[pve-devel] [PATCH proxmox-firewall 2/2] firewall: improve conntrack handling
Stefan Hanreich
s.hanreich at proxmox.com
Wed May 15 15:37:19 CEST 2024
The output chain did not have any conntrack rules, which led to
issues when the default output policy is not accept. Also, move the
conntrack rules to the beginning of all chains.
Signed-off-by: Stefan Hanreich <s.hanreich at proxmox.com>
Originally-by: Laurent Guerby <laurent at guerby.net>
---
Based this on the earlier patch in order to avoid conflicts when
applying both patches.
.../resources/proxmox-firewall.nft | 9 ++----
proxmox-firewall/src/firewall.rs | 7 ----
.../integration_tests__firewall.snap | 32 -------------------
3 files changed, 2 insertions(+), 46 deletions(-)
diff --git a/proxmox-firewall/resources/proxmox-firewall.nft b/proxmox-firewall/resources/proxmox-firewall.nft
index 90b5d5a..411e143 100644
--- a/proxmox-firewall/resources/proxmox-firewall.nft
+++ b/proxmox-firewall/resources/proxmox-firewall.nft
@@ -32,7 +32,6 @@ add chain bridge proxmox-firewall-guests allow-ndp-out
add chain bridge proxmox-firewall-guests block-ndp-out
add chain bridge proxmox-firewall-guests allow-ra-out
add chain bridge proxmox-firewall-guests block-ra-out
-add chain bridge proxmox-firewall-guests after-vm-in
add chain bridge proxmox-firewall-guests do-reject
add chain bridge proxmox-firewall-guests vm-out {type filter hook prerouting priority 0; policy accept;}
add chain bridge proxmox-firewall-guests vm-in {type filter hook postrouting priority 0; policy accept;}
@@ -64,7 +63,6 @@ flush chain bridge proxmox-firewall-guests allow-ndp-out
flush chain bridge proxmox-firewall-guests block-ndp-out
flush chain bridge proxmox-firewall-guests allow-ra-out
flush chain bridge proxmox-firewall-guests block-ra-out
-flush chain bridge proxmox-firewall-guests after-vm-in
flush chain bridge proxmox-firewall-guests do-reject
flush chain bridge proxmox-firewall-guests vm-out
flush chain bridge proxmox-firewall-guests vm-in
@@ -293,18 +291,15 @@ table bridge proxmox-firewall-guests {
reject with icmp type host-prohibited
}
- chain after-vm-in {
- ct state established,related accept
- ether type != arp ct state invalid drop
- }
-
chain vm-out {
type filter hook prerouting priority 0; policy accept;
+ ether type != arp ct state vmap { established : accept, related : accept, invalid : drop }
iifname vmap @vm-map-out
}
chain vm-in {
type filter hook postrouting priority 0; policy accept;
+ ether type != arp ct state vmap { established : accept, related : accept, invalid : drop }
ether type arp accept
oifname vmap @vm-map-in
}
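Review bot: The new `ether type != arp ct state vmap { ... }` rule in vm-out (and its twin in vm-in) also catches frames that conntrack never tracks: for ethertypes other than ip/ip6 there is no conntrack entry and, if I read nft's `ct state` semantics correctly, the state then evaluates as invalid, so non-IP, non-ARP traffic from a guest is now dropped in prerouting before its own guest chain is consulted — this is new for the outgoing direction, since the removed after-vm-in chain was only jumped to from the -in chains. Consider matching the protocols conntrack actually tracks instead of excluding only ARP, e.g. `ether type { ip, ip6 } ct state vmap { established : accept, related : accept, invalid : drop }`, so other ethertypes keep falling through to the per-guest rules as before. Either way, a comment above the two rules explaining the ordering and the guard would help future readers, e.g. `# conntrack first so reply traffic is accepted regardless of the guest policy; non-IP frames have no ct entry and would otherwise match 'invalid'`. The rule is also duplicated verbatim in both chains; keeping it in one chain that both hooks jump to, as the removed after-vm-in did, would avoid the two copies drifting apart.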
diff --git a/proxmox-firewall/src/firewall.rs b/proxmox-firewall/src/firewall.rs
index 0da3ab7..4c85ea2 100644
--- a/proxmox-firewall/src/firewall.rs
+++ b/proxmox-firewall/src/firewall.rs
@@ -810,13 +810,6 @@ impl Firewall {
)));
}
- if direction == Direction::In {
- commands.push(Add::rule(AddRule::from_statement(
- chain.clone(),
- Statement::jump("after-vm-in"),
- )));
- }
-
self.create_log_rule(
commands,
config.log_level(direction),
diff --git a/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap b/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap
index 2ca151f..669bad9 100644
--- a/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap
+++ b/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap
@@ -3181,22 +3181,6 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
}
}
},
- {
- "add": {
- "rule": {
- "family": "bridge",
- "table": "proxmox-firewall-guests",
- "chain": "guest-100-in",
- "expr": [
- {
- "jump": {
- "target": "after-vm-in"
- }
- }
- ]
- }
- }
- },
{
"add": {
"rule": {
@@ -3638,22 +3622,6 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
}
}
},
- {
- "add": {
- "rule": {
- "family": "bridge",
- "table": "proxmox-firewall-guests",
- "chain": "guest-101-in",
- "expr": [
- {
- "jump": {
- "target": "after-vm-in"
- }
- }
- ]
- }
- }
- },
{
"add": {
"rule": {
--
2.39.2