On 11/15/24 14:13, Stefan Hanreich wrote:
> I see two ways of solving this problem:
>
> * We introduce a knob at VM level that lets you decide whether to drop
> ct invalid traffic or not. (Invalid traffic would then still be
> evaluated by the firewall rules if it's allowed in principle, as is the
> case on host-level)
>
> * We apply the host-level setting to VMs as well.
The old firewall does it like this - so maybe we should do it here as well:

* drop invalid traffic in PVEFW-HOST-IN (= INPUT chain) regardless of the setting
* drop invalid traffic on PVEFW-FORWARD (= FORWARD chain) if allow_invalid is 0 (= default)

It's important not to accept it immediately, because then the rest of the ruleset still gets evaluated, mitigating the blast radius of this setting considerably.

_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
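As an added illustration of the chain logic described in the reply above (this is not pve-firewall's own code, and the table name `pvefw_example`, the chain names `host_in`/`forward` and the helper names are assumptions), the following shell function renders an nftables ruleset from the `allow_invalid` knob: the input chain always drops `ct state invalid`, the forward chain drops it only when the knob is 0, and in neither case is invalid traffic accepted outright, so when it is not dropped it keeps falling through to the rules that follow.

```shell
#!/bin/sh
# Added example, not pve-firewall code. Renders an nftables ruleset that
# mirrors the old iptables behaviour: PVEFW-HOST-IN drops invalid traffic
# unconditionally, PVEFW-FORWARD only when allow_invalid is 0.
# Table and chain names below are assumptions.

render_ruleset() {
    allow_invalid="${1:-0}"   # 0 = default: drop invalid forwarded traffic

    # The forward-chain rule is emitted only when the knob is 0. There is
    # deliberately never a "ct state invalid accept": when invalid traffic
    # is not dropped here it simply continues to the remaining rules, so the
    # rest of the ruleset still gets a say.
    if [ "$allow_invalid" -eq 0 ]; then
        fwd_invalid_rule='        ct state invalid drop'
    else
        fwd_invalid_rule='        # allow_invalid=1: invalid traffic continues to the rules below'
    fi

    cat <<EOF
table inet pvefw_example {
    chain host_in {
        type filter hook input priority filter; policy drop;
        ct state invalid drop
        ct state established,related accept
        # ... host-level rules follow here
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
${fwd_invalid_rule}
        ct state established,related accept
        # ... VM-level rules follow here
    }
}
EOF
}

# Helper for checking the rendered output: number of "ct state invalid drop"
# rules in the ruleset (2 when allow_invalid=0, 1 when allow_invalid=1).
count_invalid_drops() {
    render_ruleset "$1" | grep -c '^ *ct state invalid drop$'
}

# Stand-alone usage: render the default (allow_invalid=0) ruleset.
render_ruleset 0
```

The rendered text can be syntax-checked without loading it via `render_ruleset 0 | nft -c -f -`; `nft -c` parses and validates the ruleset but does not apply it.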