[SOLVED] Bug - IPv6 nftables = supplied string is neither a valid icmpv6 type nor code

[prmadmax]

Hey,

I had nftables enabled and had recently added IPv6 to my single node and wanted to allow the ipv6-icmp/neighbour-solicitation, neighbour-advertisement, router-advertisement and router-solicitation.

Now I have drop rules for ipv6-icmp/reply/request coming in. These rules work fine under IP tables, but as soon as I enable nftables I get the following error spammed every second in the system-log:

proxmox-firewall[3174]: error updating firewall rules: supplied string is neither a valid icmpv6 type nor code

Looking like a bug as this works as intended under IP tables and nothing changed other than a firewall restart leads to that message spammed over and over.

@shanreich might be one for you, since I see you have done work in other threads on IPv6.

 

[ggoller]

Hi!
could you please post your exact firewall rules?
So
cat /etc/pve/nodes/{hostname}/host.fw
or
cat /etc/pve/firewall/cluster.fw

Thanks!

 

[prmadmax]

Hi!
could you please post your exact firewall rules?
So
cat /etc/pve/nodes/{hostname}/host.fw
or
cat /etc/pve/firewall/cluster.fw

Thanks!

removed for security.

 

[ggoller]

Ah I see, nftables changed the icmpv6 type names.
This should be fixed with: https://lore.proxmox.com/pve-devel/20250916093116.114942-1-g.goller@proxmox.com/

 

[prmadmax]

Ah I see, nftables changed the icmpv6 type names.
This should be fixed with: https://lore.proxmox.com/pve-devel/20250916093116.114942-1-g.goller@proxmox.com/

Thanks for that i have marked the thread as solved Any idea when the patch might go out?

 

[ggoller]

Pretty sure that the patch will be included in the next release, which is probably around November/December.