* [pve-devel] [PATCH proxmox-firewall 0/3] create ipsets with auto-merge option enabled
@ 2025-09-25 16:12 Stefan Hanreich
From: Stefan Hanreich @ 2025-09-25 16:12 UTC (permalink / raw)
To: pve-devel
nftables interval sets do not merge overlapping / adjacent CIDRs / ranges by
default. Instead, nftables errors out, refusing to insert new set elements. This
was a problem with proxmox-firewall, since ip sets with overlapping entries
could cause the firewall daemon to refuse to work.
Since v1.1.0 [1] (and therefore, Debian trixie) the nftables json interface
supports setting the auto-merge option for sets.
[1] https://www.netfilter.org/projects/nftables/files/changes-nftables-1.1.0.txt
proxmox-firewall:
Stefan Hanreich (3):
nftables: add support for auto-merge set option
firewall: set auto-merge flag for ipsets
firewall: tests: regenerate snapshot
proxmox-firewall/src/object.rs | 8 +-
.../integration_tests__firewall.snap | 192 ++++++++++++------
proxmox-nftables/src/types.rs | 9 +
3 files changed, 142 insertions(+), 67 deletions(-)
Summary over all repositories:
3 files changed, 142 insertions(+), 67 deletions(-)
--
Generated by git-murpp 0.8.0
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
* [pve-devel] [PATCH proxmox-firewall 1/3] nftables: add support for auto-merge set option
From: Stefan Hanreich @ 2025-09-25 16:12 UTC (permalink / raw)
To: pve-devel
nftables sets do not support overlapping ranges in ipsets with the
interval flag enabled, unless explicitly enabled via auto-merge. This
option has not yet been exposed by proxmox-nftables, so add it to the
library. This requires at least nftables 1.1.0 to work, which is
available since Debian trixie.
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
---
proxmox-nftables/src/types.rs | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/proxmox-nftables/src/types.rs b/proxmox-nftables/src/types.rs
index c613e64..c146d9c 100644
--- a/proxmox-nftables/src/types.rs
+++ b/proxmox-nftables/src/types.rs
@@ -500,6 +500,9 @@ pub struct SetConfig {
#[serde(skip_serializing_if = "Option::is_none")]
size: Option<i64>,
+
+ #[serde(skip_serializing_if = "Option::is_none")]
+ auto_merge: Option<bool>,
}
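Review bot: the new `auto_merge` field carries no `#[serde(rename = "auto-merge")]`, while the nftables JSON key is hyphenated; the neighbouring `gc_interval` field is snake_case as well, so this presumably relies on a container-level `rename_all` on `SetConfig` that lies outside the hunk. Confirm the emitted key against the regenerated snapshot in 3/3 (which shows `"auto-merge": true`), since a key nftables does not recognise as auto-merge would leave the original overlap error in place.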
impl SetConfig {
@@ -512,6 +515,7 @@ impl SetConfig {
timeout: None,
gc_interval: None,
size: None,
+ auto_merge: None,
}
}
@@ -523,6 +527,11 @@ impl SetConfig {
self.flags.push(flag);
self
}
+
+ pub fn with_auto_merge(mut self, auto_merge: bool) -> Self {
+ self.auto_merge = Some(auto_merge);
+ self
+ }
}
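Review bot: `with_auto_merge` has no doc comment, and the version requirement stated in the commit message belongs on the method so callers see it where they opt in, e.g. `/// Requires nftables >= 1.1.0 (JSON "auto-merge" support).` Nothing in the library guards against emitting the key for an older nftables, so the caller has to carry that check.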
#[derive(Clone, Debug, Deserialize, Serialize)]
--
2.47.3
* [pve-devel] [PATCH proxmox-firewall 2/3] firewall: set auto-merge flag for ipsets
From: Stefan Hanreich @ 2025-09-25 16:12 UTC (permalink / raw)
To: pve-devel
ipsets that contained overlapping ip ranges caused the firewall to
generate a ruleset rejected by nftables, because nftables interval
sets do not support overlapping ranges by default. By explicitly
enabling the auto-merge flag we prevent the firewall from failing due
to overlapping elements in ipsets. nftables sets then automatically
merge elements that are overlapping / adjacent.
This issue was reported in the forum [1].
[1] https://forum.proxmox.com/threads/proxmox-firewall-nftables-troubleshooting.164560/#post-760973
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
---
proxmox-firewall/src/object.rs | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/proxmox-firewall/src/object.rs b/proxmox-firewall/src/object.rs
index 5c18708..5dde7c2 100644
--- a/proxmox-firewall/src/object.rs
+++ b/proxmox-firewall/src/object.rs
@@ -124,8 +124,9 @@ impl ToNftObjects for Ipset {
SetName::ipset_name(family, self.name(), env.vmid, false),
);
- let set_config =
- SetConfig::new(set_name.clone(), vec![element_type]).with_flag(SetFlag::Interval);
+ let set_config = SetConfig::new(set_name.clone(), vec![element_type])
+ .with_flag(SetFlag::Interval)
+ .with_auto_merge(true);
let nomatch_name = SetName::new(
env.table.clone(),
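Review bot: `.with_auto_merge(true)` is now applied unconditionally, but the series touches no packaging (the cover-letter diffstat lists only the three source files); since 1/3 states the option needs nftables >= 1.1.0, proxmox-firewall should declare a versioned dependency on nftables or check the installed version before emitting the key. Otherwise a host with an older nftables would fail to load the ruleset for every ipset, a broader regression than the overlapping-entry case this fixes.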
@@ -133,7 +134,8 @@ impl ToNftObjects for Ipset {
);
let nomatch_config = SetConfig::new(nomatch_name.clone(), vec![element_type])
- .with_flag(SetFlag::Interval);
+ .with_flag(SetFlag::Interval)
+ .with_auto_merge(true);
commands.append(&mut vec![
Add::set(set_config),
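Review bot: the chain `.with_flag(SetFlag::Interval).with_auto_merge(true)` is now duplicated for `set_config` and `nomatch_config`; a small helper that builds both from one place keeps them in sync, so a future set option is not added to the match set and forgotten on the nomatch set, where a mismatch would change which addresses end up excluded.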
--
2.47.3
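The nftables behaviour described in the cover letter and in the 2/3 commit message, modelled as an added std-only Rust example (not proxmox-firewall or proxmox-nftables code): `find_overlap` reports the conflict an interval set raises without auto-merge, and `auto_merge` performs the coalescing of overlapping and adjacent CIDRs / ranges that the option enables. The ipset entries in `main` are constructed sample data.

```rust
use std::net::Ipv4Addr;

/// Inclusive IPv4 range, the element form of an nftables interval set.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct Range { pub start: u32, pub end: u32 }

fn addr(s: &str) -> Result<u32, String> {
    s.parse::<Ipv4Addr>().map(u32::from).map_err(|e| format!("{s}: {e}"))
}

/// Parse "a.b.c.d", "a.b.c.d/len" or "a.b.c.d-e.f.g.h" into an inclusive range.
pub fn parse_element(s: &str) -> Result<Range, String> {
    if let Some((lo, hi)) = s.split_once('-') {
        let (start, end) = (addr(lo)?, addr(hi)?);
        return if start <= end { Ok(Range { start, end }) } else { Err(format!("inverted range {s}")) };
    }
    let (base, len) = match s.split_once('/') {
        Some((a, l)) => (addr(a)?, l.parse::<u32>().map_err(|e| format!("{s}: {e}"))?),
        None => (addr(s)?, 32),
    };
    if len > 32 { return Err(format!("prefix length out of range in {s}")); }
    let mask = if len == 0 { 0 } else { u32::MAX << (32 - len) };
    Ok(Range { start: base & mask, end: base | !mask })
}

/// Without auto-merge nftables refuses a set whose elements overlap: return the first conflicting pair.
pub fn find_overlap(elems: &[Range]) -> Option<(Range, Range)> {
    let mut sorted = elems.to_vec();
    sorted.sort_by_key(|r| (r.start, r.end));
    sorted.windows(2).find(|w| w[1].start <= w[0].end).map(|w| (w[0], w[1]))
}

/// What auto-merge does instead: coalesce overlapping and adjacent ranges into disjoint intervals.
pub fn auto_merge(elems: &[Range]) -> Vec<Range> {
    let mut sorted = elems.to_vec();
    sorted.sort_by_key(|r| (r.start, r.end));
    let mut out: Vec<Range> = Vec::new();
    for r in sorted {
        match out.last_mut() {
            // overlapping, or adjacent (previous end + 1 == this start): extend the last interval
            Some(last) if r.start <= last.end.saturating_add(1) => last.end = last.end.max(r.end),
            _ => out.push(r),
        }
    }
    out
}

fn main() {
    // Constructed entries: 10.1.0.0/16 lies inside 10.0.0.0/8, and the two /24s are adjacent.
    let entries = ["10.0.0.0/8", "10.1.0.0/16", "192.168.0.0/24", "192.168.1.0/24"];
    let ranges: Vec<Range> = entries.iter().map(|e| parse_element(e).unwrap()).collect();
    let show = |r: Range| format!("{}-{}", Ipv4Addr::from(r.start), Ipv4Addr::from(r.end));
    if let Some((a, b)) = find_overlap(&ranges) {
        println!("rejected without auto-merge: {} overlaps {}", show(a), show(b));
    }
    for r in auto_merge(&ranges) {
        println!("merged element: {}", show(r));
    }
}
```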
* [pve-devel] [PATCH proxmox-firewall 3/3] firewall: tests: regenerate snapshot
From: Stefan Hanreich @ 2025-09-25 16:12 UTC (permalink / raw)
To: pve-devel
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
---
.../integration_tests__firewall.snap | 192 ++++++++++++------
1 file changed, 128 insertions(+), 64 deletions(-)
diff --git a/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap b/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap
index 1a19ea7..94e69ca 100644
--- a/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap
+++ b/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap
@@ -265,7 +265,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv4_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
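Review bot: the snapshot now records `"auto-merge": true` for every interval set, but the series adds no test input with overlapping or adjacent entries (3/3 touches only the snapshot file per its diffstat), so the regression described in 2/3 is still not exercised; a fixture ipset containing, for instance, a /8 together with a /16 inside it would pin the behaviour rather than only the presence of the flag.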
@@ -287,7 +288,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv4_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -326,7 +328,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv6_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -348,7 +351,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv6_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -387,7 +391,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv4_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -409,7 +414,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv4_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -448,7 +454,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv6_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -470,7 +477,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv6_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -509,7 +517,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv4_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -531,7 +540,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv4_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -570,7 +580,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv6_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -592,7 +603,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv6_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -631,7 +643,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv4_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -653,7 +666,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv4_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -709,7 +723,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv6_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -731,7 +746,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv6_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -787,7 +803,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv4_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -809,7 +826,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv4_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -848,7 +866,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv6_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -870,7 +889,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv6_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -909,7 +929,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv4_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -931,7 +952,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv4_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -970,7 +992,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv6_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -992,7 +1015,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv6_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -1031,7 +1055,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv4_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -1053,7 +1078,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv4_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -1092,7 +1118,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv6_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -1114,7 +1141,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv6_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -1153,7 +1181,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv4_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -1175,7 +1204,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv4_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -1231,7 +1261,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv6_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -1253,7 +1284,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv6_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -1309,7 +1341,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv4_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -1331,7 +1364,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv4_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -1370,7 +1404,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv6_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -1392,7 +1427,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv6_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -1431,7 +1467,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv4_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -1453,7 +1490,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv4_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -1492,7 +1530,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv6_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -1514,7 +1553,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv6_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -1553,7 +1593,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv4_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -1575,7 +1616,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv4_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -1614,7 +1656,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv6_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -1636,7 +1679,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv6_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -1658,7 +1702,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv4_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -1680,7 +1725,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv4_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -1719,7 +1765,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv6_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -1741,7 +1788,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv6_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -3860,7 +3908,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv4_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -3882,7 +3931,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv4_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -3921,7 +3971,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv6_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -3943,7 +3994,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv6_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -3965,7 +4017,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv4_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -3987,7 +4040,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv4_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -4026,7 +4080,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv6_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -4048,7 +4103,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv6_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -4288,7 +4344,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv4_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -4310,7 +4367,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv4_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -4349,7 +4407,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv6_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -4371,7 +4430,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv6_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -5596,7 +5656,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv4_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -5618,7 +5679,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv4_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -5640,7 +5702,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv6_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
@@ -5662,7 +5725,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
"type": "ipv6_addr",
"flags": [
"interval"
- ]
+ ],
+ "auto-merge": true
}
}
},
--
2.47.3