public inbox for pve-devel@lists.proxmox.com
* [pve-devel] [PATCH proxmox-firewall 1/1] fix #6831: move conntrack statement to forward chain
@ 2025-09-23 12:26 Stefan Hanreich
From: Stefan Hanreich @ 2025-09-23 12:26 UTC (permalink / raw)
  To: pve-devel

The conntrack statement was included in the host-forward chain, which
is managed by the firewall daemon. It gets flushed in every iteration
of the daemon, but the rule is never re-created in the daemon. This
caused conntracked flows that are routed by the PVE host to not get
accepted. Generally, the ruleset is constructed in a way that all
chains that are managed by the firewall daemon are empty by default -
this was the only exception. Move the ct state statement to the
appropriate chain. Since the forward chain is in the inet table which
never sees ARP traffic in the first place, remove the respective
statement matching on ARP. This is most likely copied from the bridge
table where this modifier is indeed necessary, since there ARP traffic
is visible.

This also fixes a report from a user in the forum [1], where if the
daemon fails to generate a ruleset there is a growing number of entries
in the host-forward chain that consist only of the ct state
statement. This is because the host-forward chain never gets flushed
by the default ruleset, but nftables inserts all rules in the chain an
additional time when executing the default ruleset.

[1] https://forum.proxmox.com/threads/macro-firewall-rules-not-working-with-nftables.171262/#post-799600

Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
---
 proxmox-firewall/resources/proxmox-firewall.nft | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/proxmox-firewall/resources/proxmox-firewall.nft b/proxmox-firewall/resources/proxmox-firewall.nft
index 2456336..ea102ec 100644
--- a/proxmox-firewall/resources/proxmox-firewall.nft
+++ b/proxmox-firewall/resources/proxmox-firewall.nft
@@ -267,6 +267,7 @@ table inet proxmox-firewall {
 
     chain forward {
         type filter hook forward priority filter; policy accept;
+        ct state vmap { established : accept, related : accept, invalid : jump invalid-conntrack }
         jump host-forward
         jump cluster-forward
     }
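Review bot: the relocated `ct state vmap` line carries no hint that it must stay in this statically defined `forward` chain rather than in one of the daemon-managed chains below it, which is exactly the mistake this patch undoes; consider adding an nft comment above the rule, e.g. `# keep here: host-forward/cluster-forward are flushed by the daemon`, so the invariant that managed chains are empty by default is visible at the place where it matters. Placing the rule before `jump host-forward` and `jump cluster-forward` preserves the previous evaluation order, since it was the only rule in `host-forward`, and dropping `meta protocol != arp` is correct for a chain in `table inet`, which only handles IPv4/IPv6.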
@@ -278,9 +279,7 @@ table inet proxmox-firewall {
     chain host-out {}
 
     chain cluster-forward {}
-    chain host-forward {
-        meta protocol != arp ct state vmap { established : accept, related : accept, invalid : jump invalid-conntrack }
-    }
+    chain host-forward {}
 
     chain ct-in {}
     chain invalid-conntrack { }
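Review bot: minor style point while these lines are touched: `chain host-forward {}` and `chain cluster-forward {}` use `{}` but `chain invalid-conntrack { }` keeps an inner space; normalizing to one form would make the "empty by default" chains easier to spot. It would also help to state in the commit message that the duplicated `ct state` entries described in the forum report are cleared on the first daemon iteration after the upgrade, because the daemon flushes `host-forward` each run and the default ruleset no longer re-inserts anything into it.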
-- 
2.47.3


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

