[pve-devel] applied: [PATCH proxmox-firewall] firewall: properly handle REJECT rules

Thomas Lamprecht t.lamprecht at proxmox.com
Tue Apr 23 18:37:33 CEST 2024


On 23/04/2024 at 18:02, Stefan Hanreich wrote:
> Currently we generate DROP statements for all rules involving REJECT.
> We only need to generate DROP when in the postrouting chain of tables
> with type bridge, since REJECT is disallowed there. Otherwise we jump
> into the do-reject chain which properly handles rejects for different
> protocol types.
> 
> Signed-off-by: Stefan Hanreich <s.hanreich at proxmox.com>
> ---
> Seems like the proper handling for this got lost somewhere during my
> big refactoring :/
> 
>  .../resources/proxmox-firewall.nft            |   7 +-
>  proxmox-firewall/src/firewall.rs              |   9 +-
>  proxmox-firewall/src/rule.rs                  |  22 ++-
>  proxmox-firewall/tests/input/100.fw           |   2 +
>  proxmox-firewall/tests/input/host.fw          |   2 +
>  .../integration_tests__firewall.snap          | 158 +++++++++++++++++-
>  proxmox-nftables/src/statement.rs             |   6 +-
>  7 files changed, 197 insertions(+), 9 deletions(-)
> 
>

applied, with the Reported-by from Sterz amended in, thanks!



