[pve-devel] [PATCH proxmox-firewall 1/1] service: flush firewall rules on force disable

public inbox for pve-devel@lists.proxmox.com
 help / color / mirror / Atom feed

* [pve-devel] [PATCH proxmox-firewall 1/1] service: flush firewall rules on force disable
@ 2024-05-29 13:25 Stefan Hanreich
  2024-07-04 10:49 ` Fabian Grünbichler
  2024-07-04 12:37 ` Stefan Hanreich
  0 siblings, 2 replies; 4+ messages in thread
From: Stefan Hanreich @ 2024-05-29 13:25 UTC (permalink / raw)
  To: pve-devel

When disabling the nftables firewall again, there is a race condition
where the nftables ruleset never gets flushed and persists after
disabling. In practice this almost never happens due to pve-firewall
running every 10 seconds, and proxmox-firewall running every 5
seconds, so the proxmox-firewall main loop almost always runs at least
once before the force disable file gets created and flushes the
ruleset.

Reported-by: Hannes Laimer <h.laimer@proxmox.com>
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
---
 proxmox-firewall/src/bin/proxmox-firewall.rs | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/proxmox-firewall/src/bin/proxmox-firewall.rs b/proxmox-firewall/src/bin/proxmox-firewall.rs
index f7e816e..5133cbf 100644
--- a/proxmox-firewall/src/bin/proxmox-firewall.rs
+++ b/proxmox-firewall/src/bin/proxmox-firewall.rs
@@ -91,6 +91,10 @@ fn main() -> Result<(), std::io::Error> {
 
     while !term.load(Ordering::Relaxed) {
         if force_disable_flag.exists() {
+            if let Err(error) = remove_firewall() {
+                log::error!("unable to disable firewall: {error:#}");
+            }
+
             std::thread::sleep(Duration::from_secs(5));
             continue;
         }
-- 
2.39.2


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [pve-devel] [PATCH proxmox-firewall 1/1] service: flush firewall rules on force disable
  2024-05-29 13:25 [pve-devel] [PATCH proxmox-firewall 1/1] service: flush firewall rules on force disable Stefan Hanreich
@ 2024-07-04 10:49 ` Fabian Grünbichler
  2024-07-04 12:06   ` Stefan Hanreich
  2024-07-04 12:37 ` Stefan Hanreich
  1 sibling, 1 reply; 4+ messages in thread
From: Fabian Grünbichler @ 2024-07-04 10:49 UTC (permalink / raw)
  To: Proxmox VE development discussion

Quoting Stefan Hanreich (2024-05-29 15:25:26)
> When disabling the nftables firewall again, there is a race condition
> where the nftables ruleset never gets flushed and persists after
> disabling. In practice this almost never happens due to pve-firewall
> running every 10 seconds, and proxmox-firewall running every 5
> seconds, so the proxmox-firewall main loop almost always runs at least
> once before the force disable file gets created and flushes the
> ruleset.

so if I understand this correctly, it should handle the following case:

proxmox-firewall runs and sets up NFT rules
user disables NFT
pve-firewall runs and sets up legacy rules and force disable file
proxmox-firewall runs and disables NFT rules

as opposed to the following sequence

proxmox-firewall runs and sets up NFT rules
user disables NFT
proxmox-firewall runs and disables NFT rules
pve-firewall runs and sets up legacy rules and force disable file

which is already handled..

I don't see why the first cast should "almost never happen", just because the
loops have a different period - it all comes down to alignment of the periods
and timing of the user action?

in other words, you have a sequence

0:    N
5:    N
5+X:  L
10:   N
15:   N
15+X: L
20:   N
25:   N
25+X: L

where the gap between N and N is 5 seconds, and the gap between N and L and L
and N together is also 5 seconds. on average (assuming random alignment of the
periods), there's an X=2.5s window (out of 10) that the user action must hit to
trigger the issue (in the gap between L and N, since X can be between 0 and
5s)?

FWIW, the change itself looks good to me, but the commit message might need
some adaptation ;)

> 
> Reported-by: Hannes Laimer <h.laimer@proxmox.com>
> Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
> ---
>  proxmox-firewall/src/bin/proxmox-firewall.rs | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/proxmox-firewall/src/bin/proxmox-firewall.rs b/proxmox-firewall/src/bin/proxmox-firewall.rs
> index f7e816e..5133cbf 100644
> --- a/proxmox-firewall/src/bin/proxmox-firewall.rs
> +++ b/proxmox-firewall/src/bin/proxmox-firewall.rs
> @@ -91,6 +91,10 @@ fn main() -> Result<(), std::io::Error> {
>  
>      while !term.load(Ordering::Relaxed) {
>          if force_disable_flag.exists() {
> +            if let Err(error) = remove_firewall() {
> +                log::error!("unable to disable firewall: {error:#}");
> +            }
> +
>              std::thread::sleep(Duration::from_secs(5));
>              continue;
>          }
> -- 
> 2.39.2
> 
> 
> _______________________________________________
> pve-devel mailing list
> pve-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
> 
>


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [pve-devel] [PATCH proxmox-firewall 1/1] service: flush firewall rules on force disable
  2024-07-04 10:49 ` Fabian Grünbichler
@ 2024-07-04 12:06   ` Stefan Hanreich
  0 siblings, 0 replies; 4+ messages in thread
From: Stefan Hanreich @ 2024-07-04 12:06 UTC (permalink / raw)
  To: Proxmox VE development discussion, Fabian Grünbichler



On 7/4/24 12:49, Fabian Grünbichler wrote:
> so if I understand this correctly, it should handle the following case:
> 
> proxmox-firewall runs and sets up NFT rules
> user disables NFT
> pve-firewall runs and sets up legacy rules and force disable file
> proxmox-firewall runs and disables NFT rules
> 
> as opposed to the following sequence
> 
> proxmox-firewall runs and sets up NFT rules
> user disables NFT
> proxmox-firewall runs and disables NFT rules
> pve-firewall runs and sets up legacy rules and force disable file
> 
> which is already handled..

correct

> I don't see why the first cast should "almost never happen", just because the
> loops have a different period - it all comes down to alignment of the periods
> and timing of the user action?
> 
> in other words, you have a sequence
> 
> 0:    N
> 5:    N
> 5+X:  L
> 10:   N
> 15:   N
> 15+X: L
> 20:   N
> 25:   N
> 25+X: L
> 
> where the gap between N and N is 5 seconds, and the gap between N and L and L
> and N together is also 5 seconds. on average (assuming random alignment of the
> periods), there's an X=2.5s window (out of 10) that the user action must hit to
> trigger the issue (in the gap between L and N, since X can be between 0 and
> 5s)?
> 
> FWIW, the change itself looks good to me, but the commit message might need
> some adaptation ;)

You're correct, the reasoning in the commit message is wrong or at least
badly worded and I'll try to improve upon that in a v2. I guess it might
even be unnecessary to mention how often / rarely this can happen and
focus more on describing the race condition itself.


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [pve-devel] [PATCH proxmox-firewall 1/1] service: flush firewall rules on force disable
  2024-05-29 13:25 [pve-devel] [PATCH proxmox-firewall 1/1] service: flush firewall rules on force disable Stefan Hanreich
  2024-07-04 10:49 ` Fabian Grünbichler
@ 2024-07-04 12:37 ` Stefan Hanreich
  1 sibling, 0 replies; 4+ messages in thread
From: Stefan Hanreich @ 2024-07-04 12:37 UTC (permalink / raw)
  To: pve-devel

superseded by:
https://lists.proxmox.com/pipermail/pve-devel/2024-July/064439.html

On 5/29/24 15:25, Stefan Hanreich wrote:
> When disabling the nftables firewall again, there is a race condition
> where the nftables ruleset never gets flushed and persists after
> disabling. In practice this almost never happens due to pve-firewall
> running every 10 seconds, and proxmox-firewall running every 5
> seconds, so the proxmox-firewall main loop almost always runs at least
> once before the force disable file gets created and flushes the
> ruleset.
> 
> Reported-by: Hannes Laimer <h.laimer@proxmox.com>
> Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
> ---
>  proxmox-firewall/src/bin/proxmox-firewall.rs | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/proxmox-firewall/src/bin/proxmox-firewall.rs b/proxmox-firewall/src/bin/proxmox-firewall.rs
> index f7e816e..5133cbf 100644
> --- a/proxmox-firewall/src/bin/proxmox-firewall.rs
> +++ b/proxmox-firewall/src/bin/proxmox-firewall.rs
> @@ -91,6 +91,10 @@ fn main() -> Result<(), std::io::Error> {
>  
>      while !term.load(Ordering::Relaxed) {
>          if force_disable_flag.exists() {
> +            if let Err(error) = remove_firewall() {
> +                log::error!("unable to disable firewall: {error:#}");
> +            }
> +
>              std::thread::sleep(Duration::from_secs(5));
>              continue;
>          }


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel


^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2024-07-04 12:37 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-05-29 13:25 [pve-devel] [PATCH proxmox-firewall 1/1] service: flush firewall rules on force disable Stefan Hanreich
2024-07-04 10:49 ` Fabian Grünbichler
2024-07-04 12:06   ` Stefan Hanreich
2024-07-04 12:37 ` Stefan Hanreich

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox

Service provided by Proxmox Server Solutions GmbH | Privacy | Legal