[pve-devel] [PATCH] firewall: resources: accept invalid ct state by default
Stefan Hanreich
s.hanreich at proxmox.com
Fri Nov 15 14:43:00 CET 2024
On 11/15/24 14:13, Stefan Hanreich wrote:
> I see two ways of solving this problem:
>
> * We introduce a knob at VM level that lets you decide whether to drop
> ct invalid traffic or not. (Invalid traffic would then still be
> evaluated by the firewall rules if it's allowed in principle, as is the
> case on host-level)
>
> * We apply the host-level setting to VMs as well.
The old firewall does it like this - so maybe we should do it here as well:
* drop invalid traffic in PVEFW-HOST-IN (= INPUT chain) regardless
of the setting
* drop invalid traffic on PVEFW-FORWARD (= FORWARD chain) if
allow_invalid is 0 (= default)
It's important not to accept it immediately, because then the rest of
the ruleset still gets evaluated, mitigating the blast radius of this
setting considerably.
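The ordering described above, as an added nftables illustration that is not part of the patch or of the pve-firewall / proxmox-firewall code bases: the table, chain names, hook setup and sample rules are assumptions chosen to mirror the old PVEFW-HOST-IN / PVEFW-FORWARD layout, not the project's actual generated ruleset. The point it shows is the difference between dropping invalid conntrack state (a decision) and leaving it unhandled (the rest of the chain still runs), versus accepting it outright, which would short-circuit every rule below.

```nft
# Added example, not project code. Chain names and rules are hypothetical.
table inet pve_example {
    chain host_in {
        # Corresponds to PVEFW-HOST-IN (INPUT): invalid state is always dropped,
        # independent of any allow_invalid setting, before user rules run.
        type filter hook input priority filter; policy drop;

        ct state invalid drop
        ct state established,related accept
        tcp dport 22 accept
    }

    chain forward {
        # Corresponds to PVEFW-FORWARD: the "ct state invalid drop" line is
        # emitted only when allow_invalid is 0 (the default). When the
        # setting is 1 the line is simply omitted; there is deliberately no
        # "ct state invalid accept" here, so invalid packets still have to
        # pass the remaining rules instead of bypassing them.
        type filter hook forward priority filter; policy drop;

        ct state invalid drop

        # Do NOT do this: placed first, it would accept every invalid packet
        # and none of the rules below would ever be evaluated for it.
        # ct state invalid accept

        ct state established,related accept
        ip saddr 10.0.0.0/24 tcp dport 443 accept
    }
}
```

To check the fragment for syntax errors without loading it, run `nft -c -f <file>`; to see what the kernel actually holds after loading, `nft list table inet pve_example`. When allow_invalid is 1 and the drop line is omitted, an invalid packet in `forward` still ends at `policy drop` unless a later rule explicitly matches it, which is exactly the "rest of the ruleset still gets evaluated" behaviour the message relies on.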