net.bridge.bridge-nf-call-iptables and PVE Firewall

Don Daniello

Jan 28, 2012
In most cases where IPs are routed through the PVE host, the bridge-nf-call-* settings do not need to be enabled for PVE Firewall to work.

However, we have recently switched to using a vlan-aware bridge on the host and configure the VLAN ID directly in Proxmox for each container/VM interface.
This is quick and easy with vRack (OVH) or vSwitch (Hetzner).

Because of a file /etc/sysctl.d/pve.conf containing the following, the firewall rules didn't apply to guests in this setup.
Code:
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
net.bridge.bridge-nf-filter-vlan-tagged = 0
fs.aio-max-nr = 1048576

I couldn't trace that file to any package (via apt-file search pve.conf) and I'm not sure if it's dropped by the PVE installer or an "addon" from the way OVH and Hetzner install Proxmox automatically.

It would be helpful to know where these settings are coming from and to document their existence if they come from Proxmox. Maybe Proxmox should check for their values, knowing that in some setups the firewall just won't work.
 
Where did you configure the firewall rules?
The pve.conf file is part of the PVE installer.
All except the bridge-nf-filter-vlan-tagged one are set to '1' as soon as the guest firewall is enabled.
 
@mira
The firewall rules are obviously configured via the PVE web interface, it is the PVE firewall after all.
If bridge-nf-filter-vlan-tagged doesn't get set, then the setup I described above wouldn't have the firewall operational.

However, I queried the status of all those sysctl settings and they were all reported as 0. And I restarted pvefirewall repeatedly first, to make sure it gets to reapply whatever it wants if it hasn't already.
 
There are 4 separate firewall options: Datacenter level, Node level, VM level and then the NIC (on/off).
So where exactly did you set the rules?
 
I enabled it at all those levels and set the rules at the VM level. There are other rules set at other levels but I'm not expecting those to apply now.
 
Please provide some more information about the rules you configured and what exactly you're trying to do.

Also, do the rules compile? (pve-firewall compile)
 
The rules do compile. Everything is applied fine from the PVE side of things. I can see the rules configured in iptables, nftables, ipset, etc.

The only problem is that the kernel does not even process packets through them because of net.bridge.bridge-nf-call-iptables=0.
There should be a mechanism that changes those sysctl values to 1 for the firewall to work in non-routed setups.
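As an added example (not code from this thread or from Proxmox VE), the POSIX shell script below does the check the thread is asking for: it reads the four net.bridge.* keys and reports any that are not 1, which is the state in which bridged guest traffic never reaches the iptables/nftables rules that pve-firewall generates. The function names, the SYSCTL_ROOT variable and the constructed directory tree used in the demo are this example's own; on a real host run it as root with the default root of /proc/sys.

```shell
#!/bin/sh
# Added example, not code from the thread or from Proxmox VE.
# Reports which net.bridge.* sysctls are not 1, i.e. which would let bridged
# guest traffic bypass the iptables/nftables rules the PVE firewall generates.
# SYSCTL_ROOT defaults to /proc/sys; pointing it at a constructed directory
# (as in the demo below) lets the check run without br_netfilter or root.

BRIDGE_NF_KEYS="bridge-nf-call-iptables bridge-nf-call-ip6tables bridge-nf-call-arptables bridge-nf-filter-vlan-tagged"

# Print every bridge-nf key whose value is not 1, in sysctl's own notation.
# Exit status: 0 = all keys are 1, 1 = at least one is not, 2 = br_netfilter not loaded.
check_bridge_nf() {
    root="${1:-${SYSCTL_ROOT:-/proc/sys}}"
    dir="$root/net/bridge"
    if [ ! -d "$dir" ]; then
        echo "$dir missing: br_netfilter is not loaded, so no bridged traffic is filtered" >&2
        return 2
    fi
    bad=0
    for key in $BRIDGE_NF_KEYS; do
        if [ -r "$dir/$key" ]; then
            val=$(cat "$dir/$key")
        else
            val=absent
        fi
        if [ "$val" != "1" ]; then
            echo "net.bridge.$key = $val"
            bad=1
        fi
    done
    return $bad
}

# Write VALUE to every bridge-nf key under ROOT (needs root on a real /proc/sys).
# Also used below to build the constructed tree for the demo.
set_bridge_nf() {
    root="$1"
    value="$2"
    dir="$root/net/bridge"
    [ -d "$dir" ] || mkdir -p "$dir"
    for key in $BRIDGE_NF_KEYS; do
        echo "$value" > "$dir/$key"
    done
}

# Demo against a constructed tree mirroring the pve.conf values quoted in the thread.
demo_root=$(mktemp -d)
set_bridge_nf "$demo_root" 0
echo "== constructed tree with the pve.conf defaults =="
check_bridge_nf "$demo_root" || echo "(exit $?: rules will be skipped for bridged guests)"
set_bridge_nf "$demo_root" 1
echo "== after setting all keys to 1 =="
check_bridge_nf "$demo_root" && echo "all bridge-nf keys are 1"
rm -rf "$demo_root"
```

Two caveats when using this on a host: the net/bridge keys only exist once the br_netfilter module is loaded, so a missing directory means nothing bridged is filtered at all; and values written to /proc/sys are lost at reboot, so a persistent fix belongs in its own /etc/sysctl.d file whose name sorts after pve.conf, since sysctl.d files are applied in lexical order and later assignments win. bridge-nf-filter-vlan-tagged=1 is what passes 802.1Q-tagged frames on a bridge to iptables, which is the case a vlan-aware bridge hits.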
 