From: Stefan Hanreich
To: pve-devel@lists.proxmox.com
Date: Tue, 23 Sep 2025 14:26:43 +0200
Message-ID: <20250923122645.154759-1-s.hanreich@proxmox.com>
Subject: [pve-devel] [PATCH proxmox-firewall 1/1] fix #6831: move conntrack statement to forward chain

The conntrack statement was included in the host-forward chain, which is managed by the firewall daemon. It gets flushed in every iteration of the daemon, but the rule is never re-created in the daemon. This caused conntracked flows that are routed by the PVE host to not get accepted.
Generally, the ruleset is constructed in a way that all chains that are managed by the firewall daemon are empty by default - this was the only exception. Move the ct state statement to the appropriate chain.

Since the forward chain is in the inet table, which never sees ARP traffic in the first place, remove the respective statement matching on ARP. This is most likely copied from the bridge table, where this modifier is indeed necessary, since ARP traffic is visible there.

This also fixes a report from a user in the forum [1], where, if the daemon fails to generate a ruleset, there is a growing number of entries in the host-forward chain that consist only of the ct state statement. This is because the host-forward chain never gets flushed by the default ruleset, but nftables inserts all rules in the chain an additional time when executing the default ruleset.

[1] https://forum.proxmox.com/threads/macro-firewall-rules-not-working-with-nftables.171262/#post-799600

Signed-off-by: Stefan Hanreich
---
 proxmox-firewall/resources/proxmox-firewall.nft | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/proxmox-firewall/resources/proxmox-firewall.nft b/proxmox-firewall/resources/proxmox-firewall.nft
index 2456336..ea102ec 100644
--- a/proxmox-firewall/resources/proxmox-firewall.nft
+++ b/proxmox-firewall/resources/proxmox-firewall.nft
@@ -267,6 +267,7 @@ table inet proxmox-firewall { chain forward { type filter hook forward priority filter; policy accept; + ct state vmap { established : accept, related : accept, invalid : jump invalid-conntrack } jump host-forward jump cluster-forward }
@@ -278,9 +279,7 @@ table inet proxmox-firewall { chain host-out {} chain cluster-forward {} - chain host-forward { - meta protocol != arp ct state vmap { established : accept, related : accept, invalid : jump invalid-conntrack } - } + chain host-forward {} chain ct-in {} chain invalid-conntrack { }
-- 
2.47.3
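Review bot: in the first hunk, the added `ct state vmap { established : accept, related : accept, invalid : jump invalid-conntrack }` is placed ahead of `jump host-forward` and `jump cluster-forward`, so established and related packets are accepted in the static `forward` chain and never reach the daemon-managed chains; that matches the position the statement had before (sole rule of `host-forward`, evaluated before anything the daemon inserts), so ordering semantics are preserved. Since the whole point of the fix is that this rule must not live in a chain the daemon flushes, a short comment above the new line saying so would help keep it from being moved back into `host-forward` in a later refactor.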
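Review bot: in the second hunk, dropping `meta protocol != arp` together with the rule is behaviour preserving for this table: the `inet` family only receives IPv4 and IPv6 at the forward hook, so the ARP exclusion could never match there, as the commit message states. Minor style point in the context lines this hunk touches: `chain host-forward {}`, `chain cluster-forward {}` and `chain ct-in {}` are written as `{}`, while the adjacent `chain invalid-conntrack { }` keeps a space inside the braces; aligning it to `{}` would make the block of empty placeholder chains consistent.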