Date: Fri, 21 Jul 2023 11:49:33 +0200
From: nada
To: pve-user@lists.proxmox.com
Message-ID: <3fec86b989521833db41524a04fc9a37@verdnatura.es>
Subject: [PVE-User] migration from iptables to nftables

hi folks

I am testing migration of the firewall from iptables to nftables.

My versions:

* pve-manager/7.4-16/0f39f621 (running kernel: 5.15.108-1-pve)
* iptables 1.8.7-1
* nftables 0.9.8-3.1+deb11u1

# nft -V
nftables v0.9.8 (E.D.S.)
  cli:		editline
  json:		yes
  minigmp:	no
  libxtables:	yes

I've already translated the rulesets from iptables to nftables and want to deploy them at pve-firewall.

Please, can anybody let me know the configuration of pve-firewall.service for nft?

The current one for iptables:

# cat /lib/systemd/system/pve-firewall.service
[Unit]
Description=Proxmox VE firewall
ConditionPathExists=/usr/sbin/pve-firewall
Wants=pve-cluster.service pvefw-logger.service
After=pvefw-logger.service pve-cluster.service network.target systemd-modules-load.service
DefaultDependencies=no
Before=shutdown.target
Conflicts=shutdown.target

[Service]
ExecStartPre=-/usr/bin/update-alternatives --set ebtables /usr/sbin/ebtables-legacy
ExecStartPre=-/usr/bin/update-alternatives --set iptables /usr/sbin/iptables-legacy
ExecStartPre=-/usr/bin/update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
ExecStart=/usr/sbin/pve-firewall start
ExecStop=/usr/sbin/pve-firewall stop
ExecReload=/usr/sbin/pve-firewall restart
PIDFile=/run/pve-firewall.pid
Type=forking

[Install]
WantedBy=multi-user.target

thank you
NadaMac
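The detail worth noticing in the unit above is that every start of pve-firewall re-pins the ebtables/iptables/ip6tables alternatives to the legacy backend (the leading `-` on ExecStartPre= tells systemd to ignore a failure of that command), so switching the alternatives to the nft backend by hand is undone on the next service start. The script below is an added example, not code from the post or from Proxmox: it parses a unit file for those pins and renders a systemd drop-in that clears them (an empty `ExecStartPre=` assignment resets the accumulated list). The unit text is a constructed copy of the [Service] lines from the post, and writing the drop-in into a caller-supplied directory instead of /etc/systemd/system is an assumption so it runs offline. The post does not establish that pve-firewall 7.4 works correctly over iptables-nft, so treat this as a way to test that on a non-production node, not as a supported configuration.

```shell
#!/bin/sh
# Added example: find the update-alternatives pins that a unit forces through
# ExecStartPre= and generate a drop-in that removes them.

# Constructed copy of the relevant [Service] lines from the posted unit.
UNIT_TEXT='[Service]
ExecStartPre=-/usr/bin/update-alternatives --set ebtables /usr/sbin/ebtables-legacy
ExecStartPre=-/usr/bin/update-alternatives --set iptables /usr/sbin/iptables-legacy
ExecStartPre=-/usr/bin/update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
ExecStart=/usr/sbin/pve-firewall start
Type=forking'

# pinned_alternatives: read unit text on stdin, print "name target" for every
# ExecStartPre line that runs "update-alternatives --set". The optional "-"
# after "=" is the systemd ignore-failure prefix.
pinned_alternatives() {
  sed -n 's|^ExecStartPre=-\{0,1\}/usr/bin/update-alternatives --set \([^ ]*\) \([^ ]*\).*|\1 \2|p'
}

# render_dropin: a [Service] drop-in whose empty ExecStartPre= resets the list
# inherited from the main unit, so no alternatives are pinned at start.
render_dropin() {
  printf '[Service]\n# Added drop-in: clear the legacy-backend pins from the main unit.\nExecStartPre=\n'
}

# write_dropin DIR: place the drop-in as DIR/pve-firewall.service.d/override.conf
# (on a real node DIR would be /etc/systemd/system, followed by
# "systemctl daemon-reload"). Prints the path written.
write_dropin() {
  dir="$1/pve-firewall.service.d"
  mkdir -p "$dir"
  render_dropin > "$dir/override.conf"
  printf '%s\n' "$dir/override.conf"
}

# Stand-alone run: show what the unit pins, then write the drop-in to a temp dir.
if [ "${0##*/}" = "pve-firewall-pins.sh" ]; then
  printf '%s\n' "$UNIT_TEXT" | pinned_alternatives
  write_dropin "$(mktemp -d)"
fi
```

After installing the drop-in, `systemctl daemon-reload` and then `update-alternatives --display iptables` before and after a restart of pve-firewall tells you whether the pin is really gone; the same check is the quickest way to see, on an unmodified node, why a manual switch to the nft backend did not survive a restart.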