[pve-devel] pve-firewall : -m conntrack --ctstate INVALID -j DROP is dropping connections on firewall restart
Alexandre DERUMIER
aderumier at odiso.com
Thu Feb 14 19:47:11 CET 2019
Hi,
I have noticed a bug with the current firewall implementation,
with a simple test like:
1)
host fw:
--------
iptables -F
iptables -X
iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables-save > rules.dump
2) start a vm, and establish a connection (like ssh for example)
3) iptables -F (like pve-firewall stop)
4) restore the rules (iptables-restore -n < rules.dump) (like pve-firewall start)
Then,
the connection is dropped with
iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
This is critical for some protocols like cephfs, where this hangs the mds connection for 15min by default (the client thinks it's still connected).
By reversing the order of the 2 rules, it's working fine:
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
I'm not expert enough with conntrack, but I have seen a lot of documentation about this order (ufw firewall, archlinux wiki, ...).
Does somebody have an idea what the correct order should be?
(Note that running iptables INPUT inside the vm is working fine with INVALID first, so maybe it's specific to forwarding.)
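As an added check (not part of the mail above or of pve-firewall itself), the script below parses an iptables-save dump such as the rules.dump from step 1 and reports which of the two conntrack rules comes first in the FORWARD chain, so a restart hook can flag the ordering the mail reports as dropping established connections before iptables-restore is run. It only reads text, needs no root, and the two embedded dumps are constructed samples reproducing the two orders from the mail; the function names are my own.

```shell
#!/bin/sh
# Added example: lint the order of the two conntrack rules in an iptables-save
# dump before restoring it. Pure text processing, no iptables calls.

# Constructed sample dump: the order the mail reports as dropping established
# connections after flush + restore (INVALID DROP first).
DUMP_INVALID_FIRST='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# Constructed sample dump: the reversed order the mail reports as working.
DUMP_ESTABLISHED_FIRST='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
COMMIT'

# ctstate_order DUMP_TEXT [CHAIN]
# Prints the 1-based positions (within CHAIN, default FORWARD) of the first
# "--ctstate INVALID -j DROP" rule and the first
# "--ctstate RELATED,ESTABLISHED -j ACCEPT" rule, followed by a verdict:
#   established-first  the ACCEPT rule precedes the INVALID DROP
#   invalid-first      the INVALID DROP precedes the ACCEPT rule
#   missing            at least one of the two rules is absent from CHAIN
ctstate_order() {
    dump=$1
    chain=${2:-FORWARD}
    printf '%s\n' "$dump" | awk -v chain="$chain" '
        # Only "-A <chain> ..." lines count; position is the rule index in the chain.
        $1 == "-A" && $2 == chain {
            n++
            if (inv == 0 && /--ctstate INVALID/ && /-j DROP/) inv = n
            if (est == 0 && /--ctstate RELATED,ESTABLISHED/ && /-j ACCEPT/) est = n
        }
        END {
            if (inv == 0 || est == 0) print inv + 0, est + 0, "missing"
            else if (est < inv)        print inv, est, "established-first"
            else                       print inv, est, "invalid-first"
        }'
}

# check_dump DUMP_TEXT
# Exit status 0 when the RELATED,ESTABLISHED ACCEPT precedes the INVALID DROP
# in FORWARD (the order the mail found survives a restore), 1 otherwise.
# In a pre-restore hook: check_dump "$(cat rules.dump)" || echo "rule order warning"
check_dump() {
    verdict=$(ctstate_order "$1" FORWARD | awk '{print $3}')
    [ "$verdict" = "established-first" ]
}

ctstate_order "$DUMP_INVALID_FIRST" FORWARD
ctstate_order "$DUMP_ESTABLISHED_FIRST" FORWARD
```

Feed it the real dump with `ctstate_order "$(cat rules.dump)" FORWARD`; the verdict word is meant to be grepped by whatever wraps the restore step, and `check_dump` gives the same result as an exit status.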