }
+ },
+ {
+ "drop": null
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "chain": "host-forward",
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "ip6",
+ "field": "saddr"
+ }
+ },
+ "right": "@v6-sdn/public-all"
+ }
+ },
+ {
+ "match": {
+ "op": "!=",
+ "left": {
+ "payload": {
+ "protocol": "ip6",
+ "field": "saddr"
+ }
+ },
+ "right": "@v6-sdn/public-all-nomatch"
+ }
+ },
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "ip6",
+ "field": "daddr"
+ }
+ },
+ "right": "@v6-sdn/public-gateway"
+ }
+ },
+ {
+ "match": {
+ "op": "!=",
+ "left": {
+ "payload": {
+ "protocol": "ip6",
+ "field": "daddr"
+ }
+ },
+ "right": "@v6-sdn/public-gateway-nomatch"
+ }
+ },
+ {
+ "drop": null
+ }
+ ]
+ }
+ }
+ },
{
"add": {
"set": {
--
2.47.3
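The lookup described in the commit message, modelled as a stand-alone Rust example added here for illustration; it is not proxmox-firewall code and reuses none of its types. The `+sdn/name` spelling is the one used in tests/input/host.fw; the `+dc/` and `+guest/` prefixes, the unscoped legacy form, and its guest-then-datacenter precedence are assumptions of the model. `lookup_before_fix` reproduces the regression (the SDN arm returns early and never consults the IPAM-generated sets), `lookup` reproduces the fix but written with `and_then` so it still resolves when no SDN table is loaded, and `resolve_rule` shows the fail-closed behaviour the commit message relies on: an unresolvable reference aborts generation instead of emitting a rule that silently matches nothing.

```rust
use std::collections::BTreeMap;

/// Ipset scopes, mirroring `IpsetScope::{Sdn, Datacenter, Guest}` in the patch.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Scope { Sdn, Datacenter, Guest }

/// An ipset reference as written in a rule file. `+sdn/name` comes from host.fw;
/// `+dc/`, `+guest/` and the unscoped legacy `+name` are assumptions of this model.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum RuleIpsetName {
    Scoped { scope: Scope, name: String },
    Legacy(String),
}

impl RuleIpsetName {
    /// Parse a `+...` token; any other token is not an ipset reference.
    pub fn parse(token: &str) -> Option<Self> {
        let body = token.strip_prefix('+')?;
        if body.is_empty() { return None; }
        let scoped = |scope: Scope, name: &str| Self::Scoped { scope, name: name.to_string() };
        match body.split_once('/') {
            Some(("sdn", name)) => Some(scoped(Scope::Sdn, name)),
            Some(("dc", name)) => Some(scoped(Scope::Datacenter, name)),
            Some(("guest", name)) => Some(scoped(Scope::Guest, name)),
            Some(_) => None,
            None => Some(Self::Legacy(body.to_string())),
        }
    }
}

/// Stand-in for an ipset: name plus entries (nomatch flags are omitted).
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Ipset { pub name: String, pub cidrs: Vec<String> }

/// Per-scope ipset tables keyed by bare name, like the patched `parse_ipam`.
#[derive(Default)]
pub struct Config {
    pub cluster: BTreeMap<String, Ipset>,
    pub sdn: Option<BTreeMap<String, Ipset>>,
    pub ipam: Option<BTreeMap<String, Ipset>>,
    pub guests: BTreeMap<u32, BTreeMap<String, Ipset>>,
}

impl Config {
    /// Regressed behaviour: the SDN arm consults only the SDN table (`?` returns early).
    pub fn lookup_before_fix(&self, r: &RuleIpsetName, vmid: Option<u32>) -> Option<&Ipset> {
        match r {
            RuleIpsetName::Scoped { scope: Scope::Sdn, name } => self.sdn.as_ref()?.get(name),
            other => self.lookup_non_sdn(other, vmid),
        }
    }

    /// Fixed behaviour: SDN table first, then the IPAM-generated sets. `and_then` instead
    /// of `?` keeps the IPAM fallback reachable even when no SDN table is loaded at all.
    pub fn lookup(&self, r: &RuleIpsetName, vmid: Option<u32>) -> Option<&Ipset> {
        match r {
            RuleIpsetName::Scoped { scope: Scope::Sdn, name } => {
                let from_sdn = self.sdn.as_ref().and_then(|sdn| sdn.get(name));
                from_sdn.or_else(|| self.ipam.as_ref()?.get(name))
            }
            other => self.lookup_non_sdn(other, vmid),
        }
    }

    fn guest_ipset(&self, name: &str, vmid: Option<u32>) -> Option<&Ipset> {
        self.guests.get(&vmid?)?.get(name)
    }

    /// Datacenter, guest and legacy resolution are untouched by the fix; legacy names
    /// are assumed to resolve guest-first, then datacenter.
    fn lookup_non_sdn(&self, r: &RuleIpsetName, vmid: Option<u32>) -> Option<&Ipset> {
        match r {
            RuleIpsetName::Scoped { scope: Scope::Datacenter, name } => self.cluster.get(name),
            RuleIpsetName::Scoped { scope: Scope::Guest, name } => self.guest_ipset(name, vmid),
            RuleIpsetName::Scoped { scope: Scope::Sdn, .. } => None,
            RuleIpsetName::Legacy(name) => self.guest_ipset(name, vmid).or_else(|| self.cluster.get(name)),
        }
    }
}

/// Resolve every ipset reference in a rule. An unresolved reference is a hard error:
/// refusing to generate the ruleset beats emitting a rule that matches nothing.
pub fn resolve_rule<'a>(cfg: &'a Config, rule: &[&str], vmid: Option<u32>) -> Result<Vec<&'a Ipset>, String> {
    let mut resolved = Vec::new();
    for token in rule {
        if let Some(reference) = RuleIpsetName::parse(token) {
            match cfg.lookup(&reference, vmid) {
                Some(set) => resolved.push(set),
                None => return Err(format!("no such ipset: {}", token)),
            }
        }
    }
    Ok(resolved)
}

/// Constructed sample data (not from the patch) using the set names that appear in host.fw.
pub fn sample_config() -> Config {
    let set = |name: &str, cidr: &str| Ipset { name: name.to_string(), cidrs: vec![cidr.to_string()] };
    let mut cfg = Config::default();
    cfg.cluster.insert("management".to_string(), set("management", "10.0.0.0/24"));
    cfg.sdn = Some(BTreeMap::from([
        ("public-all".to_string(), set("public-all", "192.0.2.0/24")),
        ("public-gateway".to_string(), set("public-gateway", "192.0.2.1/32")),
    ]));
    cfg.ipam = Some(BTreeMap::from([("guest-ipam-101".to_string(), set("guest-ipam-101", "192.0.2.101/32"))]));
    cfg
}
```

To watch the regression, substitute `lookup_before_fix` for `lookup` inside `resolve_rule`: a rule naming `+sdn/guest-ipam-101` then fails with `no such ipset` while `+sdn/public-all` still resolves, which is exactly the asymmetry the forum report describes (the IPAM sets were generated, yet rules referring to them could not be built).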
* applied: [PATCH proxmox-firewall 0/2] Fix auto-generated IPAM ipsets in firewall
From: Thomas Lamprecht @ 2026-02-16 19:22 UTC (permalink / raw)
To: pve-devel, Stefan Hanreich
On Thu, 12 Feb 2026 09:48:28 +0100, Stefan Hanreich wrote:
> proxmox-firewall did not include the auto-generated IPAM ipsets when looking up
> ipsets in the firewall rule generation logic. This would cause proxmox-firewall
> to fail generating a ruleset when those IPAM ipsets were included in the
> ruleset. This is a regression introduced in the patch series that added support
> for legacy ipset / alias names [1].
>
> This issue was reported in the forum by a user [2].
>
> [...]
Applied, thanks!
[1/2] firewall: chore: autoformat imports
commit: 163ec5a4d449315bca38d04df96274562402462f
[2/2] firewall: fix ipset lookup for auto-generated ipam ipsets
commit: e5f75702c8c6753849f375b71c6b93a6cbeb55a2