In order to be able to send outgoing ARP packets when the default policy is set to drop or reject, we need to explicitly allow ARP traffic in the outgoing chain of guests. We need to do this in the guest chain itself in order to be able to filter spoofed packets via the MAC filter.
Contrary to the out direction we can simply accept all incoming ARP traffic, since we do not do any MAC filtering for incoming traffic. Since we create fdb entries for every NIC, guests should only see ARP traffic for their MAC addresses anyway. Signed-off-by: Stefan Hanreich <[email protected]> Originally-by: Laurent Guerby <[email protected]> --- proxmox-firewall/resources/proxmox-firewall.nft | 1 + proxmox-firewall/src/firewall.rs | 8 ++++---- .../tests/snapshots/integration_tests__firewall.snap | 4 ++-- 3 files changed, 7 insertions(+), 6 deletions(-) diff --git a/proxmox-firewall/resources/proxmox-firewall.nft b/proxmox-firewall/resources/proxmox-firewall.nft index f36bf3b..90b5d5a 100644 --- a/proxmox-firewall/resources/proxmox-firewall.nft +++ b/proxmox-firewall/resources/proxmox-firewall.nft @@ -305,6 +305,7 @@ table bridge proxmox-firewall-guests { chain vm-in { type filter hook postrouting priority 0; policy accept; + ether type arp accept oifname vmap @vm-map-in } } diff --git a/proxmox-firewall/src/firewall.rs b/proxmox-firewall/src/firewall.rs index 41b1df2..0da3ab7 100644 --- a/proxmox-firewall/src/firewall.rs +++ b/proxmox-firewall/src/firewall.rs @@ -516,7 +516,7 @@ impl Firewall { commands.append(&mut vec![ Add::rule(AddRule::from_statement( - chain_in.clone(), + chain_in, Statement::jump(ndp_chains.0), )), Add::rule(AddRule::from_statement( @@ -532,17 +532,17 @@ impl Firewall { }; commands.push(Add::rule(AddRule::from_statement( - chain_out, + chain_out.clone(), Statement::jump(ra_chain_out), ))); - // we allow incoming ARP by default, except if blocked by any option above + // we allow outgoing ARP, except if blocked by the MAC filter above let arp_rule = vec![ Match::new_eq(Payload::field("ether", "type"), Expression::from("arp")).into(), Statement::make_accept(), ]; - commands.push(Add::rule(AddRule::from_statements(chain_in, arp_rule))); + commands.push(Add::rule(AddRule::from_statements(chain_out, arp_rule))); Ok(()) } diff --git a/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap b/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap index 092ccef..2ca151f 100644 --- a/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap +++ b/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap @@ -2923,7 +2923,7 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")" "rule": { "family": "bridge", "table": "proxmox-firewall-guests", - "chain": "guest-100-in", + "chain": "guest-100-out", "expr": [ { "match": { @@ -3569,7 +3569,7 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")" "rule": { "family": "bridge", "table": "proxmox-firewall-guests", - "chain": "guest-101-in", + "chain": "guest-101-out", "expr": [ { "match": { -- 2.39.2 _______________________________________________ pve-devel mailing list [email protected] https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
