From: Stefan Hanreich
To: pve-devel@lists.proxmox.com
Date: Thu, 25 Sep 2025 14:23:58 +0200
Message-ID: <20250925122403.230867-1-s.hanreich@proxmox.com>
Subject: [pve-devel] [PATCH proxmox{-ve-rs, -firewall} v2 0/3] Add support for legacy ipset / alias names

NOTE: This patch series is based on [1], which is required in order for the ipset name validation introduced in this patch series to work. Otherwise I'd have to include additional code to work around 'virtual' ipsets (such as ip filters) just to throw it away immediately after.
# Introduction

The introduction of scopes to alias / ipset names in firewall rules in Proxmox VE 8 did not include any automated mechanism for converting firewall rules. Many users still have firewall configurations containing unscoped names. The initial decision to only support the new format with proxmox-firewall led to problems with users trying to migrate to the nftables firewall, since the daemon fails to parse the configuration and generates no nftables ruleset at all.

Changes from v1:
* Fix rules referencing SDN IPSets
* Fix error message when trying to look up a non-existing ipset
* Rebased on top of IP Filter patch series [1]

[1] https://lore.proxmox.com/pve-devel/20250925122142.228719-1-s.hanreich@proxmox.com/T

proxmox-ve-rs:

Stefan Hanreich (2):
  config: firewall: add support for legacy alias names
  config: firewall: add support for legacy ipset names

 proxmox-ve-config/src/firewall/cluster.rs     |  16 ++-
 proxmox-ve-config/src/firewall/common.rs      |   4 +
 proxmox-ve-config/src/firewall/guest.rs       |  10 +-
 proxmox-ve-config/src/firewall/types/alias.rs |  98 ++++++++++++++++-
 proxmox-ve-config/src/firewall/types/ipset.rs | 104 +++++++++++++++++-
 proxmox-ve-config/src/firewall/types/rule.rs  |  14 ++-
 .../src/firewall/types/rule_match.rs          |  14 +-
 7 files changed, 232 insertions(+), 28 deletions(-)

proxmox-firewall:

Stefan Hanreich (1):
  fix #6107: add support for legacy ipset / alias names

 proxmox-firewall/src/config.rs          |  93 ++++++++--
 proxmox-firewall/src/firewall.rs        |  11 +-
 proxmox-firewall/src/object.rs          |   4 +-
 proxmox-firewall/src/rule.rs            |  26 ++-
 proxmox-firewall/tests/input/cluster.fw |   2 +
 .../integration_tests__firewall.snap    | 172 ++++++++++++++++++
 6 files changed, 273 insertions(+), 35 deletions(-)

Summary over all repositories:
  13 files changed, 505 insertions(+), 63 deletions(-)

--
Generated by git-murpp 0.8.0

_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
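An added example (not code from the proxmox-ve-rs or proxmox-firewall series itself) of the legacy-name resolution the cover letter describes: a rule's ipset reference is split into scope and name, an unscoped legacy name is tried against the guest scope and then the datacenter scope, and a set that exists in neither is reported per reference instead of the whole configuration failing to parse. The `+` prefix and the `dc`/`guest`/`sdn` scope names are assumed from the Proxmox VE 8 naming scheme, and the guest-before-datacenter order for legacy names is an assumption, not something the cover letter states.

```rust
use std::collections::HashSet;

/// Scope an ipset is defined in. The prefixes `dc`, `guest` and `sdn` are
/// assumed from the Proxmox VE 8 naming scheme; the cover letter does not list them.
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
pub enum Scope { Datacenter, Guest, Sdn }

#[derive(Debug, Clone, PartialEq, Eq, Hash)]
pub struct IpsetRef { pub scope: Scope, pub name: String }

/// Per-reference errors: the offending reference is named, so one bad rule does
/// not become a config-wide parse failure that leaves no ruleset loaded at all.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum RefError { MissingPlus(String), UnknownScope(String), NotFound(String) }

/// Constructed stand-in for the ipsets parsed from cluster and guest config.
pub struct Ipsets { defined: HashSet<IpsetRef> }

impl Ipsets {
    pub fn new(defined: &[(Scope, &str)]) -> Self {
        let defined = defined.iter()
            .map(|(scope, name)| IpsetRef { scope: *scope, name: name.to_string() })
            .collect();
        Ipsets { defined }
    }

    fn lookup(&self, scope: Scope, name: &str) -> Option<IpsetRef> {
        let r = IpsetRef { scope, name: name.to_string() };
        self.defined.contains(&r).then_some(r)
    }

    /// Resolve a rule reference such as `+dc/web`, `+guest/web`, `+sdn/zone1` or
    /// the legacy unscoped `+web`. Legacy names are tried in the guest scope first
    /// and then the datacenter scope (assumed order, mirroring the pre-scope lookup).
    pub fn resolve(&self, reference: &str) -> Result<IpsetRef, RefError> {
        let body = reference
            .strip_prefix('+')
            .ok_or_else(|| RefError::MissingPlus(reference.to_string()))?;
        let (scopes, name): (Vec<Scope>, &str) = match body.split_once('/') {
            Some(("dc", n)) => (vec![Scope::Datacenter], n),
            Some(("guest", n)) => (vec![Scope::Guest], n),
            Some(("sdn", n)) => (vec![Scope::Sdn], n),
            Some((other, _)) => return Err(RefError::UnknownScope(other.to_string())),
            None => (vec![Scope::Guest, Scope::Datacenter], body),
        };
        scopes.into_iter()
            .find_map(|scope| self.lookup(scope, name))
            .ok_or_else(|| RefError::NotFound(reference.to_string()))
    }
}
```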