[pve-devel] [PATCH pve-firewall 1/3] global -m conntrack --ctstate INVALID : PVEFW-reject instead DROP

Wolfgang Bumiller w.bumiller at proxmox.com
Mon Feb 18 10:56:42 CET 2019


On Fri, Feb 15, 2019 at 10:48:01AM +0100, Alexandre Derumier wrote:
> ---
>  src/PVE/Firewall.pm | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
> index 2125d3b..61d5599 100644
> --- a/src/PVE/Firewall.pm
> +++ b/src/PVE/Firewall.pm
> @@ -2137,7 +2137,7 @@ sub ruleset_chain_add_conn_filters {
>      my ($ruleset, $chain, $allow_invalid, $accept) = @_;
>  
>      if (!$allow_invalid) {
> -	ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID", "-j DROP");
> +	ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID", "-j PVEFW-reject");
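Review bot: Changing the INVALID-state action from DROP to PVEFW-reject inside ruleset_chain_add_conn_filters applies to every chain that calls this sub, forward chains included, so the reject (an ICMP error or TCP RST sent back toward the source) will fire even for packets that were never addressed to this path, which is the situation described in the reply above. Consider keeping "-j DROP" as the default here and letting the caller opt into the reject target, in the same way the sub already takes $allow_invalid and $accept as parameters, or limiting the reject to input/output chains. The patch also has no commit message body (the quoted part begins directly with the "---" diffstat), so the rationale for rejecting rather than dropping INVALID packets is not recorded.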

Rejecting in forward chains is dangerous; we should never do that by
default unless we already know for sure the packet was meant to go down
this path, otherwise we end up rejecting connections for other guests if
the bridge hasn't learned or has forgotten the neighbor entry for the packet's
MAC address.
