[pve-devel] applied-series: [PATCH proxmox-firewall 1/2] firewall: improve handling of ARP traffic for guests
Thomas Lamprecht
t.lamprecht at proxmox.com
Tue May 21 15:57:56 CEST 2024
Am 15/05/2024 um 15:37 schrieb Stefan Hanreich:
> In order to be able to send outgoing ARP packets when the default
> policy is set to drop or reject, we need to explicitly allow ARP
> traffic in the outgoing chain of guests. We need to do this in the
> guest chain itself in order to be able to filter spoofed packets via
> the MAC filter.
>
> Contrary to the out direction we can simply accept all incoming ARP
> traffic, since we do not do any MAC filtering for incoming traffic.
> Since we create fdb entries for every NIC, guests should only see ARP
> traffic for their MAC addresses anyway.
>
> Signed-off-by: Stefan Hanreich <s.hanreich at proxmox.com>
> Originally-by: Laurent Guerby <laurent at guerby.net>
> ---
> proxmox-firewall/resources/proxmox-firewall.nft | 1 +
> proxmox-firewall/src/firewall.rs | 8 ++++----
> .../tests/snapshots/integration_tests__firewall.snap | 4 ++--
> 3 files changed, 7 insertions(+), 6 deletions(-)
>
>
applied both patches, thanks!
I reworded the subject here too and re-ordered the git trailers, as they
should have a causal order where possible. I.e., if someone else made a
patch, or helped you to do so, their co-authored-by or originally-by is
normally before your signed-off-by, as your "signature" shows that all
above it is (to your best knowledge) correct w.r.t patch ownership and
description, and like on "real" documents that signature goes at the
bottom.
More information about the pve-devel
mailing list