From: Stefan Hanreich <s.hanreich@proxmox.com>
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>,
Hannes Laimer <h.laimer@proxmox.com>
Subject: Re: [pve-devel] [PATCH] firewall: resources: accept invalid ct state by default
Date: Fri, 15 Nov 2024 14:13:26 +0100 [thread overview]
Message-ID: <508606c2-8e34-4d6f-b975-a4e96d022b13@proxmox.com> (raw)
In-Reply-To: <20241115123321.49338-1-h.laimer@proxmox.com>
On 11/15/24 13:33, Hannes Laimer wrote:
> We only add a `block-conntrack-invalid` jump to the in chain, if
> the `nf_conntrack_allow_invalid` option is not set in the config. But we
> already drop connections with an invalid ct state by default. So we have
> to either allow connections with an invalid ct state by default, or explicitly
> allow them when checking for the option and keeping them blocked by default.
> I chose to change the 'default' as it has the same result but is
> simpler a change.
>
> Signed-off-by: Hannes Laimer <h.laimer@proxmox.com>
> ---
> relevant code[1]
> ```
> if self.config.host().block_invalid_conntrack() {
> log::debug!("set block_invalid_conntrack");
>
> commands.push(Add::rule(AddRule::from_statement(
> chain_in,
> Statement::jump("block-conntrack-invalid"),
> )));
> }
> ```
This setting is for toggling invalid traffic on host level and works
because in the host default-in chain we have:
ct state established,related accept
and then insert in the option-in chain
jump block-conntrack-invalid
depending on the `nf_conntrack_allow_invalid` setting.
For VMs this isn't configurable, we always drop conntrack invalid traffic:
>
> chain pre-vm-out {
> - meta protocol != arp ct state vmap { established : accept, related : accept, invalid : drop }
> + meta protocol != arp ct state vmap { established : accept, related : accept, invalid : accept }
> }
>
> chain vm-out {
> @@ -326,7 +326,7 @@ table bridge proxmox-firewall-guests {
> }
>
> chain pre-vm-in {
> - meta protocol != arp ct state vmap { established : accept, related : accept, invalid : drop }
> + meta protocol != arp ct state vmap { established : accept, related : accept, invalid : accept }
> meta protocol arp accept
> }
>
This change has a problem though: It would *always* allow traffic with
ct state invalid for VMs.
I see two ways of solving this problem:
* We introduce a knob at VM level that lets you decide whether to drop
ct invalid traffic or not. (Invalid traffic would then still be
evaluated by the firewall rules if it's allowed in principle, as is the
case on host-level)
* We apply the host-level setting to VMs as well.
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
next prev parent reply other threads:[~2024-11-15 13:13 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-11-15 12:33 Hannes Laimer
2024-11-15 13:13 ` Stefan Hanreich [this message]
2024-11-15 13:43 ` Stefan Hanreich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=508606c2-8e34-4d6f-b975-a4e96d022b13@proxmox.com \
--to=s.hanreich@proxmox.com \
--cc=h.laimer@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox