From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id A16061FF165 for ; Thu, 25 Sep 2025 14:21:25 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id E8F2A1FABD; Thu, 25 Sep 2025 14:21:47 +0200 (CEST) From: Stefan Hanreich To: pve-devel@lists.proxmox.com Date: Thu, 25 Sep 2025 14:21:40 +0200 Message-ID: <20250925122142.228719-4-s.hanreich@proxmox.com> X-Mailer: git-send-email 2.47.3 In-Reply-To: <20250925122142.228719-1-s.hanreich@proxmox.com> References: <20250925122142.228719-1-s.hanreich@proxmox.com> MIME-Version: 1.0 X-SPAM-LEVEL: Spam detection results: 0 AWL -0.182 Adjusted score from AWL reputation of 
From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment KAM_LAZY_DOMAIN_SECURITY 1 Sending domain does not have any anti-forgery methods RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RDNS_NONE 0.793 Delivered to internal network by a host with no rDNS SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_NONE 0.001 SPF: sender does not publish an SPF Record Subject: [pve-devel] [PATCH proxmox-firewall v2 2/3] ipfilter: fix wrong entries for containers X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox VE development discussion Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pve-devel-bounces@lists.proxmox.com Sender: "pve-devel" The firewall used the CIDR from the container network configuration for autogenerating the IP filter. If an IP of 192.0.2.1/24 was configured, then the whole 192.0.2.0/24 range was allowed instead of only 192.0.2.1 . Signed-off-by: Stefan Hanreich --- proxmox-firewall/src/firewall.rs | 10 +- proxmox-firewall/tests/input/100.conf | 1 + .../integration_tests__firewall.snap | 316 ++++++++++++++++++ 3 files changed, 324 insertions(+), 3 deletions(-) 
diff --git a/proxmox-firewall/src/firewall.rs b/proxmox-firewall/src/firewall.rs
index 5012610..ddf839b 100644
--- a/proxmox-firewall/src/firewall.rs
+++ b/proxmox-firewall/src/firewall.rs
@@ -24,7 +24,7 @@ use proxmox_ve_config::firewall::ct_helper::get_cthelper;
 use proxmox_ve_config::firewall::guest::Config as GuestConfig;
 use proxmox_ve_config::firewall::host::Config as HostConfig;
-use proxmox_network_types::ip_address::{Cidr, Ipv6Cidr};
+use proxmox_network_types::ip_address::{Cidr, Ipv4Cidr, Ipv6Cidr};
 use proxmox_ve_config::firewall::types::ipset::{
 Ipfilter, Ipset, IpsetEntry, IpsetName, IpsetScope,
 };
@@ -815,11 +815,15 @@ impl Firewall {
 ipset.push(IpsetEntry::from(Cidr::from(cidr)));
 
 if let Some(ip_address) = network_device.ip() {
- ipset.push(IpsetEntry::from(Cidr::from(ip_address)));
+ ipset.push(IpsetEntry::from(Cidr::from(Ipv4Cidr::from(
+ *ip_address.address(),
+ ))));
 }
 
 if let Some(ip6_address) = network_device.ip6() {
- ipset.push(IpsetEntry::from(Cidr::from(ip6_address)));
+ ipset.push(IpsetEntry::from(Cidr::from(Ipv6Cidr::from(
+ *ip6_address.address(),
+ ))));
 }
 
 commands.append(&mut ipset.to_nft_objects(&env)?);
diff --git a/proxmox-firewall/tests/input/100.conf b/proxmox-firewall/tests/input/100.conf
index cf9af7f..1f81186 100644
--- a/proxmox-firewall/tests/input/100.conf
+++ b/proxmox-firewall/tests/input/100.conf
@@ -5,6 +5,7 @@ hostname: host1
 memory: 512
 net1: name=eth0,bridge=simple1,firewall=1,hwaddr=BC:24:11:4D:B0:FF,ip=dhcp,ip6=fd80::1234/64,type=veth
 net2: name=eth0,bridge=simple1,hwaddr=BC:24:11:4D:B0:FF,ip=dhcp,ip6=fd80::1234/64,type=veth
+net3: name=eth0,bridge=simple2,firewall=1,hwaddr=BC:24:11:4D:B0:FE,ip=192.0.2.10/24,ip6=fd80::1235/64,type=veth
 ostype: debian
 rootfs: local-lvm:vm-90001-disk-0,size=2G
 swap: 512
diff --git a/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap b/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap
index e3db8ae..feeda5b 100644
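Review bot: The new `Ipv4Cidr::from(*ip_address.address())` and `Ipv6Cidr::from(*ip6_address.address())` calls in the `@@ -815` hunk deliberately discard the prefix length of the configured address, but nothing at the call site records that this is intentional, so a later cleanup could plausibly fold them back into the shorter `Cidr::from(ip_address)` form this hunk removes. A comment above the first `if let` would pin the contract: `// A container's configured netmask describes its subnet, not the addresses it may use; only the host address itself belongs in the auto-generated ipfilter.` The enclosing function of `impl Firewall` starts before the hunk, so the origin of the `cidr` pushed on the first context line is not visible here; from the snapshot it looks like the MAC-derived link-local address, which is already a single host, but that is worth confirming since the same host-only rule should hold for every entry of the generated set.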
--- a/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap
+++ b/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap
@@ -4384,6 +4384,306 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
 }
 }
 },
+ {
+ "add": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v4-guest-100/ipfilter-net3",
+ "type": "ipv4_addr",
+ "flags": [
+ "interval"
+ ]
+ }
+ }
+ },
+ {
+ "flush": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v4-guest-100/ipfilter-net3"
+ }
+ }
+ },
+ {
+ "add": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v4-guest-100/ipfilter-net3-nomatch",
+ "type": "ipv4_addr",
+ "flags": [
+ "interval"
+ ]
+ }
+ }
+ },
+ {
+ "flush": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v4-guest-100/ipfilter-net3-nomatch"
+ }
+ }
+ },
+ {
+ "add": {
+ "element": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v4-guest-100/ipfilter-net3",
+ "elem": [
+ {
+ "prefix": {
+ "addr": "192.0.2.10",
+ "len": 32
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v6-guest-100/ipfilter-net3",
+ "type": "ipv6_addr",
+ "flags": [
+ "interval"
+ ]
+ }
+ }
+ },
+ {
+ "flush": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v6-guest-100/ipfilter-net3"
+ }
+ }
+ },
+ {
+ "add": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v6-guest-100/ipfilter-net3-nomatch",
+ "type": "ipv6_addr",
+ "flags": [
+ "interval"
+ ]
+ }
+ }
+ },
+ {
+ "flush": {
+ "set": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v6-guest-100/ipfilter-net3-nomatch"
+ }
+ }
+ },
+ {
+ "add": {
+ "element": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "name": "v6-guest-100/ipfilter-net3",
+ "elem": [
+ {
+ "prefix": {
+ "addr": "fe80::be24:11ff:fe4d:b0fe",
+ "len": 128
+ }
+ },
+ {
+ "prefix": {
+ "addr": "fd80::1235",
+ "len": 128
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "chain": "guest-100-in",
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "meta": {
+ "key": "oifname"
+ }
+ },
+ "right": "veth100i3"
+ }
+ },
+ {
+ "match": {
+ "op": "!=",
+ "left": {
+ "payload": {
+ "protocol": "arp",
+ "field": "daddr ip"
+ }
+ },
+ "right": "@v4-guest-100/ipfilter-net3"
+ }
+ },
+ {
+ "drop": null
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "chain": "guest-100-out",
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "meta": {
+ "key": "iifname"
+ }
+ },
+ "right": "veth100i3"
+ }
+ },
+ {
+ "match": {
+ "op": "!=",
+ "left": {
+ "payload": {
+ "protocol": "ip",
+ "field": "saddr"
+ }
+ },
+ "right": "@v4-guest-100/ipfilter-net3"
+ }
+ },
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "ip",
+ "field": "saddr"
+ }
+ },
+ "right": "@v4-guest-100/ipfilter-net3-nomatch"
+ }
+ },
+ {
+ "drop": null
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "chain": "guest-100-out",
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "meta": {
+ "key": "iifname"
+ }
+ },
+ "right": "veth100i3"
+ }
+ },
+ {
+ "match": {
+ "op": "!=",
+ "left": {
+ "payload": {
+ "protocol": "ip6",
+ "field": "saddr"
+ }
+ },
+ "right": "@v6-guest-100/ipfilter-net3"
+ }
+ },
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "ip6",
+ "field": "saddr"
+ }
+ },
+ "right": "@v6-guest-100/ipfilter-net3-nomatch"
+ }
+ },
+ {
+ "drop": null
+ }
+ ]
+ }
+ }
+ },
+ {
+ "add": {
+ "rule": {
+ "family": "bridge",
+ "table": "proxmox-firewall-guests",
+ "chain": "guest-100-out",
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "meta": {
+ "key": "iifname"
+ }
+ },
+ "right": "veth100i3"
+ }
+ },
+ {
+ "match": {
+ "op": "!=",
+ "left": {
+ "payload": {
+ "protocol": "arp",
+ "field": "saddr ip"
+ }
+ },
+ "right": "@v4-guest-100/ipfilter-net3"
+ }
+ },
+ {
+ "drop": null
+ }
+ ]
+ }
+ }
+ },
 {
 "add": {
 "rule": {
@@ -4742,6 +5042,14 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
 "target": "guest-100-in"
 }
 }
+ ],
+ [
+ "veth100i3",
+ {
+ "goto": {
+ "target": "guest-100-in"
+ }
+ }
 ]
 ]
 }
@@ -4886,6 +5194,14 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
 "target": "guest-100-out"
 }
 }
+ ],
+ [
+ "veth100i3",
+ {
+ "goto": {
+ "target": "guest-100-out"
+ }
+ }
 ]
 ]
 }
-- 
2.47.3

_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel