From: Stefan Hanreich
To: pve-devel@lists.proxmox.com
Date: Wed, 3 Jul 2024 11:17:12 +0200
Message-Id: <20240703091712.99197-3-s.hanreich@proxmox.com>
X-Mailer: git-send-email 2.39.2
In-Reply-To: <20240703091712.99197-1-s.hanreich@proxmox.com>
References: <20240703091712.99197-1-s.hanreich@proxmox.com>
MIME-Version: 1.0
X-SPAM-LEVEL: Spam detection results: 0 AWL -0.255 Adjusted score from AWL reputation of
From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment KAM_LAZY_DOMAIN_SECURITY 1 Sending domain does not have any anti-forgery methods RDNS_NONE 0.793 Delivered to internal network by a host with no rDNS SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_NONE 0.001 SPF: sender does not publish an SPF Record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [firewall.rs] Subject: [pve-devel] [PATCH proxmox-firewall 3/3] guest: match arp packets via meta X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox VE development discussion Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pve-devel-bounces@lists.proxmox.com Sender: "pve-devel" When matching via ether type, VLAN packets are not matched. This can cause ARP packets encapsulated in VLAN frames to be dropped. Signed-off-by: Stefan Hanreich --- proxmox-firewall/src/firewall.rs | 2 +- .../tests/snapshots/integration_tests__firewall.snap | 10 ++++------ 2 files changed, 5 insertions(+), 7 deletions(-) diff --git a/proxmox-firewall/src/firewall.rs b/proxmox-firewall/src/firewall.rs index 4ea81df..941aa20 100644 --- a/proxmox-firewall/src/firewall.rs +++ b/proxmox-firewall/src/firewall.rs @@ -538,7 +538,7 @@ impl Firewall { // we allow outgoing ARP, except if blocked by the MAC filter above let arp_rule = vec![ - Match::new_eq(Payload::field("ether", "type"), Expression::from("arp")).into(), + Match::new_eq(Meta::new("protocol"), Expression::from("arp")).into(), Statement::make_accept(), ]; 
diff --git a/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap b/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap index e1953e0..40d4405 100644 --- a/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap +++ b/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap @@ -2961,9 +2961,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")" "match": { "op": "==", "left": { - "payload": { - "protocol": "ether", - "field": "type" + "meta": { + "key": "protocol" } }, "right": "arp" @@ -3623,9 +3622,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")" "match": { "op": "==", "left": { - "payload": { - "protocol": "ether", - "field": "type" + "meta": { + "key": "protocol" } }, "right": "arp" -- 2.39.2 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
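Review bot: the firewall.rs hunk (@@ -538,7 +538,7 @@) swaps `Payload::field("ether", "type")` for `Meta::new("protocol")` without adding a `use` line, and the diffstat confirms only that one line changes in the file, so `Meta` must already be in scope there for this to build; please confirm rather than rely on the snapshot test alone. The commit message could also state the mechanism in one sentence, since it is the whole justification for the change: in nftables the `ether type` payload match reads the outer EtherType of the frame, which for a VLAN-tagged frame is the 802.1Q tag protocol and never `arp`, while `meta protocol` reads the encapsulated payload protocol, so a tagged ARP frame matches `meta protocol arp` but not `ether type arp`. Stating that makes it clear the rule still only accepts ARP and does not widen the accept to other protocols.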
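Review bot: the two snapshot hunks (@@ -2961,9 +2961,8 @@ and @@ -3623,9 +3622,8 @@) change only the JSON shape of the left-hand side of the match, from `"payload": {"protocol": "ether", "field": "type"}` to `"meta": {"key": "protocol"}`, with `"right": "arp"` unchanged, which is consistent with the code hunk but means the test coverage is the generated ruleset text, not the VLAN behaviour the commit message claims. Two things would help here: both hunks sit under the `firewall.full_host_fw()` snapshot expression while the subject says `guest:`, so a line in the message noting that the guest ARP rule is emitted as part of the full host ruleset would avoid a reader wondering whether a guest-specific snapshot was missed; and a sentence on how the tagged-ARP case was verified (for example a manual check against a VLAN-aware bridge), since the snapshot cannot exercise it.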