How can I change chain do-reject to reject?

E

encryptedserver

Member
Jul 10, 2021
70
13
13
44
www.saudiqbal.com
The last rule in chain do-reject is wrong. I was wondering why the connection keeps timing out instead of immediately getting a reject.

It is currently at drop when it should be reject, even the rule name is do-reject!

Code: 
chain do-reject {
    meta pkttype broadcast drop
    ip saddr 224.0.0.0/4 drop
    meta l4proto tcp reject with tcp reset
    meta l4proto { icmp, ipv6-icmp } reject
    reject with icmp host-prohibited
    reject with icmpv6 admin-prohibited
    drop
}

Please fix the rule by replacing drop with reject.

Is there any way to edit the file manually right now myself? where is the nftables rules stored in PVE?
 
Last edited:
The rule is fine - those 2 statements should be terminal already:

Code: 
    reject with icmp host-prohibited
    reject with icmpv6 admin-prohibited

The only way the drop is reached if it is an ARP packet in the bridge table. The drop rule is just as a safety measure in case there is any unforeseen traffic that cannot be matched / rejected by nftables.



Are you by chance trying to reject incoming traffic of a guest? This is currently not possible due to limitations of nftables, we also have a small section in the documentation [1] regarding that:

  • REJECT is currently not possible for guest traffic (traffic will instead be dropped).
Click to expand...

[1] https://pve.proxmox.com/pve-docs/pve-admin-guide.html#_nftables
 
I added the reject rule to block local lan

Code: 
        set v4-dc/lan {
                type ipv4_addr
                flags interval
                elements = { 10.0.0.0/8, 172.16.0.0/12,
                             192.168.0.0/16 }
        }

        set v4-dc/lan-nomatch {
                type ipv4_addr
                flags interval
        }

        set v6-dc/lan {
                type ipv6_addr
                flags interval
                elements = { fc00::/7 }
        }

        chain group-deny-lan-access-out {                                                                                                                 
                ip daddr @v4-dc/gateway ip daddr != @v4-dc/gateway-nomatch accept                                                                         
                ip6 daddr @v6-dc/gateway ip6 daddr != @v6-dc/gateway-nomatch accept                                                                       
                ip daddr @v4-dc/lan ip daddr != @v4-dc/lan-nomatch jump do-reject                                                                         
                ip6 daddr @v6-dc/lan ip6 daddr != @v6-dc/lan-nomatch jump do-reject                                                                       
        }

For example if I ping 10.88.88.12 from my VM it should reject immediately but I am getting a timeout.
 
I've looked at this, the issue here seems to be that the packet is actually rejected, but the responding packet has CT state invalid - so it gets dropped by the incoming firewall:

Code: 
trace id c784a776 bridge proxmox-firewall-guests vm-in packet: oif "tap2001i0" ether saddr 36:86:46:c7:59:3f ether daddr bc:24:11:5e:44:b4 ip saddr 10.101.1.1 ip daddr 10.101.95.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 0 ip protocol icmp ip length 112 icmp type destination-unreachable icmp code port-unreachable icmp id 0 icmp sequence 0 @th,64,96 0x4500005419dc40004001ac01
trace id c784a776 bridge proxmox-firewall-guests vm-in rule ether type != arp ct state vmap { invalid : drop, established : accept, related : accept } (verdict drop)

It might make sense to "whitelist" certain ICMP types but I'll have to think about the possible implications of this - but I'll create a patch once I've looked more into this. Some ICMP type certainly should be (e.g. the ones used for Path MTU discovery)
 
Last edited:
You should be able to work around this for now by creating a rule that exempts ICMP packets with type destination unreachable from conntrack:

Code: 
#!/usr/sbin/nft -f
table bridge icmp-reject
delete table bridge icmp-reject

table bridge icmp-reject {
    chain postrouting {
        type filter hook postrouting priority -350; policy accept;
        oifname "tap*" icmp type destination-unreachable notrack
    }
}

As well as explicitly allowing ICMP packets with type destination unreachable in the incoming chain of the VM:

Code: 
[RULES]

IN ACCEPT -p icmp -log nolog -icmp-type destination-unreachable
 
shanreich said:
Code: 
#!/usr/sbin/nft -f
table bridge icmp-reject
delete table bridge icmp-reject

table bridge icmp-reject {
chain postrouting {
type filter hook postrouting priority -350; policy accept;
oifname "tap*" icmp type destination-unreachable notrack
}
}
Click to expand...

I tried pasting the code in /etc/nftables.conf but it does not work over there, where should I paste these commands?
 
encryptedserver said:
I tried pasting the code in /etc/nftables.conf but it does not work over there, where should I paste these commands?
Click to expand...
You can just save it as a new file, e.g. icmp.nft, and then make it executable (chmod +x icmp.nft) and then execute it (./icmp.nft)
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back