SDN aliases not found by firewall

beastyAlk

Feb 11, 2026
Hello

I'm having problems creating firewall rules using aliases that are created dynamically.

I started by creating a simple zone and a vnet on top of that. The zone is using integrated IPAM and PowerDNS for name registration and resolution.
The vnet has one subnet declared with gateway, snat and dhcp range.

I set the firewall at DC level to default DROP for IN and FORWARD, and to default DROP at vnet level (the firewall is on at DC, host and vnet level, while off on vm/lxc and network interface).

I want to allow traffic inside the vnet from one specific container to another using the aliases, but the firewall seems unable to find the value of any "+sdn/guest-ipam-###" alias, as it shows in the logs:
Code:
pve proxmox-firewall [11671]: error updating firewall rules: could not find ipset sdn/guest-ipam-105


The containers are in a vnet created in a simple zone, the simple zone is using integrated IPAM and PowerDNS.
 
The name seems to include a q instead of a g (sdn/quest-ipam-105)? Did you create the rule entry manually or via the API?
 
The name seems to include a q instead of a g (sdn/quest-ipam-105)? Did you create the rule entry manually or via the API?
sorry it was a typo. now it's correct.

I didn't create them manually, they were created automatically after I moved the containers from the host linux bridge to the vnet interface.

I want to specify that the IPSets related to the vnet (in my case +sdn/vlabnet-*) are correctly evaluated by the firewall.
 
Can you post the output of the following files (from the host where the issue occurs).

Code:
cat /etc/pve/firewall/cluster.fw
cat /etc/pve/local/host.fw
cat /etc/pve/sdn/firewall/*

cat /etc/pve/sdn/zones.cfg
cat /etc/pve/sdn/vnets.cfg

cat /etc/pve/sdn/pve-ipam-state.json
 
@shanreich

Hello. I found this thread because I also encountered this problem.

This is a VERY serious issue. After updating PVE (unknown when or what version), this problem persisted. It turns out the firewall wasn't enforcing any rules, and absolutely all cluster ports were open. I noticed this completely by accident when we were checking iperf after replacing the network card and realized I hadn't even touched the ports (and our policy is to block everything).

May I ask why the proxmox-firewall package hasn't been updated to the new version in two months? I see the patch is already in git and on the master branch. The latest version in the repository is 1.2.1. According to git, nothing has changed except the patch and "code formatting." So why don't you release this "security patch"?

I don't think I'm the only one sitting unnoticed with a 100% open cluster. It would be great if you could release a patch as soon as possible.
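The post above describes the dangerous failure mode: when rule generation aborts on the missing `sdn/guest-ipam-###` ipset, the host can end up with no enforced ruleset at all. The script below is an added example, not code from the thread or from the proxmox-firewall project, showing how a practitioner can check for that state from the host: count the "error updating firewall rules" messages in the journal, extract which ipsets were reported missing, confirm that the firewall's nftables tables are actually loaded, and coarsely check whether the guest in question has an entry in the IPAM state file. The log lines, ruleset text and IPAM JSON embedded here are constructed samples. The nftables table names (`inet proxmox-firewall`, `bridge proxmox-firewall-guests`), the journald unit name `proxmox-firewall` and the `"vmid"` key in `pve-ipam-state.json` are assumptions about the package's layout; adjust them if your host differs.

```shell
#!/bin/sh
# Added example (not from the thread or the proxmox-firewall project).
# Assumed (not verified here): the proxmox-firewall package installs the
# nftables tables "inet proxmox-firewall" and "bridge proxmox-firewall-guests",
# logs under the journald unit "proxmox-firewall", and pve-ipam-state.json
# stores guest allocations under a "vmid" key.

# Constructed sample of `journalctl -u proxmox-firewall` output (not real logs).
SAMPLE_JOURNAL='Feb 11 10:00:01 pve proxmox-firewall[11671]: error updating firewall rules: could not find ipset sdn/guest-ipam-105
Feb 11 10:00:11 pve proxmox-firewall[11671]: error updating firewall rules: could not find ipset sdn/guest-ipam-105'

# Constructed sample of `nft list ruleset` on a host where nothing is loaded (fail-open).
SAMPLE_RULESET_EMPTY=''

# Constructed, abbreviated sample of `nft list ruleset` on a healthy host.
SAMPLE_RULESET_OK='table inet proxmox-firewall {
    chain input {
        type filter hook input priority filter; policy accept;
    }
}
table bridge proxmox-firewall-guests {
    chain forward {
        type filter hook forward priority 0; policy accept;
    }
}'

# Constructed sample of pve-ipam-state.json (assumed layout, one guest with vmid 105).
SAMPLE_IPAM='{"zones":{"vlab":{"subnets":{"10.10.0.0/24":{"ips":{"10.10.0.1":{"gateway":1},"10.10.0.105":{"vmid":"105","hostname":"ct105"}}}}}}}'

# Print how many "error updating firewall rules" lines the journal text ($1) contains.
count_fw_update_errors() {
    printf '%s\n' "$1" | grep -c 'error updating firewall rules' || true
}

# Print the distinct ipset names the firewall reported as missing in journal text ($1).
missing_ipsets() {
    printf '%s\n' "$1" | sed -n 's/.*could not find ipset \([^ ]*\).*/\1/p' | sort -u
}

# Exit 0 if ruleset text ($1) contains both proxmox-firewall tables, 1 otherwise.
pve_fw_tables_loaded() {
    printf '%s\n' "$1" | grep -q '^table inet proxmox-firewall ' &&
    printf '%s\n' "$1" | grep -q '^table bridge proxmox-firewall-guests '
}

# Exit 0 if IPAM JSON text ($1) has an allocation for VMID $2 (coarse grep, not a JSON parser).
ipam_has_vmid() {
    printf '%s\n' "$1" | grep -Eq "\"vmid\" *: *\"?$2\"?([^0-9]|$)"
}

# Live mode on a PVE host (root + nft available); otherwise run against the constructed samples.
if [ "$(id -u)" = 0 ] && command -v nft >/dev/null 2>&1 && command -v journalctl >/dev/null 2>&1; then
    ruleset=$(nft list ruleset 2>/dev/null || true)
    journal=$(journalctl -u proxmox-firewall --no-pager 2>/dev/null || true)
    ipam=$(cat /etc/pve/sdn/pve-ipam-state.json 2>/dev/null || true)
else
    ruleset=$SAMPLE_RULESET_EMPTY
    journal=$SAMPLE_JOURNAL
    ipam=$SAMPLE_IPAM
fi

echo "firewall rule update errors in journal: $(count_fw_update_errors "$journal")"
for set in $(missing_ipsets "$journal"); do
    echo "missing ipset reported: $set"
    # sdn/guest-ipam-<vmid>: check whether IPAM even knows about that guest.
    vmid=${set##*guest-ipam-}
    if [ "$vmid" != "$set" ]; then
        if ipam_has_vmid "$ipam" "$vmid"; then
            echo "  IPAM state has an entry for vmid $vmid (ipset should be generatable)"
        else
            echo "  IPAM state has NO entry for vmid $vmid"
        fi
    fi
done
if pve_fw_tables_loaded "$ruleset"; then
    echo "proxmox-firewall nftables tables are loaded"
else
    echo "WARNING: proxmox-firewall nftables tables are NOT loaded (traffic is not being filtered)"
fi
```

Run it as root on the affected node; a non-zero error count together with the "NOT loaded" warning is the fail-open condition the post describes. Checking the tables is not a substitute for reviewing the actual rules and chain policies (`nft list ruleset`), but it is a quick way to tell "rules are being applied" from "nothing is applied at all".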
 
I'll double-check with the release team whether we can get this into the repositories!
 
The fix is now in the testing repository - so you can update the firewall package from there. It should hit the other repositories in the coming days!