[pve-devel] [PATCH proxmox-firewall 0/3] create ipsets with auto-merge option enabled
Stefan Hanreich
s.hanreich at proxmox.com
Thu Sep 25 18:12:44 CEST 2025
nftables interval sets do not merge overlapping / adjacent CIDRs / ranges by
default. Instead, nftables errors out, refusing to insert new set elements. This
was a problem with proxmox-firewall, since IP sets with overlapping entries
could cause the firewall daemon to refuse to work.
Since v1.1.0 [1] (and therefore, Debian trixie) the nftables json interface
supports setting the auto-merge options for sets.
[1] https://www.netfilter.org/projects/nftables/files/changes-nftables-1.1.0.txt
proxmox-firewall:
Stefan Hanreich (3):
nftables: add support for auto-merge set option
firewall: set auto-merge flag for ipsets
firewall: tests: regenerate snapshot
proxmox-firewall/src/object.rs | 8 +-
.../integration_tests__firewall.snap | 192 ++++++++++++------
proxmox-nftables/src/types.rs | 9 +
3 files changed, 142 insertions(+), 67 deletions(-)
Summary over all repositories:
3 files changed, 142 insertions(+), 67 deletions(-)
--
Generated by git-murpp 0.8.0
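The following is an added illustration of the problem the series addresses; it is neither proxmox-firewall nor nftables code. It builds the libnftables JSON document that creates an interval set, optionally carrying the auto-merge key that nftables 1.1.0 introduced, and uses Python's ipaddress module to show which entries of a set conflict (the overlap nftables refuses without auto-merge) and what the merged set looks like. Assumptions: the JSON key is spelled "auto-merge" and element objects follow libnftables-json(5) (`{"prefix": {"addr", "len"}}` and `{"range": [a, b]}`); the table name, set name and sample entries are constructed.

```python
"""Overlapping entries in an nftables interval set, and the auto-merge flag.

Added illustration, not proxmox-firewall or nftables code.  The JSON shapes
below are taken from libnftables-json(5); the "auto-merge" key is the set
option that nftables 1.1.0 added (assumed spelling).
"""
import ipaddress
import json
from itertools import combinations


def to_interval(entry):
    """'10.0.0.0/24' or '10.0.0.5-10.0.0.9' -> (first, last) address pair."""
    if "-" in entry:
        first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
    else:
        net = ipaddress.ip_network(entry, strict=False)
        first, last = net[0], net[-1]
    if first > last:
        raise ValueError(f"inverted range: {entry}")
    return first, last


def find_overlaps(entries):
    """Return (a, b) pairs of entries whose intervals overlap.

    These are the conflicting intervals that nftables rejects when the set has
    no auto-merge; merely adjacent entries are accepted but left unmerged."""
    ivs = {e: to_interval(e) for e in entries}
    return [
        (a, b)
        for a, b in combinations(entries, 2)
        if ivs[a][0].version == ivs[b][0].version
        and ivs[a][0] <= ivs[b][1]
        and ivs[b][0] <= ivs[a][1]
    ]


def _fmt(first, last):
    """Show an interval as a CIDR when it is exactly one network, else as a range."""
    nets = list(ipaddress.summarize_address_range(first, last))
    return str(nets[0]) if len(nets) == 1 else f"{first}-{last}"


def merged(entries):
    """What auto-merge produces: overlapping or adjacent intervals collapsed.

    Classic sweep: sort by first address, extend the current interval while the
    next one starts at or before current.last + 1 (integer math avoids the
    address overflow that 255.255.255.255 + 1 would raise)."""
    out = []
    for version in (4, 6):  # never merge across address families
        ivs = sorted(iv for iv in map(to_interval, entries) if iv[0].version == version)
        for first, last in ivs:
            if out and out[-1][0].version == version and int(first) <= int(out[-1][1]) + 1:
                out[-1] = (out[-1][0], max(out[-1][1], last))
            else:
                out.append((first, last))
    return [_fmt(first, last) for first, last in out]


def ipset_element(entry):
    """Encode one entry as a libnftables-json set element."""
    if "-" in entry:
        first, last = (p.strip() for p in entry.split("-", 1))
        return {"range": [first, last]}
    net = ipaddress.ip_network(entry, strict=False)
    return {"prefix": {"addr": str(net.network_address), "len": net.prefixlen}}


def add_set_command(table, name, entries, family="inet", auto_merge=True):
    """Build the {"nftables": [...]} document that `nft -j -f -` would read."""
    versions = {to_interval(e)[0].version for e in entries}
    if len(versions) != 1:
        raise ValueError("one nftables set holds a single address family")
    set_obj = {
        "family": family,
        "table": table,
        "name": name,
        "type": "ipv4_addr" if versions == {4} else "ipv6_addr",
        "flags": ["interval"],
        "elem": [ipset_element(e) for e in entries],
    }
    if auto_merge:
        set_obj["auto-merge"] = True  # requires nftables >= 1.1.0
    return {"nftables": [{"add": {"set": set_obj}}]}


if __name__ == "__main__":
    # Constructed sample: a nested prefix, an adjacent prefix, and a range
    # that overlaps a prefix.
    sample = ["10.0.0.0/24", "10.0.0.0/25", "10.0.1.0/24",
              "192.168.1.10-192.168.1.20", "192.168.1.16/28"]
    print("conflicting pairs:", find_overlaps(sample))
    print("after auto-merge: ", merged(sample))
    print(json.dumps(add_set_command("vmbr0", "blocklist", sample), indent=2))
```

Run it as a script to see the conflicting pairs, the merged view, and the JSON with `"auto-merge": true`; with `auto_merge=False` the document is what a pre-1.1.0 nftables would accept, and `find_overlaps` returning anything non-empty is the condition under which that older nftables rejects the set.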