On Tue, 23 Sep 2025 14:26:43 +0200, Stefan Hanreich wrote:
> The conntrack statement was included in the host-forward chain, which
> is managed by the firewall daemon. It gets flushed in every iteration
> of the daemon, but the rule is never re-created in the daemon. This
> caused conntracked flows that are routed by the PVE host to not get
> accepted. Generally, the ruleset is constructed in a way that all
> chains that are managed by the firewall daemon are empty by default -
> this was the only exception. Move the ct state statement to the
> appropriate chain. Since the forward chain is in the inet table which
> never sees ARP traffic in the first place, remove the respective
> statement matching on ARP. This is most likely copied from the bridge
> table where this modifier is indeed necessary, since there ARP traffic
> is visible.
> 
> [...]

Applied, thanks!

[1/1] fix #6831: move conntrack statement to forward chain
      commit: 70c65c07db51659070c3fe6f24bfe8f4b6479045
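
The chain layout the quoted commit message describes, as an added illustration that is not the pve-firewall ruleset itself (table, chain names and the drop policy are assumptions):

```nft
# Illustrative only: "pve", "host-forward" and "forward" are assumed names,
# not the project's actual ruleset.
table inet pve {
    # Daemon-managed chain: the firewall daemon flushes and rebuilds it on
    # every iteration, so it must contain nothing static. Before the fix the
    # "ct state" rule lived here and was gone after the first flush, so
    # tracked flows routed by the host were no longer accepted.
    chain host-forward {
    }

    # Static base chain, not touched by the daemon: the conntrack rule
    # belongs here so it survives daemon iterations.
    chain forward {
        type filter hook forward priority filter; policy drop;
        # No ARP exclusion: the inet family never sees ARP, unlike a
        # bridge-family chain where such a modifier is needed.
        ct state established,related accept
        jump host-forward
    }
}
```

Running `nft flush chain inet pve host-forward` and then `nft list chain inet pve forward` shows the `ct state` rule still in place, which is the property the fix restores.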


_______________________________________________
pve-devel mailing list
[email protected]
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
