* [pve-devel] [PATCH proxmox-firewall v2 1/1] firewall: properly reject ipv6 traffic
From: Stefan Hanreich @ 2024-05-13 12:14 UTC (permalink / raw)
To: pve-devel
ICMPv6 has different message types for rejecting traffic. With ICMP we
used host-prohibited as rejection type, which doesn't exist in ICMPv6.
Add an additional rule for IPv6, so it uses admin-prohibited.
Additionally, add a terminal drop statement in order to prevent any
traffic that does not get matched from bypassing the reject chain.
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
---
Changes from v1 -> v2:
* add a terminal drop statement to prevent any unmatched traffic from
bypassing the reject chain
* properly match ICMPv6 traffic via l4proto
proxmox-firewall/resources/proxmox-firewall.nft | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/proxmox-firewall/resources/proxmox-firewall.nft b/proxmox-firewall/resources/proxmox-firewall.nft
index f36bf3b..f60f8b5 100644
--- a/proxmox-firewall/resources/proxmox-firewall.nft
+++ b/proxmox-firewall/resources/proxmox-firewall.nft
@@ -75,8 +75,10 @@ table inet proxmox-firewall {
ip saddr 224.0.0.0/4 drop
meta l4proto tcp reject with tcp reset
- meta l4proto icmp reject with icmp type port-unreachable
+ meta l4proto { icmp, ipv6-icmp } reject with icmpx type port-unreachable
reject with icmp type host-prohibited
+ reject with icmpv6 type admin-prohibited
+ drop
}
set v4-dc/management {
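Review bot: in this hunk's `table inet proxmox-firewall` chain the trailing `drop` is effectively unreachable: `reject with icmp type host-prohibited` only sees IPv4 and the new `reject with icmpv6 type admin-prohibited` only sees IPv6 (nft adds the family match implicitly), and the inet family carries nothing else, so every packet is already rejected by one of the two rules. It is harmless as a safety net, but the commit message reads as if it closes a real gap here; it would help to state that the gap exists only in the bridge-family copy of this chain. Also, now that the chain handles IPv6 explicitly, the pre-existing `ip saddr 224.0.0.0/4 drop` has no IPv6 counterpart; consider an `ip6 saddr ff00::/8 drop` next to it so both families skip the reject rules for packets with a multicast source.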
@@ -289,8 +291,10 @@ table bridge proxmox-firewall-guests {
ip saddr 224.0.0.0/4 drop
meta l4proto tcp reject with tcp reset
- meta l4proto icmp reject with icmp type port-unreachable
+ meta l4proto { icmp, ipv6-icmp } reject with icmpx type port-unreachable
reject with icmp type host-prohibited
+ reject with icmpv6 type admin-prohibited
+ drop
}
chain after-vm-in {
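Review bot: this copy of the chain lives in `table bridge proxmox-firewall-guests`, and here the new terminal `drop` is a behaviour change rather than a safety net: a bridge chain also sees non-IP frames (ARP, for example), none of the preceding `reject` rules match those, so they previously left this chain unmatched and are now silently discarded. If that is the intent, the commit message should say so, since it affects every rule that jumps to this chain; if not, an explicit `return` for non-IP ether types placed before the `drop` would preserve the old behaviour for them.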
--
2.39.2
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
* [pve-devel] applied: [PATCH proxmox-firewall v2 1/1] firewall: properly reject ipv6 traffic
From: Thomas Lamprecht @ 2024-05-21 13:46 UTC (permalink / raw)
To: Proxmox VE development discussion, Stefan Hanreich
On 13/05/2024 at 14:14, Stefan Hanreich wrote:
> ICMPv6 has different message types for rejecting traffic. With ICMP we
> used host-prohibited as rejection type, which doesn't exist in ICMPv6.
> Add an additional rule for IPv6, so it uses admin-prohibited.
>
> Additionally, add a terminal drop statement in order to prevent any
> traffic that does not get matched from bypassing the reject chain.
>
> Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
> ---
> Changes from v1 -> v2:
> * add a terminal drop statement to prevent any unmatched traffic from
> bypassing the reject chain
> * properly match ICMPv6 traffic via l4proto
>
> proxmox-firewall/resources/proxmox-firewall.nft | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
>
>
applied, with an updated commit subject (as per our guideline[0], using the
"firewall" tag inside a repo that has "firewall" already in the name is not
really adding much), thanks!
[0]: https://pve.proxmox.com/wiki/Developer_Documentation#Commits_and_Commit_Messages