security groups: skip in forward chain when interface is specified

Security groups can be bound to a specific interface. The notion of
this breaks down when considering the forward direction, since there
are two interfaces involved: incoming and outgoing, which can be
different depending on the kind of traffic.

With the current implementation, the firewall refuses to generate
rulesets with security groups that are bound to specific interfaces.
Check for this case explicitly and skip creating rules in the forward
chain when a security group bound to a specific interface is
encountered.

Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
Tested-by: Hannes Duerr <h.duerr@proxmox.com>
Stefan Hanreich 2025-03-13 13:49:19 +01:00 committed by Wolfgang Bumiller
parent 697da0168e
commit b3f3d7209b


@ -201,6 +201,10 @@ fn handle_iface(rules: &mut [NftRule], env: &NftRuleEnv, name: &str) -> Result<(
impl ToNftRules for RuleGroup {
fn to_nft_rules(&self, rules: &mut Vec<NftRule>, env: &NftRuleEnv) -> Result<(), Error> {
if env.direction == Direction::Forward && self.iface().is_some() {
return Ok(());
}
let chain_name = format!("group-{}-{}", self.group(), env.direction);
rules.push(NftRule::new(Statement::jump(chain_name)));
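Review bot: the early `return Ok(())` taken when `env.direction == Direction::Forward && self.iface().is_some()` drops the entire group from the forward chain without leaving any trace, so an operator who bound a security group to an interface and then sees forwarded traffic unaffected has no way to tell the rules were skipped on purpose rather than lost. Consider logging a warning at that point (or at least adding a code comment above the check that carries the reasoning from the commit message, i.e. that incoming and outgoing interfaces differ in the forward direction), and documenting on `to_nft_rules` that interface-bound groups are ignored in the forward chain.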