[SOLVED] Proxmox-Firewall error updating firewall rules: cannot execute nftables commands

program0089

Dec 17, 2025
Greetings!

I've recently been having an issue with proxmox-firewall that uses nftables as the backend. For some reason I continually get "error updating firewall rules: cannot execute nftables commands". Searching around, I've found a few forum posts where others have had this issue from duplicate ranges in IP sets; however, I do not have any IP sets used or defined. I have a single security group that I use for common ports such as SSH and MDNS, and the rest are individually added as inbound accept rules on individual VMs or containers.

Here are the firewall logs at the trace level:

https://privatebin.net/?19ea9cf7645b6d8f#HN7eAoBy6b5D4darfDJym8wP2ApQhqa184eaTuE53SFj
 
Seems like there is a casing issue with the 'Common' security group. The problem should be fixed by changing all references to the 'Common' security group to lowercase 'common' in the VM Firewall configuration files.
 
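One way to find every reference that needs the case change suggested above, as an added example that is not part of the original thread or of proxmox-firewall: the function lists `GROUP` rules in the `*.fw` files that do not exactly match a `[group NAME]` header in cluster.fw. It assumes the standard /etc/pve/firewall layout; the function names and the sample files in `demo` are constructed.

```shell
#!/bin/sh
# Added example (not Proxmox code): report GROUP references that differ from
# the security groups defined in cluster.fw, e.g. "Common" vs "common".
# Usage: check_group_case [firewall-dir]   (default: /etc/pve/firewall)
check_group_case() {
    fwdir=${1:-/etc/pve/firewall}
    [ -r "$fwdir/cluster.fw" ] || { echo "cannot read $fwdir/cluster.fw" >&2; return 2; }
    awk '
    # Pass 1: remember every "[group NAME]" header in cluster.fw.
    pass == 1 {
        if (tolower($1) == "[group" && $2 ~ /\]/) {
            name = $2; sub(/\].*$/, "", name)
            defined[name] = 1
            bylower[tolower(name)] = name
        }
        next
    }
    # Pass 2: check each "GROUP name" rule; a leading "|" marks a disabled rule.
    {
        verb = $1; sub(/^\|/, "", verb)
        if (toupper(verb) != "GROUP" || NF < 2 || ($2 in defined)) next
        if ((tolower($2) in bylower))
            printf "%s:%d: case-mismatch: %s (defined as %s)\n", FILENAME, FNR, $2, bylower[tolower($2)]
        else
            printf "%s:%d: undefined: %s\n", FILENAME, FNR, $2
        bad = 1
    }
    END { exit bad + 0 }   # 1 if anything was reported, else 0
    ' pass=1 "$fwdir/cluster.fw" pass=2 "$fwdir"/*.fw
}

# Constructed sample: group defined as "common", guest 100 references "Common".
demo() {
    d=$(mktemp -d)
    printf '[group common]\nIN SSH(ACCEPT)\n' > "$d/cluster.fw"
    printf '[RULES]\nGROUP Common\nIN ACCEPT -p tcp -dport 8080\n' > "$d/100.fw"
    printf '[RULES]\n|GROUP common -i net0\n' > "$d/101.fw"
    check_group_case "$d"; rc=$?
    rm -rf "$d"
    return $rc
}
demo || true
```

On a node, run `check_group_case` with no argument; exit status 1 means at least one reference was reported, 2 means cluster.fw could not be read.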
By default proxmox-firewall only prints logs at the Warn level or higher, so you need to set it to trace.

systemctl edit proxmox-firewall
Add:
[Service]
Environment="PVE_LOG=trace"
Then:
systemctl daemon-reload && systemctl restart proxmox-firewall
You can then view the logs via journalctl -u proxmox-firewall
When you no longer need the trace logs: systemctl revert proxmox-firewall
 
I deleted my last comment because I was unsure if my issue was EXACTLY what you were experiencing. I will run these commands and get back to you.

For anyone reading this later:

I was experiencing the same issue using special characters and asked how to check the log referenced by OP.
 
Deleting the "-" in my firewall rule and rebooting the VM makes the security group function.

It seems to be stuck in a loop.
I am getting:
Dec 19 11:35:48 pve03 proxmox-firewall[1563303]: removing existing firewall rules
Dec 19 11:35:53 pve03 proxmox-firewall[1563303]: removing existing firewall rules
Dec 19 11:35:58 pve03 proxmox-firewall[1563303]: removing existing firewall rules
Dec 19 11:36:03 pve03 proxmox-firewall[1563303]: removing existing firewall rules
Dec 19 11:36:08 pve03 proxmox-firewall[1563303]: removing existing firewall rules
Dec 19 11:36:13 pve03 proxmox-firewall[1563303]: removing existing firewall rules
Dec 19 11:36:18 pve03 proxmox-firewall[1563303]: removing existing firewall rules
Dec 19 11:36:23 pve03 proxmox-firewall[1563303]: removing existing firewall rules
Dec 19 11:36:28 pve03 proxmox-firewall[1563303]: removing existing firewall rules
Dec 19 11:36:33 pve03 proxmox-firewall[1563303]: removing existing firewall rules
Dec 19 11:36:38 pve03 proxmox-firewall[1563303]: removing existing firewall rules
Dec 19 11:36:44 pve03 proxmox-firewall[1563303]: removing existing firewall rules
Dec 19 11:36:49 pve03 proxmox-firewall[1563303]: removing existing firewall rules
Dec 19 11:36:54 pve03 proxmox-firewall[1563303]: removing existing firewall rules
Dec 19 11:36:59 pve03 proxmox-firewall[1563303]: removing existing firewall rules
Dec 19 11:37:04 pve03 proxmox-firewall[1563303]: removing existing firewall rules
Dec 19 11:37:09 pve03 proxmox-firewall[1563303]: removing existing firewall rules
Dec 19 11:37:14 pve03 proxmox-firewall[1563303]: removing existing firewall rules
Dec 19 11:37:19 pve03 proxmox-firewall[1563303]: removing existing firewall rules
Dec 19 11:37:24 pve03 proxmox-firewall[1563303]: removing existing firewall rules

The message continues to loop. I disabled the firewall through VM > Firewall and re-enabled it. I shut down / booted and it works again.
 