From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id F21901FF15C for ; Fri, 5 Sep 2025 14:14:08 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id C84F213F17; Fri, 5 Sep 2025 14:14:23 +0200 (CEST) From: Stefan Hanreich To: pve-devel@lists.proxmox.com Date: Fri, 5 Sep 2025 14:13:47 +0200 Message-ID: <20250905121350.156467-1-s.hanreich@proxmox.com> X-Mailer: git-send-email 2.47.2 MIME-Version: 1.0 X-SPAM-LEVEL: Spam detection results: 0 AWL -0.185 Adjusted score from AWL reputation of 
From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment KAM_LAZY_DOMAIN_SECURITY 1 Sending domain does not have any anti-forgery methods RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RDNS_NONE 0.793 Delivered to internal network by a host with no rDNS SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_NONE 0.001 SPF: sender does not publish an SPF Record Subject: [pve-devel] [PATCH proxmox-firewall 1/1] vnet firewall: create chains in host table only if host fw is enabled X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox VE development discussion Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pve-devel-bounces@lists.proxmox.com Sender: "pve-devel" If the host firewall is not enabled, but the vnet firewall is enabled for at least one vnet, then the firewall tries to create the chains required for the vnet firewall in the cluster / host table, which is unnecessary. This leads to an error in the generated nftables ruleset, causing the firewall to not get applied. 
In order to fix this, skip generating the bridge chains in the inet table when the cluster/host firewall is disabled, since they're only required for managing the traffic flowing from host <-> bridge ports. If the host firewall is disabled, then we do not need to create rules for traffic from host <-> bridge port in the first place. Signed-off-by: Stefan Hanreich --- proxmox-firewall/src/firewall.rs | 110 +++++++++++++++++-------------- 1 file changed, 59 insertions(+), 51 deletions(-) diff --git a/proxmox-firewall/src/firewall.rs b/proxmox-firewall/src/firewall.rs index 8cac190..02f31d4 100644 --- a/proxmox-firewall/src/firewall.rs +++ b/proxmox-firewall/src/firewall.rs @@ -355,7 +355,16 @@ impl Firewall { } for (bridge_name, bridge_config) in enabled_bridges { - self.create_bridge_chain(&mut commands, bridge_name, bridge_config)?; + self.create_bridge_chain(&mut commands, &guest_table, bridge_name, bridge_config)?; + + if self.config.host().is_enabled() { + self.create_bridge_chain( + &mut commands, + &cluster_host_table, + bridge_name, + bridge_config, + )?; + } } Ok(commands) 
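Review bot: The host-table chain is gated on `self.config.host().is_enabled()` alone, while the commit message talks about the cluster/host firewall being disabled; if `host().is_enabled()` does not already fold in the cluster-level enable state, a cluster-off/host-on configuration would still emit bridge chains into `cluster_host_table`, so that is worth confirming against the config type. The asymmetry between the unconditional `&guest_table` call and the conditional `&cluster_host_table` call is not explained in the code, so add a comment above the `if`, e.g. `// Host-table bridge chains only carry host <-> bridge port traffic; with the host firewall off they are unnecessary and break the generated ruleset.` Neither `guest_table` nor `cluster_host_table` is defined in this hunk, and the enclosing function starts and ends outside it.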
@@ -364,70 +373,69 @@ impl Firewall { fn create_bridge_chain( &self, commands: &mut Commands, + table: &TablePart, name: &BridgeName, config: &BridgeConfig, ) -> Result<(), Error> { - for table in [Self::host_table(), Self::guest_table()] { - log::info!("creating bridge chain {name} in table {}", table.table()); + log::info!("creating bridge chain {name} in table {}", table.table()); - let chain = Self::bridge_chain(table.clone(), name); + let chain = Self::bridge_chain(table.clone(), name); - commands.append(&mut vec![ - Add::chain(chain.clone()), - Flush::chain(chain.clone()), - Add::rule(AddRule::from_statement( - chain.clone(), - Statement::jump("before-bridge"), - )), - ]); + commands.append(&mut vec![ + Add::chain(chain.clone()), + Flush::chain(chain.clone()), + Add::rule(AddRule::from_statement( + chain.clone(), + Statement::jump("before-bridge"), + )), + ]); - let env = NftRuleEnv { - chain: chain.clone(), - direction: Direction::Forward, - firewall_config: &self.config, - vmid: None, - }; + let env = NftRuleEnv { + chain: chain.clone(), + direction: Direction::Forward, + firewall_config: &self.config, + vmid: None, + }; - for config_rule in config.rules() { - for rule in NftRule::from_config_rule(config_rule, &env)? { - commands.push(Add::rule(rule.into_add_rule(chain.clone()))); - } + for config_rule in config.rules() { + for rule in NftRule::from_config_rule(config_rule, &env)? 
{ + commands.push(Add::rule(rule.into_add_rule(chain.clone()))); } + } - let default_policy = config.policy_forward(); + let default_policy = config.policy_forward(); - self.create_log_rule( - commands, - config.log_level_forward(), - chain.clone(), - default_policy, - None, - )?; + self.create_log_rule( + commands, + config.log_level_forward(), + chain.clone(), + default_policy, + None, + )?; - commands.push(Add::rule(AddRule::from_statement( - chain.clone(), - default_policy, - ))); + commands.push(Add::rule(AddRule::from_statement( + chain.clone(), + default_policy, + ))); - let key = if table == Self::host_table() { - name.into() - } else { - Expression::concat([name.into(), name.into()]) - }; + let key = if table == &Self::host_table() { + name.into() + } else { + Expression::concat([name.into(), name.into()]) + }; - let map_element = AddElement::map_from_expressions( - Self::bridge_vmap(table), - [( - key, - MapValue::from(Verdict::Jump { - target: chain.name().to_string(), - }), - )] - .to_vec(), - ); + let map_element = AddElement::map_from_expressions( + Self::bridge_vmap(table.clone()), + [( + key, + MapValue::from(Verdict::Jump { + target: chain.name().to_string(), + }), + )] + .to_vec(), + ); - commands.push(Add::element(map_element)); - } + commands.push(Add::element(map_element)); Ok(()) } -- 2.47.2 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
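Review bot: Now that `table` is supplied by the caller, `create_bridge_chain` still infers the vmap key layout from `table == &Self::host_table()`; any caller passing a table that is not equal to `Self::host_table()` silently gets the `(name, name)` concat key, so the contract should be stated on the function with a doc comment along the lines of `/// Emits the forward chain for bridge `name` into `table` and registers it in that table's bridge vmap; `table` is expected to be `Self::host_table()` (bare bridge-name key) or `Self::guest_table()` (concatenated key).` The new parameter also deserves a `# Panics`/`# Errors`-style note only if one applies, which this hunk does not show. `Self::bridge_vmap(table.clone())` and `Self::bridge_chain(table.clone(), name)` clone the `TablePart` twice per call; if those helpers can take `&TablePart`, passing the reference through would avoid that, but their signatures are not visible here. The whole function body lies within this hunk.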