nftables - corosync open too wide

ze42

New Member
Feb 16, 2026
Hello,

I'm evaluating how to implement some network security around proxmox.

Using the iptables framework, I manage to get:

Code:
-A PVEFW-HOST-IN -s 172.16.101.2/32 -d 172.16.101.1/32 -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-OUT -s 172.16.101.1/32 -d 172.16.101.2/32 -p udp -m udp --dport 5404:5405 -j RETURN

But when trying to set it with nftables, I get...

Code:
                udp dport 5405-5412 accept

1. It does not filter any source, unlike iptables, which properly filters out sources.
2. It is applied **before** any custom rules, unlike iptables, which would allow other DC-level rules to apply first.
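The first complaint above (a corosync accept rule with no source match) is something you can check for mechanically rather than by eyeballing `nft list ruleset`. The script below is an added example, not code from the poster or from Proxmox: it walks the JSON that `nft -j list ruleset` emits and flags every `accept` rule whose `udp dport` covers a corosync port (5405-5412, the range quoted in the post) but carries no `ip saddr` / `ip6 saddr` match. The embedded ruleset is constructed to mimic that JSON output; the table name `proxmox-firewall`, the chain name `host-in` and the rule handles are assumptions, and the second rule shows what the source-restricted equivalent of the iptables lines (`ip saddr 172.16.101.2 ip daddr 172.16.101.1 udp dport 5405-5412 accept`) looks like in that JSON form.

```python
import json

# Port range used by the corosync accept rule quoted in the post (5405-5412 inclusive).
COROSYNC_PORTS = set(range(5405, 5413))


def _port_values(right):
    """Expand the right-hand side of a dport match into a set of port numbers.

    nft -j encodes a single port as an int, a range as {"range": [lo, hi]}
    and an anonymous set as {"set": [...]} whose items are ints or ranges.
    """
    if isinstance(right, int):
        return {right}
    if isinstance(right, dict):
        if "range" in right:
            lo, hi = right["range"]
            return set(range(lo, hi + 1))
        if "set" in right:
            ports = set()
            for item in right["set"]:
                ports |= _port_values(item)
            return ports
    return set()


def _payload_field(match):
    """Return (protocol, field) for a payload match such as 'udp dport' or 'ip saddr'."""
    payload = match.get("left", {}).get("payload")
    if payload:
        return payload.get("protocol"), payload.get("field")
    return None, None


def _has_verdict(rule, verdict):
    return any(verdict in expr for expr in rule.get("expr", []))


def unrestricted_corosync_rules(ruleset_json):
    """Return (chain, handle) for each accept rule that opens a corosync port to any source.

    A rule counts as unrestricted when it matches udp dport on at least one
    corosync port and has no ip/ip6 saddr match anywhere in its expression list.
    """
    data = json.loads(ruleset_json)
    hits = []
    for obj in data.get("nftables", []):
        rule = obj.get("rule")
        if not rule or not _has_verdict(rule, "accept"):
            continue
        touches_corosync = False
        has_saddr = False
        for expr in rule.get("expr", []):
            match = expr.get("match")
            if not match:
                continue
            proto, field = _payload_field(match)
            if proto == "udp" and field == "dport":
                if _port_values(match.get("right")) & COROSYNC_PORTS:
                    touches_corosync = True
            if proto in ("ip", "ip6") and field == "saddr":
                has_saddr = True
        if touches_corosync and not has_saddr:
            hits.append((rule["chain"], rule["handle"]))
    return hits


def _udp_dport(lo, hi):
    return {"match": {"op": "==", "left": {"payload": {"protocol": "udp", "field": "dport"}},
                      "right": {"range": [lo, hi]}}}


def _ip_field(field, addr):
    return {"match": {"op": "==", "left": {"payload": {"protocol": "ip", "field": field}},
                      "right": addr}}


# Constructed stand-in for `nft -j list ruleset` output; names and handles are hypothetical.
SAMPLE_RULESET = json.dumps({"nftables": [
    {"metainfo": {"version": "1.0.9", "release_name": "Old Doc Yak #3", "json_schema_version": 1}},
    {"table": {"family": "inet", "name": "proxmox-firewall", "handle": 1}},
    {"chain": {"family": "inet", "table": "proxmox-firewall", "name": "host-in", "handle": 2,
               "type": "filter", "hook": "input", "prio": 0, "policy": "drop"}},
    # ordinary management rule, not corosync: must not be flagged
    {"rule": {"family": "inet", "table": "proxmox-firewall", "chain": "host-in", "handle": 5,
              "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}},
                                  "right": 22}}, {"accept": None}]}},
    # the wide-open rule from the post: udp dport 5405-5412 accept
    {"rule": {"family": "inet", "table": "proxmox-firewall", "chain": "host-in", "handle": 7,
              "expr": [_udp_dport(5405, 5412), {"accept": None}]}},
    # source-restricted equivalent of the iptables rule: only the cluster peer may reach corosync
    {"rule": {"family": "inet", "table": "proxmox-firewall", "chain": "host-in", "handle": 9,
              "expr": [_ip_field("saddr", "172.16.101.2"), _ip_field("daddr", "172.16.101.1"),
                       _udp_dport(5405, 5412), {"accept": None}]}},
]})


if __name__ == "__main__":
    for chain, handle in unrestricted_corosync_rules(SAMPLE_RULESET):
        print(f"corosync open to any source: chain {chain} handle {handle}")
```

On a real node, feed it `nft -j list ruleset` instead of the constructed sample; any hit means the cluster ports accept traffic from every interface the chain is hooked on, not just the corosync link peer. Rules that restrict the source via a named set (`ip saddr @cluster_peers`) still produce an `ip saddr` payload match and are correctly treated as restricted.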