How to allow broadcase VM IP in PVE Cluster Firewall

[chengkinhung]

Hi, Guys, I just enable the PVE Cluster Firewall , and found there is one default rules on Chain PVEFW-smurfs and PVEFW-smurflog blocked some of broadcast network packages, it me caused my load balancer IP setup in VM encounter issue, could any one tell how can I disable this rules or modify it ? Thanks.

Here is iptables Chain PVEFW-smurfs and PVEFW-smurflog :

# iptables -n -v -L PVEFW-smurfs
Chain PVEFW-smurfs (2 references)
 pkts bytes target     prot opt in     out     source               destination
15131 5268K RETURN     all  --  *      *       0.0.0.0              0.0.0.0/0
    0     0 PVEFW-smurflog  all  --  *      *       0.0.0.0/0            0.0.0.0/0           [gotYPE match src-type BROADCAST
    0     0 PVEFW-smurflog  all  --  *      *       224.0.0.0/4          0.0.0.0/0           [got
1015K   60M            all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* PVESICBXd5mc9kC88749+7fag */

Chain PVEFW-smurflog (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* PVESIG:2gfT1VMkfr0JL6OccRXTGXo+1qk */

 

[fabian]

on the host level you can configure whether SMURFS filtering is enabled or not..

 

[chengkinhung]

Hi, @fabian , thanks for your reply. I found the "SMURFS filter" option in Firewall of Host node. I also added the "nf_conntrack_allow_invalid: 1" into /etc/pve/nodes/NODE/host.fw