[pve-devel] [PATCH proxmox-firewall 1/1] service: flush firewall rules on force disable

[pve-devel] [PATCH proxmox-firewall 1/1] service: flush firewall rules on force disable

[Stefan Hanreich]

When disabling the nftables firewall again, there is a race condition
where the nftables ruleset never gets flushed and persists after
disabling. In practice this almost never happens due to pve-firewall
running every 10 seconds, and proxmox-firewall running every 5
seconds, so the proxmox-firewall main loop almost always runs at least
once before the force disable file gets created and flushes the
ruleset.

Reported-by: Hannes Laimer <h.laimer@proxmox.com>
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
---
 proxmox-firewall/src/bin/proxmox-firewall.rs | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/proxmox-firewall/src/bin/proxmox-firewall.rs b/proxmox-firewall/src/bin/proxmox-firewall.rs
index f7e816e..5133cbf 100644
--- a/proxmox-firewall/src/bin/proxmox-firewall.rs
+++ b/proxmox-firewall/src/bin/proxmox-firewall.rs
@@ -91,6 +91,10 @@ fn main() -> Result<(), std::io::Error> {
 
     while !term.load(Ordering::Relaxed) {
         if force_disable_flag.exists() {
+            if let Err(error) = remove_firewall() {
+                log::error!("unable to disable firewall: {error:#}");
+            }
+
             std::thread::sleep(Duration::from_secs(5));
             continue;
         }
-- 
2.39.2


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

Re: [pve-devel] [PATCH proxmox-firewall 1/1] service: flush firewall rules on force disable

[Fabian Grünbichler]

Quoting Stefan Hanreich (2024-05-29 15:25:26)
> When disabling the nftables firewall again, there is a race condition
> where the nftables ruleset never gets flushed and persists after
> disabling. In practice this almost never happens due to pve-firewall
> running every 10 seconds, and proxmox-firewall running every 5
> seconds, so the proxmox-firewall main loop almost always runs at least
> once before the force disable file gets created and flushes the
> ruleset.

so if I understand this correctly, it should handle the following case:

proxmox-firewall runs and sets up NFT rules
user disables NFT
pve-firewall runs and sets up legacy rules and force disable file
proxmox-firewall runs and disables NFT rules

as opposed to the following sequence

proxmox-firewall runs and sets up NFT rules
user disables NFT
proxmox-firewall runs and disables NFT rules
pve-firewall runs and sets up legacy rules and force disable file

which is already handled..

I don't see why the first cast should "almost never happen", just because the
loops have a different period - it all comes down to alignment of the periods
and timing of the user action?

in other words, you have a sequence

0:    N
5:    N
5+X:  L
10:   N
15:   N
15+X: L
20:   N
25:   N
25+X: L

where the gap between N and N is 5 seconds, and the gap between N and L and L
and N together is also 5 seconds. on average (assuming random alignment of the
periods), there's an X=2.5s window (out of 10) that the user action must hit to
trigger the issue (in the gap between L and N, since X can be between 0 and
5s)?

FWIW, the change itself looks good to me, but the commit message might need
some adaptation ;)

> 
> Reported-by: Hannes Laimer <h.laimer@proxmox.com>
> Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
> ---
>  proxmox-firewall/src/bin/proxmox-firewall.rs | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/proxmox-firewall/src/bin/proxmox-firewall.rs b/proxmox-firewall/src/bin/proxmox-firewall.rs
> index f7e816e..5133cbf 100644
> --- a/proxmox-firewall/src/bin/proxmox-firewall.rs
> +++ b/proxmox-firewall/src/bin/proxmox-firewall.rs
> @@ -91,6 +91,10 @@ fn main() -> Result<(), std::io::Error> {
>  
>      while !term.load(Ordering::Relaxed) {
>          if force_disable_flag.exists() {
> +            if let Err(error) = remove_firewall() {
> +                log::error!("unable to disable firewall: {error:#}");
> +            }
> +
>              std::thread::sleep(Duration::from_secs(5));
>              continue;
>          }
> -- 
> 2.39.2
> 
> 
> _______________________________________________
> pve-devel mailing list
> pve-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
> 
>


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

Re: [pve-devel] [PATCH proxmox-firewall 1/1] service: flush firewall rules on force disable

[Stefan Hanreich]

On 7/4/24 12:49, Fabian Grünbichler wrote:
> so if I understand this correctly, it should handle the following case:
> 
> proxmox-firewall runs and sets up NFT rules
> user disables NFT
> pve-firewall runs and sets up legacy rules and force disable file
> proxmox-firewall runs and disables NFT rules
> 
> as opposed to the following sequence
> 
> proxmox-firewall runs and sets up NFT rules
> user disables NFT
> proxmox-firewall runs and disables NFT rules
> pve-firewall runs and sets up legacy rules and force disable file
> 
> which is already handled..

correct

> I don't see why the first cast should "almost never happen", just because the
> loops have a different period - it all comes down to alignment of the periods
> and timing of the user action?
> 
> in other words, you have a sequence
> 
> 0:    N
> 5:    N
> 5+X:  L
> 10:   N
> 15:   N
> 15+X: L
> 20:   N
> 25:   N
> 25+X: L
> 
> where the gap between N and N is 5 seconds, and the gap between N and L and L
> and N together is also 5 seconds. on average (assuming random alignment of the
> periods), there's an X=2.5s window (out of 10) that the user action must hit to
> trigger the issue (in the gap between L and N, since X can be between 0 and
> 5s)?
> 
> FWIW, the change itself looks good to me, but the commit message might need
> some adaptation ;)

You're correct, the reasoning in the commit message is wrong or at least
badly worded and I'll try to improve upon that in a v2. I guess it might
even be unnecessary to mention how often / rarely this can happen and
focus more on describing the race condition itself.


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

Re: [pve-devel] [PATCH proxmox-firewall 1/1] service: flush firewall rules on force disable

[Stefan Hanreich]

superseded by:
https://lists.proxmox.com/pipermail/pve-devel/2024-July/064439.html

On 5/29/24 15:25, Stefan Hanreich wrote:
> When disabling the nftables firewall again, there is a race condition
> where the nftables ruleset never gets flushed and persists after
> disabling. In practice this almost never happens due to pve-firewall
> running every 10 seconds, and proxmox-firewall running every 5
> seconds, so the proxmox-firewall main loop almost always runs at least
> once before the force disable file gets created and flushes the
> ruleset.
> 
> Reported-by: Hannes Laimer <h.laimer@proxmox.com>
> Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
> ---
>  proxmox-firewall/src/bin/proxmox-firewall.rs | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/proxmox-firewall/src/bin/proxmox-firewall.rs b/proxmox-firewall/src/bin/proxmox-firewall.rs
> index f7e816e..5133cbf 100644
> --- a/proxmox-firewall/src/bin/proxmox-firewall.rs
> +++ b/proxmox-firewall/src/bin/proxmox-firewall.rs
> @@ -91,6 +91,10 @@ fn main() -> Result<(), std::io::Error> {
>  
>      while !term.load(Ordering::Relaxed) {
>          if force_disable_flag.exists() {
> +            if let Err(error) = remove_firewall() {
> +                log::error!("unable to disable firewall: {error:#}");
> +            }
> +
>              std::thread::sleep(Duration::from_secs(5));
>              continue;
>          }


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel