[pve-devel] [PATCH] firewall: resources: accept invalid ct state by default

Stefan Hanreich s.hanreich at proxmox.com
Fri Nov 15 14:13:26 CET 2024



On 11/15/24 13:33, Hannes Laimer wrote:
> We only add a `block-conntrack-invalid` jump to the in chain, if
> the `nf_conntrack_allow_invalid` option is not set in the config. But we
> already drop connections with an invalid ct state by default. So we have
> to either allow connections with an invalid ct state by default, or explicitly
> allow them when checking for the option and keeping them blocked by default.
> I chose to change the 'default' as it has the same result but is
> a simpler change.
> 
> Signed-off-by: Hannes Laimer <h.laimer at proxmox.com>
> ---
> relevant code[1]
> ```
>         if self.config.host().block_invalid_conntrack() {
>             log::debug!("set block_invalid_conntrack");
> 
>             commands.push(Add::rule(AddRule::from_statement(
>                 chain_in,
>                 Statement::jump("block-conntrack-invalid"),
>             )));
>         }
> ```

This setting is for toggling invalid traffic on host level and works
because in the host default-in chain we have:

  ct state established,related accept

and then insert in the option-in chain

  jump block-conntrack-invalid

depending on the `nf_conntrack_allow_invalid` setting.


For VMs this isn't configurable; we always drop conntrack invalid traffic:
>  
>      chain pre-vm-out {
> -        meta protocol != arp ct state vmap { established : accept, related : accept, invalid : drop }
> +        meta protocol != arp ct state vmap { established : accept, related : accept, invalid : accept }
>      }
>  
>      chain vm-out {
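Review bot: in the pre-vm-out vmap, `invalid : accept` is a terminal verdict, so a guest's outbound packet with ct state invalid is accepted right here, before the guest's vm-out rules are evaluated, exactly like established/related; that is stronger than "not dropped by default", and it happens regardless of the `nf_conntrack_allow_invalid` option the commit message refers to. If the option is meant to decide, leave the `invalid` key out of the vmap (`ct state vmap { established : accept, related : accept }`) so invalid packets fall through to the rules, and emit `jump block-conntrack-invalid` only when blocking is configured, as the host chain does.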
> @@ -326,7 +326,7 @@ table bridge proxmox-firewall-guests {
>      }
>  
>      chain pre-vm-in {
> -        meta protocol != arp ct state vmap { established : accept, related : accept, invalid : drop }
> +        meta protocol != arp ct state vmap { established : accept, related : accept, invalid : accept }
>          meta protocol arp accept
>      }
>  
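Review bot: the same problem applies to pre-vm-in, and here it is the inbound direction, so packets from outside that conntrack classifies as invalid would be accepted by the vmap and delivered to the guest without its own rules ever seeing them; `meta protocol arp accept` on the following line is unaffected, but nothing in this hunk ties the new verdict to any setting. As for pre-vm-out, drop the `invalid` entry from the vmap and add the conditional jump instead of changing the verdict to `accept`.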

This change has a problem though: It would *always* allow traffic with
ct state invalid for VMs.

I see two ways of solving this problem:

* We introduce a knob at VM level that lets you decide whether to drop
ct invalid traffic or not. (Invalid traffic would then still be
evaluated by the firewall rules if it's allowed in principle, as is the
case on host-level)

* We apply the host-level setting to VMs as well.
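An added illustration, not part of this reply or of the pve-firewall ruleset, showing how the three variants under discussion treat a packet that conntrack marks invalid. The table and chain names (`illustration_guests`, `pre-vm-in-current`, `pre-vm-in-patch`, `pre-vm-in-option`) are made up for the example; only the vmap lines and `block-conntrack-invalid` mirror what the thread shows.

```nft
# Constructed example, not project code: three ways to handle ct state invalid
# in a guest inbound chain.
table bridge illustration_guests {
    # Chain the host-level option points at; it exists in the project, the
    # body here is assumed.
    chain block-conntrack-invalid {
        ct state invalid drop
    }

    # Current behaviour: invalid is dropped unconditionally by the vmap,
    # independent of any option.
    chain pre-vm-in-current {
        meta protocol != arp ct state vmap { established : accept, related : accept, invalid : drop }
        meta protocol arp accept
    }

    # Patch as posted: 'accept' is a terminal verdict, so invalid packets are
    # accepted here and never reach the guest's own rules, same as
    # established/related traffic.
    chain pre-vm-in-patch {
        meta protocol != arp ct state vmap { established : accept, related : accept, invalid : accept }
        meta protocol arp accept
    }

    # Host-style alternative: no verdict for invalid in the vmap, so invalid
    # packets fall through to whatever rules follow; the jump below is what a
    # generator would emit only when blocking is configured.
    chain pre-vm-in-option {
        meta protocol != arp ct state vmap { established : accept, related : accept }
        meta protocol arp accept
        jump block-conntrack-invalid
    }
}
```

The ruleset can be syntax-checked without loading it via `nft -c -f <file>`; the difference between the second and third chain is the point of the thread: with `invalid : accept` the guest's rules are bypassed for invalid traffic, with no `invalid` key they still get to evaluate it.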
