The firewall used the full CIDR from the container network configuration when autogenerating the IP filter. If an IP of 192.0.2.1/24 was configured, the whole 192.0.2.0/24 range was allowed instead of only 192.0.2.1.
Signed-off-by: Stefan Hanreich <[email protected]>
---
 proxmox-firewall/src/firewall.rs | 10 +-
 proxmox-firewall/tests/input/100.conf | 1 +
 .../integration_tests__firewall.snap | 316 ++++++++++++++++++
 3 files changed, 324 insertions(+), 3 deletions(-)

diff --git a/proxmox-firewall/src/firewall.rs b/proxmox-firewall/src/firewall.rs
index 5012610..ddf839b 100644
--- a/proxmox-firewall/src/firewall.rs
+++ b/proxmox-firewall/src/firewall.rs
@@ -24,7 +24,7 @@ use proxmox_ve_config::firewall::ct_helper::get_cthelper;
 use proxmox_ve_config::firewall::guest::Config as GuestConfig;
 use proxmox_ve_config::firewall::host::Config as HostConfig;
 
-use proxmox_network_types::ip_address::{Cidr, Ipv6Cidr};
+use proxmox_network_types::ip_address::{Cidr, Ipv4Cidr, Ipv6Cidr};
 use proxmox_ve_config::firewall::types::ipset::{
     Ipfilter, Ipset, IpsetEntry, IpsetName, IpsetScope,
 };
@@ -815,11 +815,15 @@ impl Firewall {
             ipset.push(IpsetEntry::from(Cidr::from(cidr)));
 
             if let Some(ip_address) = network_device.ip() {
-                ipset.push(IpsetEntry::from(Cidr::from(ip_address)));
+                ipset.push(IpsetEntry::from(Cidr::from(Ipv4Cidr::from(
+                    *ip_address.address(),
+                ))));
             }
 
             if let Some(ip6_address) = network_device.ip6() {
-                ipset.push(IpsetEntry::from(Cidr::from(ip6_address)));
+                ipset.push(IpsetEntry::from(Cidr::from(Ipv6Cidr::from(
+                    *ip6_address.address(),
+                ))));
             }
 
             commands.append(&mut ipset.to_nft_objects(&env)?);
diff --git a/proxmox-firewall/tests/input/100.conf b/proxmox-firewall/tests/input/100.conf
index cf9af7f..1f81186 100644
--- a/proxmox-firewall/tests/input/100.conf
+++ b/proxmox-firewall/tests/input/100.conf
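Review bot: The two new `Ipv4Cidr::from(*ip_address.address())` / `Ipv6Cidr::from(*ip6_address.address())` calls silently drop the prefix length from the guest config, which is the whole security point of the fix, yet nothing in the code says so; a future "simplification" back to `Cidr::from(ip_address)` would reopen the subnet-wide ipfilter hole without any test other than the snapshot noticing why. I would put a why-comment above the first push, `// Deliberately use only the configured host address (/32 resp. /128): the prefix length from the guest config must not widen the ipfilter to the whole subnet.`, and a one-liner `// Same for IPv6: host address only, never the configured prefix.` above the second. The correctness of this also rests on `From<Ipv4Addr> for Ipv4Cidr` and `From<Ipv6Addr> for Ipv6Cidr` producing host prefixes, which the new snapshot entries with `len: 32` and `len: 128` confirm but the code does not state. The enclosing method starts and ends outside the hunk, so I cannot tell from here whether `cidr` on the first context line (presumably the MAC-derived link-local address) is already guaranteed to be a host prefix.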
@@ -5,6 +5,7 @@ hostname: host1
 memory: 512
 net1: name=eth0,bridge=simple1,firewall=1,hwaddr=BC:24:11:4D:B0:FF,ip=dhcp,ip6=fd80::1234/64,type=veth
 net2: name=eth0,bridge=simple1,hwaddr=BC:24:11:4D:B0:FF,ip=dhcp,ip6=fd80::1234/64,type=veth
+net3: name=eth0,bridge=simple2,firewall=1,hwaddr=BC:24:11:4D:B0:FE,ip=192.0.2.10/24,ip6=fd80::1235/64,type=veth
 ostype: debian
 rootfs: local-lvm:vm-90001-disk-0,size=2G
 swap: 512
diff --git a/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap b/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap
index e3db8ae..feeda5b 100644
--- a/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap
+++ b/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap
@@ -4384,6 +4384,306 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")" } } }, + { + "add": { + "set": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "name": "v4-guest-100/ipfilter-net3", + "type": "ipv4_addr", + "flags": [ + "interval" + ] + } + } + }, + { + "flush": { + "set": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "name": "v4-guest-100/ipfilter-net3" + } + } + }, + { + "add": { + "set": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "name": "v4-guest-100/ipfilter-net3-nomatch", + "type": "ipv4_addr", + "flags": [ + "interval" + ] + } + } + }, + { + "flush": { + "set": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "name": "v4-guest-100/ipfilter-net3-nomatch" + } + } + }, + { + "add": { + "element": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "name": "v4-guest-100/ipfilter-net3", + "elem": [ + { + "prefix": { + "addr": "192.0.2.10", + "len": 32 + } + } + ] + } + } + }, + { + "add": { + "set": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "name": "v6-guest-100/ipfilter-net3", + "type": "ipv6_addr", + "flags": [ + "interval" + ] + } + } + }, + { + "flush": { + "set": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "name": "v6-guest-100/ipfilter-net3" + } + } + }, + { + "add": { + "set": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "name": "v6-guest-100/ipfilter-net3-nomatch", + "type": "ipv6_addr", + "flags": [ + "interval" + ] + } + } + }, + { + "flush": { + "set": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "name": "v6-guest-100/ipfilter-net3-nomatch" + } + } + }, + { + "add": { + "element": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "name": "v6-guest-100/ipfilter-net3", + "elem": [ + { + "prefix": { + "addr": "fe80::be24:11ff:fe4d:b0fe", + "len": 128 + } + }, + { + "prefix": { + "addr": "fd80::1235", + "len": 128 + } + } + ] + } + } + }, + { + 
"add": { + "rule": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "chain": "guest-100-in", + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oifname" + } + }, + "right": "veth100i3" + } + }, + { + "match": { + "op": "!=", + "left": { + "payload": { + "protocol": "arp", + "field": "daddr ip" + } + }, + "right": "@v4-guest-100/ipfilter-net3" + } + }, + { + "drop": null + } + ] + } + } + }, + { + "add": { + "rule": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "chain": "guest-100-out", + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "veth100i3" + } + }, + { + "match": { + "op": "!=", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "@v4-guest-100/ipfilter-net3" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "right": "@v4-guest-100/ipfilter-net3-nomatch" + } + }, + { + "drop": null + } + ] + } + } + }, + { + "add": { + "rule": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "chain": "guest-100-out", + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "veth100i3" + } + }, + { + "match": { + "op": "!=", + "left": { + "payload": { + "protocol": "ip6", + "field": "saddr" + } + }, + "right": "@v6-guest-100/ipfilter-net3" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip6", + "field": "saddr" + } + }, + "right": "@v6-guest-100/ipfilter-net3-nomatch" + } + }, + { + "drop": null + } + ] + } + } + }, + { + "add": { + "rule": { + "family": "bridge", + "table": "proxmox-firewall-guests", + "chain": "guest-100-out", + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "veth100i3" + } + }, + { + "match": { + "op": "!=", + "left": { + "payload": { + "protocol": "arp", + "field": "saddr ip" + } + }, + 
"right": "@v4-guest-100/ipfilter-net3" + } + }, + { + "drop": null + } + ] + } + } + }, { "add": { "rule": { @@ -4742,6 +5042,14 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")" "target": "guest-100-in" } } + ], + [ + "veth100i3", + { + "goto": { + "target": "guest-100-in" + } + } ] ] } @@ -4886,6 +5194,14 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")" "target": "guest-100-out" } } + ], + [ + "veth100i3", + { + "goto": { + "target": "guest-100-out" + } + } ] ] } -- 2.47.3 _______________________________________________ pve-devel mailing list [email protected] https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
