[pve-devel] [PATCH proxmox-ve-rs 1/3] firewall macros: fix macros using icmp protocol
Stefan Hanreich
s.hanreich at proxmox.com
Tue Feb 4 10:57:31 CET 2025
Macros containing rules for the ICMP protocol used dport instead of
icmp-type for specifying the type of ICMP messages. This is how
pve-firewall used to specify them, but the nftables firewall uses a
separate key for this in the macros. This caused all ICMP types to be
allowed instead of restricting them to the types specified in the
macro.
Signed-off-by: Stefan Hanreich <s.hanreich at proxmox.com>
---
proxmox-ve-config/resources/macros.json | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/proxmox-ve-config/resources/macros.json b/proxmox-ve-config/resources/macros.json
index 2fcc0fb..37032c0 100644
--- a/proxmox-ve-config/resources/macros.json
+++ b/proxmox-ve-config/resources/macros.json
@@ -478,19 +478,19 @@
"NeighborDiscovery": {
"code": [
{
- "dport": "nd-router-solicit",
+ "icmp-type": "nd-router-solicit",
"proto": "icmpv6"
},
{
- "dport": "nd-router-advert",
+ "icmp-type": "nd-router-advert",
"proto": "icmpv6"
},
{
- "dport": "nd-neighbor-solicit",
+ "icmp-type": "nd-neighbor-solicit",
"proto": "icmpv6"
},
{
- "dport": "nd-neighbor-advert",
+ "icmp-type": "nd-neighbor-advert",
"proto": "icmpv6"
}
],
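Review bot: in the four NeighborDiscovery entries the new `icmp-type` key sits next to `"proto": "icmpv6"`, so please confirm that the macro parser resolves names such as nd-router-solicit as ICMPv6 type names for this key. The commit message says the old `dport` key was accepted and left every ICMP type allowed, so it would also be worth having the parser reject `dport` on icmp/icmpv6 entries, so that a wrong key fails closed instead of open.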
@@ -577,7 +577,7 @@
"Ping": {
"code": [
{
- "dport": "echo-request",
+ "icmp-type": "echo-request",
"proto": "icmp"
}
],
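Review bot: a note on the user-visible behaviour change is missing for the Ping macro. Per the commit message, rules using it have been allowing all ICMP types, and with `"icmp-type": "echo-request"` in effect anything other than echo-request that was passing only because of this macro will now be dropped. Please call that out in the commit message or changelog so the tightening is not mistaken for a regression.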
@@ -856,7 +856,7 @@
"proto": "udp"
},
{
- "dport": "echo-request",
+ "icmp-type": "echo-request",
"proto": "icmp"
}
],
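Review bot: this is the third macro in the file with the same `dport` plus `"proto": "icmp"` mistake, and nothing in this patch prevents it from recurring. A test that walks every entry in macros.json and fails when an icmp or icmpv6 entry carries `dport` would catch it. The macro name is outside the hunk context here, so listing the affected macros in the commit message would also help.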
--
2.39.5