From: Stefan Hanreich
To: Lukas Sichert, pve-devel@lists.proxmox.com
Subject: Re: [RFC manager/network 0/3] fix #5066: make generated snat rules flushable
Date: Mon, 22 Jun 2026 11:06:28 +0200
Message-ID: <2c0cfc85-b1c5-4bfc-9f0d-8ce903e8c77e@proxmox.com>
In-Reply-To: <20260605114810.43030-1-l.sichert@proxmox.com>
References: <20260605114810.43030-1-l.sichert@proxmox.com>
List-Id: Proxmox VE development discussion

could you rebase this and resend?
On 6/5/26 1:48 PM, Lukas Sichert wrote:
> When creating a subnet with SNAT enabled and applying the changes, then
> afterwards disabling SNAT and applying the changes again, the iptables
> POSTROUTING rule still persists. This is because ifreload -a only
> executes (post/pre-)down hooks when an interface is removed from
> /etc/network/interfaces, while the (post/pre-)up hooks are always
> executed [1]. As a result, the SNAT rule is not removed by 'ifreload -a' and
> only a restart or 'ifdown' will remove it.
>
> This series moves generated SDN SNAT rules into a dedicated
> 'PROXMOX-SDN' chain in the iptables nat table and adds a jump from
> POSTROUTING to that chain. This keeps the generated rules separate from
> custom rules added by users or other components.
>
> The dedicated chain can then be flushed during network reload, removing
> stale SDN SNAT rules without touching unrelated POSTROUTING rules.
>
> As this changes the generated /etc/network/interfaces.d/sdn output, the
> expected test output is adjusted accordingly.
>
> This series applies on top of
> https://lore.proxmox.com/all/20260603142921.91174-1-l.sichert@proxmox.com/
>
> [1] manpages.debian.org/testing/ifupdown2/ifreload.8.en.html
>
>
> network:
>
> Lukas Sichert (2):
>   fix #5066: snat: push evpn snat rules into separate iptables chain
>   fix #5066: snat: push simplezone snat rules into separate iptables
>     chain
>
>  src/PVE/Network/SDN/Zones/EvpnPlugin.pm                | 15 +++++++++++++--
>  src/PVE/Network/SDN/Zones/SimplePlugin.pm              | 18 +++++++++++++++---
>  .../evpn/exitnode_snat/expected_sdn_interfaces         | 16 ++++++++++++----
>  .../simple/ipv4snat/expected_sdn_interfaces            |  8 ++++++--
>  .../simple/ipv6snat/expected_sdn_interfaces            |  8 ++++++--
>  5 files changed, 52 insertions(+), 13 deletions(-)
>
>
> manager:
>
> Lukas Sichert (1):
>   fix #5066: reload networking: flush PROXMOX-SDN iptables chain at
>     reload
>
>  .codex              | 0
>  PVE/API2/Network.pm | 3 +++
>  2 files changed, 3 insertions(+)
>  create mode 100644 .codex
>
>
> Summary over all repositories:
>   7 files changed, 55 insertions(+), 13 deletions(-)
>
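The mechanism the cover letter describes, as an added example that is not part of the series or of Proxmox's own code: a dedicated nat chain with a single jump from POSTROUTING, post-up hooks that only ever append into that chain, and a reload step that flushes the chain before the hooks run again. The chain name PROXMOX-SDN is taken from the cover letter; the subnets, interface names and the user's own POSTROUTING rule are constructed. IPT defaults to a small in-memory stand-in for the iptables subset used here so the script runs offline; set IPT=iptables to run the same hook functions against the real tool as root.

```shell
#!/bin/sh
# Added example, not Proxmox's own code. Models the PROXMOX-SDN chain from the
# cover letter. IPT defaults to a shim so the demo runs offline and unprivileged.
set -u

CHAIN=PROXMOX-SDN
STATE="${STATE:-$(mktemp)}"   # shim state: "chain X" and "rule X <args>" lines

# Stand-in for the iptables subset used below (-t nat, -N, -A, -C, -F).
# Exit codes mirror iptables: -N fails if the chain exists, -C fails if the
# rule is absent.
fake_iptables() {
    [ "$1" = "-t" ] && shift 2            # table name is irrelevant to the shim
    op=$1; chain=$2; shift 2; rest="$*"
    case $op in
        -N) grep -qx "chain $chain" "$STATE" && return 1
            echo "chain $chain" >> "$STATE" ;;
        -A) echo "rule $chain $rest" >> "$STATE" ;;
        -C) grep -qxF "rule $chain $rest" "$STATE" ;;
        -F) grep -v "^rule $chain " "$STATE" > "$STATE.tmp" || true
            mv "$STATE.tmp" "$STATE" ;;
        *)  echo "shim: unsupported iptables op $op" >&2; return 2 ;;
    esac
}
IPT="${IPT:-fake_iptables}"

# What a generated post-up hook does: create the chain and the single jump
# idempotently, then add this subnet's SNAT rule into the dedicated chain
# rather than directly into POSTROUTING.
sdn_post_up() {   # $1 = subnet CIDR, $2 = outgoing interface
    "$IPT" -t nat -N "$CHAIN" 2>/dev/null || true
    "$IPT" -t nat -C POSTROUTING -j "$CHAIN" 2>/dev/null \
        || "$IPT" -t nat -A POSTROUTING -j "$CHAIN"
    "$IPT" -t nat -A "$CHAIN" -s "$1" -o "$2" -j MASQUERADE
}

# ifreload -a re-runs post-up for every stanza still in the config but runs no
# down hook for a stanza that merely lost its SNAT lines, so without a flush
# the old rule survives and the live one is appended a second time.
reload_without_flush() {   # $@ = "cidr:oif" pairs that still have SNAT enabled
    for spec in "$@"; do sdn_post_up "${spec%%:*}" "${spec##*:}"; done
}

# With the dedicated chain the reload can drop exactly the SDN-generated rules
# and leave everything else in POSTROUTING alone.
reload_with_flush() {
    "$IPT" -t nat -F "$CHAIN" 2>/dev/null || true
    reload_without_flush "$@"
}

count_rules() { grep -c "^rule $1 " "$STATE" || true; }   # $1 = chain name

# Walk the scenario from the bug report: two SNAT subnets applied, one
# disabled, then a reload with and without the flush.
demo() {
    : > "$STATE"
    echo "chain POSTROUTING" >> "$STATE"
    # a user's own rule that must never be touched (constructed)
    "$IPT" -t nat -A POSTROUTING -s 192.0.2.0/24 -o eth0 -j MASQUERADE
    sdn_post_up 10.0.1.0/24 vmbr0
    sdn_post_up 10.0.2.0/24 vmbr0
    # SNAT disabled on 10.0.2.0/24, then ifreload -a as before: stale + duplicate
    reload_without_flush 10.0.1.0/24:vmbr0
    stale=$(count_rules "$CHAIN")
    # same reload, but flushing PROXMOX-SDN first: only the live rule remains
    reload_with_flush 10.0.1.0/24:vmbr0
    flushed=$(count_rules "$CHAIN")
    echo "stale-reload=$stale flushed-reload=$flushed postrouting=$(count_rules POSTROUTING)"
}

[ "${0##*/}" = "sdn_snat_chain.sh" ] && demo
```

Run as `sh sdn_snat_chain.sh` to see the three counts (the stale reload leaves three rules in the chain, the flushed reload one, and POSTROUTING keeps the user's rule plus the single jump). Against real iptables the `-C` check before the jump is what keeps repeated post-up runs from stacking jumps, and flushing only the dedicated chain is what keeps the user's POSTROUTING rules out of reach of the reload.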