nfatbles statful or statsless?

Maher Khalil · May 27, 2024

Hello,
I would like to know if nftables is statefull or stateless?

spirit · May 27, 2024

Maher Khalil said:
Hello,
I would like to know if nftables is statefull or stateless?

like iptables, statefull.

(until you specify to disable conntrack, like "iptables -t raw -I PREROUTING -j NOTRACK" for example)

Maher Khalil · May 27, 2024

Hello
Thank you for your answer
when I activate the nftables and in vm set outbound traffic for a port to block keeping the inbound of the same port to enabled, the traffic will stop.
I am using nftables and firewall with default settings. while if I disabled nftables it works fine. do you know what is the issue?

shanreich · May 27, 2024

Maher Khalil said:
Hello
Thank you for your answer
when I activate the nftables and in vm set outbound traffic for a port to block keeping the inbound of the same port to enabled, the traffic will stop.
I am using nftables and firewall with default settings. while if I disabled nftables it works fine. do you know what is the issue?

You will need to add a CT rule to your firewall chain, otherwise nftables is stateless:

Code:

ct state established,related accept

spirit · May 27, 2024

Maher Khalil said:
Hello
Thank you for your answer
when I activate the nftables and in vm set outbound traffic for a port to block keeping the inbound of the same port to enabled, the traffic will stop.
I am using nftables and firewall with default settings. while if I disabled nftables it works fine. do you know what is the issue?

with the new proxmox nftables implementation ?

if yes ,can you send the result of

"nft list table bridge proxmox-firewall-guests"

?

Maher Khalil · May 27, 2024

shanreich said:
ct state established,related accept

Is it a command line?

Maher Khalil · May 27, 2024

spirit said:
with the new proxmox nftables implementation ?

Yes

shanreich · May 27, 2024

spirit said:
with the new proxmox nftables implementation ?

ah, i though we were talking just about nftables in general not the firewall implementation - my mistake. The proxmox implementation is stateful.

Did you already upgrade to proxmox-firewall 0.4.2 ? There was a bug with conntrack that has been fixed in this version.

Maher Khalil · May 27, 2024

shanreich said:
Did you already upgrade to proxmox-firewall 0.4.2 ? There was a bug with conntrack that has been fixed in this version.

Here is the installed nft version nftables v1.0.6 (Lester Gooch #5). how to get the version of proxmox-firewall?

Maher Khalil · May 27, 2024

shanreich said:
ct state established,related accept

i added this part manually to the configuration

Maher Khalil · May 28, 2024

shanreich said:
ah, i though we were talking just about nftables in general not the firewall implementation - my mistake. The proxmox implementation is stateful.

Did you already upgrade to proxmox-firewall 0.4.2 ? There was a bug with conntrack that has been fixed in this version.

I found it statless. I already upgraded proxmox to up to date

Maher Khalil · May 28, 2024

shanreich said:
Did you already upgrade to proxmox-firewall 0.4.2 ? There was a bug with conntrack that has been fixed in this version.

yes, i have that version mentioned below
ii proxmox-firewall 0.4.2 amd64 Proxmox's nftables-based firewall written in rust

Maher Khalil · May 28, 2024

I got this in system log. so i disabled nftables
###############################################
proxmox_firewall: error updating firewall rules: cannot execute nftables commandsMay 28 00:20:17 host-104 proxmox-firewall[76896]: proxmox_firewall: error updating firewall rules: cannot execute nftables commandsMay 28 00:20:22 host-104 proxmox-firewall[76896]: proxmox_firewall: error updating firewall rules: cannot execute nftables commandsMay 28 00:20:27 host-104 proxmox-firewall[76896]: proxmox_firewall: error updating firewall rules: cannot execute nftables commandsMay 28 00:20:32 host-104 proxmox-firewall[76896]: proxmox_firewall: error updating firewall rules: cannot execute nftables commandsMay 28 00:20:37 host-104 proxmox-firewall[76896]: proxmox_firewall: error updating firewall rules: cannot execute nftables commands
#####################################################

shanreich · May 28, 2024

Would it be possible for you to provide me with more detailed logs? Then I could take a look at your issue. You can run the firewall in foreground shortly with the following command:

Code:

RUST_LOG=trace /usr/libexec/proxmox/proxmox-firewall 2> firewall_log_$(hostname).txt

After running it, you can immediately cancel it with CTRL + C and provide me with the created file.

Maher Khalil · May 28, 2024

Do I need to enable nftables firstly or only I need to run your command?

shanreich · May 28, 2024

Maher Khalil said:
Do I need to enable nftables firstly or only I need to run your command?

You will need to enable nftables first in order for this to work

Maher Khalil · May 28, 2024

I will provide it today later on because I left the office

Maher Khalil · May 28, 2024

shanreich said:
Code:

RUST_LOG=trace /usr/libexec/proxmox/proxmox-firewall 2> firewall_log_$(hostname).txt

Hello,
Here is the log as requested
######################################################
[2024-05-28T20:15:43Z DEBUG proxmox_firewall] cmd #2818 {"add":{"rule":{"family":"bridge","table":"proxmox-firewall-guests","chain":"guest-864-out","expr":[{"jump":{"target":"allow-ndp-out"}}]}}}
[2024-05-28T20:15:43Z DEBUG proxmox_firewall] cmd #2819 {"add":{"rule":{"family":"bridge","table":"proxmox-firewall-guests","chain":"guest-864-out","expr":[{"jump":{"target":"allow-ra-out"}}]}}}
[2024-05-28T20:15:43Z DEBUG proxmox_firewall] cmd #2820 {"add":{"rule":{"family":"bridge","table":"proxmox-firewall-guests","chain":"guest-864-out","expr":[{"match":{"op":"==","left":{"payload":{"protocol":"ether","field":"type"}},"right":"arp"}},{"accept":null}]}}}
[2024-05-28T20:15:43Z DEBUG proxmox_firewall] cmd #2821 {"add":{"element":{"family":"bridge","table":"proxmox-firewall-guests","name":"vm-map-in","elem":[["tap864i0",{"goto":{"target":"guest-864-in"}}]]}}}
[2024-05-28T20:15:43Z DEBUG proxmox_firewall] cmd #2822 {"add":{"rule":{"family":"bridge","table":"proxmox-firewall-guests","chain":"guest-864-in","expr":[{"accept":null}]}}}
[2024-05-28T20:15:43Z DEBUG proxmox_firewall] cmd #2823 {"add":{"element":{"family":"bridge","table":"proxmox-firewall-guests","name":"vm-map-out","elem":[["tap864i0",{"goto":{"target":"guest-864-out"}}]]}}}
[2024-05-28T20:15:43Z DEBUG proxmox_firewall] cmd #2824 {"add":{"rule":{"family":"bridge","table":"proxmox-firewall-guests","chain":"guest-864-out","expr":[{"accept":null}]}}}
[2024-05-28T20:15:43Z ERROR proxmox_firewall] error updating firewall rules: cannot execute nftables commands
[2024-05-28T20:15:43Z INFO proxmox_firewall] firewall update time: 105ms
[2024-05-28T20:15:48Z INFO proxmox_firewall] removing existing firewall rules
###########################################################################################################

shanreich · May 29, 2024

That's only a small part of the logs - if you could somehow send me the whole file that would help a lot.

Maher Khalil · May 29, 2024

shanreich said:
That's only a small part of the logs - if you could somehow send me the whole file that would help a lot.

Hello,
Can you provide your email to send the file to you

nfatbles statful or statsless?

Member

Distinguished Member

Member

Proxmox Staff Member

Distinguished Member

Member

Member

Proxmox Staff Member

Member

Member

Member

Member

Member

Proxmox Staff Member

Member

Proxmox Staff Member

Member

Member

Proxmox Staff Member

Member