From: Robert Obkircher
To: pve-devel@lists.proxmox.com
Date: Mon, 1 Dec 2025 13:34:21 +0100
Message-ID: <20251201123424.94742-1-r.obkircher@proxmox.com>
Subject: [pve-devel] [PATCH v1 pve-firewall] fix #7068: show rule comments in iptables output

Use the iptables comment extension to include comments from the UI. Prefix them with "PVECOMMENT:" to avoid interfering with the existing "PVESIG:$sig" comments, which are used to store signatures for change detection.

The total length of the (unescaped) comments is limited to 255 utf8 bytes. According to the man page it could be up to 256 characters, but the actual implementation seems to zero terminate the buffer before saving. For example, the following command produces a 255 char comment ending in 'a':

iptables -A PVEFW-HOST-IN -m comment --comment $(python3 -c "print('ab'*256)")

Unlike the iptables command, this version truncates to valid utf8.
Signed-off-by: Robert Obkircher --- src/PVE/Firewall.pm | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index 93f8c34..688829a 100644 --- a/src/PVE/Firewall.pm +++ b/src/PVE/Firewall.pm @@ -2271,6 +2271,20 @@ sub ipt_gen_src_or_dst_match { return $match; } +sub print_ipt_comment { + my ($comment) = @_; + return "" if !defined($comment) || $comment eq ""; + $comment = encode("utf8", $comment, Encode::LEAVE_SRC); + $comment = "PVECOMMENT:$comment"; # avoid any confusion with PVESIG comments + + # man iptables-extensions says 256 chars, but the code only saves 255 + $comment = substr($comment, 0, 255); + $comment = encode('utf8', decode('utf8', $comment, Encode::FB_QUIET | Encode::LEAVE_SRC)); + + $comment =~ s/[\\"']/\\$1/g; # escape logic from xtables_save_string + return " -m comment --comment \"$comment\""; # never omit quotes because of the colon +} + # convert a %rule to an array of iptables commands sub ipt_rule_to_cmds { my ($rule, $chain, $ipversion, $cluster_conf, $fw_conf, $vmid) = @_; @@ -2375,7 +2389,8 @@ sub ipt_rule_to_cmds { my $logaction = get_log_rule_base($chain, $vmid, $rule->{logmsg}, $loglevel); push @iptcmds, "-A $chain $matchstr $logaction"; } - push @iptcmds, "-A $chain $matchstr $targetstr"; + my $comment = print_ipt_comment($rule->{comment}); + push @iptcmds, "-A $chain $matchstr $targetstr$comment"; return @iptcmds; } -- 2.47.3
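Review bot: the escape substitution in print_ipt_comment, `$comment =~ s/[\\"']/\\$1/g;`, has no capture group, so `$1` is undefined (empty) and every backslash, double quote or single quote in the comment is replaced by a lone backslash instead of being prefixed with one. Since the return line wraps the result in double quotes, a comment ending in `"` would emit `\"` directly before the closing quote, which iptables-restore reads as an escaped quote rather than the end of the argument, and any `"` inside a comment is silently lost. `s/([\\"'])/\\$1/g` gives the intended xtables_save_string behaviour. The same hunk also calls encode() and decode() and the Encode::* constants without adding a `use Encode` line, so please confirm Firewall.pm already imports them, and consider a test that runs a comment containing quotes and one longer than 255 bytes of multi-byte characters through print_ipt_comment, since both paths are easy to get wrong.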
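Review bot: in ipt_rule_to_cmds the comment is appended only to the final `push @iptcmds, "-A $chain $matchstr $targetstr$comment";`, while the log rule pushed a few lines above it (`push @iptcmds, "-A $chain $matchstr $logaction";`) stays without one. If leaving log rules uncommented is intentional, say so in the commit message; otherwise compute `$comment` before the log branch and append it to that push as well, so both iptables rules generated for one UI entry carry the same comment.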
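The two transformations the commit message describes, the 255-byte limit that must not split a UTF-8 character and the quoting of the comment for iptables-restore, as an added example in Python that is not part of this patch or of pve-firewall. The 255-byte limit and the `PVECOMMENT:` prefix come from the commit message; the escape set mirrors the three characters named in the patch's regex, written here with the capture group the patch omits; the function names `truncate_utf8`, `ipt_comment` and `naive_slice_is_valid` are assumptions. It goes slightly beyond the patch by walking back over continuation bytes explicitly instead of relying on a decoder's fallback, and by showing the failure mode a plain byte slice produces.

```python
from typing import Optional

# Values taken from the commit message; not read from pve-firewall itself.
MAX_COMMENT_BYTES = 255          # what the comment match actually stores
PREFIX = "PVECOMMENT:"           # keeps UI comments apart from PVESIG comments

# Characters the patch's regex targets; each gets a leading backslash so
# iptables-restore reads the quoted argument back as one string.
ESCAPE_CHARS = frozenset('\\"\'')


def truncate_utf8(text: str, limit: int) -> str:
    """Cut text to at most `limit` UTF-8 bytes without splitting a character.

    A plain byte slice can stop inside a multi-byte sequence; such a slice is
    not valid UTF-8. Every UTF-8 continuation byte has the form 0b10xxxxxx,
    so stepping back over them lands on the start of the broken character,
    which is then dropped entirely.
    """
    data = text.encode("utf-8")
    if len(data) <= limit:
        return text
    cut = limit
    while cut > 0 and (data[cut] & 0xC0) == 0x80:
        cut -= 1
    return data[:cut].decode("utf-8")


def ipt_comment(comment: Optional[str]) -> str:
    """Return the ' -m comment --comment "..."' fragment for one rule, or ''.

    Order matters: prefix, then truncate, then escape. The limit applies to
    the unescaped text, because iptables strips the backslashes again before
    storing the comment.
    """
    if not comment:
        return ""
    stored = truncate_utf8(PREFIX + comment, MAX_COMMENT_BYTES)
    escaped = "".join("\\" + c if c in ESCAPE_CHARS else c for c in stored)
    return f' -m comment --comment "{escaped}"'


def naive_slice_is_valid(text: str, limit: int) -> bool:
    """The failure mode: does a raw byte slice at `limit` still decode?"""
    try:
        text.encode("utf-8")[:limit].decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


if __name__ == "__main__":
    # Constructed inputs: the commit message's 'ab'*256 case and a string of
    # two-byte characters whose last character straddles the 255-byte limit.
    print(repr(ipt_comment("ab" * 256)))
    accented = "\u00e9" * 128
    print("naive slice valid:", naive_slice_is_valid(accented, MAX_COMMENT_BYTES))
    print("safe cut length:", len(truncate_utf8(accented, MAX_COMMENT_BYTES)))
    print(repr(ipt_comment('say "hi" \\ it\'s')))
```

Running the script prints the quoted match for the 'ab' case (the prefix plus 244 characters), shows that the raw 255-byte slice of 128 two-byte characters does not decode while the safe cut keeps 127 whole characters, and shows each of the three special characters escaped inside the double quotes.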