From: Hannes Laimer <h.laimer@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH] firewall: resources: accept invalid ct state by default
Date: Fri, 15 Nov 2024 13:33:21 +0100
Message-ID: <20241115123321.49338-1-h.laimer@proxmox.com>
We only add a `block-conntrack-invalid` jump to the in chain, if
the `nf_conntrack_allow_invalid` option is not set in the config. But we
already drop connections with an invalid ct state by default. So we have
to either allow connections with an invalid ct state by default, or explicitly
allow them when checking for the option and keeping them blocked by default.
I chose to change the 'default' as it has the same result but is
a simpler change.
Signed-off-by: Hannes Laimer <h.laimer@proxmox.com>
---
Relevant code [1]:
```rust
if self.config.host().block_invalid_conntrack() {
    log::debug!("set block_invalid_conntrack");
    commands.push(Add::rule(AddRule::from_statement(
        chain_in,
        Statement::jump("block-conntrack-invalid"),
    )));
}
```
I am not sure whether adding a jump to `block-conntrack-invalid` would
also make sense for the out chain.
[1] https://git.proxmox.com/?p=proxmox-firewall.git;a=blob;f=proxmox-firewall/src/firewall.rs;h=941aa2008b4e3a22d9b37a0f8bc39c3643eb97c8;hb=bea3e651b47f2a9113b93e45db2904ddfd2fe174#l394
proxmox-firewall/resources/proxmox-firewall.nft | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/proxmox-firewall/resources/proxmox-firewall.nft b/proxmox-firewall/resources/proxmox-firewall.nft
index f42255c..be9a930 100644
--- a/proxmox-firewall/resources/proxmox-firewall.nft
+++ b/proxmox-firewall/resources/proxmox-firewall.nft
@@ -316,7 +316,7 @@ table bridge proxmox-firewall-guests {
}
chain pre-vm-out {
- meta protocol != arp ct state vmap { established : accept, related : accept, invalid : drop }
+ meta protocol != arp ct state vmap { established : accept, related : accept, invalid : accept }
}
chain vm-out {
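Review bot: this hunk changes `pre-vm-out` unconditionally, yet the cover note says the `block-conntrack-invalid` jump is only ever added to the in chain, so for outbound guest traffic `invalid : drop` becomes `invalid : accept` with no option-dependent way left to block invalid-state packets (before the patch they were always dropped, after it they are always accepted, whatever `nf_conntrack_allow_invalid` is set to). Either keep this line as `invalid : drop` until a matching jump exists for the out chain, or add that jump in the same series so the option governs both directions.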
@@ -326,7 +326,7 @@ table bridge proxmox-firewall-guests {
}
chain pre-vm-in {
- meta protocol != arp ct state vmap { established : accept, related : accept, invalid : drop }
+ meta protocol != arp ct state vmap { established : accept, related : accept, invalid : accept }
meta protocol arp accept
}
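Review bot: `accept` in the verdict map is a terminating verdict, so a packet with ct state invalid is accepted by this rule and never reaches any rule evaluated later in the same chain; if the `block-conntrack-invalid` jump that the Rust snippet adds ends up after this line, the option would have no effect on the in path either. If the intent is to let that later jump decide, `invalid : continue` (or simply omitting the `invalid` key so such packets fall through the map) expresses that; the `meta protocol arp accept` line below is unaffected either way.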
--
2.39.5
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
Thread overview (3+ messages):
2024-11-15 12:33 Hannes Laimer [this message]
2024-11-15 13:13 ` Stefan Hanreich
2024-11-15 13:43 ` Stefan Hanreich