nfatbles statful or statsless?

Maher Khalil said:
The file is sent to you.
I you need anything, please let me know
Click to expand...
thank you very much! it will take a while to read through the logs since there are ~3000 commands, hopefully I'll be able to quickly find the issue.
 
The issue is with the ipfilter-net0 of guest 864. You have CIDRs specified there that overlap (the 2604:xxxx and ::/1) is that intended? The CIDR ::/1 in combination with 8000::/1 allows all possible IPv6 addresses anyway, so the ipfilter does effectively nothing. You could either narrow that down more or disable it altogether - then it should work.

Nevertheless I will still look into a patch that allows overlapping ranges, since it should be possible that nftables merges them automatically.
 
I
shanreich said:
The issue is with the ipfilter-net0 of guest 864. You have CIDRs specified there that overlap (the 2604:xxxx and ::/1) is that intended? The CIDR ::/1 in combination with 8000::/1 allows all possible IPv6 addresses anyway, so the ipfilter does effectively nothing. You could either narrow that down more or disable it altogether - then it should work.
Click to expand...
Understand this point but I have other servers without this enabling IPv6 filtering and nftables behaves the same way
 
Maher Khalil said:
Understand this point but I have other servers without this enabling IPv6 filtering and nftables behaves the same way
Click to expand...
On the server for which you sent me the logs, at least that seems to be the issue. Have you tried with IP Filtering disabled for that VM? Does it work then?

If you want me to take a look at the other servers as well, feel free to send me the respective nftables debug output as well and I will take a look at it.
 
What if I disabled the slaac and only keep if filtering for single assigned IPv6 then test again. Is it ok?
 
That should also work - if it doesn't please try turning off IP Filtering altogether and check again.

Can you send me the configuration of the guest? Also: Is the IP Filter auto-generated or did you create the ipfilter-net0 IPSet manually (in the Web UI click on the VM/CT -> Firewall -> IPSet -> check if 'ipfilter-net0' exists there)
 
shanreich said:
Can you send me the configuration of the guest? Also: Is the IP Filter auto-generated or did you create the ipfilter-net0 IPSet manually (in the Web UI click on the VM/CT -> Firewall -> IPSet -> check if 'ipfilter-net0' exists there)
Click to expand...
Hello,
IP filter is auto generated. and it is found on the configuration.
The issue appears last time after host reboot only with nftables activated. 4 servers with nftables were activated keep connected and disconnected and so on. the issue fixed by disabling the nftables.
For now these 4 servers are in production, I will not be able to continue testing. soon, we will get more servers, I will test these issues beofre pushing them to production.
I appreciate your help
Thank you very much
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back