From: Stefan Hanreich
To: pve-devel@lists.proxmox.com
Date: Wed, 15 May 2024 15:37:19 +0200
Message-Id: <20240515133719.350719-2-s.hanreich@proxmox.com>
In-Reply-To: <20240515133719.350719-1-s.hanreich@proxmox.com>
References: <20240515133719.350719-1-s.hanreich@proxmox.com>
Subject: [pve-devel] [PATCH proxmox-firewall 2/2] firewall: improve conntrack handling

The output chain did not have any conntrack rules, which led to issues when the default output policy is not accept.

Also, move the conntrack rules to the beginning of all chains.

Signed-off-by: Stefan Hanreich
Originally-by: Laurent Guerby
---
Based this on the earlier patch in order to avoid conflicts when applying both patches.

 .../resources/proxmox-firewall.nft          |  9 ++----
 proxmox-firewall/src/firewall.rs            |  7 ----
 .../integration_tests__firewall.snap        | 32 -------------------
 3 files changed, 2 insertions(+), 46 deletions(-)

diff --git a/proxmox-firewall/resources/proxmox-firewall.nft b/proxmox-firewall/resources/proxmox-firewall.nft
index 90b5d5a..411e143 100644
--- a/proxmox-firewall/resources/proxmox-firewall.nft
+++ b/proxmox-firewall/resources/proxmox-firewall.nft
@@ -32,7 +32,6 @@ add chain bridge proxmox-firewall-guests allow-ndp-out add chain bridge proxmox-firewall-guests block-ndp-out add chain bridge proxmox-firewall-guests allow-ra-out add chain bridge proxmox-firewall-guests block-ra-out -add chain bridge proxmox-firewall-guests after-vm-in add chain bridge proxmox-firewall-guests do-reject add chain bridge proxmox-firewall-guests vm-out {type filter hook prerouting priority 0; policy accept;} add chain bridge proxmox-firewall-guests vm-in {type filter hook postrouting priority 0; policy accept;} @@ -64,7 +63,6 @@ flush chain bridge proxmox-firewall-guests allow-ndp-out flush chain bridge proxmox-firewall-guests block-ndp-out flush chain bridge proxmox-firewall-guests allow-ra-out flush chain bridge proxmox-firewall-guests block-ra-out -flush chain bridge proxmox-firewall-guests after-vm-in flush chain bridge proxmox-firewall-guests do-reject flush chain bridge proxmox-firewall-guests vm-out flush chain bridge proxmox-firewall-guests vm-in @@ -293,18 +291,15 @@ table bridge proxmox-firewall-guests { reject with icmp type host-prohibited } - chain after-vm-in { - ct state established,related accept - ether type != arp ct state invalid drop - } - chain vm-out { type filter hook prerouting priority 0; policy accept; + ether type != arp ct state vmap { established : accept, related : accept, invalid : drop } iifname vmap @vm-map-out } chain vm-in { type filter hook postrouting priority 0; policy accept; + ether type != arp ct state vmap { established : accept, related : accept, invalid : drop } ether type arp accept oifname vmap @vm-map-in } diff --git a/proxmox-firewall/src/firewall.rs b/proxmox-firewall/src/firewall.rs index 0da3ab7..4c85ea2 100644 --- a/proxmox-firewall/src/firewall.rs +++ b/proxmox-firewall/src/firewall.rs 
@@ -810,13 +810,6 @@ impl Firewall { ))); } - if direction == Direction::In { - commands.push(Add::rule(AddRule::from_statement( - chain.clone(), - Statement::jump("after-vm-in"), - ))); - } - self.create_log_rule( commands, config.log_level(direction), diff --git a/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap b/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap index 2ca151f..669bad9 100644 --- a/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap +++ b/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap @@ -3181,22 +3181,6 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")" } } }, - { - "add": { - "rule": { - "family": "bridge", - "table": "proxmox-firewall-guests", - "chain": "guest-100-in", - "expr": [ - { - "jump": { - "target": "after-vm-in" - } - } - ] - } - } - }, { "add": { "rule": { @@ -3638,22 +3622,6 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")" } } }, - { - "add": { - "rule": { - "family": "bridge", - "table": "proxmox-firewall-guests", - "chain": "guest-101-in", - "expr": [ - { - "jump": { - "target": "after-vm-in" - } - } - ] - } - } - }, { "add": { "rule": { -- 2.39.2 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
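Review bot: in the @@ -32,7 and @@ -64,7 hunks of proxmox-firewall.nft, dropping `add chain bridge proxmox-firewall-guests after-vm-in` and the matching `flush chain` line removes the chain from the template, but nothing deletes it, so a host that already loaded the previous ruleset keeps an unreferenced after-vm-in chain with its old rules until the whole table is recreated. If the table is kept across reloads (the per-chain add/flush pattern in this file suggests it is), add an explicit cleanup: keep `add chain bridge proxmox-firewall-guests after-vm-in` and follow it with `delete chain bridge proxmox-firewall-guests after-vm-in` so the delete does not fail on a fresh host, and drop the pair once upgrades are through.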
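Review bot: the vmap rules added in the @@ -293,18 hunk sit in the base chains ahead of `iifname vmap @vm-map-out` and `oifname vmap @vm-map-in`, and `accept` there ends evaluation, so established/related frames never reach a guest's own chain any more; before this patch (see the firewall.rs @@ -810,13 hunk) the after-vm-in jump was emitted only for `Direction::In` and was pushed after whatever the guest chain already contained, immediately before `create_log_rule`, so a guest rule that explicitly dropped or logged an existing flow still applied. Bypassing per-guest rules for tracked flows is a reasonable choice and is what makes the output direction work with a non-accept policy, but it is a behaviour change for the input direction and should be spelled out in the commit message, together with the fact that `invalid : drop` now also applies to outbound traffic, which had no invalid handling at all before.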
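Review bot: with the `Direction::In` block gone from the @@ -810,13 hunk, nothing in firewall.rs records that conntrack handling now lives in the vm-out/vm-in base chains of the .nft template; a one-line comment at this spot (conntrack accept and invalid drop are done in the base chain before the vmap dispatch, do not add a per-guest jump here) would stop someone from reintroducing it, and since the chain no longer exists in the template it is worth checking that no other reference to the "after-vm-in" name remains outside this hunk.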
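Review bot: the snapshot hunks at @@ -3181,22 and @@ -3638,22 only drop the jump rules for guest-100-in and guest-101-in; the new `ct state vmap` rules live in the static proxmox-firewall.nft resource, which the `firewall.full_host_fw()` snapshot does not appear to cover, so the actual fix has no test. Consider a test that loads the resource and asserts that the first rule of both vm-out and vm-in is the conntrack vmap, otherwise a later edit could move it behind the vmap dispatch without any snapshot changing.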