Hi,

I have noticed a bug with the current firewall implementation, with a simple test like:

1) host fw:
--------
iptables -F
iptables -X
iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables-save > rules.dump

2) start a VM and establish a connection (like ssh, for example).

3) iptables -F (like pve-firewall stop)

4) restore the rules (iptables-restore -n < rules.dump) (like pve-firewall start)

Then the connection is dropped by

iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP

This is critical for some protocols like CephFS, where this hangs the MDS connection for 15 min by default (the client thinks it's still connected).

By reverting the order of the 2 rules, it works fine:

iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP

I'm not expert enough with conntrack, but I have seen a lot of documentation about this order (ufw firewall, Arch Linux wiki, ...).

Does somebody have an idea what the correct order should be?

(Note that running iptables INPUT inside the VM works fine with INVALID first, so maybe it's specific to forwarding.)

_______________________________________________
pve-devel mailing list
[email protected]
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
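Added example (not code from the post, from Proxmox, or from pve-firewall): a small Python checker for an iptables-save dump that reports whether the FORWARD chain has the `INVALID -j DROP` rule ahead of the `RELATED,ESTABLISHED -j ACCEPT` rule, and can rewrite the dump into the order the poster reports as working. The sample dump and all function names are constructed for this example; it only inspects text and does not touch the running firewall.

```python
"""Check and reorder conntrack state rules in an iptables-save dump."""
import shlex
import sys

# Constructed sample dump (not taken from the post): the rule order the
# poster reports as breaking established forwarded connections after an
# iptables -F / iptables-restore cycle.
SAMPLE_DUMP = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i vmbr0 -p tcp --dport 22 -j ACCEPT
COMMIT
"""


def conntrack_rules(dump, chain="FORWARD", table="filter"):
    """Return [(line_index, states, target)] for every `-A <chain>` rule in
    `table` that matches on a conntrack state (`--ctstate` or the older
    `-m state --state`). Other rules are ignored."""
    found = []
    in_table = False
    for idx, line in enumerate(dump.splitlines()):
        if line.startswith("*"):          # table header, e.g. *filter
            in_table = line[1:] == table
            continue
        if not in_table or not line.startswith("-A "):
            continue                       # policies, COMMIT, comments
        argv = shlex.split(line)
        if argv[1] != chain:
            continue
        states, target = None, None
        for i, tok in enumerate(argv[:-1]):
            if tok in ("--ctstate", "--state"):
                states = frozenset(argv[i + 1].split(","))
            elif tok in ("-j", "-g"):
                target = argv[i + 1]
        if states is not None:
            found.append((idx, states, target))
    return found


def _first(rules, state, targets):
    """Line index of the first rule matching `state` with a target in `targets`."""
    for idx, states, target in rules:
        if state in states and target in targets:
            return idx
    return None


def invalid_drop_first(dump, chain="FORWARD"):
    """True if an INVALID DROP/REJECT precedes the (RELATED,)ESTABLISHED ACCEPT
    in `chain`, False if it follows it, None if either rule is missing."""
    rules = conntrack_rules(dump, chain)
    inv = _first(rules, "INVALID", ("DROP", "REJECT"))
    est = _first(rules, "ESTABLISHED", ("ACCEPT",))
    if inv is None or est is None:
        return None
    return inv < est


def move_established_accept_first(dump, chain="FORWARD"):
    """Return the dump with the ESTABLISHED ACCEPT rule moved directly in
    front of the INVALID DROP rule (the order the poster reports as working).
    All other rules keep their relative order; the dump is returned unchanged
    when it is already in that order or one of the rules is absent."""
    if not invalid_drop_first(dump, chain):
        return dump
    rules = conntrack_rules(dump, chain)
    inv = _first(rules, "INVALID", ("DROP", "REJECT"))
    est = _first(rules, "ESTABLISHED", ("ACCEPT",))
    lines = dump.splitlines(keepends=True)
    est_line = lines.pop(est)       # est > inv, so `inv` is still valid
    lines.insert(inv, est_line)
    return "".join(lines)


if __name__ == "__main__":
    # Usage: python3 ctorder.py [rules.dump]   (defaults to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP
    print("INVALID DROP before ESTABLISHED ACCEPT in FORWARD:",
          invalid_drop_first(text))
    sys.stdout.write(move_established_accept_first(text))
```

Run it against `iptables-save` output (`iptables-save > rules.dump; python3 ctorder.py rules.dump`) to see which ordering a host currently has; the rewritten dump can then be fed to `iptables-restore -n` the same way the poster's test does.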
