The conntrack statement was included in the host-forward chain, which is managed by the firewall daemon. It gets flushed in every iteration of the daemon, but the rule is never re-created in the daemon. This caused conntracked flows that are routed by the PVE host to not get accepted. Generally, the ruleset is constructed in a way that all chains that are managed by the firewall daemon are empty by default - this was the only exception. Move the ct state statement to the appropriate chain. Since the forward chain is in the inet table which never sees ARP traffic in the first place, remove the respective statement matching on ARP. This is most likely copied from the bridge table where this modifier is indeed necessary, since there ARP traffic is visible.
This also fixes a report from a user in the forum [1], where if the daemon fails to generate a ruleset there are growing number of entries in the host-forward chain that consists only of the ct state statement. This is because the host-forward chain never gets flushed by the default ruleset, but nftables inserts all rules in the chain an additional time when executing the default ruleset. [1] https://forum.proxmox.com/threads/macro-firewall-rules-not-working-with-nftables.171262/#post-799600 Signed-off-by: Stefan Hanreich <[email protected]> --- proxmox-firewall/resources/proxmox-firewall.nft | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/proxmox-firewall/resources/proxmox-firewall.nft b/proxmox-firewall/resources/proxmox-firewall.nft index 2456336..ea102ec 100644 --- a/proxmox-firewall/resources/proxmox-firewall.nft +++ b/proxmox-firewall/resources/proxmox-firewall.nft @@ -267,6 +267,7 @@ table inet proxmox-firewall { chain forward { type filter hook forward priority filter; policy accept; + ct state vmap { established : accept, related : accept, invalid : jump invalid-conntrack } jump host-forward jump cluster-forward } @@ -278,9 +279,7 @@ table inet proxmox-firewall { chain host-out {} chain cluster-forward {} - chain host-forward { - meta protocol != arp ct state vmap { established : accept, related : accept, invalid : jump invalid-conntrack } - } + chain host-forward {} chain ct-in {} chain invalid-conntrack { } -- 2.47.3 _______________________________________________ pve-devel mailing list [email protected] https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
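Review bot: In the first hunk, the new `ct state vmap { established : accept, related : accept, invalid : jump invalid-conntrack }` rule is placed above `jump host-forward` and `jump cluster-forward` in the inet `forward` chain, so established and related packets are accepted before any daemon-managed forward rule runs and those chains only ever see new, untracked, or (after returning from `invalid-conntrack`) invalid packets; this ordering is the intended stateful behaviour, but the commit message should say so explicitly, since it changes what rules in host-forward and cluster-forward can match compared to the old placement inside host-forward. Also worth noting: the chain has `policy accept`, and `invalid-conntrack` appears as an empty `chain invalid-conntrack { }` in this file, so the `invalid : jump invalid-conntrack` branch only drops anything once the daemon has populated that chain; until then a packet returns from the empty chain and falls through to accept.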
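Review bot: In the second hunk, replacing the `meta protocol != arp ct state vmap { ... }` rule with an empty `chain host-forward {}` is correct for the inet family (no ARP reaches an inet hook, so the `meta protocol != arp` match was dead weight) and makes the chain declaration idempotent, so re-running the base ruleset no longer appends a copy of the rule each time, which is the duplicate-entry growth the forum report describes. Consider stating in the commit message that hosts already carrying the accumulated duplicate rules are cleaned up by the daemon's per-iteration flush of host-forward described in the first paragraph, so no manual `nft flush chain` is needed after upgrading; if the daemon does not flush before its first rule load on startup, that case should be checked.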
