firewall: apply nf_conntrack_allow_invalid option to host table

... on all chains that check for ct state. Since we support this option,
we should also use it in our firewall rule generation.

This is a follow-up to
  64dc344b ("firewall: apply `nt_conntrack_allow_invalid` option to guest table")

Signed-off-by: Hannes Laimer <h.laimer@proxmox.com>
Hannes Laimer 2025-03-12 14:20:25 +01:00 committed by Wolfgang Bumiller
parent ab2709bf51
commit ee45277559
3 changed files with 30 additions and 21 deletions


@ -14,7 +14,6 @@ add chain inet proxmox-firewall allow-ndp-in
add chain inet proxmox-firewall block-ndp-in
add chain inet proxmox-firewall allow-ndp-out
add chain inet proxmox-firewall block-ndp-out
add chain inet proxmox-firewall block-conntrack-invalid
add chain inet proxmox-firewall block-smurfs
add chain inet proxmox-firewall allow-icmp
add chain inet proxmox-firewall log-drop-smurfs
@ -55,7 +54,6 @@ flush chain inet proxmox-firewall allow-ndp-in
flush chain inet proxmox-firewall block-ndp-in
flush chain inet proxmox-firewall allow-ndp-out
flush chain inet proxmox-firewall block-ndp-out
flush chain inet proxmox-firewall block-conntrack-invalid
flush chain inet proxmox-firewall block-smurfs
flush chain inet proxmox-firewall allow-icmp
flush chain inet proxmox-firewall log-drop-smurfs
@ -176,10 +174,6 @@ table inet proxmox-firewall {
icmpv6 type { nd-router-solicit, nd-neighbor-solicit, nd-neighbor-advert } drop
}
chain block-conntrack-invalid {
ct state invalid drop
}
chain block-smurfs {
ip saddr 0.0.0.0/32 return
meta pkttype broadcast goto log-drop-smurfs
@ -205,7 +199,7 @@ table inet proxmox-firewall {
iifname "lo" accept
jump allow-icmp
ct state related,established accept
ct state vmap { invalid : jump invalid-conntrack, established : accept, related : accept }
meta l4proto igmp accept
@ -229,7 +223,7 @@ table inet proxmox-firewall {
oifname "lo" accept
jump allow-icmp
ct state vmap { invalid : drop, established : accept, related : accept }
ct state vmap { invalid : jump invalid-conntrack, established : accept, related : accept }
}
chain option-in {}
@ -241,7 +235,7 @@ table inet proxmox-firewall {
chain before-bridge {
meta protocol arp accept
meta protocol != arp ct state vmap { established : accept, related : accept, invalid : drop }
meta protocol != arp ct state vmap { established : accept, related : accept, invalid : jump invalid-conntrack }
}
chain host-bridge-input {
@ -284,9 +278,12 @@ table inet proxmox-firewall {
chain host-out {}
chain cluster-forward {}
chain host-forward {}
chain host-forward {
meta protocol != arp ct state vmap { established : accept, related : accept, invalid : jump invalid-conntrack }
}
chain ct-in {}
chain invalid-conntrack { }
}
table bridge proxmox-firewall-guests {
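Review bot: The new body of `host-forward` is a behaviour change rather than a drop-to-jump swap: the removed line shows `chain host-forward {}` was empty, so established/related traffic is now accepted in the forward chain where no ct-state check existed before, and the commit message does not mention this. Assuming the removed line is what it appears to be, the message (or a comment above the chain) should say that forward now gets the same ct-state vmap as the input/output chains. Note also that `chain invalid-conntrack { }` in the host table is empty in the static config, so invalid packets jumped there return and continue down the calling chain unless rule generation inserts a drop; the static file alone no longer drops invalid traffic the way the removed `block-conntrack-invalid` chain did. A one-line comment such as `# populated with a drop rule by rule generation unless nf_conntrack_allow_invalid is set` above the chain would make that dependency visible to anyone reading the .nft file on its own.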


@ -99,6 +99,10 @@ impl Firewall {
ChainPart::new(Self::guest_table(), "invalid-conntrack".to_string())
}
fn host_invalid_conntrack_chain() -> ChainPart {
ChainPart::new(Self::host_table(), "invalid-conntrack".to_string())
}
fn host_conntrack_chain() -> ChainPart {
ChainPart::new(Self::host_table(), "ct-in".to_string())
}
@ -144,6 +148,7 @@ impl Firewall {
Flush::chain(Self::host_option_chain(Direction::Out)),
Flush::chain(Self::host_chain(Direction::Forward)),
Flush::chain(Self::guest_invalid_conntrack_chain()),
Flush::chain(Self::host_invalid_conntrack_chain()),
Flush::map(Self::guest_vmap(Direction::In)),
Flush::map(Self::guest_vmap(Direction::Out)),
Flush::map(Self::bridge_vmap(Self::guest_table())),
@ -533,12 +538,12 @@ impl Firewall {
log::debug!("set block_invalid_conntrack");
commands.push(Add::rule(AddRule::from_statement(
chain_in,
Statement::jump("block-conntrack-invalid"),
Self::guest_invalid_conntrack_chain(),
Statement::make_drop(),
)));
commands.push(Add::rule(AddRule::from_statement(
Self::guest_invalid_conntrack_chain(),
Self::host_invalid_conntrack_chain(),
Statement::make_drop(),
)));
}
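Review bot: `chain_in` loses its only visible use in this hunk, since the jump rule it was attached to is replaced by a drop rule on `Self::guest_invalid_conntrack_chain()`; if it is not referenced elsewhere in the enclosing function (which starts outside the hunk), it is now an unused binding and rustc will warn on it. Either remove the binding or confirm it still has a use further up. Separately, `host_invalid_conntrack_chain` in the first hunk has no doc comment; a line like `/// Host-table chain that the ct-state vmaps jump to for invalid packets; stays empty unless block_invalid_conntrack adds a drop rule.` would explain why the chain exists and why the rule added at the end of this hunk is conditional.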


@ -103,6 +103,15 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
}
}
},
{
"flush": {
"chain": {
"family": "inet",
"table": "proxmox-firewall",
"name": "invalid-conntrack"
}
}
},
{
"flush": {
"map": {
@ -3333,14 +3342,12 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
{
"add": {
"rule": {
"family": "inet",
"table": "proxmox-firewall",
"chain": "option-in",
"family": "bridge",
"table": "proxmox-firewall-guests",
"chain": "invalid-conntrack",
"expr": [
{
"jump": {
"target": "block-conntrack-invalid"
}
"drop": null
}
]
}
@ -3349,8 +3356,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
{
"add": {
"rule": {
"family": "bridge",
"table": "proxmox-firewall-guests",
"family": "inet",
"table": "proxmox-firewall",
"chain": "invalid-conntrack",
"expr": [
{