nftables stateful or stateless?

Hello
Thank you for your answer
When I activate nftables and, in the VM, set outbound traffic for a port to block while keeping inbound on the same port enabled, the traffic stops.
I am using nftables and the firewall with default settings, while if I disable nftables it works fine. Do you know what the issue is?
 
Hello
Thank you for your answer
When I activate nftables and, in the VM, set outbound traffic for a port to block while keeping inbound on the same port enabled, the traffic stops.
I am using nftables and the firewall with default settings, while if I disable nftables it works fine. Do you know what the issue is?
You will need to add a CT rule to your firewall chain, otherwise nftables is stateless:

Code:
ct state established,related accept
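To show where that rule has to sit, here is an added example, not from the thread or from the proxmox-firewall project: a hand-written bridge-family ruleset in the same shape as the proxmox-firewall-guests table (per-guest in/out chains dispatched by tap interface), with the scenario from the question (inbound port enabled, outbound to the same port blocked). The interface name tap100i0, VM id 100 and port 8080 are assumptions.

```nft
# Added illustration; names, VM id and port are assumptions.
table bridge guest-example {
    chain forward {
        type filter hook forward priority filter; policy accept;
        oifname "tap100i0" jump guest-100-in    # frames towards the guest
        iifname "tap100i0" jump guest-100-out   # frames leaving the guest
    }

    chain guest-100-in {
        # Stateful part: packets of a connection that was already accepted
        # (in either direction) pass here, so the rules below only ever
        # decide about NEW connections. Without this line the chain is
        # stateless: every reply to a connection the guest opened itself
        # arrives on an ephemeral port, matches nothing and hits the drop.
        ct state established,related accept
        ct state invalid drop
        # inbound to port 8080 enabled, everything else dropped
        tcp dport 8080 accept
        drop
    }

    chain guest-100-out {
        # Same conntrack shortcut on the way out; keep it above any drop
        # rule, otherwise a drop broad enough to match reply packets stalls
        # sessions that guest-100-in accepted.
        ct state established,related accept
        ct state invalid drop
        # new outbound connections to port 8080 blocked, the rest allowed
        tcp dport 8080 drop
        accept
    }
}
```

Load it with `nft -f` on a test host only; on a Proxmox node the proxmox-firewall service manages its own tables, and `nft list table bridge proxmox-firewall-guests` shows whether the generated chains carry the `ct state` rules.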
 
Hello
Thank you for your answer
When I activate nftables and, in the VM, set outbound traffic for a port to block while keeping inbound on the same port enabled, the traffic stops.
I am using nftables and the firewall with default settings, while if I disable nftables it works fine. Do you know what the issue is?
With the new Proxmox nftables implementation?

If yes, can you send the result of

"nft list table bridge proxmox-firewall-guests"

?
 
With the new Proxmox nftables implementation?
Ah, I thought we were talking just about nftables in general, not the firewall implementation - my mistake. The Proxmox implementation is stateful.

Did you already upgrade to proxmox-firewall 0.4.2? There was a bug with conntrack that has been fixed in this version.
 
Ah, I thought we were talking just about nftables in general, not the firewall implementation - my mistake. The Proxmox implementation is stateful.

Did you already upgrade to proxmox-firewall 0.4.2? There was a bug with conntrack that has been fixed in this version.
I found it stateless. I already upgraded Proxmox and it is up to date.
 
Did you already upgrade to proxmox-firewall 0.4.2? There was a bug with conntrack that has been fixed in this version.
Yes, I have that version, mentioned below:
ii proxmox-firewall 0.4.2 amd64 Proxmox's nftables-based firewall written in rust
 
I got this in the system log, so I disabled nftables.
###############################################
proxmox_firewall: error updating firewall rules: cannot execute nftables commands
May 28 00:20:17 host-104 proxmox-firewall[76896]: proxmox_firewall: error updating firewall rules: cannot execute nftables commands
May 28 00:20:22 host-104 proxmox-firewall[76896]: proxmox_firewall: error updating firewall rules: cannot execute nftables commands
May 28 00:20:27 host-104 proxmox-firewall[76896]: proxmox_firewall: error updating firewall rules: cannot execute nftables commands
May 28 00:20:32 host-104 proxmox-firewall[76896]: proxmox_firewall: error updating firewall rules: cannot execute nftables commands
May 28 00:20:37 host-104 proxmox-firewall[76896]: proxmox_firewall: error updating firewall rules: cannot execute nftables commands
#####################################################
 
Would it be possible for you to provide me with more detailed logs? Then I could take a look at your issue. You can run the firewall in the foreground briefly with the following command:

Code:
RUST_LOG=trace /usr/libexec/proxmox/proxmox-firewall 2> firewall_log_$(hostname).txt

After running it, you can immediately cancel it with CTRL + C and provide me with the created file.
 
Code:
RUST_LOG=trace /usr/libexec/proxmox/proxmox-firewall 2> firewall_log_$(hostname).txt
Hello,
Here is the log as requested:
######################################################
[2024-05-28T20:15:43Z DEBUG proxmox_firewall] cmd #2818 {"add":{"rule":{"family":"bridge","table":"proxmox-firewall-guests","chain":"guest-864-out","expr":[{"jump":{"target":"allow-ndp-out"}}]}}}
[2024-05-28T20:15:43Z DEBUG proxmox_firewall] cmd #2819 {"add":{"rule":{"family":"bridge","table":"proxmox-firewall-guests","chain":"guest-864-out","expr":[{"jump":{"target":"allow-ra-out"}}]}}}
[2024-05-28T20:15:43Z DEBUG proxmox_firewall] cmd #2820 {"add":{"rule":{"family":"bridge","table":"proxmox-firewall-guests","chain":"guest-864-out","expr":[{"match":{"op":"==","left":{"payload":{"protocol":"ether","field":"type"}},"right":"arp"}},{"accept":null}]}}}
[2024-05-28T20:15:43Z DEBUG proxmox_firewall] cmd #2821 {"add":{"element":{"family":"bridge","table":"proxmox-firewall-guests","name":"vm-map-in","elem":[["tap864i0",{"goto":{"target":"guest-864-in"}}]]}}}
[2024-05-28T20:15:43Z DEBUG proxmox_firewall] cmd #2822 {"add":{"rule":{"family":"bridge","table":"proxmox-firewall-guests","chain":"guest-864-in","expr":[{"accept":null}]}}}
[2024-05-28T20:15:43Z DEBUG proxmox_firewall] cmd #2823 {"add":{"element":{"family":"bridge","table":"proxmox-firewall-guests","name":"vm-map-out","elem":[["tap864i0",{"goto":{"target":"guest-864-out"}}]]}}}
[2024-05-28T20:15:43Z DEBUG proxmox_firewall] cmd #2824 {"add":{"rule":{"family":"bridge","table":"proxmox-firewall-guests","chain":"guest-864-out","expr":[{"accept":null}]}}}
[2024-05-28T20:15:43Z ERROR proxmox_firewall] error updating firewall rules: cannot execute nftables commands
[2024-05-28T20:15:43Z INFO proxmox_firewall] firewall update time: 105ms
[2024-05-28T20:15:48Z INFO proxmox_firewall] removing existing firewall rules
###########################################################################################################
 
That's only a small part of the logs - if you could somehow send me the whole file that would help a lot.