[pve-devel] [PATCH pve-firewall 1/3] global -m conntrack --ctstate INVALID : PVEFW-reject instead DROP

Alexandre DERUMIER aderumier at odiso.com
Tue Feb 19 01:54:48 CET 2019


Hi again,

I think I have found the problem with stop/start of firewall and conntrack

It's possible to mitigated it with

echo 1 > /proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal


from conntrack source
https://github.com/torvalds/linux/blob/master/net/netfilter/nf_conntrack_proto_tcp.c

res = false;
		if (sender->flags & IP_CT_TCP_FLAG_BE_LIBERAL ||
		    tn->tcp_be_liberal)
			res = true;
		if (!res) {
			nf_ct_l4proto_log_invalid(skb, ct,
			"%s",
			before(seq, sender->td_maxend + 1) ?
			in_recv_win ?
			before(sack, receiver->td_end + 1) ?
			after(sack, receiver->td_end - MAXACKWINDOW(sender) - 1) ? "BUG"
			: "ACK is under the lower bound (possible overly delayed ACK)"
			: "ACK is over the upper bound (ACKed data not seen yet)"
			: "SEQ is under the lower bound (already ACKed data retransmitted)"
			: "SEQ is over the upper bound (over the window of the receiver)");
		}


I think that when we stop pve-firewall, we remove the conntrack rules,
then conntrack don't track anymore the packets sequences,
and when we reenable firewall, it's dropping packets. (The connection entry it's still present in the conntrack table).


I think we have 3 possiblity:

- flushing conntrack on pve-firewall stop (but maybe it'll break nat if users have defined them manually ?)

- keep conntrack rules somewhere

- use nf_conntrack_tcp_be_liberal as default (I'm using it some years ago with ciscofw randomizing sequences numbers)


What do you think ?





----- Mail original -----
De: "aderumier" <aderumier at odiso.com>
À: "Wolfgang Bumiller" <w.bumiller at proxmox.com>
Cc: "pve-devel" <pve-devel at pve.proxmox.com>
Envoyé: Lundi 18 Février 2019 11:53:26
Objet: Re: [pve-devel] [PATCH pve-firewall 1/3] global -m conntrack --ctstate INVALID : PVEFW-reject instead DROP

>>Rejecting in forward chains is dangerous, we should never do that by 
>>default unless we already know for sure the packet was meant to go down 
>>this path, otherwise we end up rejecting connections for other guests if 
>>the bridge hasn't learned or forgot the neighbor entry for the packet's 
>>mac address. 

Is it more dangerous than DROP ? 
the difference is to send an RST. (this could be bad for spoofed attack) 

In my case, it seem that flushing conntrack after pve-firewall stop, 
fix the problem when pve-firewall start again. 


Maybe could we make it optionnal ? 
I'm seeing that we have a new option "nf_conntrack_allow_invalid" to make ACCEPT. 

maybe could we rename is "nf_conntrack_invalid_action" : DROP(default)/REJECT/ACCEPT ? 



----- Mail original ----- 
De: "Wolfgang Bumiller" <w.bumiller at proxmox.com> 
À: "aderumier" <aderumier at odiso.com> 
Cc: "pve-devel" <pve-devel at pve.proxmox.com> 
Envoyé: Lundi 18 Février 2019 10:56:42 
Objet: Re: [pve-devel] [PATCH pve-firewall 1/3] global -m conntrack --ctstate INVALID : PVEFW-reject instead DROP 

On Fri, Feb 15, 2019 at 10:48:01AM +0100, Alexandre Derumier wrote: 
> --- 
> src/PVE/Firewall.pm | 2 +- 
> 1 file changed, 1 insertion(+), 1 deletion(-) 
> 
> diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm 
> index 2125d3b..61d5599 100644 
> --- a/src/PVE/Firewall.pm 
> +++ b/src/PVE/Firewall.pm 
> @@ -2137,7 +2137,7 @@ sub ruleset_chain_add_conn_filters { 
> my ($ruleset, $chain, $allow_invalid, $accept) = @_; 
> 
> if (!$allow_invalid) { 
> - ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID", "-j DROP"); 
> + ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID", "-j PVEFW-reject"); 

Rejecting in forward chains is dangerous, we should never do that by 
default unless we already know for sure the packet was meant to go down 
this path, otherwise we end up rejecting connections for other guests if 
the bridge hasn't learned or forgot the neighbor entry for the packet's 
mac address. 

_______________________________________________ 
pve-devel mailing list 
pve-devel at pve.proxmox.com 
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 



More information about the pve-devel mailing list