firewall: apply nf_conntrack_allow_invalid option to host table

... on all chains that check for ct state. Since we support this option, we should also use it in our firewall rule generation. This is a follow-up to 64dc344b ("firewall: apply `nt_conntrack_allow_invalid` option to guest table") Signed-off-by: Hannes Laimer <h.laimer@proxmox.com>
2025-11-01 06:35:39 +00:00 · 2025-03-12 14:20:25 +01:00 · 2025-03-12 14:20:25 +01:00 · ee45277559
commit ee45277559
parent ab2709bf51
3 changed files with 30 additions and 21 deletions
--- a/proxmox-firewall/resources/proxmox-firewall.nft
+++ b/proxmox-firewall/resources/proxmox-firewall.nft
@ -14,7 +14,6 @@ add chain inet proxmox-firewall allow-ndp-in
 add chain inet proxmox-firewall block-ndp-in
 add chain inet proxmox-firewall allow-ndp-out
 add chain inet proxmox-firewall block-ndp-out
 add chain inet proxmox-firewall block-conntrack-invalid
 add chain inet proxmox-firewall block-smurfs
 add chain inet proxmox-firewall allow-icmp
 add chain inet proxmox-firewall log-drop-smurfs
@ -55,7 +54,6 @@ flush chain inet proxmox-firewall allow-ndp-in
 flush chain inet proxmox-firewall block-ndp-in
 flush chain inet proxmox-firewall allow-ndp-out
 flush chain inet proxmox-firewall block-ndp-out
 flush chain inet proxmox-firewall block-conntrack-invalid
 flush chain inet proxmox-firewall block-smurfs
 flush chain inet proxmox-firewall allow-icmp
 flush chain inet proxmox-firewall log-drop-smurfs
@ -176,10 +174,6 @@ table inet proxmox-firewall {
        icmpv6 type { nd-router-solicit, nd-neighbor-solicit, nd-neighbor-advert } drop
    }
    chain block-conntrack-invalid {
        ct state invalid drop
    }
    chain block-smurfs {
        ip saddr 0.0.0.0/32 return
        meta pkttype broadcast goto log-drop-smurfs
@ -205,7 +199,7 @@ table inet proxmox-firewall {
        iifname "lo" accept
        jump allow-icmp
-        ct state related,established accept
+        ct state vmap { invalid : jump invalid-conntrack, established : accept, related : accept }
        meta l4proto igmp accept
@ -229,7 +223,7 @@ table inet proxmox-firewall {
        oifname "lo" accept
        jump allow-icmp
-        ct state vmap { invalid : drop, established : accept, related : accept }
+        ct state vmap { invalid : jump invalid-conntrack, established : accept, related : accept }
    }
    chain option-in {}
@ -241,7 +235,7 @@ table inet proxmox-firewall {
    chain before-bridge {
        meta protocol arp accept
-        meta protocol != arp ct state vmap { established : accept, related : accept, invalid : drop }
+        meta protocol != arp ct state vmap { established : accept, related : accept, invalid : jump invalid-conntrack }
    }
    chain host-bridge-input {
@ -284,9 +278,12 @@ table inet proxmox-firewall {
    chain host-out {}
    chain cluster-forward {}
-    chain host-forward {}
+    chain host-forward {
        meta protocol != arp ct state vmap { established : accept, related : accept, invalid : jump invalid-conntrack }
    }
    chain ct-in {}
    chain invalid-conntrack { }
 }
 table bridge proxmox-firewall-guests {
--- a/proxmox-firewall/src/firewall.rs
+++ b/proxmox-firewall/src/firewall.rs
@ -99,6 +99,10 @@ impl Firewall {
        ChainPart::new(Self::guest_table(), "invalid-conntrack".to_string())
    }
    fn host_invalid_conntrack_chain() -> ChainPart {
        ChainPart::new(Self::host_table(), "invalid-conntrack".to_string())
    }
    fn host_conntrack_chain() -> ChainPart {
        ChainPart::new(Self::host_table(), "ct-in".to_string())
    }
@ -144,6 +148,7 @@ impl Firewall {
            Flush::chain(Self::host_option_chain(Direction::Out)),
            Flush::chain(Self::host_chain(Direction::Forward)),
            Flush::chain(Self::guest_invalid_conntrack_chain()),
            Flush::chain(Self::host_invalid_conntrack_chain()),
            Flush::map(Self::guest_vmap(Direction::In)),
            Flush::map(Self::guest_vmap(Direction::Out)),
            Flush::map(Self::bridge_vmap(Self::guest_table())),
@ -533,12 +538,12 @@ impl Firewall {
            log::debug!("set block_invalid_conntrack");
            commands.push(Add::rule(AddRule::from_statement(
-                chain_in,
+                Self::guest_invalid_conntrack_chain(),
-                Statement::jump("block-conntrack-invalid"),
+                Statement::make_drop(),
            )));
            commands.push(Add::rule(AddRule::from_statement(
-                Self::guest_invalid_conntrack_chain(),
+                Self::host_invalid_conntrack_chain(),
                Statement::make_drop(),
            )));
        }
--- a/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap
+++ b/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap
@ -103,6 +103,15 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
        }
      }
    },
    {
      "flush": {
        "chain": {
          "family": "inet",
          "table": "proxmox-firewall",
          "name": "invalid-conntrack"
        }
      }
    },
    {
      "flush": {
        "map": {
@ -3333,14 +3342,12 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
    {
      "add": {
        "rule": {
-          "family": "inet",
+          "family": "bridge",
-          "table": "proxmox-firewall",
+          "table": "proxmox-firewall-guests",
-          "chain": "option-in",
+          "chain": "invalid-conntrack",
          "expr": [
            {
-              "jump": {
+              "drop": null
                "target": "block-conntrack-invalid"
              }
            }
          ]
        }
@ -3349,8 +3356,8 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
    {
      "add": {
        "rule": {
-          "family": "bridge",
+          "family": "inet",
-          "table": "proxmox-firewall-guests",
+          "table": "proxmox-firewall",
          "chain": "invalid-conntrack",
          "expr": [
            {