Search results

What may not be addressed however, is the fact that the DHCP/NDP rules seem to be set backwards, preventing "client" service when set to no in the options, when the iptables system did it "correctly". There may be room for improvement in the docs, mentionning that DHCP means in fact DHCP server...

This is addressed in https://forum.proxmox.com/threads/nftables-when-output-policy-drop-is-set-on-a-vm-theres-no-way-to-accept-arp-output.146015/

Solution, as it's not very configurable as it is, change proxmox-firewall/resources/proxmox-firewall.nft so that for vm-out it reads: chain vm-out { type filter hook prerouting priority 0; policy accept; ct state related,established accept iifname vmap @vm-map-out }

There are two parts I'm interested in in the nft rulesets: chain output { type filter hook output priority filter; policy accept; jump default-out jump option-out jump host-out jump cluster-out }...

Well, your rules end up with… accept, so it's probably not the same issue, as connection state is probably not directly your issue, I'd say

To summarize the issue, and how to reproduce it. This test was done using IPv6 on WAN, and IPv4 on LAN. - set a CT/VM to policy DROP/DROP - enable port 22 INPUT On iptables/pve-firewall, conf set to: [OPTIONS] enable: 1 policy_out: DROP [RULES] IN SSH(ACCEPT) -log nolog ssh to_ct: SYN...

Hi, I wanted to try nftables on Proxmox, it seems quite nicely done, bravo! I guess most users don't use any output filters, but if using them in iptables, we get a stateful output rule, allowing to only open INPUT for a given port, and assume that it will go out. Chain PVEFW-HOST-OUT (1...

Yeah, I was impacted by that as well on a legacy rule using a legacy ipset (+management => dc/management) and that made proxmox-firewall fail. Fixing it made it start nicely.

It's also true for storage, I have tested adding an "external" SMB storage, if I DROP on INPUT, it's whitelisted, but if I drop on OUTPUT, I get blocked until I add a specific rule to add it. Should I report a bug/try to patch?

Hi, I have code not maintained to do that, around here: https://github.com/gilou/proxmoxthings especially the wol_hack.py thing. No clue if it still works, might need to be updated a bit…

Hi, I noticed that if I set the OUTPUT policy to DROP, I need to add a few rules by default for SSH, migrations to work if I add another ringX address. Could it be that some rules that gets set by default for INPUT may have been forgotten in output ? I see the usual ports...

Jumping in, we do have a PBS instance, rather powerful and well connected, yet the full listing takes 2-5s, while filtering by VMID is a lot quicker. The full list sometimes timeout.. there might be an improvement path there ;)

OK, it works once a VM is started on the bridge...

Hi, Did you ever solve this (without enslaving dummyX)? I do notice the same behavior, even on a public IP, not even ULA… IPv4 works, IPv6 doesn't. Most of the time (aha!). On one machine I have: ip l : 4: vmbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default...

Hi, I had the same issue on a OVH server using nvme disks (though I think that is not related). In reFind, you can select the proper boot option, for some reason, efibootmgr or whatever is used on proxmox 7 let the debian uefi take over the proxmox one, so it fails booting (not sure why, but I...

Sorry, this might look like I'm digging up an old thread, it is not ;) The idea here is interesting, and would, if doable, allow proxmox to present an openstack compliant API, which could be awesome… and indeed, as the compute part is kvm-based, it should be "easy" to map the features needed...