MACRO firewall rules not working with nftables?

CRCinAU

May 4, 2020
Hi all,

I've just done a fresh install of PVE 9.0.6, and noticed that when I add macro rules to a guest's firewall - such as the HTTP / HTTPS macros - I can't seem to locate any rule that is created in the nftables firewall.

I'm checking with `nft list ruleset` - and the guest chain doesn't seem to have any rules related to macros.

If I turn off the use of nftables, the expected iptables rules appear.

Can anyone reproduce this?
 
Just tested this on my machine with a guest and the HTTP macro and the rule seemed to appear:

Code:
        chain guest-106-in {
                jump pre-vm-in
                jump allow-dhcp-in
                jump allow-ndp-in
                ct mark set 0x0000006a
                tcp dport 80 accept
                drop
        }

Could you post the firewall configuration file of the guest (/etc/pve/firewall/<vmid>.fw) and the output of `nft list ruleset`?
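When comparing a guest's .fw file against `nft list ruleset`, it helps to distinguish "the guest chain is there but the macro's rule is missing" from "the guest chain is not there at all". The following is an added example, not code from the thread or from the Proxmox project: a small POSIX shell helper that pulls the body of the chain `guest-<vmid>-<in|out>` out of ruleset text on stdin and reports whether a given rule line (for the HTTP macro, `tcp dport 80 accept`, as in the excerpt above) is present. The sample ruleset is constructed here, modelled on that excerpt; the table name `proxmox-firewall-guests` wrapping it is a placeholder assumption, the helper only keys on the chain name.

```shell
#!/bin/sh
# Added example (not from the Proxmox thread or code base).
# Check whether a guest's nftables chain carries the rule a firewall macro
# should have produced. Run on a live host as:
#   nft list ruleset | guest_chain_has_rule 106 in 'tcp dport 80 accept'

# Constructed sample, modelled on the ruleset excerpt posted in the thread.
# The table name is a placeholder; the helper does not depend on it.
SAMPLE_RULESET='table inet proxmox-firewall-guests {
        chain guest-106-in {
                jump pre-vm-in
                jump allow-dhcp-in
                jump allow-ndp-in
                ct mark set 0x0000006a
                tcp dport 80 accept
                drop
        }
        chain guest-107-in {
                jump pre-vm-in
                drop
        }
}'

# Print the lines inside chain "guest-<vmid>-<dir>" from ruleset text on stdin.
# The trailing " {" in the match keeps guest-106-in from matching guest-1060-in.
guest_chain_body() {
    awk -v chain="chain guest-$1-$2 {" '
        index($0, chain) { inside = 1; next }
        inside && $1 == "}" { exit }
        inside { print }
    '
}

# Return 0 if the chain contains a line matching the rule text (fixed-string
# match), 1 if the chain exists but the rule is absent, 2 if the chain itself
# is missing from the ruleset (the symptom described in the opening post).
guest_chain_has_rule() {
    body=$(guest_chain_body "$1" "$2")
    [ -n "$body" ] || return 2
    printf '%s\n' "$body" | grep -Fq -- "$3"
}

# Demonstration against the constructed sample.
if printf '%s\n' "$SAMPLE_RULESET" | guest_chain_has_rule 106 in 'tcp dport 80 accept'; then
    echo "guest 106: HTTP macro rule present in guest-106-in"
fi
```

The helper reads the ruleset from stdin rather than calling `nft` itself, so you can diff a saved `nft list ruleset` capture from before and after adding the macro rule, or run it against the output of a remote host piped through ssh.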
 
Interestingly, I left the firewall rules as they were and then enabled nftables - and all the created rules were there as expected.

I added a macro rule, and saw its output just fine. It was almost instant.

Interestingly, when I wrote this post, I had waited several minutes for the rule to show up in the output of `nft list ruleset` - but it never showed...

I'll keep an eye on it as I migrate / create new VMs on this newly installed system and report back if I notice anything else strange...
 
Please do, if you find any irregularities or issues you can always mention me. Make sure to check systemctl status proxmox-firewall beforehand, as it might give clues if something is going wrong!