Hi,
It looks like when the output policy is set to drop on a VM, the ARP protocol in the out direction is filtered, and there's no way I could find to enable it in the Proxmox firewall settings.
In the IN direction there's a
ether type arp accept
in chain guest-408-in
but there's no equivalent in guest-408-out.
Traces below for VM 408 with IP 192.168.73.59 when IPs 192.168.73.104 and 192.168.73.102 are trying to talk to it: the ARP reply is emitted, as seen on tap408i0, but disappears after the firewall on fwln408i0 (as expected).
Thanks!
Laurent
Code:
# tcpdump -eni tap408i0 arp and host 192.168.73.59
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tap408i0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
11:02:23.646049 a0:ce:c8:96:5b:84 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.73.59 tell 192.168.73.104, length 28
11:02:23.646331 bc:24:11:84:a3:db > a0:ce:c8:96:5b:84, ethertype ARP (0x0806), length 42: Reply 192.168.73.59 is-at bc:24:11:84:a3:db, length 28
11:02:24.050729 d4:81:d7:6b:c8:c8 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.168.73.59 tell 192.168.73.102, length 46
11:02:24.050950 bc:24:11:84:a3:db > d4:81:d7:6b:c8:c8, ethertype ARP (0x0806), length 42: Reply 192.168.73.59 is-at bc:24:11:84:a3:db, length 28
11:02:24.664774 a0:ce:c8:96:5b:84 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.73.59 tell 192.168.73.104, length 28
11:02:24.665007 bc:24:11:84:a3:db > a0:ce:c8:96:5b:84, ethertype ARP (0x0806), length 42: Reply 192.168.73.59 is-at bc:24:11:84:a3:db, length 28
Code:
# tcpdump -eni fwln408i0 arp and host 192.168.73.59
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on fwln408i0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
11:02:23.646043 a0:ce:c8:96:5b:84 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.73.59 tell 192.168.73.104, length 28
11:02:24.050726 d4:81:d7:6b:c8:c8 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.168.73.59 tell 192.168.73.102, length 46
11:02:24.664769 a0:ce:c8:96:5b:84 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.73.59 tell 192.168.73.104, length 28
Code:
# cat /etc/pve/firewall/408.fw
[OPTIONS]
enable: 1
policy_out: DROP
[RULES]
GROUP secgrp1
# cat /etc/pve/firewall/cluster.fw
[OPTIONS]
log_ratelimit: burst=5,enable=0,rate=1/second
enable: 1
[ALIASES]
albi-lan 192.168.73.0/24
pbsfw1a-ipv4 192.168.73.59
[group secgrp1]
IN SSH(ACCEPT) -source dc/albi-lan -dest dc/pbsfw1a-ipv4 -log nolog
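As an added example (not part of Laurent's post or of Proxmox VE), the following Python script parses the two `tcpdump -e` captures above and counts, per ARP operation, the frames seen on the VM-side tap408i0 that never show up on the bridge-side fwln408i0. This is the quick way to confirm that it is the firewall hook between the two interfaces, and not the guest, that swallows the replies. The captures are embedded verbatim as sample input; the `ArpPacket` type and function names are this example's own.

```python
import re
from collections import Counter
from typing import NamedTuple
# One `tcpdump -eni <if> arp` line as quoted in the post. The timestamp is matched but not
# captured: the same frame is stamped a few microseconds apart on tap408i0 and fwln408i0.
ARP_LINE = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+ (?P<src>[0-9a-f:]{17}) > (?P<dst>[0-9a-f:]{17}), ethertype ARP \(0x0806\), "
    r"length \d+: (?:Request who-has (?P<target>\S+) tell \S+|Reply (?P<ip>\S+) is-at [0-9a-f:]{17}), length \d+$"
)

class ArpPacket(NamedTuple):
    op: str       # "Request" or "Reply"
    src_mac: str
    dst_mac: str
    ip: str       # who-has target for a request, advertised IP for a reply

def parse_capture(text: str) -> list[ArpPacket]:
    """Extract ARP frames from tcpdump -e output; tcpdump's own header lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m and m["target"]:
            pkts.append(ArpPacket("Request", m["src"], m["dst"], m["target"]))
        elif m:
            pkts.append(ArpPacket("Reply", m["src"], m["dst"], m["ip"]))
    return pkts

def dropped_between(vm_side: str, bridge_side: str) -> dict[str, int]:
    """Per ARP op, count frames seen on the VM tap but missing on the bridge-side fwln.
    Counter subtraction is a multiset difference, so repeated identical requests count."""
    missing = Counter(parse_capture(vm_side)) - Counter(parse_capture(bridge_side))
    counts = {"Request": 0, "Reply": 0}
    for pkt, n in missing.items():
        counts[pkt.op] += n
    return counts

# Sample input: the two captures from the post (tap408i0 first, then fwln408i0).
TAP_CAPTURE = """\
11:02:23.646049 a0:ce:c8:96:5b:84 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.73.59 tell 192.168.73.104, length 28
11:02:23.646331 bc:24:11:84:a3:db > a0:ce:c8:96:5b:84, ethertype ARP (0x0806), length 42: Reply 192.168.73.59 is-at bc:24:11:84:a3:db, length 28
11:02:24.050729 d4:81:d7:6b:c8:c8 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.168.73.59 tell 192.168.73.102, length 46
11:02:24.050950 bc:24:11:84:a3:db > d4:81:d7:6b:c8:c8, ethertype ARP (0x0806), length 42: Reply 192.168.73.59 is-at bc:24:11:84:a3:db, length 28
11:02:24.664774 a0:ce:c8:96:5b:84 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.73.59 tell 192.168.73.104, length 28
11:02:24.665007 bc:24:11:84:a3:db > a0:ce:c8:96:5b:84, ethertype ARP (0x0806), length 42: Reply 192.168.73.59 is-at bc:24:11:84:a3:db, length 28
"""
FWLN_CAPTURE = """\
11:02:23.646043 a0:ce:c8:96:5b:84 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.73.59 tell 192.168.73.104, length 28
11:02:24.050726 d4:81:d7:6b:c8:c8 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.168.73.59 tell 192.168.73.102, length 46
11:02:24.664769 a0:ce:c8:96:5b:84 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.73.59 tell 192.168.73.104, length 28
"""
```

Calling `dropped_between(TAP_CAPTURE, FWLN_CAPTURE)` on these captures reports all three replies as lost between the two interfaces and no lost requests, matching the chain layout described in the post (ARP accepted in guest-408-in, nothing equivalent in guest-408-out).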