From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id 14A071FF348 for ; Wed, 17 Apr 2024 16:03:30 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 8D331989E; Wed, 17 Apr 2024 16:03:27 +0200 (CEST) From: Stefan Hanreich To: pve-devel@lists.proxmox.com Date: Wed, 17 Apr 2024 15:53:59 +0200 Message-Id: <20240417135404.573490-35-s.hanreich@proxmox.com> X-Mailer: git-send-email 2.39.2 In-Reply-To: <20240417135404.573490-1-s.hanreich@proxmox.com> References: <20240417135404.573490-1-s.hanreich@proxmox.com> MIME-Version: 1.0 X-SPAM-LEVEL: Spam detection results: 0 AWL -0.309 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment KAM_LAZY_DOMAIN_SECURITY 1 Sending domain does not have any anti-forgery methods RDNS_NONE 0.793 Delivered to internal network by a host with no rDNS SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_NONE 0.001 SPF: sender does not publish an SPF Record X-Mailman-Approved-At: Wed, 17 Apr 2024 16:03:25 +0200 Subject: [pve-devel] [PATCH proxmox-firewall v2 34/39] firewall: add integration test X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox VE development discussion Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pve-devel-bounces@lists.proxmox.com Sender: "pve-devel" 
Signed-off-by: Stefan Hanreich
---
 .gitignore | 1 +
 debian/control | 1 +
 proxmox-firewall/Cargo.toml | 4 +
 proxmox-firewall/src/lib.rs | 4 +
 proxmox-firewall/tests/input/100.conf | 10 +
 proxmox-firewall/tests/input/100.fw | 22 +
 proxmox-firewall/tests/input/101.conf | 11 +
 proxmox-firewall/tests/input/101.fw | 19 +
 proxmox-firewall/tests/input/chains.json | 1 +
 proxmox-firewall/tests/input/cluster.fw | 26 +
 proxmox-firewall/tests/input/host.fw | 23 +
 proxmox-firewall/tests/integration_tests.rs | 90 +
 .../integration_tests__firewall.snap | 3530 +++++++++++++++++
 13 files changed, 3742 insertions(+)
 create mode 100644 proxmox-firewall/src/lib.rs
 create mode 100644 proxmox-firewall/tests/input/100.conf
 create mode 100644 proxmox-firewall/tests/input/100.fw
 create mode 100644 proxmox-firewall/tests/input/101.conf
 create mode 100644 proxmox-firewall/tests/input/101.fw
 create mode 100644 proxmox-firewall/tests/input/chains.json
 create mode 100644 proxmox-firewall/tests/input/cluster.fw
 create mode 100644 proxmox-firewall/tests/input/host.fw
 create mode 100644 proxmox-firewall/tests/integration_tests.rs
 create mode 100644 proxmox-firewall/tests/snapshots/integration_tests__firewall.snap
diff --git a/.gitignore b/.gitignore
index 90749ee..c5474ef 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,3 +7,4 @@ proxmox-firewall-*/
 *.build
 *.buildinfo
 *.changes
+*.snap.new
diff --git a/debian/control b/debian/control
index fe9467b..174375e 100644
--- a/debian/control
+++ b/debian/control
@@ -19,6 +19,7 @@ Build-Depends: cargo:native,
 librust-serde-with+default-dev,
 librust-libc-0.2+default-dev,
 librust-proxmox-schema-3+default-dev,
+ librust-insta-dev,
 libstd-rust-dev,
 netbase,
 python3,
diff --git a/proxmox-firewall/Cargo.toml b/proxmox-firewall/Cargo.toml
index 1e6a4b8..686aa16 100644
--- a/proxmox-firewall/Cargo.toml
+++ b/proxmox-firewall/Cargo.toml
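Review bot: The new build-dependency `librust-insta-dev` in the debian/control hunk carries neither a semver nor a feature qualifier, while every neighbouring rust entry does (`librust-libc-0.2+default-dev`, `librust-proxmox-schema-3+default-dev`) and the Cargo.toml hunk that follows requires `insta` 1.21 with the `json` feature. Following the naming pattern of the surrounding entries this would read something like `librust-insta-1+json-dev` (constructed from that pattern; the actual Debian package name needs checking), so the packaged build actually gets the feature the test macro relies on. The same Cargo.toml hunk also adds `proxmox-sys = "0.5.3"` as a dev-dependency, but no matching `librust-proxmox-sys-…-dev` entry is added here; unless it is already listed outside the hunk or pulled in transitively, `cargo test` during the Debian build would presumably fail to resolve it.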
@@ -20,3 +20,7 @@ serde_json = "1"
 proxmox-nftables = { path = "../proxmox-nftables", features = ["config-ext"] }
 proxmox-ve-config = { path = "../proxmox-ve-config" }
+
+[dev-dependencies]
+insta = { version = "1.21", features = ["json"] }
+proxmox-sys = "0.5.3"
diff --git a/proxmox-firewall/src/lib.rs b/proxmox-firewall/src/lib.rs
new file mode 100644
index 0000000..c4b037a
--- /dev/null
+++ b/proxmox-firewall/src/lib.rs
@@ -0,0 +1,4 @@
+pub mod config;
+pub mod firewall;
+pub mod object;
+pub mod rule;
diff --git a/proxmox-firewall/tests/input/100.conf b/proxmox-firewall/tests/input/100.conf
new file mode 100644
index 0000000..495f899
--- /dev/null
+++ b/proxmox-firewall/tests/input/100.conf
@@ -0,0 +1,10 @@
+arch: amd64
+cores: 1
+features: nesting=1
+hostname: host1
+memory: 512
+net1: name=eth0,bridge=simple1,firewall=1,hwaddr=BC:24:11:4D:B0:FF,ip=dhcp,ip6=fd80::1234/64,type=veth
+ostype: debian
+rootfs: local-lvm:vm-90001-disk-0,size=2G
+swap: 512
+unprivileged: 1
diff --git a/proxmox-firewall/tests/input/100.fw b/proxmox-firewall/tests/input/100.fw
new file mode 100644
index 0000000..6cf9fff
--- /dev/null
+++ b/proxmox-firewall/tests/input/100.fw
@@ -0,0 +1,22 @@
+[OPTIONS]
+
+enable: 1
+ndp: 1
+ipfilter: 1
+dhcp: 1
+log_level_in: crit
+log_level_out: alert
+policy_in: DROP
+policy_out: REJECT
+macfilter: 0
+
+[IPSET ipfilter-net1]
+
+dc/network1
+
+[RULES]
+
+GROUP network1 -i net1
+IN ACCEPT -source 192.168.0.1/24,127.0.0.1-127.255.255.0,172.16.0.1 -dport 123,222:333 -sport http -p tcp
+IN DROP --icmp-type echo-request --proto icmp --log info
+
diff --git a/proxmox-firewall/tests/input/101.conf b/proxmox-firewall/tests/input/101.conf
new file mode 100644
index 0000000..394e2e4
--- /dev/null
+++ b/proxmox-firewall/tests/input/101.conf
@@ -0,0 +1,11 @@
+boot: order=ide2
+cores: 2
+cpu: x86-64-v2-AES
+memory: 2048
+meta: creation-qemu=8.1.5,ctime=1712322773
+numa: 0
+ostype: l26
+scsihw: virtio-scsi-single
+smbios1: uuid=78ec7794-78f7-4c03-bf08-18b0000721a6
+sockets: 1
+vmgenid: ec7d4834-cd0a-4376-9c1d-af8a82da8d54
diff --git a/proxmox-firewall/tests/input/101.fw b/proxmox-firewall/tests/input/101.fw
new file mode 100644
index 0000000..c77cb5a
--- /dev/null
+++ b/proxmox-firewall/tests/input/101.fw
@@ -0,0 +1,19 @@
+[OPTIONS]
+
+ndp: 0
+enable: 1
+dhcp: 1
+radv: 0
+policy_out: ACCEPT
+
+[ALIASES]
+
+analias 123.123.123.123
+
+[IPSET testing]
+
+
+[RULES]
+
+IN ACCEPT -source guest/analias -dest dc/network2 -log nolog
+
diff --git a/proxmox-firewall/tests/input/chains.json b/proxmox-firewall/tests/input/chains.json
new file mode 100644
index 0000000..327c295
--- /dev/null
+++ b/proxmox-firewall/tests/input/chains.json
@@ -0,0 +1 @@ +{"nftables": [{"metainfo": {"version": "1.0.6", "release_name": "Lester Gooch #5", "json_schema_version": 1}}, {"chain": {"family": "inet", "table": "proxmox-firewall", "name": "do-reject", "handle": 1}}, {"chain": {"family": "inet", "table": "proxmox-firewall", "name": "accept-management", "handle": 2}}, {"chain": {"family": "inet", "table": "proxmox-firewall", "name": "block-synflood", "handle": 3}}, {"chain": {"family": "inet", "table": "proxmox-firewall", "name": "log-drop-invalid-tcp", "handle": 4}}, {"chain": {"family": "inet", "table": "proxmox-firewall", "name": "block-invalid-tcp", "handle": 5}}, {"chain": {"family": "inet", "table": "proxmox-firewall", "name": "allow-ndp-in", "handle": 6}}, {"chain": {"family": "inet", "table": "proxmox-firewall", "name": "block-ndp-in", "handle": 7}}, {"chain": {"family": "inet", "table": "proxmox-firewall", "name": "allow-ndp-out", "handle": 8}}, {"chain": {"family": "inet", "table": "proxmox-firewall", "name": "block-ndp-out", "handle": 9}}, {"chain": {"family": "inet", "table": "proxmox-firewall", "name": "block-conntrack-invalid", "handle": 10}}, {"chain": {"family": "inet", "table": "proxmox-firewall", "name": "block-smurfs", "handle": 11}}, {"chain": {"family": "inet", "table": "proxmox-firewall", "name": "log-drop-smurfs", "handle": 12}}, {"chain": {"family": "inet", "table": "proxmox-firewall", "name": "default-in", "handle": 13}}, {"chain": {"family": "inet", "table": "proxmox-firewall", "name": "default-out", "handle": 14}}, {"chain": {"family": "inet", "table": "proxmox-firewall", "name": "input", "handle": 15, "type": "filter", "hook": "input", "prio": 0, "policy": "accept"}}, {"chain": {"family": "inet", "table": "proxmox-firewall", "name": "output", "handle": 16, "type": "filter", "hook": "output", "prio": 0, "policy": "accept"}}, {"chain": {"family": "inet", "table": "proxmox-firewall", "name": "ratelimit-synflood", "handle": 17}}, {"chain": {"family": "inet", "table": "proxmox-firewall", 
"name": "log -invalid-tcp", "handle": 18}}, {"chain": {"family": "inet", "table": "proxmox-firewall", "name": "log-smurfs", "handle": 19}}, {"chain": {"family": "inet", "table": "proxmox-firewall", "name": "option-in", "handle": 20}}, {"chain": {"family": "inet", "table": "proxmox-firewall", "name": "option-out", "handle": 21}}, {"chain": {"family": "inet", "table": "proxmox-firewall", "name": "cluster-in", "handle": 22}}, {"chain": {"family": "inet", "table": "proxmox-firewall", "name": "cluster-out", "handle": 23}}, {"chain": {"family": "inet", "table": "proxmox-firewall", "name": "host-in", "handle": 24}}, {"chain": {"family": "inet", "table": "proxmox-firewall", "name": "host-out", "handle": 25}}, {"chain": {"family": "inet", "table": "proxmox-firewall", "name": "ct-in", "handle": 26}}, {"chain": {"family": "inet", "table": "proxmox-firewall", "name": "group-network1-in", "handle": 95}}, {"chain": {"family": "inet", "table": "proxmox-firewall", "name": "group-network1-out", "handle": 97}}, { "chain": {"family": "bridge", "table": "proxmox-firewall-guests", "name": "allow-dhcp-in", "handle": 1}}, {"chain": {"family": "bridge", "table": "proxmox-firewall-guests", "name": "allow-dhcp-out", "handle": 2}}, {"chain": {"family": "bridge", "table": "proxmox-firewall-guests", "name": "block-dhcp-in", "handle": 3}}, {"chain": {"family": "bridge", "table": "proxmox-firewall-guests", "name": "block-dhcp-out", "handle": 4}}, {"chain": {"family": "bridge", "table": "proxmox-firewall-guests", "name": "allow-ndp-in", "handle": 5}}, {"chain": {"family": "bridge", "table": "proxmox-firewall-guests", "name": "block-ndp-in", "handle": 6}}, {"chain": {"family": "bridge", "table": "proxmox-firewall-guests", "name": "allow-ndp-out", "handle": 7}}, {"chain": {"family": "bridge", "table": "proxmox-firewall-guests", "name": "block-ndp-out", "handle": 8}}, {"chain": {"family": "bridge", "table": "proxmox-firewall-guests", "name": "allow-ra-out", "handle": 9}}, {"chain": {"family": 
"bridge", "tabl e": "proxmox-firewall-guests", "name": "block-ra-out", "handle": 10}}, {"chain": {"family": "bridge", "table": "proxmox-firewall-guests", "name": "after-vm-in", "handle": 11}}, {"chain": {"family": "bridge", "table": "proxmox-firewall-guests", "name": "do-reject", "handle": 12}}, {"chain": {"family": "bridge", "table": "proxmox-firewall-guests", "name": "vm-out", "handle": 13, "type": "filter", "hook": "prerouting", "prio": 0, "policy": "accept"}}, {"chain": {"family": "bridge", "table": "proxmox-firewall-guests", "name": "vm-in", "handle": 14, "type": "filter", "hook": "postrouting", "prio": 0, "policy": "accept"}}, {"chain": {"family": "bridge", "table": "proxmox-firewall-guests", "name": "group-network1-in", "handle": 6138}}, {"chain": {"family": "bridge", "table": "proxmox-firewall-guests", "name": "group-network1-out", "handle": 6140}}, {"chain": {"family": "bridge", "table": "proxmox-firewall-guests", "name": "guest-90002-in", "handle": 6141}}, {"chain": {"family": "bridge", " table": "proxmox-firewall-guests", "name": "guest-90002-out", "handle": 6142}}, {"chain": {"family": "bridge", "table": "proxmox-firewall-guests", "name": "guest-90001-in", "handle": 6158}}, {"chain": {"family": "bridge", "table": "proxmox-firewall-guests", "name": "guest-90001-out", "handle": 6159}}, {"chain": {"family": "bridge", "table": "proxmox-firewall-guests", "name": "guest-800001-in", "handle": 6179}}, {"chain": {"family": "bridge", "table": "proxmox-firewall-guests", "name": "guest-800001-out", "handle": 6180}}]} diff --git a/proxmox-firewall/tests/input/cluster.fw b/proxmox-firewall/tests/input/cluster.fw new file mode 100644 index 0000000..23168ae --- /dev/null +++ b/proxmox-firewall/tests/input/cluster.fw 
@@ -0,0 +1,26 @@
+[OPTIONS]
+
+log_ratelimit: burst=12,enable=1,rate=2/second
+enable: 1
+
+[ALIASES]
+
+network1 172.16.100.0/24
+network2 172.16.200.0/24
+
+[IPSET network1]
+
+dc/network1
+
+[IPSET management]
+
+127.0.0.1/8
+
+[RULES]
+
+IN ACCEPT -log nolog
+
+[group network1]
+
+IN ACCEPT -source dc/network1 -dest dc/network1 -log nolog
+
diff --git a/proxmox-firewall/tests/input/host.fw b/proxmox-firewall/tests/input/host.fw
new file mode 100644
index 0000000..8fa57e6
--- /dev/null
+++ b/proxmox-firewall/tests/input/host.fw
@@ -0,0 +1,23 @@
+[OPTIONS]
+
+log_level_out: notice
+tcpflags: 1
+nftables: 1
+tcp_flags_log_level: err
+log_level_in: info
+enable: 1
+smurf_log_level: alert
+ndp: 1
+protection_synflood: 1
+protection_synflood_burst: 1337
+protection_synflood_rate: 400
+nosmurfs: 1
+nf_conntrack_helpers: amanda,ftp,irc,netbios-ns,pptp,sane,sip,snmp,tftp
+
+
+[RULES]
+
+IN DNS(ACCEPT) -source dc/network1 -log nolog
+IN DHCPv6(ACCEPT) -log nolog
+IN DHCPfwd(ACCEPT) -log nolog
+
diff --git a/proxmox-firewall/tests/integration_tests.rs b/proxmox-firewall/tests/integration_tests.rs
new file mode 100644
index 0000000..860c78d
--- /dev/null
+++ b/proxmox-firewall/tests/integration_tests.rs
@@ -0,0 +1,90 @@
+use std::collections::HashMap;
+
+use proxmox_firewall::config::{FirewallConfig, FirewallConfigLoader, NftConfigLoader};
+use proxmox_firewall::firewall::Firewall;
+use proxmox_nftables::command::CommandOutput;
+use proxmox_sys::nodename;
+use proxmox_ve_config::guest::types::Vmid;
+use proxmox_ve_config::guest::{GuestEntry, GuestMap, GuestType};
+
+struct MockFirewallConfigLoader {}
+
+impl MockFirewallConfigLoader {
+ pub fn new() -> Self {
+ Self {}
+ }
+}
+
+impl FirewallConfigLoader for MockFirewallConfigLoader {
+ fn cluster(&self) -> Option> {
+ Some(Box::new(include_str!("input/cluster.fw").as_bytes()))
+ }
+
+ fn host(&self) -> Option> {
+ Some(Box::new(include_str!("input/host.fw").as_bytes()))
+ }
+
+ fn guest_list(&self) -> GuestMap {
+ let hostname = nodename().to_string();
+
+ let mut map = HashMap::new();
+
+ let entry = GuestEntry::new(hostname.clone(), GuestType::Vm);
+ map.insert(101.into(), entry);
+
+ let entry = GuestEntry::new(hostname, GuestType::Ct);
+ map.insert(100.into(), entry);
+
+ GuestMap::from(map)
+ }
+
+ fn guest_config(&self, vmid: &Vmid, _guest: &GuestEntry) -> Option> {
+ if *vmid == Vmid::new(101) {
+ return Some(Box::new(include_str!("input/101.conf").as_bytes()));
+ }
+
+ if *vmid == Vmid::new(100) {
+ return Some(Box::new(include_str!("input/100.conf").as_bytes()));
+ }
+
+ None
+ }
+
+ fn guest_firewall_config(&self, vmid: &Vmid) -> Option> {
+ if *vmid == Vmid::new(101) {
+ return Some(Box::new(include_str!("input/101.fw").as_bytes()));
+ }
+
+ if *vmid == Vmid::new(100) {
+ return Some(Box::new(include_str!("input/100.fw").as_bytes()));
+ }
+
+ None
+ }
+}
+
+struct MockNftConfigLoader {}
+
+impl MockNftConfigLoader {
+ pub fn new() -> Self {
+ Self {}
+ }
+}
+
+impl NftConfigLoader for MockNftConfigLoader {
+ fn chains(&self) -> CommandOutput {
+ serde_json::from_str(include_str!("input/chains.json")).expect("valid chains.json")
+ }
+}
+
+#[test]
+fn test_firewall() {
+ let firewall_config = FirewallConfig::new(
+ Box::new(MockFirewallConfigLoader::new()),
+ Box::new(MockNftConfigLoader::new()),
+ );
+
+ let firewall = Firewall::from(firewall_config);
+
+ insta::assert_json_snapshot!(firewall.full_host_fw().expect("firewall can be generated"));
+}
diff --git a/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap b/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap
new file mode 100644
index 0000000..7611a64
--- /dev/null
+++ b/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap
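Review bot: `guest_list` takes the guests' node from `nodename()`, so the test input depends on the machine running it rather than on the checked-in fixtures; this is presumably only harmless because the firewall code, which is outside this hunk, compares that entry against the same `nodename()` call, and a hermetic value such as `let hostname = "testnode".to_string();` (constructed example) is only possible if that comparison can be fed from the loader as well, which would also let the `proxmox-sys` dev-dependency go. The `chains` mock deserves a comment that explains why the snapshot starts with a series of deletes: `// Chains already present in the kernel: guests 90001, 90002 and 800001 exist here but not in guest_list, so the generated ruleset must delete their chains.` The two `pub fn new()` constructors on empty private structs could be `#[derive(Default)]` plus `::default()` instead, and `guest_config`/`guest_firewall_config` repeat the same `if *vmid == Vmid::new(..)` chain, which a `match` on the numeric id would express once if `Vmid` exposes one. The `Option>` return types on `cluster`, `host` and the guest methods look like the archive rendering dropped the generic parameters rather than an error in the patch.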
@@ -0,0 +1,3530 @@ +--- +source: proxmox-firewall/tests/integration_tests.rs +expression: "firewall.full_host_fw().expect(\"firewall can be generated\")" +--- +{ + "nftables": [ + { + "flush": { + "chain": { + "family": "inet", + "table": "proxmox-firewall", + "name": "cluster-in" + } + } + }, + { + "flush": { + "chain": { + "family": "inet", + "table": "proxmox-firewall", + "name": "cluster-out" + } + } + }, + { + "add": { + "chain": { + "family": "inet", + "table": "proxmox-firewall", + "name": "host-in" + } + } + }, + { + "flush": { + "chain": { + "family": "inet", + "table": "proxmox-firewall", + "name": "host-in" + } + } + }, + { + "flush": { + "chain": { + "family": "inet", + "table": "proxmox-firewall", + "name": "option-in" + } + } + }, + { + "add": { + "chain": { + "family": "inet", + "table": "proxmox-firewall", + "name": "host-out" + } + } + }, + { + "flush": { + "chain": { + "family": "inet", + "table": "proxmox-firewall", + "name": "host-out" + } + } + }, + { + "flush": { + "chain": { + "family": "inet", + "table": "proxmox-firewall", + "name": "option-out" + } + } + }, + { + "flush": { + "map": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "name": "vm-map-in" + } + } + }, + { + "flush": { + "map": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "name": "vm-map-out" + } + } + }, + { + "flush": { + "chain": { + "family": "inet", + "table": "proxmox-firewall", + "name": "ct-in" + } + } + }, + { + "flush": { + "chain": { + "family": "inet", + "table": "proxmox-firewall", + "name": "ratelimit-synflood" + } + } + }, + { + "flush": { + "chain": { + "family": "inet", + "table": "proxmox-firewall", + "name": "log-invalid-tcp" + } + } + }, + { + "flush": { + "chain": { + "family": "inet", + "table": "proxmox-firewall", + "name": "log-smurfs" + } + } + }, + { + "delete": { + "chain": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "name": "guest-800001-in" + } + } + }, + { + "delete": { + "chain": { + "family": 
"bridge", + "table": "proxmox-firewall-guests", + "name": "guest-800001-out" + } + } + }, + { + "delete": { + "chain": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "name": "guest-90001-in" + } + } + }, + { + "delete": { + "chain": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "name": "guest-90001-out" + } + } + }, + { + "delete": { + "chain": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "name": "guest-90002-in" + } + } + }, + { + "delete": { + "chain": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "name": "guest-90002-out" + } + } + }, + { + "delete": { + "chain": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "name": "group-network1-in" + } + } + }, + { + "delete": { + "chain": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "name": "group-network1-out" + } + } + }, + { + "add": { + "set": { + "family": "inet", + "table": "proxmox-firewall", + "name": "v4-dc/management", + "type": "ipv4_addr", + "flags": [ + "interval" + ] + } + } + }, + { + "flush": { + "set": { + "family": "inet", + "table": "proxmox-firewall", + "name": "v4-dc/management" + } + } + }, + { + "add": { + "set": { + "family": "inet", + "table": "proxmox-firewall", + "name": "v4-dc/management-nomatch", + "type": "ipv4_addr", + "flags": [ + "interval" + ] + } + } + }, + { + "flush": { + "set": { + "family": "inet", + "table": "proxmox-firewall", + "name": "v4-dc/management-nomatch" + } + } + }, + { + "add": { + "element": { + "family": "inet", + "table": "proxmox-firewall", + "name": "v4-dc/management", + "elem": [ + { + "prefix": { + "addr": "127.0.0.1", + "len": 8 + } + } + ] + } + } + }, + { + "add": { + "set": { + "family": "inet", + "table": "proxmox-firewall", + "name": "v6-dc/management", + "type": "ipv6_addr", + "flags": [ + "interval" + ] + } + } + }, + { + "flush": { + "set": { + "family": "inet", + "table": "proxmox-firewall", + "name": "v6-dc/management" + } + } + }, + { + "add": { + 
"set": { + "family": "inet", + "table": "proxmox-firewall", + "name": "v6-dc/management-nomatch", + "type": "ipv6_addr", + "flags": [ + "interval" + ] + } + } + }, + { + "flush": { + "set": { + "family": "inet", + "table": "proxmox-firewall", + "name": "v6-dc/management-nomatch" + } + } + }, + { + "add": { + "set": { + "family": "inet", + "table": "proxmox-firewall", + "name": "v4-dc/network1", + "type": "ipv4_addr", + "flags": [ + "interval" + ] + } + } + }, + { + "flush": { + "set": { + "family": "inet", + "table": "proxmox-firewall", + "name": "v4-dc/network1" + } + } + }, + { + "add": { + "set": { + "family": "inet", + "table": "proxmox-firewall", + "name": "v4-dc/network1-nomatch", + "type": "ipv4_addr", + "flags": [ + "interval" + ] + } + } + }, + { + "flush": { + "set": { + "family": "inet", + "table": "proxmox-firewall", + "name": "v4-dc/network1-nomatch" + } + } + }, + { + "add": { + "element": { + "family": "inet", + "table": "proxmox-firewall", + "name": "v4-dc/network1", + "elem": [ + { + "prefix": { + "addr": "172.16.100.0", + "len": 24 + } + } + ] + } + } + }, + { + "add": { + "set": { + "family": "inet", + "table": "proxmox-firewall", + "name": "v6-dc/network1", + "type": "ipv6_addr", + "flags": [ + "interval" + ] + } + } + }, + { + "flush": { + "set": { + "family": "inet", + "table": "proxmox-firewall", + "name": "v6-dc/network1" + } + } + }, + { + "add": { + "set": { + "family": "inet", + "table": "proxmox-firewall", + "name": "v6-dc/network1-nomatch", + "type": "ipv6_addr", + "flags": [ + "interval" + ] + } + } + }, + { + "flush": { + "set": { + "family": "inet", + "table": "proxmox-firewall", + "name": "v6-dc/network1-nomatch" + } + } + }, + { + "add": { + "chain": { + "family": "inet", + "table": "proxmox-firewall", + "name": "group-network1-in" + } + } + }, + { + "flush": { + "chain": { + "family": "inet", + "table": "proxmox-firewall", + "name": "group-network1-in" + } + } + }, + { + "add": { + "rule": { + "family": "inet", + "table": 
"proxmox-firewall", + "chain": "group-network1-in", + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": { + "prefix": { + "addr": "172.16.100.0", + "len": 24 + } + } + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": { + "prefix": { + "addr": "172.16.100.0", + "len": 24 + } + } + } + }, + { + "accept": null + } + ] + } + } + }, + { + "add": { + "chain": { + "family": "inet", + "table": "proxmox-firewall", + "name": "group-network1-out" + } + } + }, + { + "flush": { + "chain": { + "family": "inet", + "table": "proxmox-firewall", + "name": "group-network1-out" + } + } + }, + { + "add": { + "rule": { + "family": "inet", + "table": "proxmox-firewall", + "chain": "cluster-in", + "expr": [ + { + "accept": null + } + ] + } + } + }, + { + "add": { + "rule": { + "family": "inet", + "table": "proxmox-firewall", + "chain": "cluster-in", + "expr": [ + { + "limit": { + "rate": 2, + "per": "second", + "burst": 12 + } + }, + { + "log": { + "prefix": ":0:6:cluster-in: DROP: ", + "group": 0 + } + } + ] + } + } + }, + { + "add": { + "rule": { + "family": "inet", + "table": "proxmox-firewall", + "chain": "cluster-in", + "expr": [ + { + "drop": null + } + ] + } + } + }, + { + "add": { + "rule": { + "family": "inet", + "table": "proxmox-firewall", + "chain": "cluster-out", + "expr": [ + { + "limit": { + "rate": 2, + "per": "second", + "burst": 12 + } + }, + { + "log": { + "prefix": ":0:5:cluster-out: ACCEPT: ", + "group": 0 + } + } + ] + } + } + }, + { + "add": { + "rule": { + "family": "inet", + "table": "proxmox-firewall", + "chain": "cluster-out", + "expr": [ + { + "accept": null + } + ] + } + } + }, + { + "add": { + "ct helper": { + "family": "inet", + "table": "proxmox-firewall", + "name": "helper-amanda-udp", + "type": "amanda", + "protocol": "udp", + "l3proto": null + } + } + }, + { + "add": { + "rule": { + "family": "inet", + 
"table": "proxmox-firewall", + "chain": "ct-in", + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": "udp" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "th", + "field": "dport" + } + }, + "right": 10080 + } + }, + { + "match": { + "op": "==", + "left": { + "ct": { + "key": "state" + } + }, + "right": [ + "new", + "established" + ] + } + }, + { + "accept": null + } + ] + } + } + }, + { + "add": { + "rule": { + "family": "inet", + "table": "proxmox-firewall", + "chain": "ct-in", + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": "udp" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "th", + "field": "dport" + } + }, + "right": 10080 + } + }, + { + "ct helper": "helper-amanda-udp" + } + ] + } + } + }, + { + "add": { + "rule": { + "family": "inet", + "table": "proxmox-firewall", + "chain": "ct-in", + "expr": [ + { + "match": { + "op": "==", + "left": { + "ct": { + "key": "helper" + } + }, + "right": "amanda" + } + }, + { + "accept": null + } + ] + } + } + }, + { + "add": { + "ct helper": { + "family": "inet", + "table": "proxmox-firewall", + "name": "helper-ftp-tcp", + "type": "ftp", + "protocol": "tcp", + "l3proto": null + } + } + }, + { + "add": { + "rule": { + "family": "inet", + "table": "proxmox-firewall", + "chain": "ct-in", + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": "tcp" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "th", + "field": "dport" + } + }, + "right": 21 + } + }, + { + "match": { + "op": "==", + "left": { + "ct": { + "key": "state" + } + }, + "right": [ + "new", + "established" + ] + } + }, + { + "accept": null + } + ] + } + } + }, + { + "add": { + "rule": { + "family": "inet", + "table": "proxmox-firewall", + "chain": "ct-in", + "expr": [ + { + "match": { + "op": "==", + "left": { 
+ "meta": { + "key": "l4proto" + } + }, + "right": "tcp" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "th", + "field": "dport" + } + }, + "right": 21 + } + }, + { + "ct helper": "helper-ftp-tcp" + } + ] + } + } + }, + { + "add": { + "rule": { + "family": "inet", + "table": "proxmox-firewall", + "chain": "ct-in", + "expr": [ + { + "match": { + "op": "==", + "left": { + "ct": { + "key": "helper" + } + }, + "right": "ftp" + } + }, + { + "accept": null + } + ] + } + } + }, + { + "add": { + "ct helper": { + "family": "inet", + "table": "proxmox-firewall", + "name": "helper-irc-tcp", + "type": "irc", + "protocol": "tcp", + "l3proto": "ip" + } + } + }, + { + "add": { + "rule": { + "family": "inet", + "table": "proxmox-firewall", + "chain": "ct-in", + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": "tcp" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "th", + "field": "dport" + } + }, + "right": 6667 + } + }, + { + "match": { + "op": "==", + "left": { + "ct": { + "key": "state" + } + }, + "right": [ + "new", + "established" + ] + } + }, + { + "accept": null + } + ] + } + } + }, + { + "add": { + "rule": { + "family": "inet", + "table": "proxmox-firewall", + "chain": "ct-in", + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": "tcp" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "th", + "field": "dport" + } + }, + "right": 6667 + } + }, + { + "ct helper": "helper-irc-tcp" + } + ] + } + } + }, + { + "add": { + "rule": { + "family": "inet", + "table": "proxmox-firewall", + "chain": "ct-in", + "expr": [ + { + "match": { + "op": "==", + "left": { + "ct": { + "key": "helper", + "family": "ip" + } + }, + "right": "irc" + } + }, + { + "accept": null + } + ] + } + } + }, + { + "add": { + "ct helper": { + "family": "inet", + "table": "proxmox-firewall", + "name": 
"helper-netbios-ns-udp", + "type": "netbios-ns", + "protocol": "udp", + "l3proto": "ip" + } + } + }, + { + "add": { + "rule": { + "family": "inet", + "table": "proxmox-firewall", + "chain": "ct-in", + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": "udp" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "th", + "field": "dport" + } + }, + "right": 137 + } + }, + { + "match": { + "op": "==", + "left": { + "ct": { + "key": "state" + } + }, + "right": [ + "new", + "established" + ] + } + }, + { + "accept": null + } + ] + } + } + }, + { + "add": { + "rule": { + "family": "inet", + "table": "proxmox-firewall", + "chain": "ct-in", + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": "udp" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "th", + "field": "dport" + } + }, + "right": 137 + } + }, + { + "ct helper": "helper-netbios-ns-udp" + } + ] + } + } + }, + { + "add": { + "rule": { + "family": "inet", + "table": "proxmox-firewall", + "chain": "ct-in", + "expr": [ + { + "match": { + "op": "==", + "left": { + "ct": { + "key": "helper", + "family": "ip" + } + }, + "right": "netbios-ns" + } + }, + { + "accept": null + } + ] + } + } + }, + { + "add": { + "ct helper": { + "family": "inet", + "table": "proxmox-firewall", + "name": "helper-pptp-tcp", + "type": "pptp", + "protocol": "tcp", + "l3proto": "ip" + } + } + }, + { + "add": { + "rule": { + "family": "inet", + "table": "proxmox-firewall", + "chain": "ct-in", + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": "tcp" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "th", + "field": "dport" + } + }, + "right": 1723 + } + }, + { + "match": { + "op": "==", + "left": { + "ct": { + "key": "state" + } + }, + "right": [ + "new", + "established" + ] + } + }, + { + "accept": 
null + } + ] + } + } + }, + { + "add": { + "rule": { + "family": "inet", + "table": "proxmox-firewall", + "chain": "ct-in", + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": "tcp" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "th", + "field": "dport" + } + }, + "right": 1723 + } + }, + { + "ct helper": "helper-pptp-tcp" + } + ] + } + } + }, + { + "add": { + "rule": { + "family": "inet", + "table": "proxmox-firewall", + "chain": "ct-in", + "expr": [ + { + "match": { + "op": "==", + "left": { + "ct": { + "key": "helper", + "family": "ip" + } + }, + "right": "pptp" + } + }, + { + "accept": null + } + ] + } + } + }, + { + "add": { + "ct helper": { + "family": "inet", + "table": "proxmox-firewall", + "name": "helper-sane-tcp", + "type": "sane", + "protocol": "tcp", + "l3proto": null + } + } + }, + { + "add": { + "rule": { + "family": "inet", + "table": "proxmox-firewall", + "chain": "ct-in", + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": "tcp" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "th", + "field": "dport" + } + }, + "right": 6566 + } + }, + { + "match": { + "op": "==", + "left": { + "ct": { + "key": "state" + } + }, + "right": [ + "new", + "established" + ] + } + }, + { + "accept": null + } + ] + } + } + }, + { + "add": { + "rule": { + "family": "inet", + "table": "proxmox-firewall", + "chain": "ct-in", + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": "tcp" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "th", + "field": "dport" + } + }, + "right": 6566 + } + }, + { + "ct helper": "helper-sane-tcp" + } + ] + } + } + }, + { + "add": { + "rule": { + "family": "inet", + "table": "proxmox-firewall", + "chain": "ct-in", + "expr": [ + { + "match": { + "op": "==", + "left": { + "ct": { + "key": 
"helper" + } + }, + "right": "sane" + } + }, + { + "accept": null + } + ] + } + } + }, + { + "add": { + "ct helper": { + "family": "inet", + "table": "proxmox-firewall", + "name": "helper-sip-udp", + "type": "sip", + "protocol": "udp", + "l3proto": null + } + } + }, + { + "add": { + "rule": { + "family": "inet", + "table": "proxmox-firewall", + "chain": "ct-in", + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": "udp" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "th", + "field": "dport" + } + }, + "right": 5060 + } + }, + { + "match": { + "op": "==", + "left": { + "ct": { + "key": "state" + } + }, + "right": [ + "new", + "established" + ] + } + }, + { + "accept": null + } + ] + } + } + }, + { + "add": { + "rule": { + "family": "inet", + "table": "proxmox-firewall", + "chain": "ct-in", + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": "udp" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "th", + "field": "dport" + } + }, + "right": 5060 + } + }, + { + "ct helper": "helper-sip-udp" + } + ] + } + } + }, + { + "add": { + "rule": { + "family": "inet", + "table": "proxmox-firewall", + "chain": "ct-in", + "expr": [ + { + "match": { + "op": "==", + "left": { + "ct": { + "key": "helper" + } + }, + "right": "sip" + } + }, + { + "accept": null + } + ] + } + } + }, + { + "add": { + "ct helper": { + "family": "inet", + "table": "proxmox-firewall", + "name": "helper-snmp-udp", + "type": "snmp", + "protocol": "udp", + "l3proto": "ip" + } + } + }, + { + "add": { + "rule": { + "family": "inet", + "table": "proxmox-firewall", + "chain": "ct-in", + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": "udp" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "th", + "field": "dport" + } + }, + "right": 161 + } + }, + { + "match": 
{ + "op": "==", + "left": { + "ct": { + "key": "state" + } + }, + "right": [ + "new", + "established" + ] + } + }, + { + "accept": null + } + ] + } + } + }, + { + "add": { + "rule": { + "family": "inet", + "table": "proxmox-firewall", + "chain": "ct-in", + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": "udp" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "th", + "field": "dport" + } + }, + "right": 161 + } + }, + { + "ct helper": "helper-snmp-udp" + } + ] + } + } + }, + { + "add": { + "rule": { + "family": "inet", + "table": "proxmox-firewall", + "chain": "ct-in", + "expr": [ + { + "match": { + "op": "==", + "left": { + "ct": { + "key": "helper", + "family": "ip" + } + }, + "right": "snmp" + } + }, + { + "accept": null + } + ] + } + } + }, + { + "add": { + "ct helper": { + "family": "inet", + "table": "proxmox-firewall", + "name": "helper-tftp-udp", + "type": "tftp", + "protocol": "udp", + "l3proto": null + } + } + }, + { + "add": { + "rule": { + "family": "inet", + "table": "proxmox-firewall", + "chain": "ct-in", + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": "udp" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "th", + "field": "dport" + } + }, + "right": 69 + } + }, + { + "match": { + "op": "==", + "left": { + "ct": { + "key": "state" + } + }, + "right": [ + "new", + "established" + ] + } + }, + { + "accept": null + } + ] + } + } + }, + { + "add": { + "rule": { + "family": "inet", + "table": "proxmox-firewall", + "chain": "ct-in", + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": "udp" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "th", + "field": "dport" + } + }, + "right": 69 + } + }, + { + "ct helper": "helper-tftp-udp" + } + ] + } + } + }, + { + "add": { + "rule": { + "family": "inet", + 
"table": "proxmox-firewall", + "chain": "ct-in", + "expr": [ + { + "match": { + "op": "==", + "left": { + "ct": { + "key": "helper" + } + }, + "right": "tftp" + } + }, + { + "accept": null + } + ] + } + } + }, + { + "add": { + "rule": { + "family": "inet", + "table": "proxmox-firewall", + "chain": "option-in", + "expr": [ + { + "jump": { + "target": "allow-ndp-in" + } + } + ] + } + } + }, + { + "add": { + "rule": { + "family": "inet", + "table": "proxmox-firewall", + "chain": "option-out", + "expr": [ + { + "jump": { + "target": "allow-ndp-out" + } + } + ] + } + } + }, + { + "add": { + "rule": { + "family": "inet", + "table": "proxmox-firewall", + "chain": "option-in", + "expr": [ + { + "jump": { + "target": "block-synflood" + } + } + ] + } + } + }, + { + "add": { + "rule": { + "family": "inet", + "table": "proxmox-firewall", + "chain": "ratelimit-synflood", + "expr": [ + { + "set": { + "op": "update", + "elem": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "set": "@v4-synflood-limit", + "stmt": { + "limit": { + "rate": 400, + "per": "second", + "burst": 1337, + "inv": true + } + } + } + }, + { + "drop": null + } + ] + } + } + }, + { + "add": { + "rule": { + "family": "inet", + "table": "proxmox-firewall", + "chain": "ratelimit-synflood", + "expr": [ + { + "set": { + "op": "update", + "elem": { + "payload": { + "protocol": "ip6", + "field": "saddr" + } + }, + "set": "@v6-synflood-limit", + "stmt": { + "limit": { + "rate": 400, + "per": "second", + "burst": 1337, + "inv": true + } + } + } + }, + { + "drop": null + } + ] + } + } + }, + { + "add": { + "rule": { + "family": "inet", + "table": "proxmox-firewall", + "chain": "option-in", + "expr": [ + { + "jump": { + "target": "block-invalid-tcp" + } + } + ] + } + } + }, + { + "add": { + "rule": { + "family": "inet", + "table": "proxmox-firewall", + "chain": "log-invalid-tcp", + "expr": [ + { + "limit": { + "rate": 2, + "per": "second", + "burst": 12 + } + }, + { + "log": { + "prefix": 
":0:3:log-invalid-tcp: DROP: ", + "group": 0 + } + } + ] + } + } + }, + { + "add": { + "rule": { + "family": "inet", + "table": "proxmox-firewall", + "chain": "option-in", + "expr": [ + { + "jump": { + "target": "block-smurfs" + } + } + ] + } + } + }, + { + "add": { + "rule": { + "family": "inet", + "table": "proxmox-firewall", + "chain": "log-smurfs", + "expr": [ + { + "limit": { + "rate": 2, + "per": "second", + "burst": 12 + } + }, + { + "log": { + "prefix": ":0:1:log-smurfs: DROP: ", + "group": 0 + } + } + ] + } + } + }, + { + "add": { + "rule": { + "family": "inet", + "table": "proxmox-firewall", + "chain": "option-in", + "expr": [ + { + "jump": { + "target": "block-conntrack-invalid" + } + } + ] + } + } + }, + { + "add": { + "rule": { + "family": "inet", + "table": "proxmox-firewall", + "chain": "host-in", + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": "udp" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "th", + "field": "dport" + } + }, + "right": 53 + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": { + "prefix": { + "addr": "172.16.100.0", + "len": 24 + } + } + } + }, + { + "accept": null + } + ] + } + } + }, + { + "add": { + "rule": { + "family": "inet", + "table": "proxmox-firewall", + "chain": "host-in", + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": "tcp" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "th", + "field": "dport" + } + }, + "right": 53 + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": { + "prefix": { + "addr": "172.16.100.0", + "len": 24 + } + } + } + }, + { + "accept": null + } + ] + } + } + }, + { + "add": { + "rule": { + "family": "inet", + "table": "proxmox-firewall", + "chain": "host-in", + "expr": [ + { 
+ "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": "udp" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "th", + "field": "sport" + } + }, + "right": { + "range": [ + 546, + 547 + ] + } + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "th", + "field": "dport" + } + }, + "right": { + "range": [ + 546, + 547 + ] + } + } + }, + { + "accept": null + } + ] + } + } + }, + { + "add": { + "rule": { + "family": "inet", + "table": "proxmox-firewall", + "chain": "host-in", + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": "udp" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "th", + "field": "sport" + } + }, + "right": { + "range": [ + 67, + 68 + ] + } + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "th", + "field": "dport" + } + }, + "right": { + "range": [ + 67, + 68 + ] + } + } + }, + { + "accept": null + } + ] + } + } + }, + { + "add": { + "set": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "name": "v4-dc/management", + "type": "ipv4_addr", + "flags": [ + "interval" + ] + } + } + }, + { + "flush": { + "set": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "name": "v4-dc/management" + } + } + }, + { + "add": { + "set": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "name": "v4-dc/management-nomatch", + "type": "ipv4_addr", + "flags": [ + "interval" + ] + } + } + }, + { + "flush": { + "set": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "name": "v4-dc/management-nomatch" + } + } + }, + { + "add": { + "element": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "name": "v4-dc/management", + "elem": [ + { + "prefix": { + "addr": "127.0.0.1", + "len": 8 + } + } + ] + } + } + }, + { + "add": { + "set": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "name": 
"v6-dc/management", + "type": "ipv6_addr", + "flags": [ + "interval" + ] + } + } + }, + { + "flush": { + "set": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "name": "v6-dc/management" + } + } + }, + { + "add": { + "set": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "name": "v6-dc/management-nomatch", + "type": "ipv6_addr", + "flags": [ + "interval" + ] + } + } + }, + { + "flush": { + "set": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "name": "v6-dc/management-nomatch" + } + } + }, + { + "add": { + "set": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "name": "v4-dc/network1", + "type": "ipv4_addr", + "flags": [ + "interval" + ] + } + } + }, + { + "flush": { + "set": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "name": "v4-dc/network1" + } + } + }, + { + "add": { + "set": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "name": "v4-dc/network1-nomatch", + "type": "ipv4_addr", + "flags": [ + "interval" + ] + } + } + }, + { + "flush": { + "set": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "name": "v4-dc/network1-nomatch" + } + } + }, + { + "add": { + "element": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "name": "v4-dc/network1", + "elem": [ + { + "prefix": { + "addr": "172.16.100.0", + "len": 24 + } + } + ] + } + } + }, + { + "add": { + "set": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "name": "v6-dc/network1", + "type": "ipv6_addr", + "flags": [ + "interval" + ] + } + } + }, + { + "flush": { + "set": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "name": "v6-dc/network1" + } + } + }, + { + "add": { + "set": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "name": "v6-dc/network1-nomatch", + "type": "ipv6_addr", + "flags": [ + "interval" + ] + } + } + }, + { + "flush": { + "set": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "name": 
"v6-dc/network1-nomatch" + } + } + }, + { + "add": { + "chain": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "name": "group-network1-in" + } + } + }, + { + "flush": { + "chain": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "name": "group-network1-in" + } + } + }, + { + "add": { + "rule": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "chain": "group-network1-in", + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": { + "prefix": { + "addr": "172.16.100.0", + "len": 24 + } + } + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": { + "prefix": { + "addr": "172.16.100.0", + "len": 24 + } + } + } + }, + { + "accept": null + } + ] + } + } + }, + { + "add": { + "chain": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "name": "group-network1-out" + } + } + }, + { + "flush": { + "chain": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "name": "group-network1-out" + } + } + }, + { + "add": { + "chain": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "name": "guest-100-in" + } + } + }, + { + "flush": { + "chain": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "name": "guest-100-in" + } + } + }, + { + "add": { + "chain": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "name": "guest-100-out" + } + } + }, + { + "flush": { + "chain": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "name": "guest-100-out" + } + } + }, + { + "add": { + "set": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "name": "v4-guest-100/ipfilter-net1", + "type": "ipv4_addr", + "flags": [ + "interval" + ] + } + } + }, + { + "flush": { + "set": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "name": "v4-guest-100/ipfilter-net1" + } + } + }, + { + "add": { + "set": { + "family": 
"bridge", + "table": "proxmox-firewall-guests", + "name": "v4-guest-100/ipfilter-net1-nomatch", + "type": "ipv4_addr", + "flags": [ + "interval" + ] + } + } + }, + { + "flush": { + "set": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "name": "v4-guest-100/ipfilter-net1-nomatch" + } + } + }, + { + "add": { + "element": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "name": "v4-guest-100/ipfilter-net1", + "elem": [ + { + "prefix": { + "addr": "172.16.100.0", + "len": 24 + } + } + ] + } + } + }, + { + "add": { + "set": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "name": "v6-guest-100/ipfilter-net1", + "type": "ipv6_addr", + "flags": [ + "interval" + ] + } + } + }, + { + "flush": { + "set": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "name": "v6-guest-100/ipfilter-net1" + } + } + }, + { + "add": { + "set": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "name": "v6-guest-100/ipfilter-net1-nomatch", + "type": "ipv6_addr", + "flags": [ + "interval" + ] + } + } + }, + { + "flush": { + "set": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "name": "v6-guest-100/ipfilter-net1-nomatch" + } + } + }, + { + "add": { + "rule": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "chain": "guest-100-in", + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oifname" + } + }, + "right": "veth100i1" + } + }, + { + "match": { + "op": "!=", + "left": { + "payload": { + "protocol": "arp", + "field": "daddr ip" + } + }, + "right": "@v4-guest-100/ipfilter-net1" + } + }, + { + "drop": null + } + ] + } + } + }, + { + "add": { + "rule": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "chain": "guest-100-out", + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "veth100i1" + } + }, + { + "match": { + "op": "!=", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + 
}, + "right": "@v4-guest-100/ipfilter-net1" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "@v4-guest-100/ipfilter-net1-nomatch" + } + }, + { + "drop": null + } + ] + } + } + }, + { + "add": { + "rule": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "chain": "guest-100-out", + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "veth100i1" + } + }, + { + "match": { + "op": "!=", + "left": { + "payload": { + "protocol": "ip6", + "field": "saddr" + } + }, + "right": "@v6-guest-100/ipfilter-net1" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip6", + "field": "saddr" + } + }, + "right": "@v6-guest-100/ipfilter-net1-nomatch" + } + }, + { + "drop": null + } + ] + } + } + }, + { + "add": { + "rule": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "chain": "guest-100-out", + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "veth100i1" + } + }, + { + "match": { + "op": "!=", + "left": { + "payload": { + "protocol": "arp", + "field": "saddr ip" + } + }, + "right": "@v4-guest-100/ipfilter-net1" + } + }, + { + "drop": null + } + ] + } + } + }, + { + "add": { + "rule": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "chain": "guest-100-in", + "expr": [ + { + "jump": { + "target": "allow-dhcp-in" + } + } + ] + } + } + }, + { + "add": { + "rule": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "chain": "guest-100-out", + "expr": [ + { + "jump": { + "target": "allow-dhcp-out" + } + } + ] + } + } + }, + { + "add": { + "rule": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "chain": "guest-100-in", + "expr": [ + { + "jump": { + "target": "allow-ndp-in" + } + } + ] + } + } + }, + { + "add": { + "rule": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "chain": 
"guest-100-out", + "expr": [ + { + "jump": { + "target": "allow-ndp-out" + } + } + ] + } + } + }, + { + "add": { + "rule": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "chain": "guest-100-out", + "expr": [ + { + "jump": { + "target": "block-ra-out" + } + } + ] + } + } + }, + { + "add": { + "rule": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "chain": "guest-100-in", + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ether", + "field": "type" + } + }, + "right": "arp" + } + }, + { + "accept": null + } + ] + } + } + }, + { + "add": { + "rule": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "chain": "guest-100-in", + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oifname" + } + }, + "right": "veth100i1" + } + }, + { + "jump": { + "target": "group-network1-in" + } + } + ] + } + } + }, + { + "add": { + "rule": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "chain": "guest-100-in", + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": "tcp" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "th", + "field": "sport" + } + }, + "right": 80 + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "th", + "field": "dport" + } + }, + "right": { + "set": [ + 123, + { + "range": [ + 222, + 333 + ] + } + ] + } + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": { + "set": [ + { + "prefix": { + "addr": "192.168.0.1", + "len": 24 + } + }, + { + "range": [ + "127.0.0.1", + "127.255.255.0" + ] + }, + { + "prefix": { + "addr": "172.16.0.1", + "len": 32 + } + } + ] + } + } + }, + { + "accept": null + } + ] + } + } + }, + { + "add": { + "rule": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "chain": "guest-100-in", + "expr": [ + { + "match": { + "op": "==", + 
"left": { + "payload": { + "protocol": "icmp", + "field": "type" + } + }, + "right": "echo-request" + } + }, + { + "limit": { + "rate": 2, + "per": "second", + "burst": 12 + } + }, + { + "log": { + "prefix": ":100:6:guest-100-in: DROP: ", + "group": 0 + } + } + ] + } + } + }, + { + "add": { + "rule": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "chain": "guest-100-in", + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "icmp", + "field": "type" + } + }, + "right": "echo-request" + } + }, + { + "drop": null + } + ] + } + } + }, + { + "add": { + "element": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "name": "vm-map-in", + "elem": [ + [ + "veth100i1", + { + "goto": { + "target": "guest-100-in" + } + } + ] + ] + } + } + }, + { + "add": { + "rule": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "chain": "guest-100-in", + "expr": [ + { + "jump": { + "target": "after-vm-in" + } + } + ] + } + } + }, + { + "add": { + "rule": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "chain": "guest-100-in", + "expr": [ + { + "limit": { + "rate": 2, + "per": "second", + "burst": 12 + } + }, + { + "log": { + "prefix": ":100:2:guest-100-in: DROP: ", + "group": 0 + } + } + ] + } + } + }, + { + "add": { + "rule": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "chain": "guest-100-in", + "expr": [ + { + "drop": null + } + ] + } + } + }, + { + "add": { + "rule": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "chain": "guest-100-out", + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "veth100i1" + } + }, + { + "jump": { + "target": "group-network1-out" + } + } + ] + } + } + }, + { + "add": { + "element": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "name": "vm-map-out", + "elem": [ + [ + "veth100i1", + { + "goto": { + "target": "guest-100-out" + } + } + ] + ] + } + } + }, + { + 
"add": { + "rule": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "chain": "guest-100-out", + "expr": [ + { + "limit": { + "rate": 2, + "per": "second", + "burst": 12 + } + }, + { + "log": { + "prefix": ":100:1:guest-100-out: REJECT: ", + "group": 0 + } + } + ] + } + } + }, + { + "add": { + "rule": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "chain": "guest-100-out", + "expr": [ + { + "drop": null + } + ] + } + } + }, + { + "add": { + "chain": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "name": "guest-101-in" + } + } + }, + { + "flush": { + "chain": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "name": "guest-101-in" + } + } + }, + { + "add": { + "chain": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "name": "guest-101-out" + } + } + }, + { + "flush": { + "chain": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "name": "guest-101-out" + } + } + }, + { + "add": { + "set": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "name": "v4-guest-101/testing", + "type": "ipv4_addr", + "flags": [ + "interval" + ] + } + } + }, + { + "flush": { + "set": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "name": "v4-guest-101/testing" + } + } + }, + { + "add": { + "set": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "name": "v4-guest-101/testing-nomatch", + "type": "ipv4_addr", + "flags": [ + "interval" + ] + } + } + }, + { + "flush": { + "set": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "name": "v4-guest-101/testing-nomatch" + } + } + }, + { + "add": { + "set": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "name": "v6-guest-101/testing", + "type": "ipv6_addr", + "flags": [ + "interval" + ] + } + } + }, + { + "flush": { + "set": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "name": "v6-guest-101/testing" + } + } + }, + { + "add": { + "set": { + "family": "bridge", + 
"table": "proxmox-firewall-guests", + "name": "v6-guest-101/testing-nomatch", + "type": "ipv6_addr", + "flags": [ + "interval" + ] + } + } + }, + { + "flush": { + "set": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "name": "v6-guest-101/testing-nomatch" + } + } + }, + { + "add": { + "rule": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "chain": "guest-101-in", + "expr": [ + { + "jump": { + "target": "allow-dhcp-in" + } + } + ] + } + } + }, + { + "add": { + "rule": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "chain": "guest-101-out", + "expr": [ + { + "jump": { + "target": "allow-dhcp-out" + } + } + ] + } + } + }, + { + "add": { + "rule": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "chain": "guest-101-in", + "expr": [ + { + "jump": { + "target": "block-ndp-in" + } + } + ] + } + } + }, + { + "add": { + "rule": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "chain": "guest-101-out", + "expr": [ + { + "jump": { + "target": "block-ndp-out" + } + } + ] + } + } + }, + { + "add": { + "rule": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "chain": "guest-101-out", + "expr": [ + { + "jump": { + "target": "block-ra-out" + } + } + ] + } + } + }, + { + "add": { + "rule": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "chain": "guest-101-in", + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ether", + "field": "type" + } + }, + "right": "arp" + } + }, + { + "accept": null + } + ] + } + } + }, + { + "add": { + "rule": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "chain": "guest-101-in", + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": { + "prefix": { + "addr": "123.123.123.123", + "len": 32 + } + } + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": 
{ + "prefix": { + "addr": "172.16.200.0", + "len": 24 + } + } + } + }, + { + "accept": null + } + ] + } + } + }, + { + "add": { + "rule": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "chain": "guest-101-in", + "expr": [ + { + "jump": { + "target": "after-vm-in" + } + } + ] + } + } + }, + { + "add": { + "rule": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "chain": "guest-101-in", + "expr": [ + { + "drop": null + } + ] + } + } + }, + { + "add": { + "rule": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "chain": "guest-101-out", + "expr": [ + { + "accept": null + } + ] + } + } + } + ] +} -- 2.39.2 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel