ipsets that contained overlapping ip ranges caused the firewall to generate a ruleset rejected by nftables, because nftables interval sets do not support overlapping ranges by default. By explicitly enabling the auto-merge flag we prevent the firewall from failing due to overlapping elements in ipsets. nftables sets then automatically merge elements that are overlapping / adjacent.
This issue was reported in the forum [1]. [1] https://forum.proxmox.com/threads/proxmox-firewall-nftables-troubleshooting.164560/#post-760973 Signed-off-by: Stefan Hanreich <s.hanre...@proxmox.com> --- proxmox-firewall/src/object.rs | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/proxmox-firewall/src/object.rs b/proxmox-firewall/src/object.rs index 5c18708..5dde7c2 100644 --- a/proxmox-firewall/src/object.rs +++ b/proxmox-firewall/src/object.rs @@ -124,8 +124,9 @@ impl ToNftObjects for Ipset { SetName::ipset_name(family, self.name(), env.vmid, false), ); - let set_config = - SetConfig::new(set_name.clone(), vec![element_type]).with_flag(SetFlag::Interval); + let set_config = SetConfig::new(set_name.clone(), vec![element_type]) + .with_flag(SetFlag::Interval) + .with_auto_merge(true); let nomatch_name = SetName::new( env.table.clone(), @@ -133,7 +134,8 @@ impl ToNftObjects for Ipset { ); let nomatch_config = SetConfig::new(nomatch_name.clone(), vec![element_type]) - .with_flag(SetFlag::Interval); + .with_flag(SetFlag::Interval) + .with_auto_merge(true); commands.append(&mut vec![ Add::set(set_config), -- 2.47.3 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
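Review bot: In the first hunk (the `set_config` for the match set) the `Interval` flag plus `with_auto_merge(true)` is now built by hand here and again for the nomatch set a few lines below; a small constructor on `SetConfig` (say an `interval_set(name, element_type)` helper, name hypothetical) would keep the two sets from drifting apart the next time a flag is added to one and forgotten on the other. The fix is also only exercised when nft actually loads the generated ruleset, so a fixture ipset with overlapping and adjacent ranges in the existing ruleset tests would pin the behaviour and catch a regression before it reaches a host.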
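Review bot: For the second hunk (the `nomatch_config`), enabling auto-merge on the nomatch set is consistent with the match set, but a short comment explaining why it is safe would help the next reader: the nomatch set is only ever consulted for membership, so merging two overlapping or adjacent excluded ranges into one does not change which addresses are excluded. It would also be worth stating in the commit message which minimum nftables version the firewall now relies on, since auto-merge is a property of the generated set definition and older nft binaries will reject a ruleset that uses it.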