firewall: apply nt_conntrack_allow_invalid option to guest table

So it behaves the same way the 'old' firewall did. Since currently ct state invalid are always dropped on the guest table, regardless of the option. The host behaviour is not changed as it would require `forward` to match the 'old' behaviour. Signed-off-by: Hannes Laimer <h.laimer@proxmox.com> [ TL: resolve merge conflict due to recent context changes ] Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2025-10-04 20:52:30 +00:00 · 2024-11-15 16:30:16 +01:00 · 2024-11-15 16:30:16 +01:00 · 64dc344bb8
commit 64dc344bb8
parent 8ef2e4e6b5
3 changed files with 37 additions and 1 deletions
--- a/proxmox-firewall/resources/proxmox-firewall.nft
+++ b/proxmox-firewall/resources/proxmox-firewall.nft
@ -365,8 +365,10 @@ table bridge proxmox-firewall-guests {
        iifname vmap @vm-map-out
    }

+    chain invalid-conntrack { }
+
    chain pre-vm-in {
-        meta protocol != arp ct state vmap { established : accept, related : accept, invalid : drop }
+        meta protocol != arp ct state vmap { established : accept, related : accept, invalid : jump invalid-conntrack }
        meta protocol arp accept
    }

--- a/proxmox-firewall/src/firewall.rs
+++ b/proxmox-firewall/src/firewall.rs
@ -95,6 +95,10 @@ impl Firewall {
        ChainPart::new(table, format!("group-{name}-{dir}"))
    }

+    fn guest_invalid_conntrack_chain() -> ChainPart {
+        ChainPart::new(Self::guest_table(), format!("invalid-conntrack"))
+    }
+
    fn host_conntrack_chain() -> ChainPart {
        ChainPart::new(Self::host_table(), "ct-in".to_string())
    }
@ -139,6 +143,7 @@ impl Firewall {
            Flush::chain(Self::host_chain(Direction::Out)),
            Flush::chain(Self::host_option_chain(Direction::Out)),
            Flush::chain(Self::host_chain(Direction::Forward)),
+            Flush::chain(Self::guest_invalid_conntrack_chain()),
            Flush::map(Self::guest_vmap(Direction::In)),
            Flush::map(Self::guest_vmap(Direction::Out)),
            Flush::map(Self::bridge_vmap(Self::guest_table())),
@ -531,6 +536,11 @@ impl Firewall {
                chain_in,
                Statement::jump("block-conntrack-invalid"),
            )));
+
+            commands.push(Add::rule(AddRule::from_statement(
+                Self::guest_invalid_conntrack_chain(),
+                Statement::make_drop(),
+            )));
        }

        if let Some(value) = self.config.host().nf_conntrack_max() {
--- a/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap
+++ b/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap
@ -1,6 +1,7 @@
 ---
 source: proxmox-firewall/tests/integration_tests.rs
 expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
+snapshot_kind: text
 ---
 {
  "nftables": [
@ -94,6 +95,15 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
        }
      }
    },
+    {
+      "flush": {
+        "chain": {
+          "family": "bridge",
+          "table": "proxmox-firewall-guests",
+          "name": "invalid-conntrack"
+        }
+      }
+    },
    {
      "flush": {
        "map": {
@ -3283,6 +3293,20 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
        }
      }
    },
+    {
+      "add": {
+        "rule": {
+          "family": "bridge",
+          "table": "proxmox-firewall-guests",
+          "chain": "invalid-conntrack",
+          "expr": [
+            {
+              "drop": null
+            }
+          ]
+        }
+      }
+    },
    {
      "add": {
        "rule": {