[7.4] IP filter only active when Firewall is enabled on VM

haelekuin

New Member
Apr 26, 2024
During IP changes of multiple hosts I noticed that MAC and IP filters were no longer functional in my configuration.
While trying to understand why this behavior changed from when I initially set up IP filtering I noticed that ebtables rules are no longer created when the firewall is disabled on the VM (but enabled on the cluster and Proxmox node).

Cluster config:
Code:
cat /etc/pve/firewall/cluster.fw
[OPTIONS]

policy_in: ACCEPT
enable: 1
policy_out: ACCEPT
ebtables: 1

Node config:
Code:
cat /etc/pve/nodes/node/host.fw
[OPTIONS]
log_level_out: debug
log_level_in: debug
tcp_flags_log_level: debug
enable: 1
smurf_log_level: debug

VM config:
Code:
cat /etc/pve/firewall/108.fw
[OPTIONS]

enable: 0
log_level_out: debug
policy_in: ACCEPT
macfilter: 1
ipfilter: 1
log_level_in: debug

[IPSET ipfilter-net0]

1.2.3.4

Ebtables:
Code:
ebtables -L
Bridge table: filter

Bridge chain: INPUT, entries: 0, policy: ACCEPT

Bridge chain: FORWARD, entries: 1, policy: ACCEPT
-j PVEFW-FORWARD

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

Bridge chain: PVEFW-FORWARD, entries: 3, policy: ACCEPT
-p IPv4 -j ACCEPT
-p IPv6 -j ACCEPT
-o fwln+ -j PVEFW-FWBR-OUT

Bridge chain: PVEFW-FWBR-OUT, entries: 0, policy: ACCEPT

When enabling the firewall on the VM, ebtables and iptables rules are created for MAC and IP filtering.

Ebtables (Firewall On):
Code:
Bridge chain: PVEFW-FWBR-OUT, entries: 1, policy: ACCEPT
-i tap108i0 -j tap108i0-OUT

Bridge chain: tap108i0-OUT, entries: 3, policy: ACCEPT
-s ! d6:dd:d0:35:3:10 -j DROP
-p ARP -j tap108i0-OUT-ARP
-j ACCEPT

Bridge chain: tap108i0-OUT-ARP, entries: 2, policy: ACCEPT
-p ARP --arp-ip-src 1.2.3.4 -j RETURN
-j DROP

Iptables:
Code:
Chain tap108i0-OUT (1 references)
target     prot opt source               destination         
PVEFW-SET-ACCEPT-MARK  udp  --  anywhere             anywhere            [goto]  udp spt:bootpc dpt:bootps
DROP       all  --  anywhere             anywhere             MAC !d6:dd:d0:35:03:10
DROP       all  --  anywhere             anywhere             ! match-set PVEFW-108-ipfilter-net0-v4 src
MARK       all  --  anywhere             anywhere             MARK and 0x7fffffff
PVEFW-SET-ACCEPT-MARK  all  --  anywhere             anywhere            [goto]


Is this behavior intentional? Creating both ebtables and iptables rules for the same purpose seems redundant.
Additionally, I do not want to enable iptables rules just for filtering of IP and MAC addresses as it is not needed. Looking at changes to the pve firewall, I believe this change was introduced with https://github.com/proxmox/pve-firewall/commit/60ab67f52df04c415004ff3e4d45335ca0a62307 - but I was not able to confirm as I don't have a lab machine available to test older versions.

Code:
pveversion -v
proxmox-ve: 7.4-1 (running kernel: 5.15.131-2-pve)
pve-manager: 7.4-17 (running version: 7.4-17/513c62be)
pve-kernel-5.15: 7.4-9
pve-kernel-5.13: 7.1-9
pve-kernel-5.15.131-2-pve: 5.15.131-3
pve-kernel-5.15.126-1-pve: 5.15.126-1
pve-kernel-5.13.19-6-pve: 5.13.19-15
ceph-fuse: 14.2.21-1
corosync: 3.1.7-pve1
criu: 3.15-1+pve-1
glusterfs-client: 9.2-1
ifupdown: 0.8.36+pve2
libjs-extjs: 7.0.0-1
libknet1: 1.24-pve2
libproxmox-acme-perl: 1.4.4
libproxmox-backup-qemu0: 1.3.1-1
libproxmox-rs-perl: 0.2.1
libpve-access-control: 7.4.1
libpve-apiclient-perl: 3.2-1
libpve-common-perl: 7.4-2
libpve-guest-common-perl: 4.2-4
libpve-http-server-perl: 4.2-3
libpve-rs-perl: 0.7.7
libpve-storage-perl: 7.4-3
libspice-server1: 0.14.3-2.1
lvm2: 2.03.11-2.1
lxc-pve: 5.0.2-2
lxcfs: 5.0.3-pve1
novnc-pve: 1.4.0-1
proxmox-backup-client: 2.4.6-1
proxmox-backup-file-restore: 2.4.6-1
proxmox-kernel-helper: 7.4-1
proxmox-mail-forward: 0.1.1-1
proxmox-mini-journalreader: 1.3-1
proxmox-widget-toolkit: 3.7.3
pve-cluster: 7.3-3
pve-container: 4.4-6
pve-docs: 7.4-2
pve-edk2-firmware: 3.20230228-4~bpo11+2
pve-firewall: 4.3-5
pve-firmware: 3.6-6
pve-ha-manager: 3.6.1
pve-i18n: 2.12-1
pve-qemu-kvm: 7.2.0-8
pve-xtermjs: 4.16.0-2
qemu-server: 7.4-4
smartmontools: 7.2-pve3
spiceterm: 3.2-2
swtpm: 0.8.0~bpo11+3
vncterm: 1.7-1
 
Just tested this on a pve 8.2 host and the behaviour is the same.

Code:
pveversion -v
proxmox-ve: 8.2.0 (running kernel: 6.8.4-2-pve)
pve-manager: 8.2.2 (running version: 8.2.2/9355359cd7afbae4)
proxmox-kernel-helper: 8.1.0
proxmox-kernel-6.8: 6.8.4-2
proxmox-kernel-6.8.4-2-pve-signed: 6.8.4-2
ceph-fuse: 16.2.11+ds-2
corosync: 3.1.7-pve3
criu: 3.17.1-2
glusterfs-client: 10.3-5
ifupdown: residual config
ifupdown2: 3.2.0-1+pmx8
libjs-extjs: 7.0.0-4
libknet1: 1.28-pve1
libproxmox-acme-perl: 1.5.1
libproxmox-backup-qemu0: 1.4.1
libproxmox-rs-perl: 0.3.3
libpve-access-control: 8.1.4
libpve-apiclient-perl: 3.3.2
libpve-cluster-api-perl: 8.0.6
libpve-cluster-perl: 8.0.6
libpve-common-perl: 8.2.1
libpve-guest-common-perl: 5.1.1
libpve-http-server-perl: 5.1.0
libpve-rs-perl: 0.8.8
libpve-storage-perl: 8.2.1
libspice-server1: 0.15.1-1
lvm2: 2.03.16-2
lxc-pve: 6.0.0-1
lxcfs: 6.0.0-pve2
novnc-pve: 1.4.0-3
proxmox-backup-client: 3.2.2-1
proxmox-backup-file-restore: 3.2.2-1
proxmox-kernel-helper: 8.1.0
proxmox-mail-forward: 0.2.3
proxmox-mini-journalreader: 1.4.0
proxmox-widget-toolkit: 4.2.3
pve-cluster: 8.0.6
pve-container: 5.0.11
pve-docs: 8.2.2
pve-edk2-firmware: not correctly installed
pve-firewall: 5.0.6
pve-firmware: 3.11-1
pve-ha-manager: 4.0.4
pve-i18n: 3.2.2
pve-qemu-kvm: 8.1.5-6
pve-xtermjs: 5.3.0-3
qemu-server: 8.2.1
smartmontools: 7.3-pve1
spiceterm: 3.3.0
swtpm: 0.8.0+pve1
vncterm: 1.8.0
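The observation in this thread is that `macfilter`/`ipfilter` in a VM's `.fw` file only produce tap rules once `enable: 1` is set on that VM, so a config that looks filtered may be filtering nothing. The following added check (not part of the thread or of pve-firewall itself) parses a VM `.fw` file in the format quoted above and reports that condition, plus an `ipfilter` with no matching `ipfilter-netN` ipset and ipset entries that are not valid addresses; the sample config is constructed to mirror the 108.fw shown above, and treating a missing `enable` key as "off" is an assumption.

```python
import ipaddress
import re

# Constructed sample modelled on the 108.fw quoted in the thread (not a real host).
SAMPLE_108_FW = """[OPTIONS]
enable: 0
log_level_out: debug
policy_in: ACCEPT
macfilter: 1
ipfilter: 1
log_level_in: debug

[IPSET ipfilter-net0]
1.2.3.4
"""

SECTION_RE = re.compile(r"^\[(\w+)(?:\s+(\S+))?\]$")  # [OPTIONS] or [IPSET name]


def parse_fw(text):
    """Return ({option: value}, {ipset_name: [entries]}) for a pve-firewall .fw file."""
    options, ipsets, section, name = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, name = m.group(1).upper(), m.group(2)
            if section == "IPSET":
                ipsets[name] = []
            continue
        if section == "OPTIONS" and ":" in line:
            k, v = line.split(":", 1)
            options[k.strip()] = v.strip()
        elif section == "IPSET":
            ipsets[name].append(line)
    return options, ipsets


def audit_vm_fw(text):
    """Return a list of findings; an empty list means the configured filters will be applied."""
    opts, ipsets = parse_fw(text)
    findings = []
    enabled = opts.get("enable", "0") == "1"  # assumption: absent 'enable' means disabled
    wanted = [f for f in ("macfilter", "ipfilter") if opts.get(f) == "1"]
    if wanted and not enabled:  # the thread's case: filters set, VM firewall off, no tap rules
        findings.append(f"{'/'.join(wanted)} set but enable: 0 -> no tap rules generated")
    if "ipfilter" in wanted and not any(n.startswith("ipfilter-net") for n in ipsets):
        findings.append("ipfilter: 1 without an [IPSET ipfilter-netN] section")
    for name, entries in ipsets.items():
        for entry in entries:
            try:
                ipaddress.ip_network(entry.lstrip("!"), strict=False)  # '!' marks a nomatch entry
            except ValueError:
                findings.append(f"ipset {name}: unparsable entry {entry!r}")
    return findings
```

Run it against `/etc/pve/firewall/<vmid>.fw` files read from a host to list VMs whose filters are configured but inactive.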
 
