[pve-devel] [PATCH proxmox-firewall 3/4] security groups: skip in forward chain when interface is specified
Hannes Dürr
h.duerr at proxmox.com
Fri Jan 24 15:35:03 CET 2025
Tested this:
* enable nftables firewall
* create a security group
* insert the security group to host firewall with interface vmbr0
* enable vm firewall
* insert the security group to vm firewall with interface net0
* check for errors with journalctl -f
no more errors occur, please consider this
Tested-by: Hannes Duerr <h.duerr at proxmox.com>
On 1/23/25 11:12, Stefan Hanreich wrote:
> Security groups can be bound to a specific interface. The notion of
> this breaks down when considering the forward direction, since there
> are two interfaces involved: incoming and outgoing, which can be
> different depending on the kind of traffic.
>
> With the current implementation, the firewall refuses to generate
> rulesets with security groups that are bound to specific interfaces.
> Check for this case explicitly and skip creating rules in the forward
> chain when a security group bound to a specific interface is
> encountered.
>
> Signed-off-by: Stefan Hanreich <s.hanreich at proxmox.com>
> ---
> proxmox-firewall/src/rule.rs | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/proxmox-firewall/src/rule.rs b/proxmox-firewall/src/rule.rs
> index b20a9c5..14ee544 100644
> --- a/proxmox-firewall/src/rule.rs
> +++ b/proxmox-firewall/src/rule.rs
> @@ -201,6 +201,10 @@ fn handle_iface(rules: &mut [NftRule], env: &NftRuleEnv, name: &str) -> Result<(
>
> impl ToNftRules for RuleGroup {
> fn to_nft_rules(&self, rules: &mut Vec<NftRule>, env: &NftRuleEnv) -> Result<(), Error> {
> + if env.direction == Direction::Forward && self.iface().is_some() {
> + return Ok(());
> + }
> +
> let chain_name = format!("group-{}-{}", self.group(), env.direction);
>
> rules.push(NftRule::new(Statement::jump(chain_name)));
More information about the pve-devel
mailing list