nftables synproxy blocked by PVE firewall: need way to ACCEPT UNTRACKED SYN

David123

New Member
Jul 6, 2024
I’m using nftables synproxy on the host to stop SYN‑floods.


When the Proxmox firewall service is disabled everything works, but the moment I enable it every inbound TCP connection times out.


What happens
  1. synproxy marks the very first SYN packet CT state UNTRACKED in the raw table.
  2. That packet then enters the PVE iptables rules.
  3. The default rule in PVEFW-HOST-IN drops it:

Code:
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID -j DROP

UNTRACKED is treated the same as INVALID here, so the SYN is discarded before nftables can respond with its SYN‑ACK. Clients retry until they time‑out.


Work‑around

Adding an early ACCEPT for UNTRACKED SYN solves the issue:
Code:
iptables -I PVEFW-HOST-OUT 1 -p tcp --tcp-flags SYN,ACK SYN,ACK \
        -m conntrack --ctstate INVALID,UNTRACKED -j ACCEPT

iptables -I PVEFW-FORWARD 1 -p tcp --tcp-flags SYN,ACK SYN,ACK \
        -m conntrack --ctstate INVALID,UNTRACKED -j ACCEPT


After that, synproxy works perfectly and conntrack stays empty during a flood.


Question

How can I express this rule in the Proxmox firewall syntax (host.fw / cluster.fw) so that it survives reloads? Something like:


Code:
[RULES]
ACCEPT  tcp  dport all  ctstate (UNTRACKED)


Thanks for any guidance or for considering adding official support for UNTRACKED in the rule parser so nftables‑synproxy can coexist with the PVE firewall.
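Added example (not from the post or from Proxmox): a small audit that parses `iptables-save` output and reports, per PVE chain, whether an UNTRACKED ACCEPT is ordered ahead of the `--ctstate INVALID -j DROP` rule, so the work-around can be verified after every firewall reload. The chain names are those from the post; the ruleset text is a constructed sample.

```python
import re
from typing import Optional

# Constructed sample of `iptables-save` output on the affected host: in
# PVEFW-HOST-IN the UNTRACKED ACCEPT lands *after* the INVALID DROP, so
# synproxy's packets are dropped first (the failure described in the post).
SAMPLE_RULESET = """\
*filter
:PVEFW-HOST-IN - [0:0]
:PVEFW-HOST-OUT - [0:0]
-A PVEFW-HOST-IN -i lo -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-IN -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m conntrack --ctstate INVALID,UNTRACKED -j ACCEPT
-A PVEFW-HOST-OUT -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m conntrack --ctstate INVALID,UNTRACKED -j ACCEPT
-A PVEFW-HOST-OUT -m conntrack --ctstate INVALID -j DROP
COMMIT
"""

# A DROP whose ctstate list contains INVALID, and an ACCEPT whose list contains UNTRACKED.
INVALID_DROP = re.compile(r"--ctstate [A-Z,]*\bINVALID\b[A-Z,]* -j DROP")
UNTRACKED_ACCEPT = re.compile(r"--ctstate [A-Z,]*\bUNTRACKED\b[A-Z,]* -j ACCEPT")

def chain_rules(ruleset: str, chain: str) -> list[str]:
    """Rules appended to `chain`, in the order the kernel evaluates them."""
    prefix = f"-A {chain} "
    return [line for line in ruleset.splitlines() if line.startswith(prefix)]

def untracked_accept_ok(ruleset: str, chain: str) -> Optional[bool]:
    """True  -> an UNTRACKED ACCEPT precedes the INVALID DROP (synproxy works)
    False -> the INVALID DROP comes first (synproxy traffic is discarded)
    None  -> the chain has no UNTRACKED ACCEPT at all (work-around missing)"""
    rules = chain_rules(ruleset, chain)
    accept_at = next((i for i, r in enumerate(rules) if UNTRACKED_ACCEPT.search(r)), None)
    drop_at = next((i for i, r in enumerate(rules) if INVALID_DROP.search(r)), None)
    if accept_at is None:
        return None
    return drop_at is None or accept_at < drop_at

def audit(ruleset: str,
          chains=("PVEFW-HOST-IN", "PVEFW-HOST-OUT", "PVEFW-FORWARD")) -> dict[str, Optional[bool]]:
    """Check every PVE chain the work-around touches; run it after each firewall reload."""
    return {chain: untracked_accept_ok(ruleset, chain) for chain in chains}

if __name__ == "__main__":
    # On a real host feed in the live ruleset instead of the sample, e.g.
    # subprocess.run(["iptables-save"], capture_output=True, text=True).stdout
    verdict = {True: "ok", False: "INVALID DROP precedes UNTRACKED ACCEPT", None: "no UNTRACKED ACCEPT"}
    for chain, ok in audit(SAMPLE_RULESET).items():
        print(f"{chain}: {verdict[ok]}")
```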