From: Stefan Hanreich <s.hanreich@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH proxmox-firewall v3 34/39] firewall: add integration test
Date: Thu, 18 Apr 2024 18:14:29 +0200
Message-ID: <20240418161434.709473-35-s.hanreich@proxmox.com>
In-Reply-To: <20240418161434.709473-1-s.hanreich@proxmox.com>
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
---
.gitignore | 1 +
debian/control | 1 +
proxmox-firewall/Cargo.toml | 4 +
proxmox-firewall/tests/input/100.conf | 10 +
proxmox-firewall/tests/input/100.fw | 22 +
proxmox-firewall/tests/input/101.conf | 11 +
proxmox-firewall/tests/input/101.fw | 19 +
proxmox-firewall/tests/input/chains.json | 427 ++
proxmox-firewall/tests/input/cluster.fw | 26 +
proxmox-firewall/tests/input/host.fw | 23 +
proxmox-firewall/tests/integration_tests.rs | 90 +
.../integration_tests__firewall.snap | 3530 +++++++++++++++++
12 files changed, 4164 insertions(+)
create mode 100644 proxmox-firewall/tests/input/100.conf
create mode 100644 proxmox-firewall/tests/input/100.fw
create mode 100644 proxmox-firewall/tests/input/101.conf
create mode 100644 proxmox-firewall/tests/input/101.fw
create mode 100644 proxmox-firewall/tests/input/chains.json
create mode 100644 proxmox-firewall/tests/input/cluster.fw
create mode 100644 proxmox-firewall/tests/input/host.fw
create mode 100644 proxmox-firewall/tests/integration_tests.rs
create mode 100644 proxmox-firewall/tests/snapshots/integration_tests__firewall.snap
diff --git a/.gitignore b/.gitignore
index 90749ee..c5474ef 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,3 +7,4 @@ proxmox-firewall-*/
*.build
*.buildinfo
*.changes
+*.snap.new
diff --git a/debian/control b/debian/control
index 97f9e89..845b84d 100644
--- a/debian/control
+++ b/debian/control
@@ -20,6 +20,7 @@ Build-Depends: cargo:native,
librust-thiserror-dev,
librust-libc-0.2+default-dev,
librust-proxmox-schema-3+default-dev,
+ librust-insta-dev,
libstd-rust-dev,
netbase,
python3,
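Review bot: the Build-Depends addition is incomplete relative to Cargo.toml: `librust-insta-dev` carries no version or feature constraint while the crate asks for insta 1.21 with the `json` feature, and the new `proxmox-sys = "0.5.3"` dev-dependency gets no `librust-proxmox-sys-dev` counterpart at all, so a package build that runs `cargo test` will fail to resolve it. Add the proxmox-sys entry and express the insta requirement the way the neighbouring lines do (e.g. `librust-insta-1+json-dev`), or state in the commit message that the Debian package's default features already cover `json`.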
diff --git a/proxmox-firewall/Cargo.toml b/proxmox-firewall/Cargo.toml
index bec7552..163ab17 100644
--- a/proxmox-firewall/Cargo.toml
+++ b/proxmox-firewall/Cargo.toml
@@ -22,3 +22,7 @@ signal-hook = "0.3"
proxmox-nftables = { path = "../proxmox-nftables", features = ["config-ext"] }
proxmox-ve-config = { path = "../proxmox-ve-config" }
+
+[dev-dependencies]
+insta = { version = "1.21", features = ["json"] }
+proxmox-sys = "0.5.3"
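Review bot: `serde_json` is used by tests/integration_tests.rs (`serde_json::from_str` on chains.json) but is not listed in this `[dev-dependencies]` block; that only compiles if it is already a regular dependency of proxmox-firewall, which this hunk does not show, so either add it here or mention the existing dependency in the commit message. Pulling in all of proxmox-sys for a single `nodename()` call is also a heavy dev-dependency for what it provides; if the test could use a fixed node name instead, the dependency goes away.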
diff --git a/proxmox-firewall/tests/input/100.conf b/proxmox-firewall/tests/input/100.conf
new file mode 100644
index 0000000..495f899
--- /dev/null
+++ b/proxmox-firewall/tests/input/100.conf
@@ -0,0 +1,10 @@
+arch: amd64
+cores: 1
+features: nesting=1
+hostname: host1
+memory: 512
+net1: name=eth0,bridge=simple1,firewall=1,hwaddr=BC:24:11:4D:B0:FF,ip=dhcp,ip6=fd80::1234/64,type=veth
+ostype: debian
+rootfs: local-lvm:vm-90001-disk-0,size=2G
+swap: 512
+unprivileged: 1
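Review bot: `rootfs: local-lvm:vm-90001-disk-0` names a disk for VMID 90001 while the test registers this config as guest 100; rule generation presumably never reads `rootfs`, so it is cosmetic, but renaming it to `vm-100-disk-0` avoids readers hunting for a VMID mapping that does not exist. The network side of the fixture is well chosen: `net1` rather than `net0`, `firewall=1`, a static `hwaddr`, and `ip=dhcp` next to a static `ip6` together exercise the ipfilter, dhcp and ndp options enabled in 100.fw.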
diff --git a/proxmox-firewall/tests/input/100.fw b/proxmox-firewall/tests/input/100.fw
new file mode 100644
index 0000000..6cf9fff
--- /dev/null
+++ b/proxmox-firewall/tests/input/100.fw
@@ -0,0 +1,22 @@
+[OPTIONS]
+
+enable: 1
+ndp: 1
+ipfilter: 1
+dhcp: 1
+log_level_in: crit
+log_level_out: alert
+policy_in: DROP
+policy_out: REJECT
+macfilter: 0
+
+[IPSET ipfilter-net1]
+
+dc/network1
+
+[RULES]
+
+GROUP network1 -i net1
+IN ACCEPT -source 192.168.0.1/24,127.0.0.1-127.255.255.0,172.16.0.1 -dport 123,222:333 -sport http -p tcp
+IN DROP --icmp-type echo-request --proto icmp --log info
+
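Review bot: the inputs in `[RULES]` are deliberately irregular and should be documented in the commit message so nobody later "tidies" them away: `192.168.0.1/24` is a prefix with host bits set, `127.0.0.1-127.255.255.0` is a range rather than a prefix, `-dport 123,222:333` mixes a single port with a port range, `-sport http` is a service name, and the two rules use the short (`-p`) and long (`--proto`, `--icmp-type`, `--log`) option spellings. `macfilter: 0` together with `ipfilter: 1` is another notable combination; say which behaviour the snapshot is meant to lock in for it.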
diff --git a/proxmox-firewall/tests/input/101.conf b/proxmox-firewall/tests/input/101.conf
new file mode 100644
index 0000000..394e2e4
--- /dev/null
+++ b/proxmox-firewall/tests/input/101.conf
@@ -0,0 +1,11 @@
+boot: order=ide2
+cores: 2
+cpu: x86-64-v2-AES
+memory: 2048
+meta: creation-qemu=8.1.5,ctime=1712322773
+numa: 0
+ostype: l26
+scsihw: virtio-scsi-single
+smbios1: uuid=78ec7794-78f7-4c03-bf08-18b0000721a6
+sockets: 1
+vmgenid: ec7d4834-cd0a-4376-9c1d-af8a82da8d54
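Review bot: this VM config has no `net*` entry, so guest 101 presumably never gets a per-interface chain and its firewall config (the alias and the `IN ACCEPT` rule in 101.fw) cannot surface in the snapshot. If that is the intended "VM without firewalled NICs" edge case, say so in the commit message; otherwise add a `net0: ...,firewall=1` line so the VM path is covered alongside the CT path from 100.conf.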
diff --git a/proxmox-firewall/tests/input/101.fw b/proxmox-firewall/tests/input/101.fw
new file mode 100644
index 0000000..c77cb5a
--- /dev/null
+++ b/proxmox-firewall/tests/input/101.fw
@@ -0,0 +1,19 @@
+[OPTIONS]
+
+ndp: 0
+enable: 1
+dhcp: 1
+radv: 0
+policy_out: ACCEPT
+
+[ALIASES]
+
+analias 123.123.123.123
+
+[IPSET testing]
+
+
+[RULES]
+
+IN ACCEPT -source guest/analias -dest dc/network2 -log nolog
+
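Review bot: the empty `[IPSET testing]` section and the `ndp: 0`/`radv: 0` options look like deliberate edge cases (an ipset with no members; a guest with neighbour discovery and router advertisements disabled) but nothing records that, and a future cleanup could drop them; one line in the commit message naming the intentional ones prevents that. The rule also references `dc/network2`, which in cluster.fw exists only as an alias (unlike `network1`, which is both an alias and an ipset); that is a good name-resolution test and worth naming for the same reason.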
diff --git a/proxmox-firewall/tests/input/chains.json b/proxmox-firewall/tests/input/chains.json
new file mode 100644
index 0000000..aabfc6e
--- /dev/null
+++ b/proxmox-firewall/tests/input/chains.json
@@ -0,0 +1,427 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "1.0.6",
+ "release_name": "Lester Gooch #5",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "do-reject",
+ "handle": 1
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "accept-management",
+ "handle": 2
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "block-synflood",
+ "handle": 3
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "log-drop-invalid-tcp",
+ "handle": 4
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "block-invalid-tcp",
+ "handle": 5
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "allow-ndp-in",
+ "handle": 6
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "block-ndp-in",
+ "handle": 7
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "allow-ndp-out",
+ "handle": 8
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "block-ndp-out",
+ "handle": 9
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "block-conntrack-invalid",
+ "handle": 10
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "block-smurfs",
+ "handle": 11
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "log-drop-smurfs",
+ "handle": 12
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "default-in",
+ "handle": 13
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "default-out",
+ "handle": 14
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "input",
+ "handle": 15,
+ "type": "filter",
+ "hook": "input",
+ "prio": 0,
+ "policy": "accept"
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "output",
+ "handle": 16,
+ "type": "filter",
+ "hook": "output",
+ "prio": 0,
+ "policy": "accept"
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "ratelimit-synflood",
+ "handle": 17
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "log-invalid-tcp",
+ "handle": 18
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "log-smurfs",
+ "handle": 19
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "option-in",
+ "handle": 20
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "option-out",
+ "handle": 21
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "cluster-in",
+ "handle": 22
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "cluster-out",
+ "handle": 23
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "host-in",
+ "handle": 24
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "host-out",
+ "handle": 25
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "ct-in",
+ "handle": 26
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "group-network1-in",
+ "handle": 95
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "group-network1-out",
+ "handle": 97
+ }
+ },
+ {
+ "chain": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "allow-dhcp-in",
+ "handle": 1
+ }
+ },
+ {
+ "chain": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "allow-dhcp-out",
+ "handle": 2
+ }
+ },
+ {
+ "chain": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "block-dhcp-in",
+ "handle": 3
+ }
+ },
+ {
+ "chain": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "block-dhcp-out",
+ "handle": 4
+ }
+ },
+ {
+ "chain": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "allow-ndp-in",
+ "handle": 5
+ }
+ },
+ {
+ "chain": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "block-ndp-in",
+ "handle": 6
+ }
+ },
+ {
+ "chain": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "allow-ndp-out",
+ "handle": 7
+ }
+ },
+ {
+ "chain": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "block-ndp-out",
+ "handle": 8
+ }
+ },
+ {
+ "chain": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "allow-ra-out",
+ "handle": 9
+ }
+ },
+ {
+ "chain": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "block-ra-out",
+ "handle": 10
+ }
+ },
+ {
+ "chain": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "after-vm-in",
+ "handle": 11
+ }
+ },
+ {
+ "chain": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "do-reject",
+ "handle": 12
+ }
+ },
+ {
+ "chain": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "vm-out",
+ "handle": 13,
+ "type": "filter",
+ "hook": "prerouting",
+ "prio": 0,
+ "policy": "accept"
+ }
+ },
+ {
+ "chain": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "vm-in",
+ "handle": 14,
+ "type": "filter",
+ "hook": "postrouting",
+ "prio": 0,
+ "policy": "accept"
+ }
+ },
+ {
+ "chain": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "group-network1-in",
+ "handle": 6138
+ }
+ },
+ {
+ "chain": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "group-network1-out",
+ "handle": 6140
+ }
+ },
+ {
+ "chain": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "guest-90002-in",
+ "handle": 6141
+ }
+ },
+ {
+ "chain": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "guest-90002-out",
+ "handle": 6142
+ }
+ },
+ {
+ "chain": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "guest-90001-in",
+ "handle": 6158
+ }
+ },
+ {
+ "chain": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "guest-90001-out",
+ "handle": 6159
+ }
+ },
+ {
+ "chain": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "guest-800001-in",
+ "handle": 6179
+ }
+ },
+ {
+ "chain": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "guest-800001-out",
+ "handle": 6180
+ }
+ }
+ ]
+}
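Review bot: the fixture needs its provenance and intent documented. It is evidently captured `nft -j list chains` output (metainfo `1.0.6`, `json_schema_version` 1) and it carries chains for guests 90001, 90002 and 800001 plus a `group-network1-*` pair in the bridge table, none of which exist in the mocked guest list, so the test silently also covers stale-chain removal (the snapshot opens with `delete` commands for exactly those chains). JSON cannot hold comments, so add a short README in tests/input or a paragraph in the commit message stating how the file was produced and that the orphan guest chains are intentional; otherwise someone regenerating the fixture on a clean host will lose that coverage without noticing. The handle gaps (26 to 95/97, 14 to 6138) suggest a long-running system, which is fine, but confirm nothing in the generator keys on handle values.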
diff --git a/proxmox-firewall/tests/input/cluster.fw b/proxmox-firewall/tests/input/cluster.fw
new file mode 100644
index 0000000..23168ae
--- /dev/null
+++ b/proxmox-firewall/tests/input/cluster.fw
@@ -0,0 +1,26 @@
+[OPTIONS]
+
+log_ratelimit: burst=12,enable=1,rate=2/second
+enable: 1
+
+[ALIASES]
+
+network1 172.16.100.0/24
+network2 172.16.200.0/24
+
+[IPSET network1]
+
+dc/network1
+
+[IPSET management]
+
+127.0.0.1/8
+
+[RULES]
+
+IN ACCEPT -log nolog
+
+[group network1]
+
+IN ACCEPT -source dc/network1 -dest dc/network1 -log nolog
+
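Review bot: `[IPSET management]` holds `127.0.0.1/8`, a prefix with host bits set, and the snapshot emits it verbatim as `{"addr": "127.0.0.1", "len": 8}`; either confirm that nft accepts non-canonical prefixes in JSON input on every supported version or mask the address to `127.0.0.0/8` when generating the set element, and note the choice, because the snapshot will lock in whichever the generator does today. `network1` being both an alias and an ipset (the ipset containing the alias `dc/network1`) is a useful resolution test and should be called out in the commit message. `log_ratelimit: burst=12,enable=1,rate=2/second` is a good pick since its values appear unchanged in the `limit` expressions of the cluster-in/cluster-out log rules.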
diff --git a/proxmox-firewall/tests/input/host.fw b/proxmox-firewall/tests/input/host.fw
new file mode 100644
index 0000000..8fa57e6
--- /dev/null
+++ b/proxmox-firewall/tests/input/host.fw
@@ -0,0 +1,23 @@
+[OPTIONS]
+
+log_level_out: notice
+tcpflags: 1
+nftables: 1
+tcp_flags_log_level: err
+log_level_in: info
+enable: 1
+smurf_log_level: alert
+ndp: 1
+protection_synflood: 1
+protection_synflood_burst: 1337
+protection_synflood_rate: 400
+nosmurfs: 1
+nf_conntrack_helpers: amanda,ftp,irc,netbios-ns,pptp,sane,sip,snmp,tftp
+
+
+[RULES]
+
+IN DNS(ACCEPT) -source dc/network1 -log nolog
+IN DHCPv6(ACCEPT) -log nolog
+IN DHCPfwd(ACCEPT) -log nolog
+
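Review bot: `nf_conntrack_helpers` enables every helper the option accepts, which is good for coverage but should be read as a maximal, not a recommended, configuration: the snapshot shows each helper yielding a `ct state {new, established}` accept on its port plus a `ct helper == <name>` accept in ct-in, i.e. the most permissive path the option can generate, so state in the commit message that this is intentional. The distinctive `protection_synflood_burst: 1337` and `protection_synflood_rate: 400` values, together with `tcpflags`, `nosmurfs` and the per-feature log levels, are presumably chosen so they stand out in the snapshot; a sentence saying so helps. Minor: two blank lines precede `[RULES]`.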
diff --git a/proxmox-firewall/tests/integration_tests.rs b/proxmox-firewall/tests/integration_tests.rs
new file mode 100644
index 0000000..860c78d
--- /dev/null
+++ b/proxmox-firewall/tests/integration_tests.rs
@@ -0,0 +1,90 @@
+use std::collections::HashMap;
+
+use proxmox_firewall::config::{FirewallConfig, FirewallConfigLoader, NftConfigLoader};
+use proxmox_firewall::firewall::Firewall;
+use proxmox_nftables::command::CommandOutput;
+use proxmox_sys::nodename;
+use proxmox_ve_config::guest::types::Vmid;
+use proxmox_ve_config::guest::{GuestEntry, GuestMap, GuestType};
+
+struct MockFirewallConfigLoader {}
+
+impl MockFirewallConfigLoader {
+ pub fn new() -> Self {
+ Self {}
+ }
+}
+
+impl FirewallConfigLoader for MockFirewallConfigLoader {
+ fn cluster(&self) -> Option<Box<dyn std::io::BufRead>> {
+ Some(Box::new(include_str!("input/cluster.fw").as_bytes()))
+ }
+
+ fn host(&self) -> Option<Box<dyn std::io::BufRead>> {
+ Some(Box::new(include_str!("input/host.fw").as_bytes()))
+ }
+
+ fn guest_list(&self) -> GuestMap {
+ let hostname = nodename().to_string();
+
+ let mut map = HashMap::new();
+
+ let entry = GuestEntry::new(hostname.clone(), GuestType::Vm);
+ map.insert(101.into(), entry);
+
+ let entry = GuestEntry::new(hostname, GuestType::Ct);
+ map.insert(100.into(), entry);
+
+ GuestMap::from(map)
+ }
+
+ fn guest_config(&self, vmid: &Vmid, _guest: &GuestEntry) -> Option<Box<dyn std::io::BufRead>> {
+ if *vmid == Vmid::new(101) {
+ return Some(Box::new(include_str!("input/101.conf").as_bytes()));
+ }
+
+ if *vmid == Vmid::new(100) {
+ return Some(Box::new(include_str!("input/100.conf").as_bytes()));
+ }
+
+ None
+ }
+
+ fn guest_firewall_config(&self, vmid: &Vmid) -> Option<Box<dyn std::io::BufRead>> {
+ if *vmid == Vmid::new(101) {
+ return Some(Box::new(include_str!("input/101.fw").as_bytes()));
+ }
+
+ if *vmid == Vmid::new(100) {
+ return Some(Box::new(include_str!("input/100.fw").as_bytes()));
+ }
+
+ None
+ }
+}
+
+struct MockNftConfigLoader {}
+
+impl MockNftConfigLoader {
+ pub fn new() -> Self {
+ Self {}
+ }
+}
+
+impl NftConfigLoader for MockNftConfigLoader {
+ fn chains(&self) -> CommandOutput {
+ serde_json::from_str(include_str!("input/chains.json")).expect("valid chains.json")
+ }
+}
+
+#[test]
+fn test_firewall() {
+ let firewall_config = FirewallConfig::new(
+ Box::new(MockFirewallConfigLoader::new()),
+ Box::new(MockNftConfigLoader::new()),
+ );
+
+ let firewall = Firewall::from(firewall_config);
+
+ insta::assert_json_snapshot!(firewall.full_host_fw().expect("firewall can be generated"));
+}
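Review bot: the snapshot's stability depends on an iteration order this file does not pin: `guest_list` builds a `HashMap` and hands it to `GuestMap::from`, and `HashMap` iteration order is randomized per process, so if the generator walks that map to emit per-guest chains the 3530-line snapshot will flake; either sort by VMID in the generator or use an ordered map here, and state which one guarantees the order. Second, `nodename()` reads the running host's name, tying the fixture to the machine it runs on (and being the sole reason for the proxmox-sys dev-dependency); if `Firewall` compares a guest's node against the local node name, say so in a comment, and if the name can be injected, pass a constant instead. Style: both mock loaders are unit structs with trivial `new()` methods (`#[derive(Default)]` or constructing `MockNftConfigLoader {}` at the call site would do), and the repeated `if *vmid == Vmid::new(...)` ladders in `guest_config` and `guest_firewall_config` read better as a single `match` on the numeric id. The commit message is also empty; it should explain what the fixtures represent and that `cargo insta review` is the way to accept an intentionally changed snapshot.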
diff --git a/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap b/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap
new file mode 100644
index 0000000..7611a64
--- /dev/null
+++ b/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap
@@ -0,0 +1,3530 @@
+---
+source: proxmox-firewall/tests/integration_tests.rs
+expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
+---
+{
+ "nftables": [
+ {
+ "flush": {
+ "chain": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "cluster-in"
+ }
+ }
+ },
+ {
+ "flush": {
+ "chain": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "cluster-out"
+ }
+ }
+ },
+ {
+ "add": {
+ "chain": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "host-in"
+ }
+ }
+ },
+ {
+ "flush": {
+ "chain": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "host-in"
+ }
+ }
+ },
+ {
+ "flush": {
+ "chain": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "option-in"
+ }
+ }
+ },
+ {
+ "add": {
+ "chain": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "host-out"
+ }
+ }
+ },
+ {
+ "flush": {
+ "chain": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "host-out"
+ }
+ }
+ },
+ {
+ "flush": {
+ "chain": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "option-out"
+ }
+ }
+ },
+ {
+ "flush": {
+ "map": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "vm-map-in"
+ }
+ }
+ },
+ {
+ "flush": {
+ "map": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "vm-map-out"
+ }
+ }
+ },
+ {
+ "flush": {
+ "chain": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "ct-in"
+ }
+ }
+ },
+ {
+ "flush": {
+ "chain": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "ratelimit-synflood"
+ }
+ }
+ },
+ {
+ "flush": {
+ "chain": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "log-invalid-tcp"
+ }
+ }
+ },
+ {
+ "flush": {
+ "chain": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "log-smurfs"
+ }
+ }
+ },
+ {
+ "delete": {
+ "chain": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "guest-800001-in"
+ }
+ }
+ },
+ {
+ "delete": {
+ "chain": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "guest-800001-out"
+ }
+ }
+ },
+ {
+ "delete": {
+ "chain": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "guest-90001-in"
+ }
+ }
+ },
+ {
+ "delete": {
+ "chain": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "guest-90001-out"
+ }
+ }
+ },
+ {
+ "delete": {
+ "chain": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "guest-90002-in"
+ }
+ }
+ },
+ {
+ "delete": {
+ "chain": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "guest-90002-out"
+ }
+ }
+ },
+ {
+ "delete": {
+ "chain": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "group-network1-in"
+ }
+ }
+ },
+ {
+ "delete": {
+ "chain": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "group-network1-out"
+ }
+ }
+ },
+ {
+ "add": {
+ "set": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "v4-dc/management",
+ "type": "ipv4_addr",
+ "flags": [
+ "interval"
+ ]
+ }
+ }
+ },
+ {
+ "flush": {
+ "set": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "v4-dc/management"
+ }
+ }
+ },
+ {
+ "add": {
+ "set": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "v4-dc/management-nomatch",
+ "type": "ipv4_addr",
+ "flags": [
+ "interval"
+ ]
+ }
+ }
+ },
+ {
+ "flush": {
+ "set": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "v4-dc/management-nomatch"
+ }
+ }
+ },
+ {
+ "add": {
+ "element": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "v4-dc/management",
+ "elem": [
+ {
+ "prefix": {
+ "addr": "127.0.0.1",
+ "len": 8
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "set": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "v6-dc/management",
+ "type": "ipv6_addr",
+ "flags": [
+ "interval"
+ ]
+ }
+ }
+ },
+ {
+ "flush": {
+ "set": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "v6-dc/management"
+ }
+ }
+ },
+ {
+ "add": {
+ "set": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "v6-dc/management-nomatch",
+ "type": "ipv6_addr",
+ "flags": [
+ "interval"
+ ]
+ }
+ }
+ },
+ {
+ "flush": {
+ "set": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "v6-dc/management-nomatch"
+ }
+ }
+ },
+ {
+ "add": {
+ "set": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "v4-dc/network1",
+ "type": "ipv4_addr",
+ "flags": [
+ "interval"
+ ]
+ }
+ }
+ },
+ {
+ "flush": {
+ "set": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "v4-dc/network1"
+ }
+ }
+ },
+ {
+ "add": {
+ "set": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "v4-dc/network1-nomatch",
+ "type": "ipv4_addr",
+ "flags": [
+ "interval"
+ ]
+ }
+ }
+ },
+ {
+ "flush": {
+ "set": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "v4-dc/network1-nomatch"
+ }
+ }
+ },
+ {
+ "add": {
+ "element": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "v4-dc/network1",
+ "elem": [
+ {
+ "prefix": {
+ "addr": "172.16.100.0",
+ "len": 24
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "set": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "v6-dc/network1",
+ "type": "ipv6_addr",
+ "flags": [
+ "interval"
+ ]
+ }
+ }
+ },
+ {
+ "flush": {
+ "set": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "v6-dc/network1"
+ }
+ }
+ },
+ {
+ "add": {
+ "set": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "v6-dc/network1-nomatch",
+ "type": "ipv6_addr",
+ "flags": [
+ "interval"
+ ]
+ }
+ }
+ },
+ {
+ "flush": {
+ "set": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "v6-dc/network1-nomatch"
+ }
+ }
+ },
+ {
+ "add": {
+ "chain": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "group-network1-in"
+ }
+ }
+ },
+ {
+ "flush": {
+ "chain": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "group-network1-in"
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "chain": "group-network1-in",
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "ip",
+ "field": "saddr"
+ }
+ },
+ "right": {
+ "prefix": {
+ "addr": "172.16.100.0",
+ "len": 24
+ }
+ }
+ }
+ },
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "ip",
+ "field": "daddr"
+ }
+ },
+ "right": {
+ "prefix": {
+ "addr": "172.16.100.0",
+ "len": 24
+ }
+ }
+ }
+ },
+ {
+ "accept": null
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "chain": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "group-network1-out"
+ }
+ }
+ },
+ {
+ "flush": {
+ "chain": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "group-network1-out"
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "chain": "cluster-in",
+ "expr": [
+ {
+ "accept": null
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "chain": "cluster-in",
+ "expr": [
+ {
+ "limit": {
+ "rate": 2,
+ "per": "second",
+ "burst": 12
+ }
+ },
+ {
+ "log": {
+ "prefix": ":0:6:cluster-in: DROP: ",
+ "group": 0
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "chain": "cluster-in",
+ "expr": [
+ {
+ "drop": null
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "chain": "cluster-out",
+ "expr": [
+ {
+ "limit": {
+ "rate": 2,
+ "per": "second",
+ "burst": 12
+ }
+ },
+ {
+ "log": {
+ "prefix": ":0:5:cluster-out: ACCEPT: ",
+ "group": 0
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "chain": "cluster-out",
+ "expr": [
+ {
+ "accept": null
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "ct helper": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "helper-amanda-udp",
+ "type": "amanda",
+ "protocol": "udp",
+ "l3proto": null
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "chain": "ct-in",
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "meta": {
+ "key": "l4proto"
+ }
+ },
+ "right": "udp"
+ }
+ },
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "th",
+ "field": "dport"
+ }
+ },
+ "right": 10080
+ }
+ },
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "ct": {
+ "key": "state"
+ }
+ },
+ "right": [
+ "new",
+ "established"
+ ]
+ }
+ },
+ {
+ "accept": null
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "chain": "ct-in",
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "meta": {
+ "key": "l4proto"
+ }
+ },
+ "right": "udp"
+ }
+ },
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "th",
+ "field": "dport"
+ }
+ },
+ "right": 10080
+ }
+ },
+ {
+ "ct helper": "helper-amanda-udp"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "chain": "ct-in",
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "ct": {
+ "key": "helper"
+ }
+ },
+ "right": "amanda"
+ }
+ },
+ {
+ "accept": null
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "ct helper": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "helper-ftp-tcp",
+ "type": "ftp",
+ "protocol": "tcp",
+ "l3proto": null
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "chain": "ct-in",
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "meta": {
+ "key": "l4proto"
+ }
+ },
+ "right": "tcp"
+ }
+ },
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "th",
+ "field": "dport"
+ }
+ },
+ "right": 21
+ }
+ },
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "ct": {
+ "key": "state"
+ }
+ },
+ "right": [
+ "new",
+ "established"
+ ]
+ }
+ },
+ {
+ "accept": null
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "chain": "ct-in",
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "meta": {
+ "key": "l4proto"
+ }
+ },
+ "right": "tcp"
+ }
+ },
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "th",
+ "field": "dport"
+ }
+ },
+ "right": 21
+ }
+ },
+ {
+ "ct helper": "helper-ftp-tcp"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "chain": "ct-in",
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "ct": {
+ "key": "helper"
+ }
+ },
+ "right": "ftp"
+ }
+ },
+ {
+ "accept": null
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "ct helper": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "helper-irc-tcp",
+ "type": "irc",
+ "protocol": "tcp",
+ "l3proto": "ip"
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "chain": "ct-in",
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "meta": {
+ "key": "l4proto"
+ }
+ },
+ "right": "tcp"
+ }
+ },
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "th",
+ "field": "dport"
+ }
+ },
+ "right": 6667
+ }
+ },
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "ct": {
+ "key": "state"
+ }
+ },
+ "right": [
+ "new",
+ "established"
+ ]
+ }
+ },
+ {
+ "accept": null
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "chain": "ct-in",
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "meta": {
+ "key": "l4proto"
+ }
+ },
+ "right": "tcp"
+ }
+ },
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "th",
+ "field": "dport"
+ }
+ },
+ "right": 6667
+ }
+ },
+ {
+ "ct helper": "helper-irc-tcp"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "chain": "ct-in",
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "ct": {
+ "key": "helper",
+ "family": "ip"
+ }
+ },
+ "right": "irc"
+ }
+ },
+ {
+ "accept": null
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "ct helper": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "helper-netbios-ns-udp",
+ "type": "netbios-ns",
+ "protocol": "udp",
+ "l3proto": "ip"
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "chain": "ct-in",
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "meta": {
+ "key": "l4proto"
+ }
+ },
+ "right": "udp"
+ }
+ },
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "th",
+ "field": "dport"
+ }
+ },
+ "right": 137
+ }
+ },
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "ct": {
+ "key": "state"
+ }
+ },
+ "right": [
+ "new",
+ "established"
+ ]
+ }
+ },
+ {
+ "accept": null
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "chain": "ct-in",
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "meta": {
+ "key": "l4proto"
+ }
+ },
+ "right": "udp"
+ }
+ },
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "th",
+ "field": "dport"
+ }
+ },
+ "right": 137
+ }
+ },
+ {
+ "ct helper": "helper-netbios-ns-udp"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "chain": "ct-in",
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "ct": {
+ "key": "helper",
+ "family": "ip"
+ }
+ },
+ "right": "netbios-ns"
+ }
+ },
+ {
+ "accept": null
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "ct helper": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "helper-pptp-tcp",
+ "type": "pptp",
+ "protocol": "tcp",
+ "l3proto": "ip"
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "chain": "ct-in",
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "meta": {
+ "key": "l4proto"
+ }
+ },
+ "right": "tcp"
+ }
+ },
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "th",
+ "field": "dport"
+ }
+ },
+ "right": 1723
+ }
+ },
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "ct": {
+ "key": "state"
+ }
+ },
+ "right": [
+ "new",
+ "established"
+ ]
+ }
+ },
+ {
+ "accept": null
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "chain": "ct-in",
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "meta": {
+ "key": "l4proto"
+ }
+ },
+ "right": "tcp"
+ }
+ },
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "th",
+ "field": "dport"
+ }
+ },
+ "right": 1723
+ }
+ },
+ {
+ "ct helper": "helper-pptp-tcp"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "chain": "ct-in",
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "ct": {
+ "key": "helper",
+ "family": "ip"
+ }
+ },
+ "right": "pptp"
+ }
+ },
+ {
+ "accept": null
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "ct helper": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "helper-sane-tcp",
+ "type": "sane",
+ "protocol": "tcp",
+ "l3proto": null
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "chain": "ct-in",
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "meta": {
+ "key": "l4proto"
+ }
+ },
+ "right": "tcp"
+ }
+ },
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "th",
+ "field": "dport"
+ }
+ },
+ "right": 6566
+ }
+ },
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "ct": {
+ "key": "state"
+ }
+ },
+ "right": [
+ "new",
+ "established"
+ ]
+ }
+ },
+ {
+ "accept": null
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "chain": "ct-in",
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "meta": {
+ "key": "l4proto"
+ }
+ },
+ "right": "tcp"
+ }
+ },
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "th",
+ "field": "dport"
+ }
+ },
+ "right": 6566
+ }
+ },
+ {
+ "ct helper": "helper-sane-tcp"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "chain": "ct-in",
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "ct": {
+ "key": "helper"
+ }
+ },
+ "right": "sane"
+ }
+ },
+ {
+ "accept": null
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "ct helper": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "helper-sip-udp",
+ "type": "sip",
+ "protocol": "udp",
+ "l3proto": null
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "chain": "ct-in",
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "meta": {
+ "key": "l4proto"
+ }
+ },
+ "right": "udp"
+ }
+ },
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "th",
+ "field": "dport"
+ }
+ },
+ "right": 5060
+ }
+ },
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "ct": {
+ "key": "state"
+ }
+ },
+ "right": [
+ "new",
+ "established"
+ ]
+ }
+ },
+ {
+ "accept": null
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "chain": "ct-in",
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "meta": {
+ "key": "l4proto"
+ }
+ },
+ "right": "udp"
+ }
+ },
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "th",
+ "field": "dport"
+ }
+ },
+ "right": 5060
+ }
+ },
+ {
+ "ct helper": "helper-sip-udp"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "chain": "ct-in",
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "ct": {
+ "key": "helper"
+ }
+ },
+ "right": "sip"
+ }
+ },
+ {
+ "accept": null
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "ct helper": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "helper-snmp-udp",
+ "type": "snmp",
+ "protocol": "udp",
+ "l3proto": "ip"
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "chain": "ct-in",
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "meta": {
+ "key": "l4proto"
+ }
+ },
+ "right": "udp"
+ }
+ },
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "th",
+ "field": "dport"
+ }
+ },
+ "right": 161
+ }
+ },
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "ct": {
+ "key": "state"
+ }
+ },
+ "right": [
+ "new",
+ "established"
+ ]
+ }
+ },
+ {
+ "accept": null
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "chain": "ct-in",
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "meta": {
+ "key": "l4proto"
+ }
+ },
+ "right": "udp"
+ }
+ },
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "th",
+ "field": "dport"
+ }
+ },
+ "right": 161
+ }
+ },
+ {
+ "ct helper": "helper-snmp-udp"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "chain": "ct-in",
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "ct": {
+ "key": "helper",
+ "family": "ip"
+ }
+ },
+ "right": "snmp"
+ }
+ },
+ {
+ "accept": null
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "ct helper": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "name": "helper-tftp-udp",
+ "type": "tftp",
+ "protocol": "udp",
+ "l3proto": null
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "chain": "ct-in",
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "meta": {
+ "key": "l4proto"
+ }
+ },
+ "right": "udp"
+ }
+ },
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "th",
+ "field": "dport"
+ }
+ },
+ "right": 69
+ }
+ },
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "ct": {
+ "key": "state"
+ }
+ },
+ "right": [
+ "new",
+ "established"
+ ]
+ }
+ },
+ {
+ "accept": null
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "chain": "ct-in",
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "meta": {
+ "key": "l4proto"
+ }
+ },
+ "right": "udp"
+ }
+ },
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "th",
+ "field": "dport"
+ }
+ },
+ "right": 69
+ }
+ },
+ {
+ "ct helper": "helper-tftp-udp"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "chain": "ct-in",
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "ct": {
+ "key": "helper"
+ }
+ },
+ "right": "tftp"
+ }
+ },
+ {
+ "accept": null
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "chain": "option-in",
+ "expr": [
+ {
+ "jump": {
+ "target": "allow-ndp-in"
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "chain": "option-out",
+ "expr": [
+ {
+ "jump": {
+ "target": "allow-ndp-out"
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "chain": "option-in",
+ "expr": [
+ {
+ "jump": {
+ "target": "block-synflood"
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "chain": "ratelimit-synflood",
+ "expr": [
+ {
+ "set": {
+ "op": "update",
+ "elem": {
+ "payload": {
+ "protocol": "ip",
+ "field": "saddr"
+ }
+ },
+ "set": "@v4-synflood-limit",
+ "stmt": {
+ "limit": {
+ "rate": 400,
+ "per": "second",
+ "burst": 1337,
+ "inv": true
+ }
+ }
+ }
+ },
+ {
+ "drop": null
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "chain": "ratelimit-synflood",
+ "expr": [
+ {
+ "set": {
+ "op": "update",
+ "elem": {
+ "payload": {
+ "protocol": "ip6",
+ "field": "saddr"
+ }
+ },
+ "set": "@v6-synflood-limit",
+ "stmt": {
+ "limit": {
+ "rate": 400,
+ "per": "second",
+ "burst": 1337,
+ "inv": true
+ }
+ }
+ }
+ },
+ {
+ "drop": null
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "chain": "option-in",
+ "expr": [
+ {
+ "jump": {
+ "target": "block-invalid-tcp"
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "chain": "log-invalid-tcp",
+ "expr": [
+ {
+ "limit": {
+ "rate": 2,
+ "per": "second",
+ "burst": 12
+ }
+ },
+ {
+ "log": {
+ "prefix": ":0:3:log-invalid-tcp: DROP: ",
+ "group": 0
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "chain": "option-in",
+ "expr": [
+ {
+ "jump": {
+ "target": "block-smurfs"
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "chain": "log-smurfs",
+ "expr": [
+ {
+ "limit": {
+ "rate": 2,
+ "per": "second",
+ "burst": 12
+ }
+ },
+ {
+ "log": {
+ "prefix": ":0:1:log-smurfs: DROP: ",
+ "group": 0
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "chain": "option-in",
+ "expr": [
+ {
+ "jump": {
+ "target": "block-conntrack-invalid"
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "chain": "host-in",
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "meta": {
+ "key": "l4proto"
+ }
+ },
+ "right": "udp"
+ }
+ },
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "th",
+ "field": "dport"
+ }
+ },
+ "right": 53
+ }
+ },
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "ip",
+ "field": "saddr"
+ }
+ },
+ "right": {
+ "prefix": {
+ "addr": "172.16.100.0",
+ "len": 24
+ }
+ }
+ }
+ },
+ {
+ "accept": null
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "chain": "host-in",
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "meta": {
+ "key": "l4proto"
+ }
+ },
+ "right": "tcp"
+ }
+ },
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "th",
+ "field": "dport"
+ }
+ },
+ "right": 53
+ }
+ },
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "ip",
+ "field": "saddr"
+ }
+ },
+ "right": {
+ "prefix": {
+ "addr": "172.16.100.0",
+ "len": 24
+ }
+ }
+ }
+ },
+ {
+ "accept": null
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "chain": "host-in",
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "meta": {
+ "key": "l4proto"
+ }
+ },
+ "right": "udp"
+ }
+ },
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "th",
+ "field": "sport"
+ }
+ },
+ "right": {
+ "range": [
+ 546,
+ 547
+ ]
+ }
+ }
+ },
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "th",
+ "field": "dport"
+ }
+ },
+ "right": {
+ "range": [
+ 546,
+ 547
+ ]
+ }
+ }
+ },
+ {
+ "accept": null
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "chain": "host-in",
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "meta": {
+ "key": "l4proto"
+ }
+ },
+ "right": "udp"
+ }
+ },
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "th",
+ "field": "sport"
+ }
+ },
+ "right": {
+ "range": [
+ 67,
+ 68
+ ]
+ }
+ }
+ },
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "th",
+ "field": "dport"
+ }
+ },
+ "right": {
+ "range": [
+ 67,
+ 68
+ ]
+ }
+ }
+ },
+ {
+ "accept": null
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v4-dc/management",
+ "type": "ipv4_addr",
+ "flags": [
+ "interval"
+ ]
+ }
+ }
+ },
+ {
+ "flush": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v4-dc/management"
+ }
+ }
+ },
+ {
+ "add": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v4-dc/management-nomatch",
+ "type": "ipv4_addr",
+ "flags": [
+ "interval"
+ ]
+ }
+ }
+ },
+ {
+ "flush": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v4-dc/management-nomatch"
+ }
+ }
+ },
+ {
+ "add": {
+ "element": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v4-dc/management",
+ "elem": [
+ {
+ "prefix": {
+ "addr": "127.0.0.1",
+ "len": 8
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v6-dc/management",
+ "type": "ipv6_addr",
+ "flags": [
+ "interval"
+ ]
+ }
+ }
+ },
+ {
+ "flush": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v6-dc/management"
+ }
+ }
+ },
+ {
+ "add": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v6-dc/management-nomatch",
+ "type": "ipv6_addr",
+ "flags": [
+ "interval"
+ ]
+ }
+ }
+ },
+ {
+ "flush": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v6-dc/management-nomatch"
+ }
+ }
+ },
+ {
+ "add": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v4-dc/network1",
+ "type": "ipv4_addr",
+ "flags": [
+ "interval"
+ ]
+ }
+ }
+ },
+ {
+ "flush": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v4-dc/network1"
+ }
+ }
+ },
+ {
+ "add": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v4-dc/network1-nomatch",
+ "type": "ipv4_addr",
+ "flags": [
+ "interval"
+ ]
+ }
+ }
+ },
+ {
+ "flush": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v4-dc/network1-nomatch"
+ }
+ }
+ },
+ {
+ "add": {
+ "element": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v4-dc/network1",
+ "elem": [
+ {
+ "prefix": {
+ "addr": "172.16.100.0",
+ "len": 24
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v6-dc/network1",
+ "type": "ipv6_addr",
+ "flags": [
+ "interval"
+ ]
+ }
+ }
+ },
+ {
+ "flush": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v6-dc/network1"
+ }
+ }
+ },
+ {
+ "add": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v6-dc/network1-nomatch",
+ "type": "ipv6_addr",
+ "flags": [
+ "interval"
+ ]
+ }
+ }
+ },
+ {
+ "flush": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v6-dc/network1-nomatch"
+ }
+ }
+ },
+ {
+ "add": {
+ "chain": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "group-network1-in"
+ }
+ }
+ },
+ {
+ "flush": {
+ "chain": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "group-network1-in"
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "chain": "group-network1-in",
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "ip",
+ "field": "saddr"
+ }
+ },
+ "right": {
+ "prefix": {
+ "addr": "172.16.100.0",
+ "len": 24
+ }
+ }
+ }
+ },
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "ip",
+ "field": "daddr"
+ }
+ },
+ "right": {
+ "prefix": {
+ "addr": "172.16.100.0",
+ "len": 24
+ }
+ }
+ }
+ },
+ {
+ "accept": null
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "chain": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "group-network1-out"
+ }
+ }
+ },
+ {
+ "flush": {
+ "chain": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "group-network1-out"
+ }
+ }
+ },
+ {
+ "add": {
+ "chain": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "guest-100-in"
+ }
+ }
+ },
+ {
+ "flush": {
+ "chain": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "guest-100-in"
+ }
+ }
+ },
+ {
+ "add": {
+ "chain": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "guest-100-out"
+ }
+ }
+ },
+ {
+ "flush": {
+ "chain": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "guest-100-out"
+ }
+ }
+ },
+ {
+ "add": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v4-guest-100/ipfilter-net1",
+ "type": "ipv4_addr",
+ "flags": [
+ "interval"
+ ]
+ }
+ }
+ },
+ {
+ "flush": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v4-guest-100/ipfilter-net1"
+ }
+ }
+ },
+ {
+ "add": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v4-guest-100/ipfilter-net1-nomatch",
+ "type": "ipv4_addr",
+ "flags": [
+ "interval"
+ ]
+ }
+ }
+ },
+ {
+ "flush": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v4-guest-100/ipfilter-net1-nomatch"
+ }
+ }
+ },
+ {
+ "add": {
+ "element": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v4-guest-100/ipfilter-net1",
+ "elem": [
+ {
+ "prefix": {
+ "addr": "172.16.100.0",
+ "len": 24
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v6-guest-100/ipfilter-net1",
+ "type": "ipv6_addr",
+ "flags": [
+ "interval"
+ ]
+ }
+ }
+ },
+ {
+ "flush": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v6-guest-100/ipfilter-net1"
+ }
+ }
+ },
+ {
+ "add": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v6-guest-100/ipfilter-net1-nomatch",
+ "type": "ipv6_addr",
+ "flags": [
+ "interval"
+ ]
+ }
+ }
+ },
+ {
+ "flush": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v6-guest-100/ipfilter-net1-nomatch"
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "chain": "guest-100-in",
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "meta": {
+ "key": "oifname"
+ }
+ },
+ "right": "veth100i1"
+ }
+ },
+ {
+ "match": {
+ "op": "!=",
+ "left": {
+ "payload": {
+ "protocol": "arp",
+ "field": "daddr ip"
+ }
+ },
+ "right": "@v4-guest-100/ipfilter-net1"
+ }
+ },
+ {
+ "drop": null
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "chain": "guest-100-out",
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "meta": {
+ "key": "iifname"
+ }
+ },
+ "right": "veth100i1"
+ }
+ },
+ {
+ "match": {
+ "op": "!=",
+ "left": {
+ "payload": {
+ "protocol": "ip",
+ "field": "saddr"
+ }
+ },
+ "right": "@v4-guest-100/ipfilter-net1"
+ }
+ },
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "ip",
+ "field": "saddr"
+ }
+ },
+ "right": "@v4-guest-100/ipfilter-net1-nomatch"
+ }
+ },
+ {
+ "drop": null
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "chain": "guest-100-out",
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "meta": {
+ "key": "iifname"
+ }
+ },
+ "right": "veth100i1"
+ }
+ },
+ {
+ "match": {
+ "op": "!=",
+ "left": {
+ "payload": {
+ "protocol": "ip6",
+ "field": "saddr"
+ }
+ },
+ "right": "@v6-guest-100/ipfilter-net1"
+ }
+ },
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "ip6",
+ "field": "saddr"
+ }
+ },
+ "right": "@v6-guest-100/ipfilter-net1-nomatch"
+ }
+ },
+ {
+ "drop": null
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "chain": "guest-100-out",
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "meta": {
+ "key": "iifname"
+ }
+ },
+ "right": "veth100i1"
+ }
+ },
+ {
+ "match": {
+ "op": "!=",
+ "left": {
+ "payload": {
+ "protocol": "arp",
+ "field": "saddr ip"
+ }
+ },
+ "right": "@v4-guest-100/ipfilter-net1"
+ }
+ },
+ {
+ "drop": null
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "chain": "guest-100-in",
+ "expr": [
+ {
+ "jump": {
+ "target": "allow-dhcp-in"
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "chain": "guest-100-out",
+ "expr": [
+ {
+ "jump": {
+ "target": "allow-dhcp-out"
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "chain": "guest-100-in",
+ "expr": [
+ {
+ "jump": {
+ "target": "allow-ndp-in"
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "chain": "guest-100-out",
+ "expr": [
+ {
+ "jump": {
+ "target": "allow-ndp-out"
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "chain": "guest-100-out",
+ "expr": [
+ {
+ "jump": {
+ "target": "block-ra-out"
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "chain": "guest-100-in",
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "ether",
+ "field": "type"
+ }
+ },
+ "right": "arp"
+ }
+ },
+ {
+ "accept": null
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "chain": "guest-100-in",
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "meta": {
+ "key": "oifname"
+ }
+ },
+ "right": "veth100i1"
+ }
+ },
+ {
+ "jump": {
+ "target": "group-network1-in"
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "chain": "guest-100-in",
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "meta": {
+ "key": "l4proto"
+ }
+ },
+ "right": "tcp"
+ }
+ },
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "th",
+ "field": "sport"
+ }
+ },
+ "right": 80
+ }
+ },
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "th",
+ "field": "dport"
+ }
+ },
+ "right": {
+ "set": [
+ 123,
+ {
+ "range": [
+ 222,
+ 333
+ ]
+ }
+ ]
+ }
+ }
+ },
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "ip",
+ "field": "saddr"
+ }
+ },
+ "right": {
+ "set": [
+ {
+ "prefix": {
+ "addr": "192.168.0.1",
+ "len": 24
+ }
+ },
+ {
+ "range": [
+ "127.0.0.1",
+ "127.255.255.0"
+ ]
+ },
+ {
+ "prefix": {
+ "addr": "172.16.0.1",
+ "len": 32
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "accept": null
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "chain": "guest-100-in",
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "icmp",
+ "field": "type"
+ }
+ },
+ "right": "echo-request"
+ }
+ },
+ {
+ "limit": {
+ "rate": 2,
+ "per": "second",
+ "burst": 12
+ }
+ },
+ {
+ "log": {
+ "prefix": ":100:6:guest-100-in: DROP: ",
+ "group": 0
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "chain": "guest-100-in",
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "icmp",
+ "field": "type"
+ }
+ },
+ "right": "echo-request"
+ }
+ },
+ {
+ "drop": null
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "element": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "vm-map-in",
+ "elem": [
+ [
+ "veth100i1",
+ {
+ "goto": {
+ "target": "guest-100-in"
+ }
+ }
+ ]
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "chain": "guest-100-in",
+ "expr": [
+ {
+ "jump": {
+ "target": "after-vm-in"
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "chain": "guest-100-in",
+ "expr": [
+ {
+ "limit": {
+ "rate": 2,
+ "per": "second",
+ "burst": 12
+ }
+ },
+ {
+ "log": {
+ "prefix": ":100:2:guest-100-in: DROP: ",
+ "group": 0
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "chain": "guest-100-in",
+ "expr": [
+ {
+ "drop": null
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "chain": "guest-100-out",
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "meta": {
+ "key": "iifname"
+ }
+ },
+ "right": "veth100i1"
+ }
+ },
+ {
+ "jump": {
+ "target": "group-network1-out"
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "element": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "vm-map-out",
+ "elem": [
+ [
+ "veth100i1",
+ {
+ "goto": {
+ "target": "guest-100-out"
+ }
+ }
+ ]
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "chain": "guest-100-out",
+ "expr": [
+ {
+ "limit": {
+ "rate": 2,
+ "per": "second",
+ "burst": 12
+ }
+ },
+ {
+ "log": {
+ "prefix": ":100:1:guest-100-out: REJECT: ",
+ "group": 0
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "chain": "guest-100-out",
+ "expr": [
+ {
+ "drop": null
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "chain": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "guest-101-in"
+ }
+ }
+ },
+ {
+ "flush": {
+ "chain": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "guest-101-in"
+ }
+ }
+ },
+ {
+ "add": {
+ "chain": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "guest-101-out"
+ }
+ }
+ },
+ {
+ "flush": {
+ "chain": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "guest-101-out"
+ }
+ }
+ },
+ {
+ "add": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v4-guest-101/testing",
+ "type": "ipv4_addr",
+ "flags": [
+ "interval"
+ ]
+ }
+ }
+ },
+ {
+ "flush": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v4-guest-101/testing"
+ }
+ }
+ },
+ {
+ "add": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v4-guest-101/testing-nomatch",
+ "type": "ipv4_addr",
+ "flags": [
+ "interval"
+ ]
+ }
+ }
+ },
+ {
+ "flush": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v4-guest-101/testing-nomatch"
+ }
+ }
+ },
+ {
+ "add": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v6-guest-101/testing",
+ "type": "ipv6_addr",
+ "flags": [
+ "interval"
+ ]
+ }
+ }
+ },
+ {
+ "flush": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v6-guest-101/testing"
+ }
+ }
+ },
+ {
+ "add": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v6-guest-101/testing-nomatch",
+ "type": "ipv6_addr",
+ "flags": [
+ "interval"
+ ]
+ }
+ }
+ },
+ {
+ "flush": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v6-guest-101/testing-nomatch"
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "chain": "guest-101-in",
+ "expr": [
+ {
+ "jump": {
+ "target": "allow-dhcp-in"
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "chain": "guest-101-out",
+ "expr": [
+ {
+ "jump": {
+ "target": "allow-dhcp-out"
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "chain": "guest-101-in",
+ "expr": [
+ {
+ "jump": {
+ "target": "block-ndp-in"
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "chain": "guest-101-out",
+ "expr": [
+ {
+ "jump": {
+ "target": "block-ndp-out"
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "chain": "guest-101-out",
+ "expr": [
+ {
+ "jump": {
+ "target": "block-ra-out"
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "chain": "guest-101-in",
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "ether",
+ "field": "type"
+ }
+ },
+ "right": "arp"
+ }
+ },
+ {
+ "accept": null
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "chain": "guest-101-in",
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "ip",
+ "field": "saddr"
+ }
+ },
+ "right": {
+ "prefix": {
+ "addr": "123.123.123.123",
+ "len": 32
+ }
+ }
+ }
+ },
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "ip",
+ "field": "daddr"
+ }
+ },
+ "right": {
+ "prefix": {
+ "addr": "172.16.200.0",
+ "len": 24
+ }
+ }
+ }
+ },
+ {
+ "accept": null
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "chain": "guest-101-in",
+ "expr": [
+ {
+ "jump": {
+ "target": "after-vm-in"
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "chain": "guest-101-in",
+ "expr": [
+ {
+ "drop": null
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "chain": "guest-101-out",
+ "expr": [
+ {
+ "accept": null
+ }
+ ]
+ }
+ }
+ }
+ ]
+}
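Review bot: the fallback for `guest-100-out` in this snapshot logs with prefix `":100:1:guest-100-out: REJECT: "` while the terminal rule right after it is `"drop": null`, so the log line advertises a verdict the ruleset does not actually apply. If dropping is the intended behaviour for the out direction here, the generator should emit `DROP` in the prefix (or the mapping from a REJECT policy to a drop statement should be documented beside the policy handling), otherwise the expected output in the snapshot should be a reject statement; as it stands the snapshot freezes the inconsistency and a later fix will show up as a spurious diff. Separately, the `ip saddr` set accepted in `guest-100-in` contains `"prefix": {"addr": "192.168.0.1", "len": 24}`, a prefix with host bits set that is passed through verbatim from the test input; consider making the test state explicitly whether the config layer is expected to normalise such entries to the network address or reject them, rather than relying on nft's handling of the unmasked prefix.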
--
2.39.2
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel