How to disable the bridge level firewall in PVE 9.1.1

ftzh75

New Member
Feb 19, 2026
Hi,

I created a file in /etc/sysclt.d/ as follows:

net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-arptables = 0

Then I applied it using "sysctl --system". But every time I start the pve-firewall, the value of "net.bridge.bridge-nf-call-iptables" returns to 1.

How to solve it with the pve-firewall enabled?

Thanks for your help!
 
I created a file in /etc/sysclt.d/ as follows:

First: typo? It is "sysctl.d"...

Second: what is the filename? Only *.conf is evaluated.
 
First: typo? It is "sysctl.d"...
Yes, it's a typo. The filename is 99-bridge.conf.

I have the impression that pve-firewall monitors this setting and forces it to a value of 1 at each time interval.
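An added check script (not from the thread) that covers the two problems raised so far: it validates the drop-in's directory and `.conf` suffix, parses its `key = value` lines, and compares the configured bridge-nf-call-* values against the live /proc/sys values, so a daemon flipping them back to 1 shows up as drift. All function names are my own; `proc_root` is a parameter so the comparison can be run against a copy of /proc/sys.

```python
import os
import re

# The three keys from the thread; "0" lets bridged frames bypass the xtables hooks.
BRIDGE_NF_KEYS = (
    "net.bridge.bridge-nf-call-iptables",
    "net.bridge.bridge-nf-call-ip6tables",
    "net.bridge.bridge-nf-call-arptables",
)
LINE_RE = re.compile(r"^\s*([\w.\-/]+)\s*=\s*(\S+)\s*$")

def parse_sysctl_conf(text):
    """Parse 'key = value' lines of a sysctl.d drop-in, skipping comments and blanks."""
    wanted = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", ";")):
            continue
        m = LINE_RE.match(line)
        if m:
            wanted[m.group(1)] = m.group(2)
    return wanted

def check_dropin_path(path):
    """Flag a misnamed directory or a missing .conf suffix (systemd-sysctl reads only *.conf)."""
    problems = []
    directory, name = os.path.split(path)
    if os.path.basename(directory) != "sysctl.d":
        problems.append("directory %r is not a sysctl.d directory (typo?)" % directory)
    if not name.endswith(".conf"):
        problems.append("file %r lacks the .conf suffix and will be ignored" % name)
    return problems

def read_live_values(proc_root="/proc/sys"):
    """Read the kernel values; None when br_netfilter is not loaded and the file is absent."""
    live = {}
    for key in BRIDGE_NF_KEYS:
        path = os.path.join(proc_root, *key.split("."))
        try:
            with open(path) as fh:
                live[key] = fh.read().strip()
        except FileNotFoundError:
            live[key] = None
    return live

def find_drift(wanted, live):
    """Return {key: (wanted, live)} for configured keys the kernel no longer matches."""
    return {k: (wanted[k], live.get(k)) for k in BRIDGE_NF_KEYS
            if k in wanted and live.get(k) != wanted[k]}
```

Run `find_drift(parse_sysctl_conf(open(path).read()), read_live_values())` right after `sysctl --system` and again after the firewall daemon starts; a non-empty result is the reset described above.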
 
Yes, it's a typo. The filename is 99-bridge.conf.

I have the impression that pve-firewall monitors this setting and forces it to a value of 1 at each time interval.
Is this expected behavior from Proxmox? If so, how can it be disabled? I am currently blocked by this issue. Any help appreciated. Thanks
 
Hi,

I created a file in /etc/sysclt.d/ as follows:

net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-arptables = 0

Then I applied it using "sysctl --system". But every time I start the pve-firewall, the value of "net.bridge.bridge-nf-call-iptables" returns to 1.

How to solve it with the pve-firewall enabled?

Thanks for your help!
This is needed if you want to use iptables (used by pve-firewall) to have IP rules at bridge level.

Why do you want to disable them?

Alternatively, they shouldn't be needed by the new nftables-based firewall (proxmox-firewall service), as nftables is able to handle it without tricks at bridge level.
 
This is needed if you want to use iptables (used by pve-firewall) to have IP rules at bridge level.

Why do you want to disable them?
Because the bridge-level firewall has several issues, especially with VLAN-aware bridges which I need. In addition, it significantly impacts network performance between VMs.
Alternatively, they shouldn't be needed by the new nftables-based firewall (proxmox-firewall service), as nftables is able to handle it without tricks at bridge level.
I think the new nftables always uses these settings for bridge-level filtering.
 
Because the bridge-level firewall has several issues, especially with VLAN-aware bridges which I need. In addition, it significantly impacts network performance between VMs.
So, why do you want to use pve-firewall? (I mean, disable the pve-firewall service or uncheck the firewall checkbox on the VMs.)

I think the new nftables always uses these settings for bridge-level filtering.
I'll try to look at the proxmox-firewall code, but it shouldn't be needed.
 
So, why do you want to use pve-firewall? (I mean, disable the pve-firewall service or uncheck the firewall checkbox on the VMs.)
I would like to keep using the pve-firewall functionality on the Proxmox nodes while disabling filtering at the bridge level. However, simply unchecking the firewall checkbox at the VM level does not solve the issue. The only reliable workaround I found is to completely disable pve-firewall and manage my own firewall rules directly with iptables.
 
There's no way to turn this off currently, since the firewall daemon enables it unconditionally as soon as the firewall is enabled.

nftables does not use these settings at all, since they're specific to xtables (iptables, ip6tables, arptables) and nftables has bridge support built-in natively and therefore doesn't require the workarounds.
 
There's no way to turn this off currently, since the firewall daemon enables it unconditionally as soon as the firewall is enabled.

nftables does not use these settings at all, since they're specific to xtables (iptables, ip6tables, arptables) and nftables has bridge support built-in natively and therefore doesn't require the workarounds.
Thank you for the clarification. It appears that the nftables-based firewall is currently in technical preview. If I switch to nftables, how can I disable filtering at the bridge level?
 
Thank you for the clarification. It appears that the nftables-based firewall is currently in technical preview. If I switch to nftables, how can I disable filtering at the bridge level?

The nftables firewall utilizes the bridge table when using guest firewalls - they're created at the prerouting and postrouting hook respectively. What exactly do you mean with filtering at the bridge level? The bridge forward chain? Or any hook in the bridge table? As long as you do not create any guest-level or VNet-level rules, the bridge table will never get created by proxmox-firewall in the first place.

As you already noticed, the proxmox-firewall is still in tech-preview and therefore not as well-tested as e.g. pve-firewall, so we currently do not recommend it for production use.
 
The nftables firewall utilizes the bridge table when using guest firewalls - they're created at the prerouting and postrouting hook respectively. What exactly do you mean with filtering at the bridge level? The bridge forward chain? Or any hook in the bridge table? As long as you do not create any guest-level or VNet-level rules, the bridge table will never get created by proxmox-firewall in the first place.
By bridge-level filtering I mean inspection of packets that are simply switched by the Linux bridge (e.g., VM-to-VM traffic on the same VLAN-aware bridge) without any routing involved.

With the current iptables-based pve-firewall, this happens due to bridge-nf-call-iptables=1, which sends all bridged packets through iptables. This introduces additional overhead and can negatively affect VM-to-VM performance.

What I would like is for the bridge to behave like a pure L2 switch, where packets traversing the bridge are not inspected by the firewall. If I understood correctly, with the nftables implementation the bridge table is only created when guest-level or VNet-level rules exist. If no such rules are defined, then bridge traffic would not be processed by nftables. If that’s the case, this would match exactly the behavior I’m looking for.
 
If I understood correctly, with the nftables implementation the bridge table is only created when guest-level or VNet-level rules exist. If no such rules are defined, then bridge traffic would not be processed by nftables. If that’s the case, this would match exactly the behavior I’m looking for.

Yes, that should be the case with the nftables firewall.