On Fri, 05 Sep 2025 14:13:47 +0200, Stefan Hanreich wrote:
> If the host firewall is not enabled, but the vnet firewall is enabled
> for at least one vnet, then the firewall tries to create the chains
> required for the vnet firewall in the cluster / host table, which is
> unnecessary. This leads to an error in the generated nftables ruleset,
> causing the firewall to not get applied.
> 
> In order to fix this, skip generating the bridge chains in the inet
> table when the cluster/host firewall is disabled, since they're only
> required for managing the traffic flowing from host <-> bridge ports.
> If the host firewall is disabled, then we do not need to create rules
> for traffic from host <-> bridge port in the first place.
> 
> [...]

Applied, thanks!

[1/1] vnet firewall: create chains in host table only if host fw is enabled
      commit: fdbcd7dea5ab49430acf100bd70ad6ed062c52a5


_______________________________________________
pve-devel mailing list
[email protected]
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
