Merge pull request #774 from Luap99/iptables-drop-invalid

iptables: drop invalid packages

src/firewall/varktables/types.rs

@@ -353,6 +353,14 @@ pub fn get_network_chains<'a>(
         VarkChain::new(conn, FILTER.to_string(), NETAVARK_FORWARD.to_string(), None);
     netavark_forward_chain.create = true;
 
+    // Drop all invalid packages, due a race the container source ip could be leaked on the local
+    // network and we should avoid that, https://bugzilla.redhat.com/show_bug.cgi?id=2230144
+    // This should't harm anything so just add one global rule instead of filtering per subnet.
+    netavark_forward_chain.build_rule(VarkRule::new(
+        "-m conntrack --ctstate INVALID -j DROP".to_string(),
+        Some(TeardownPolicy::Never),
+    ));
+
     // Create incoming traffic rule
     // CNI did this by IP address, this is implemented per subnet
     netavark_forward_chain.build_rule(VarkRule::new(

test/100-bridge-iptables.bats

@@ -81,9 +81,10 @@ fw_driver=iptables
     assert "${#lines[@]}" = 2 "too many FORWARD rules"
 
     run_in_host_netns iptables -S NETAVARK_FORWARD
-    assert "${lines[1]}" == "-A NETAVARK_FORWARD -d 10.88.0.0/16 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" "NETAVARK_FORWARD rule 1"
-    assert "${lines[2]}" == "-A NETAVARK_FORWARD -s 10.88.0.0/16 -j ACCEPT" "NETAVARK_FORWARD rule 2"
-    assert "${#lines[@]}" = 3 "too many NETAVARK_FORWARD rules"
+    assert "${lines[1]}" == "-A NETAVARK_FORWARD -m conntrack --ctstate INVALID -j DROP" "NETAVARK_FORWARD rule 1"
+    assert "${lines[2]}" == "-A NETAVARK_FORWARD -d 10.88.0.0/16 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" "NETAVARK_FORWARD rule 2"
+    assert "${lines[3]}" == "-A NETAVARK_FORWARD -s 10.88.0.0/16 -j ACCEPT" "NETAVARK_FORWARD rule 3"
+    assert "${#lines[@]}" = 4 "too many NETAVARK_FORWARD rules"
 
     run_netavark --file ${TESTSDIR}/testfiles/simplebridge.json teardown $(get_container_netns_path)
 
@@ -97,7 +98,8 @@ fw_driver=iptables
 
     # rule 1 should be DROP for any existing networks
     run_in_host_netns iptables -S NETAVARK_FORWARD
-    assert "${#lines[@]}" = 1 "too many NETAVARK_FORWARD rules after teardown"
+    assert "${lines[1]}" == "-A NETAVARK_FORWARD -m conntrack --ctstate INVALID -j DROP" "NETAVARK_FORWARD rule 1"
+    assert "${#lines[@]}" = 2 "too many NETAVARK_FORWARD rules after teardown"
 
     # check POSTROUTING nat rules
     run_in_host_netns iptables -S POSTROUTING -t nat
@@ -833,14 +835,19 @@ EOF
     run_in_host_netns ip link show podman1
 
     run_in_host_netns iptables -S NETAVARK_FORWARD
-    assert "${lines[1]}" == "-A NETAVARK_FORWARD -d 10.88.0.0/16 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" "NETAVARK_FORWARD rule 1"
-    assert "${lines[2]}" == "-A NETAVARK_FORWARD -s 10.88.0.0/16 -j ACCEPT" "NETAVARK_FORWARD rule 2"
-    assert "${#lines[@]}" = 3 "too many NETAVARK_FORWARD rules"
+    assert "${lines[1]}" == "-A NETAVARK_FORWARD -m conntrack --ctstate INVALID -j DROP" "NETAVARK_FORWARD rule 1"
+    assert "${lines[2]}" == "-A NETAVARK_FORWARD -d 10.88.0.0/16 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" "NETAVARK_FORWARD rule 2"
+    assert "${lines[3]}" == "-A NETAVARK_FORWARD -s 10.88.0.0/16 -j ACCEPT" "NETAVARK_FORWARD rule 3"
+    assert "${#lines[@]}" = 4 "too many NETAVARK_FORWARD rules"
 
     run_netavark teardown $(get_container_netns_path 1) <<<"${configs[1]}"
     # bridge should be removed
     expected_rc=1 run_in_host_netns ip link show podman1
 
+    run_in_host_netns iptables -S NETAVARK_FORWARD
+    assert "${lines[1]}" == "-A NETAVARK_FORWARD -m conntrack --ctstate INVALID -j DROP" "NETAVARK_FORWARD rule 1"
+    assert "${#lines[@]}" = 2 "too many NETAVARK_FORWARD rules"
+
     run_in_host_netns ip -o link
     assert "${#lines[@]}" == 1 "only loopback adapter"
 }