[pve-devel] [PATCH firewall] Fix #1606 Add nf_conntrack_allow_invalid option

Wolfgang Bumiller w.bumiller at proxmox.com
Fri Feb 1 09:56:36 CET 2019


On Thu, Jan 31, 2019 at 03:26:18PM +0100, Christian Ebner wrote:
> This adds the nf_conntrack_allow_invalid host firewall option, which allows
> disabling the drop of packets that connection tracking classifies as INVALID.
> This is needed for some rare setups with asymmetric multi-path routing.
> 
> Signed-off-by: Christian Ebner <c.ebner at proxmox.com>
> ---
>  src/PVE/Firewall.pm | 20 ++++++++++++++------
>  1 file changed, 14 insertions(+), 6 deletions(-)
> 
> diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
> index 39f79d4..e8ed06f 100644
> --- a/src/PVE/Firewall.pm
> +++ b/src/PVE/Firewall.pm
> @@ -1242,6 +1242,12 @@ our $host_option_properties = {
>  	type => 'boolean',
>  	optional => 1,
>      },
> +    nf_conntrack_allow_invalid => {
> +	description => "Allow invalid packets on connection tracking.",
> +	type => 'boolean',
> +	default => 0,
> +	optional => 1,
> +    },
>  };
>  
>  our $vm_option_properties = {
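Review bot: The schema description on line 26, "Allow invalid packets on connection tracking.", tells an administrator nothing about what they give up by enabling it, and this description is presumably what surfaces in the option documentation and tooltips. The caveat already in the commit message belongs here, so the trade-off is visible at the point where the knob is turned on. Suggest `description => "Allow packets in conntrack state INVALID instead of dropping them. This weakens stateful filtering and is only needed for setups with asymmetric multi-path routing.",`.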
> @@ -2128,9 +2134,11 @@ sub ruleset_chain_add_ndp {
>  }
>  
>  sub ruleset_chain_add_conn_filters {
> -    my ($ruleset, $chain, $accept) = @_;
> +    my ($ruleset, $chain, $hostfw_options, $accept) = @_;
>  
> -    ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID", "-j DROP");
> +    if (!$hostfw_options->{nf_conntrack_allow_invalid}) {
> +	ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID", "-j DROP");
> +    }
>      ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate RELATED,ESTABLISHED", "-j $accept");
>  }
>  
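Review bot: Inserting `$hostfw_options` as a new positional parameter in the middle of the argument list on line 39 means any caller elsewhere in the tree that is not updated would silently pass its accept target as the options hash and `undef` as `$accept`, producing a `-j ` rule with an empty target rather than an error; the three callers touched by this patch are updated, but the signature change is fragile. Appending the new parameter after `$accept`, or at least adding `die "missing accept target" if !defined $accept;`, would make a stale caller fail loudly. The function also deserves a header comment now that it has a security-relevant bypass, e.g. `# Drop packets conntrack cannot classify (state INVALID) unless nf_conntrack_allow_invalid is set; when it is set, such packets are not matched by the RELATED,ESTABLISHED rule and fall through to whatever rules follow in $chain.`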
> @@ -2356,7 +2364,7 @@ sub enable_host_firewall {
>  
>      ruleset_addrule($ruleset, $chain, "-i lo", "-j ACCEPT");
>  
> -    ruleset_chain_add_conn_filters($ruleset, $chain, 'ACCEPT');
> +    ruleset_chain_add_conn_filters($ruleset, $chain, $options, 'ACCEPT');

Even though this can be configured per host, it should not be applied to the
host's own input/output chains, so here we still want to drop invalid
packets.

>      ruleset_chain_add_ndp($ruleset, $chain, $ipversion, $options, 'IN', '-j RETURN');
>      ruleset_chain_add_input_filters($ruleset, $chain, $ipversion, $options, $cluster_conf, $loglevel);
>  
> @@ -2414,7 +2422,7 @@ sub enable_host_firewall {
>  
>      ruleset_addrule($ruleset, $chain, "-o lo", "-j ACCEPT");
>  
> -    ruleset_chain_add_conn_filters($ruleset, $chain, 'ACCEPT');
> +    ruleset_chain_add_conn_filters($ruleset, $chain, $options, 'ACCEPT');

Same here.

>  
>      # we use RETURN because we may want to check other thigs later
>      $accept_action = 'RETURN';
> @@ -2638,7 +2646,7 @@ sub parse_hostfw_option {
>  
>      my $loglevels = "emerg|alert|crit|err|warning|notice|info|debug|nolog";
>  
> -    if ($line =~ m/^(enable|nosmurfs|tcpflags|ndp|log_nf_conntrack):\s*(0|1)\s*$/i) {
> +    if ($line =~ m/^(enable|nosmurfs|tcpflags|ndp|log_nf_conntrack|nf_conntrack_allow_invalid):\s*(0|1)\s*$/i) {
>  	$opt = lc($1);
>  	$value = int($2);
>      } elsif ($line =~ m/^(log_level_in|log_level_out|tcp_flags_log_level|smurf_log_level):\s*(($loglevels)\s*)?$/i) {
> @@ -3461,7 +3469,7 @@ sub compile_iptables_filter {
>      # fixme: what log level should we use here?
>      my $loglevel = get_option_log_level($hostfw_options, "log_level_out");
>  
> -    ruleset_chain_add_conn_filters($ruleset, "PVEFW-FORWARD", "ACCEPT");
> +    ruleset_chain_add_conn_filters($ruleset, "PVEFW-FORWARD", $hostfw_options, "ACCEPT");

This is the only place where it really makes sense to drop the rule.
Since all calls refer to the same options hash it's probably easier to
pass just the one option instead of the entire hash (since passing the
options in one place but an empty hash in the other places feels a bit
weird).

>  
>      ruleset_create_chain($ruleset, "PVEFW-FWBR-IN");
>      ruleset_chain_add_input_filters($ruleset, "PVEFW-FWBR-IN", $ipversion, $hostfw_options, $cluster_conf, $loglevel);
> -- 
> 2.11.0



