[PVE-User] Datacenter firewall rules vs Subnet Router Anycast Address ping

Gilles Pietri contact+dev at gilouweb.com
Thu Apr 2 04:10:29 CEST 2020


We stumbled upon an issue with IPv6, Subnet router anycast addresses,
and Proxmox firewall. We fought to get to the bottom of it.

Situation: we have a router, configured with a subnet router anycast
address, let's say the router is A::1/64 and the anycast address is A::/64

We have a VM in a bridge, connected to that router, address A::2.

We want A::2 to ping A::, and in return, A::1 will reply, with that
source address. We get:
A::2 echo request to A::
A::1 echo reply to A::2

If we enable the Datacenter firewall, this rule:
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP

will kill that packet, as the source address does not match the original
destination, and that's to be expected.

We can ask the router to reply using the anycast address, but if we do
that, we lose the information we'd like to keep: the source IP on the
router's side.

The VM or CT itself has the firewall disabled, and so has the host
hosting them.

So questions!

A) Is it expected that such a rule be enabled for VM bridges, when
firewall is disabled for the VM?

It is so now, and it's not exactly a happy situation: enabling the
firewall on the datacenter/hosts is not exactly supposed to have an
impact on the VMs, is it? My guess is it's not easy to distinguish that
path from any other, but that's not clear in the doc.

B) Can we plug ourselves in somewhere to have a rule like:
-I PVEFW-FORWARD -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
included BEFORE the --ctstate INVALID one?

I don't see any way to do that in the chain, but I may be missing something.

C) Or can we have a specific option for IPv6 ICMP echo reply, but that
seems a bit specific.
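The following is an added example, not code from the post or from Proxmox: a small Python model of why the conntrack `--ctstate INVALID` rule drops the reply described above. It reproduces how nf_conntrack matches an ICMPv6 echo reply against the reversed tuple of the original request, using the constructed addresses A::, A::1 and A::2 from the post, and a two-rule stand-in for the PVEFW-FORWARD chain (a hypothetical early `echo-reply ACCEPT`, then the INVALID DROP) so the effect of rule ordering in question B can be checked offline.

```python
"""Model of conntrack state for the anycast echo reply (added example, not Proxmox code).

Addresses A::, A::1 and A::2 are the constructed values from the post.
The rule chain below is a simplified stand-in for PVEFW-FORWARD, not the real chain.
"""
import ipaddress
from dataclasses import dataclass

ECHO_REQUEST = 128  # ICMPv6 type numbers from RFC 4443
ECHO_REPLY = 129


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    icmp_type: int
    icmp_id: int


def _ip(addr: str) -> ipaddress.IPv6Address:
    # Normalise textual addresses so "A::" and "a::" compare equal.
    return ipaddress.IPv6Address(addr)


class Conntrack:
    """Tracks ICMPv6 echo flows by the (src, dst, id) tuple, as nf_conntrack does for ICMP."""

    def __init__(self) -> None:
        self.flows: set = set()

    def state(self, pkt: Packet) -> str:
        orig = (_ip(pkt.src), _ip(pkt.dst), pkt.icmp_id)
        if pkt.icmp_type == ECHO_REQUEST:
            if orig in self.flows:
                return "ESTABLISHED"
            self.flows.add(orig)  # a new request creates the tracked flow
            return "NEW"
        if pkt.icmp_type == ECHO_REPLY:
            # A reply matches only the reverse of an existing request tuple:
            # its source must equal the request's *destination*. A reply sent
            # from A::1 to a request addressed to A:: therefore never matches.
            reverse = (_ip(pkt.dst), _ip(pkt.src), pkt.icmp_id)
            return "ESTABLISHED" if reverse in self.flows else "INVALID"
        return "INVALID"


def chain_verdict(state: str, pkt: Packet, accept_echo_reply_first: bool) -> str:
    """Walk a two-rule forward chain: optional early echo-reply ACCEPT, then the INVALID DROP."""
    if accept_echo_reply_first and pkt.icmp_type == ECHO_REPLY:
        return "ACCEPT"  # hypothetical rule inserted BEFORE the --ctstate INVALID one
    if state == "INVALID":
        return "DROP"  # -A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
    return "ACCEPT"


def anycast_exchange(accept_echo_reply_first: bool = False) -> list:
    """Replay the exchange from the post and return (label, conntrack state, verdict) per packet."""
    ct = Conntrack()
    packets = [
        ("echo request A::2 -> A::", Packet("a::2", "a::", ECHO_REQUEST, 0x1234)),
        ("echo reply from A::1", Packet("a::1", "a::2", ECHO_REPLY, 0x1234)),
        ("echo reply from A::", Packet("a::", "a::2", ECHO_REPLY, 0x1234)),
    ]
    results = []
    for label, pkt in packets:
        state = ct.state(pkt)  # conntrack classifies before the filter rules run
        results.append((label, state, chain_verdict(state, pkt, accept_echo_reply_first)))
    return results


if __name__ == "__main__":
    for accept_first in (False, True):
        print(f"echo-reply ACCEPT before INVALID DROP: {accept_first}")
        for label, state, verdict in anycast_exchange(accept_first):
            print(f"  {label:28} state={state:11} verdict={verdict}")
```

The model shows the two outcomes the post describes: the reply from A::1 is INVALID and dropped, while a reply sourced from the anycast address A:: matches the flow and passes. With the early echo-reply ACCEPT, the A::1 reply is still classified INVALID by conntrack (it creates no flow entry) but reaches the VM; note that such a rule also admits any unsolicited echo reply crossing the bridge, so it trades conntrack's protection for the anycast information the post wants to keep.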
