From mboxrd@z Thu Jan 1 00:00:00 1970
From: Stefan Hanreich
To: pve-devel@lists.proxmox.com
Date: Wed, 15 May 2024 15:37:18 +0200
Message-Id: <20240515133719.350719-1-s.hanreich@proxmox.com>
X-Mailer: git-send-email 2.39.2
MIME-Version: 1.0
Subject: [pve-devel] [PATCH proxmox-firewall 1/2] firewall: improve handling of ARP traffic for guests
List-Id: Proxmox VE development discussion
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

In order to be able to send outgoing ARP packets when the default policy is set to drop or reject, we need to explicitly allow ARP traffic in the outgoing chain of guests. We need to do this in the guest chain itself in order to be able to filter spoofed packets via the MAC filter.

Contrary to the out direction, we can simply accept all incoming ARP traffic, since we do not do any MAC filtering for incoming traffic. Since we create fdb entries for every NIC, guests should only see ARP traffic for their MAC addresses anyway.

Signed-off-by: Stefan Hanreich
Originally-by: Laurent Guerby
---
 proxmox-firewall/resources/proxmox-firewall.nft      | 1 +
 proxmox-firewall/src/firewall.rs                     | 8 ++++----
 .../tests/snapshots/integration_tests__firewall.snap | 4 ++--
 3 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/proxmox-firewall/resources/proxmox-firewall.nft b/proxmox-firewall/resources/proxmox-firewall.nft index f36bf3b..90b5d5a 100644 --- a/proxmox-firewall/resources/proxmox-firewall.nft +++ b/proxmox-firewall/resources/proxmox-firewall.nft @@ -305,6 +305,7 @@ table bridge proxmox-firewall-guests { chain vm-in { type filter hook postrouting priority 0; policy accept; + ether type arp accept oifname vmap @vm-map-in } } diff --git a/proxmox-firewall/src/firewall.rs b/proxmox-firewall/src/firewall.rs index 41b1df2..0da3ab7 100644 --- a/proxmox-firewall/src/firewall.rs +++ b/proxmox-firewall/src/firewall.rs @@ -516,7 +516,7 @@ impl Firewall { commands.append(&mut vec![ Add::rule(AddRule::from_statement( - chain_in.clone(), + chain_in, Statement::jump(ndp_chains.0), )), Add::rule(AddRule::from_statement( @@ -532,17 +532,17 @@ impl Firewall { }; commands.push(Add::rule(AddRule::from_statement( - chain_out, + chain_out.clone(), Statement::jump(ra_chain_out), ))); - // we allow incoming ARP by default, except if blocked by any option above + // we allow outgoing ARP, except if blocked by the MAC filter above let arp_rule = vec![ Match::new_eq(Payload::field("ether", "type"), Expression::from("arp")).into(), Statement::make_accept(), ]; - commands.push(Add::rule(AddRule::from_statements(chain_in, arp_rule))); + commands.push(Add::rule(AddRule::from_statements(chain_out, arp_rule))); Ok(()) } diff --git a/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap b/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap index 092ccef..2ca151f 100644 --- a/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap +++ b/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap @@ -2923,7 +2923,7 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")" "rule": { "family": "bridge", "table": "proxmox-firewall-guests", - "chain": "guest-100-in", + "chain": "guest-100-out", "expr": [ { "match": { 
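Review bot: in the proxmox-firewall.nft hunk, placing `ether type arp accept` ahead of `oifname vmap @vm-map-in` in `vm-in` means the per-guest in-chains never see ARP at all, and the justification that fdb entries limit what a guest sees only holds for unicast frames (ARP replies); ARP requests are broadcast and are flooded to every bridge port regardless of fdb entries, so every guest receives every ARP request on the bridge whatever its in-policy is. That is ordinary Ethernet behaviour and acceptable here, but the commit message should state it plainly, and a one-line comment above the new rule explaining why ARP bypasses the per-guest in-chains would save the next reader from wondering whether the bypass is intentional.

Review bot: in the firewall.rs hunk at line 532, the new comment "except if blocked by the MAC filter above" depends on the MAC-filter rules having been appended to `chain_out` earlier in this function, which is outside the visible context, and a frame-level source-MAC match does not cover the ARP payload: a guest can send an ARP reply whose Ethernet source address is its own while the sender hardware/protocol address inside the ARP body is forged. If the MAC filter is an `ether saddr` match only, consider replacing the unconditional `Statement::make_accept()` with a match on `arp saddr ether` (and, where an IP filter is configured for the NIC, `arp saddr ip`) before the accept, so the rule delivers the spoofing protection the commit message claims. Since `accept` terminates evaluation, the updated `guest-100-out` snapshot should also be checked to confirm this rule lands after the MAC-filter rules rather than before them.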
@@ -3569,7 +3569,7 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")" "rule": { "family": "bridge", "table": "proxmox-firewall-guests", - "chain": "guest-101-in", + "chain": "guest-101-out", "expr": [ { "match": { -- 2.39.2 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
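As an added illustration of the ordering the commit message relies on (MAC filter first, then the outgoing ARP accept) and of the gap between a frame-level source-MAC check and the ARP payload, here is a hypothetical bridge-family nftables ruleset. It is not the patch's or the proxmox-firewall project's ruleset; the table name, the interface name `tap100i0`, the MAC `00:11:22:33:44:55` and the address `192.0.2.10` are invented for the example.

```nft
# Added example: hypothetical bridge-family ruleset, not from the patch or the
# proxmox-firewall project. Table, interface, MAC and IP are invented.
table bridge example-guests {
    # Per-guest outbound chain. The MAC filter has to precede the ARP accept;
    # nft stops evaluating a chain at the first terminal verdict, so an
    # accept placed earlier would short-circuit the filter.
    chain guest-100-out {
        # Frame-level MAC filter: only checks the Ethernet source address.
        ether saddr != 00:11:22:33:44:55 drop

        # The frame check alone does not cover the ARP body: a guest can send
        # a reply with its real frame MAC but a forged sender address inside
        # the ARP packet. Matching the ARP sender fields closes that gap.
        arp saddr ether != 00:11:22:33:44:55 drop
        arp saddr ip != 192.0.2.10 drop

        # Outgoing ARP that passed the filters above. Without this rule a
        # drop/reject default policy would silence the guest's ARP entirely.
        ether type arp accept

        # Further guest rules would follow here; the default policy is applied
        # by whatever the calling chain does after this chain returns.
    }

    # Base chain on the bridge hook; dispatches to the per-guest chain by port.
    chain vm-out {
        type filter hook prerouting priority 0; policy accept;
        iifname vmap { "tap100i0" : jump guest-100-out }
    }
}
```

Load it with `nft -f` on a test host. An ARP reply from the guest whose Ethernet source is the real MAC but whose ARP sender hardware address is something else passes the `ether saddr` line and is stopped only by the `arp saddr ether` line; a ruleset with just the first check lets it through.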