MACRO firewall rules not working with nftables?

CRCinAU

Renowned Member
May 4, 2020
crc.id.au
Hi all,

I've just done a fresh install of PVE 9.0.6, and noticed that when I add macro rules to a guest's firewall - such as the HTTP / HTTPS macros - I can't seem to locate any rule that is created in the nftables firewall.

I'm checking with `nft list ruleset` - and the guest chain doesn't seem to have any rules related to macros.

If I turn off the use of nftables, the expected iptables rules appear.

Can anyone reproduce this?
 
Just tested this on my machine with a guest and the HTTP macro and the rule seemed to appear:

Code:
        chain guest-106-in {
                jump pre-vm-in
                jump allow-dhcp-in
                jump allow-ndp-in
                ct mark set 0x0000006a
                tcp dport 80 accept
                drop
        }

Could you post the firewall configuration file of the guest (/etc/pve/firewall/<vmid>.fw) + the output of `nft list ruleset`?
 
Interestingly, I left the firewall rules as they were and then enabled nftables - and all the created rules were there as expected.

I added a macro rule, and saw its output just fine. It was almost instant.

Interestingly, when I wrote this post, I had waited several minutes for the rule to show up in the output of `nft list ruleset` - but it never showed...

I'll keep an eye on it as I migrate / create new VMs on this newly installed system and report back if I notice anything else strange...
 
Please do, if you find any irregularities or issues you can always mention me. Make sure to check `systemctl status proxmox-firewall` beforehand, as it might give clues if something is going wrong!
 
@shanreich - I have noticed an issue with the nftables firewall where this rule seems to be repeated thousands of times:

Code:
meta protocol != arp ct state vmap { invalid : jump invalid-conntrack, established : accept, related : accept }

Some logging shows that there might be a problem here with it inserting the same rule endlessly:
Code:
root@mel-dc:~# systemctl status proxmox-firewall.service
● proxmox-firewall.service - Proxmox nftables firewall
     Loaded: loaded (/usr/lib/systemd/system/proxmox-firewall.service; enabled; preset: enabled)
     Active: active (running) since Tue 2025-09-09 16:55:41 AEST; 20h ago
 Invocation: edfe5d1e622d435bbf1cfd4f8f4afac6
   Main PID: 1632 (proxmox-firewal)
      Tasks: 1 (limit: 154233)
     Memory: 23.1M (peak: 38.7M, swap: 0B, swap peak: 740K)
        CPU: 16min 51.561s
     CGroup: /system.slice/proxmox-firewall.service
             └─1632 /usr/libexec/proxmox/proxmox-firewall start

Sep 10 13:32:01 mel-dc proxmox-firewall[1632]: error updating firewall rules: cannot execute nftables commands
Sep 10 13:32:06 mel-dc proxmox-firewall[1632]: error updating firewall rules: cannot execute nftables commands
Sep 10 13:32:11 mel-dc proxmox-firewall[1632]: error updating firewall rules: cannot execute nftables commands
Sep 10 13:32:16 mel-dc proxmox-firewall[1632]: error updating firewall rules: cannot execute nftables commands
Sep 10 13:32:21 mel-dc proxmox-firewall[1632]: error updating firewall rules: cannot execute nftables commands
Sep 10 13:32:27 mel-dc proxmox-firewall[1632]: error updating firewall rules: cannot execute nftables commands
Sep 10 13:32:32 mel-dc proxmox-firewall[1632]: error updating firewall rules: cannot execute nftables commands
Sep 10 13:32:37 mel-dc proxmox-firewall[1632]: error updating firewall rules: cannot execute nftables commands
Sep 10 13:32:42 mel-dc proxmox-firewall[1632]: error updating firewall rules: cannot execute nftables commands
Sep 10 13:32:47 mel-dc proxmox-firewall[1632]: error updating firewall rules: cannot execute nftables commands

Trying to get a rough idea of the scale:
Code:
root@mel-dc:~# nft list ruleset | grep 'arp ct state vmap' | wc -l
10499
 
That is usually caused either by legacy ipset / alias names that have no scope (e.g. +ipset instead of +dc/ipset) in your firewall configuration or by overlapping IP ranges in IPSets.
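A small diagnostic for the two causes named in that reply (unscoped `+ipset` references and overlapping address ranges inside one IPSet), combined with the duplicate-rule count from the earlier post. This is an added example written for this thread, not code from Proxmox or from any poster. The `.fw` layout (section headers such as `[IPSET name]` and `[RULES]`, one entry per line, `#` comments) and the `+scope/name` convention are taken from the thread; the sample config and the `nft list ruleset` excerpt are constructed, and on a real host you would feed in the actual `/etc/pve/firewall/<vmid>.fw` file and the live `nft list ruleset` output instead. Treating any `+name` without a `/` as unscoped is this script's assumption.

```python
import ipaddress
import itertools
import re
from collections import Counter

# Constructed sample in the layout of /etc/pve/firewall/<vmid>.fw (assumed format).
SAMPLE_FW = """\
[OPTIONS]
enable: 1

[IPSET webservers]
10.0.0.0/24
10.0.0.10 # inside the /24 above: overlapping entries

[IPSET mgmt]
192.168.1.0/24

[RULES]
IN ACCEPT -source +webservers -p tcp -dport 80
IN ACCEPT -source +dc/mgmt -p tcp -dport 22
IN HTTP(ACCEPT)
"""

# Constructed excerpt of `nft list ruleset` output with one rule repeated three times.
SAMPLE_NFT = """\
table inet proxmox-firewall {
        chain input {
                meta protocol != arp ct state vmap { invalid : jump invalid-conntrack, established : accept, related : accept }
                meta protocol != arp ct state vmap { invalid : jump invalid-conntrack, established : accept, related : accept }
                meta protocol != arp ct state vmap { invalid : jump invalid-conntrack, established : accept, related : accept }
                jump default-in
        }
        chain guest-106-in {
                jump pre-vm-in
                tcp dport 80 accept
                drop
        }
}
"""

SECTION_RE = re.compile(r"^\[(\w+)(?:\s+(\S+))?\]$")   # [IPSET name], [RULES], [group name]
IPSET_REF_RE = re.compile(r"\+([\w./-]+)")              # +name or +dc/name in a rule line
CHAIN_RE = re.compile(r"^\s*chain\s+(\S+)\s*\{")


def parse_fw(text):
    """Split a .fw file into {ipset_name: [(lineno, entry)]} and [(lineno, rule_line)]."""
    ipsets, rules, section = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding whitespace
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = (m.group(1).upper(), m.group(2))
            if section[0] == "IPSET":
                ipsets.setdefault(section[1], [])
            continue
        if section and section[0] == "IPSET":
            ipsets[section[1]].append((lineno, line))
        elif section and section[0] in ("RULES", "GROUP"):
            rules.append((lineno, line))
    return ipsets, rules


def find_unscoped_refs(rules):
    """Return (lineno, ref) for every '+name' IPSet reference that carries no dc/ or guest/ scope."""
    return [(lineno, ref)
            for lineno, line in rules
            for ref in IPSET_REF_RE.findall(line)
            if "/" not in ref]


def find_overlapping_ipsets(ipsets):
    """Return (setname, a, b) for every pair of literal CIDRs in one IPSet that overlap."""
    overlaps = []
    for name, entries in ipsets.items():
        nets = []
        for _, entry in entries:
            if entry.startswith("!"):
                continue   # 'nomatch' exclusions are deliberate overlaps; not checked here
            try:
                nets.append(ipaddress.ip_network(entry, strict=False))
            except ValueError:
                continue   # alias references and other non-literal entries are skipped
        for a, b in itertools.combinations(nets, 2):
            if a.overlaps(b):
                overlaps.append((name, str(a), str(b)))
    return overlaps


def count_duplicate_rules(nft_text):
    """Count identical rule lines per chain in `nft list ruleset` output; return those seen more than once."""
    counts, chain = Counter(), None
    for raw in nft_text.splitlines():
        m = CHAIN_RE.match(raw)
        if m:
            chain = m.group(1)
            continue
        line = raw.strip()
        if not chain or line in ("", "}") or line.startswith(("table ", "type ", "policy ")):
            continue
        counts[(chain, line)] += 1
    return {key: n for key, n in counts.items() if n > 1}


if __name__ == "__main__":
    ipsets, rules = parse_fw(SAMPLE_FW)
    for lineno, ref in find_unscoped_refs(rules):
        print(f"line {lineno}: unscoped IPSet reference +{ref} (expected +dc/{ref} or +guest/{ref})")
    for name, a, b in find_overlapping_ipsets(ipsets):
        print(f"IPSET {name}: {a} overlaps {b}")
    for (chain, rule), n in count_duplicate_rules(SAMPLE_NFT).items():
        print(f"chain {chain}: rule repeated {n}x: {rule[:60]}...")
```

Run it against a real host by replacing the two constructed strings with `open('/etc/pve/firewall/<vmid>.fw').read()` and `subprocess.check_output(['nft', 'list', 'ruleset'], text=True)`; the duplicate counter is the general form of the `grep | wc -l` check from the earlier post, since it reports every repeated rule per chain rather than only the one pattern searched for.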
 
Thanks for the tip - I did manage to find a missing security group on one of the VMs I imported from elsewhere.

From looking at the firewall on each VM, the UI didn't indicate in any way that the security group was missing. It was the only problem I managed to locate.

I seem to remember that missing dc / guest scoping seems to turn part of the firewall rule line red - but it doesn't seem this happens on security groups?
 
I seem to remember that missing dc / guest scoping seems to turn part of the firewall rule line red - but it doesn't seem this happens on security groups?
This might be an oversight, usually this is validated by the config parser. I'll see if I can identify any issues there.