[pve-devel] [PATCH proxmox-firewall 0/3] create ipsets with auto-merge option enabled

public inbox for pve-devel@lists.proxmox.com
 help / color / mirror / Atom feed

* [pve-devel] [PATCH proxmox-firewall 0/3] create ipsets with auto-merge option enabled
@ 2025-09-25 16:12 Stefan Hanreich
  2025-09-25 16:12 ` [pve-devel] [PATCH proxmox-firewall 1/3] nftables: add support for auto-merge set option Stefan Hanreich
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Stefan Hanreich @ 2025-09-25 16:12 UTC (permalink / raw)
  To: pve-devel

nftables interval sets do not merge overlapping / adjacent CIDRs / ranges by
default. Instead, nftables errors out, refusing to insert new set elements. This
was a problem with proxmox-firewall, since ip sets with overlapping entries
could cause the firewall daemon to refuse working.

Since v1.1.0 [1] (and therefore, Debian trixie) the nftables json interface
supports setting the auto-merge options for sets.

[1] https://www.netfilter.org/projects/nftables/files/changes-nftables-1.1.0.txt

proxmox-firewall:

Stefan Hanreich (3):
  nftables: add support for auto-merge set option
  firewall: set auto-merge flag for ipsets
  firewall: tests: regenerate snapshot

 proxmox-firewall/src/object.rs                |   8 +-
 .../integration_tests__firewall.snap          | 192 ++++++++++++------
 proxmox-nftables/src/types.rs                 |   9 +
 3 files changed, 142 insertions(+), 67 deletions(-)


Summary over all repositories:
  3 files changed, 142 insertions(+), 67 deletions(-)

-- 
Generated by git-murpp 0.8.0

_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel


^ permalink raw reply	[flat|nested] 4+ messages in thread

* [pve-devel] [PATCH proxmox-firewall 1/3] nftables: add support for auto-merge set option
  2025-09-25 16:12 [pve-devel] [PATCH proxmox-firewall 0/3] create ipsets with auto-merge option enabled Stefan Hanreich
@ 2025-09-25 16:12 ` Stefan Hanreich
  2025-09-25 16:12 ` [pve-devel] [PATCH proxmox-firewall 2/3] firewall: set auto-merge flag for ipsets Stefan Hanreich
  2025-09-25 16:12 ` [pve-devel] [PATCH proxmox-firewall 3/3] firewall: tests: regenerate snapshot Stefan Hanreich
  2 siblings, 0 replies; 4+ messages in thread
From: Stefan Hanreich @ 2025-09-25 16:12 UTC (permalink / raw)
  To: pve-devel

nftables sets do not support overlapping ranges in ipsets with the
interval flag enabled, unless explicitly enabled via auto-merge. This
option has not yet been exposed by proxmox-nftables, so add it to the
library. This requires at least nftables 1.1.0 to work, which is
available since Debian trixie.

Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
---
 proxmox-nftables/src/types.rs | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/proxmox-nftables/src/types.rs b/proxmox-nftables/src/types.rs
index c613e64..c146d9c 100644
--- a/proxmox-nftables/src/types.rs
+++ b/proxmox-nftables/src/types.rs
@@ -500,6 +500,9 @@ pub struct SetConfig {
 
     #[serde(skip_serializing_if = "Option::is_none")]
     size: Option<i64>,
+
+    #[serde(skip_serializing_if = "Option::is_none")]
+    auto_merge: Option<bool>,
 }
 
 impl SetConfig {
@@ -512,6 +515,7 @@ impl SetConfig {
             timeout: None,
             gc_interval: None,
             size: None,
+            auto_merge: None,
         }
     }
 
@@ -523,6 +527,11 @@ impl SetConfig {
         self.flags.push(flag);
         self
     }
+
+    pub fn with_auto_merge(mut self, auto_merge: bool) -> Self {
+        self.auto_merge = Some(auto_merge);
+        self
+    }
 }
 
 #[derive(Clone, Debug, Deserialize, Serialize)]
-- 
2.47.3


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel


^ permalink raw reply	[flat|nested] 4+ messages in thread

* [pve-devel] [PATCH proxmox-firewall 2/3] firewall: set auto-merge flag for ipsets
  2025-09-25 16:12 [pve-devel] [PATCH proxmox-firewall 0/3] create ipsets with auto-merge option enabled Stefan Hanreich
  2025-09-25 16:12 ` [pve-devel] [PATCH proxmox-firewall 1/3] nftables: add support for auto-merge set option Stefan Hanreich
@ 2025-09-25 16:12 ` Stefan Hanreich
  2025-09-25 16:12 ` [pve-devel] [PATCH proxmox-firewall 3/3] firewall: tests: regenerate snapshot Stefan Hanreich
  2 siblings, 0 replies; 4+ messages in thread
From: Stefan Hanreich @ 2025-09-25 16:12 UTC (permalink / raw)
  To: pve-devel

ipsets that contained overlapping ip ranges caused the firewall to
generate a ruleset rejected by nftables, because nftables interval
sets do not support overlapping ranges by default. By explicitly
enabling the auto-merge flag we prevent the firewall from failing due
to overlapping elements in ipsets. nftables sets then automatically
merge elements that are overlapping / adjacent.

This issue was reported in the forum [1].

[1] https://forum.proxmox.com/threads/proxmox-firewall-nftables-troubleshooting.164560/#post-760973

Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
---
 proxmox-firewall/src/object.rs | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/proxmox-firewall/src/object.rs b/proxmox-firewall/src/object.rs
index 5c18708..5dde7c2 100644
--- a/proxmox-firewall/src/object.rs
+++ b/proxmox-firewall/src/object.rs
@@ -124,8 +124,9 @@ impl ToNftObjects for Ipset {
                 SetName::ipset_name(family, self.name(), env.vmid, false),
             );
 
-            let set_config =
-                SetConfig::new(set_name.clone(), vec![element_type]).with_flag(SetFlag::Interval);
+            let set_config = SetConfig::new(set_name.clone(), vec![element_type])
+                .with_flag(SetFlag::Interval)
+                .with_auto_merge(true);
 
             let nomatch_name = SetName::new(
                 env.table.clone(),
@@ -133,7 +134,8 @@ impl ToNftObjects for Ipset {
             );
 
             let nomatch_config = SetConfig::new(nomatch_name.clone(), vec![element_type])
-                .with_flag(SetFlag::Interval);
+                .with_flag(SetFlag::Interval)
+                .with_auto_merge(true);
 
             commands.append(&mut vec![
                 Add::set(set_config),
-- 
2.47.3


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel


^ permalink raw reply	[flat|nested] 4+ messages in thread

* [pve-devel] [PATCH proxmox-firewall 3/3] firewall: tests: regenerate snapshot
  2025-09-25 16:12 [pve-devel] [PATCH proxmox-firewall 0/3] create ipsets with auto-merge option enabled Stefan Hanreich
  2025-09-25 16:12 ` [pve-devel] [PATCH proxmox-firewall 1/3] nftables: add support for auto-merge set option Stefan Hanreich
  2025-09-25 16:12 ` [pve-devel] [PATCH proxmox-firewall 2/3] firewall: set auto-merge flag for ipsets Stefan Hanreich
@ 2025-09-25 16:12 ` Stefan Hanreich
  2 siblings, 0 replies; 4+ messages in thread
From: Stefan Hanreich @ 2025-09-25 16:12 UTC (permalink / raw)
  To: pve-devel

Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
---
 .../integration_tests__firewall.snap          | 192 ++++++++++++------
 1 file changed, 128 insertions(+), 64 deletions(-)

diff --git a/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap b/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap
index 1a19ea7..94e69ca 100644
--- a/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap
+++ b/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap
@@ -265,7 +265,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
           "type": "ipv4_addr",
           "flags": [
             "interval"
-          ]
+          ],
+          "auto-merge": true
         }
       }
     },
@@ -287,7 +288,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
           "type": "ipv4_addr",
           "flags": [
             "interval"
-          ]
+          ],
+          "auto-merge": true
         }
       }
     },
@@ -326,7 +328,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
           "type": "ipv6_addr",
           "flags": [
             "interval"
-          ]
+          ],
+          "auto-merge": true
         }
       }
     },
@@ -348,7 +351,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
           "type": "ipv6_addr",
           "flags": [
             "interval"
-          ]
+          ],
+          "auto-merge": true
         }
       }
     },
@@ -387,7 +391,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
           "type": "ipv4_addr",
           "flags": [
             "interval"
-          ]
+          ],
+          "auto-merge": true
         }
       }
     },
@@ -409,7 +414,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
           "type": "ipv4_addr",
           "flags": [
             "interval"
-          ]
+          ],
+          "auto-merge": true
         }
       }
     },
@@ -448,7 +454,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
           "type": "ipv6_addr",
           "flags": [
             "interval"
-          ]
+          ],
+          "auto-merge": true
         }
       }
     },
@@ -470,7 +477,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
           "type": "ipv6_addr",
           "flags": [
             "interval"
-          ]
+          ],
+          "auto-merge": true
         }
       }
     },
@@ -509,7 +517,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
           "type": "ipv4_addr",
           "flags": [
             "interval"
-          ]
+          ],
+          "auto-merge": true
         }
       }
     },
@@ -531,7 +540,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
           "type": "ipv4_addr",
           "flags": [
             "interval"
-          ]
+          ],
+          "auto-merge": true
         }
       }
     },
@@ -570,7 +580,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
           "type": "ipv6_addr",
           "flags": [
             "interval"
-          ]
+          ],
+          "auto-merge": true
         }
       }
     },
@@ -592,7 +603,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
           "type": "ipv6_addr",
           "flags": [
             "interval"
-          ]
+          ],
+          "auto-merge": true
         }
       }
     },
@@ -631,7 +643,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
           "type": "ipv4_addr",
           "flags": [
             "interval"
-          ]
+          ],
+          "auto-merge": true
         }
       }
     },
@@ -653,7 +666,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
           "type": "ipv4_addr",
           "flags": [
             "interval"
-          ]
+          ],
+          "auto-merge": true
         }
       }
     },
@@ -709,7 +723,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
           "type": "ipv6_addr",
           "flags": [
             "interval"
-          ]
+          ],
+          "auto-merge": true
         }
       }
     },
@@ -731,7 +746,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
           "type": "ipv6_addr",
           "flags": [
             "interval"
-          ]
+          ],
+          "auto-merge": true
         }
       }
     },
@@ -787,7 +803,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
           "type": "ipv4_addr",
           "flags": [
             "interval"
-          ]
+          ],
+          "auto-merge": true
         }
       }
     },
@@ -809,7 +826,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
           "type": "ipv4_addr",
           "flags": [
             "interval"
-          ]
+          ],
+          "auto-merge": true
         }
       }
     },
@@ -848,7 +866,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
           "type": "ipv6_addr",
           "flags": [
             "interval"
-          ]
+          ],
+          "auto-merge": true
         }
       }
     },
@@ -870,7 +889,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
           "type": "ipv6_addr",
           "flags": [
             "interval"
-          ]
+          ],
+          "auto-merge": true
         }
       }
     },
@@ -909,7 +929,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
           "type": "ipv4_addr",
           "flags": [
             "interval"
-          ]
+          ],
+          "auto-merge": true
         }
       }
     },
@@ -931,7 +952,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
           "type": "ipv4_addr",
           "flags": [
             "interval"
-          ]
+          ],
+          "auto-merge": true
         }
       }
     },
@@ -970,7 +992,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
           "type": "ipv6_addr",
           "flags": [
             "interval"
-          ]
+          ],
+          "auto-merge": true
         }
       }
     },
@@ -992,7 +1015,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
           "type": "ipv6_addr",
           "flags": [
             "interval"
-          ]
+          ],
+          "auto-merge": true
         }
       }
     },
@@ -1031,7 +1055,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
           "type": "ipv4_addr",
           "flags": [
             "interval"
-          ]
+          ],
+          "auto-merge": true
         }
       }
     },
@@ -1053,7 +1078,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
           "type": "ipv4_addr",
           "flags": [
             "interval"
-          ]
+          ],
+          "auto-merge": true
         }
       }
     },
@@ -1092,7 +1118,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
           "type": "ipv6_addr",
           "flags": [
             "interval"
-          ]
+          ],
+          "auto-merge": true
         }
       }
     },
@@ -1114,7 +1141,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
           "type": "ipv6_addr",
           "flags": [
             "interval"
-          ]
+          ],
+          "auto-merge": true
         }
       }
     },
@@ -1153,7 +1181,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
           "type": "ipv4_addr",
           "flags": [
             "interval"
-          ]
+          ],
+          "auto-merge": true
         }
       }
     },
@@ -1175,7 +1204,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
           "type": "ipv4_addr",
           "flags": [
             "interval"
-          ]
+          ],
+          "auto-merge": true
         }
       }
     },
@@ -1231,7 +1261,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
           "type": "ipv6_addr",
           "flags": [
             "interval"
-          ]
+          ],
+          "auto-merge": true
         }
       }
     },
@@ -1253,7 +1284,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
           "type": "ipv6_addr",
           "flags": [
             "interval"
-          ]
+          ],
+          "auto-merge": true
         }
       }
     },
@@ -1309,7 +1341,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
           "type": "ipv4_addr",
           "flags": [
             "interval"
-          ]
+          ],
+          "auto-merge": true
         }
       }
     },
@@ -1331,7 +1364,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
           "type": "ipv4_addr",
           "flags": [
             "interval"
-          ]
+          ],
+          "auto-merge": true
         }
       }
     },
@@ -1370,7 +1404,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
           "type": "ipv6_addr",
           "flags": [
             "interval"
-          ]
+          ],
+          "auto-merge": true
         }
       }
     },
@@ -1392,7 +1427,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
           "type": "ipv6_addr",
           "flags": [
             "interval"
-          ]
+          ],
+          "auto-merge": true
         }
       }
     },
@@ -1431,7 +1467,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
           "type": "ipv4_addr",
           "flags": [
             "interval"
-          ]
+          ],
+          "auto-merge": true
         }
       }
     },
@@ -1453,7 +1490,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
           "type": "ipv4_addr",
           "flags": [
             "interval"
-          ]
+          ],
+          "auto-merge": true
         }
       }
     },
@@ -1492,7 +1530,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
           "type": "ipv6_addr",
           "flags": [
             "interval"
-          ]
+          ],
+          "auto-merge": true
         }
       }
     },
@@ -1514,7 +1553,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
           "type": "ipv6_addr",
           "flags": [
             "interval"
-          ]
+          ],
+          "auto-merge": true
         }
       }
     },
@@ -1553,7 +1593,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
           "type": "ipv4_addr",
           "flags": [
             "interval"
-          ]
+          ],
+          "auto-merge": true
         }
       }
     },
@@ -1575,7 +1616,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
           "type": "ipv4_addr",
           "flags": [
             "interval"
-          ]
+          ],
+          "auto-merge": true
         }
       }
     },
@@ -1614,7 +1656,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
           "type": "ipv6_addr",
           "flags": [
             "interval"
-          ]
+          ],
+          "auto-merge": true
         }
       }
     },
@@ -1636,7 +1679,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
           "type": "ipv6_addr",
           "flags": [
             "interval"
-          ]
+          ],
+          "auto-merge": true
         }
       }
     },
@@ -1658,7 +1702,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
           "type": "ipv4_addr",
           "flags": [
             "interval"
-          ]
+          ],
+          "auto-merge": true
         }
       }
     },
@@ -1680,7 +1725,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
           "type": "ipv4_addr",
           "flags": [
             "interval"
-          ]
+          ],
+          "auto-merge": true
         }
       }
     },
@@ -1719,7 +1765,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
           "type": "ipv6_addr",
           "flags": [
             "interval"
-          ]
+          ],
+          "auto-merge": true
         }
       }
     },
@@ -1741,7 +1788,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
           "type": "ipv6_addr",
           "flags": [
             "interval"
-          ]
+          ],
+          "auto-merge": true
         }
       }
     },
@@ -3860,7 +3908,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
           "type": "ipv4_addr",
           "flags": [
             "interval"
-          ]
+          ],
+          "auto-merge": true
         }
       }
     },
@@ -3882,7 +3931,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
           "type": "ipv4_addr",
           "flags": [
             "interval"
-          ]
+          ],
+          "auto-merge": true
         }
       }
     },
@@ -3921,7 +3971,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
           "type": "ipv6_addr",
           "flags": [
             "interval"
-          ]
+          ],
+          "auto-merge": true
         }
       }
     },
@@ -3943,7 +3994,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
           "type": "ipv6_addr",
           "flags": [
             "interval"
-          ]
+          ],
+          "auto-merge": true
         }
       }
     },
@@ -3965,7 +4017,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
           "type": "ipv4_addr",
           "flags": [
             "interval"
-          ]
+          ],
+          "auto-merge": true
         }
       }
     },
@@ -3987,7 +4040,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
           "type": "ipv4_addr",
           "flags": [
             "interval"
-          ]
+          ],
+          "auto-merge": true
         }
       }
     },
@@ -4026,7 +4080,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
           "type": "ipv6_addr",
           "flags": [
             "interval"
-          ]
+          ],
+          "auto-merge": true
         }
       }
     },
@@ -4048,7 +4103,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
           "type": "ipv6_addr",
           "flags": [
             "interval"
-          ]
+          ],
+          "auto-merge": true
         }
       }
     },
@@ -4288,7 +4344,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
           "type": "ipv4_addr",
           "flags": [
             "interval"
-          ]
+          ],
+          "auto-merge": true
         }
       }
     },
@@ -4310,7 +4367,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
           "type": "ipv4_addr",
           "flags": [
             "interval"
-          ]
+          ],
+          "auto-merge": true
         }
       }
     },
@@ -4349,7 +4407,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
           "type": "ipv6_addr",
           "flags": [
             "interval"
-          ]
+          ],
+          "auto-merge": true
         }
       }
     },
@@ -4371,7 +4430,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
           "type": "ipv6_addr",
           "flags": [
             "interval"
-          ]
+          ],
+          "auto-merge": true
         }
       }
     },
@@ -5596,7 +5656,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
           "type": "ipv4_addr",
           "flags": [
             "interval"
-          ]
+          ],
+          "auto-merge": true
         }
       }
     },
@@ -5618,7 +5679,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
           "type": "ipv4_addr",
           "flags": [
             "interval"
-          ]
+          ],
+          "auto-merge": true
         }
       }
     },
@@ -5640,7 +5702,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
           "type": "ipv6_addr",
           "flags": [
             "interval"
-          ]
+          ],
+          "auto-merge": true
         }
       }
     },
@@ -5662,7 +5725,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
           "type": "ipv6_addr",
           "flags": [
             "interval"
-          ]
+          ],
+          "auto-merge": true
         }
       }
     },
-- 
2.47.3


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel


^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2025-09-25 16:13 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2025-09-25 16:12 [pve-devel] [PATCH proxmox-firewall 0/3] create ipsets with auto-merge option enabled Stefan Hanreich
2025-09-25 16:12 ` [pve-devel] [PATCH proxmox-firewall 1/3] nftables: add support for auto-merge set option Stefan Hanreich
2025-09-25 16:12 ` [pve-devel] [PATCH proxmox-firewall 2/3] firewall: set auto-merge flag for ipsets Stefan Hanreich
2025-09-25 16:12 ` [pve-devel] [PATCH proxmox-firewall 3/3] firewall: tests: regenerate snapshot Stefan Hanreich

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox

Service provided by Proxmox Server Solutions GmbH | Privacy | Legal