Hello,
I'm working on trying out the new nftables proxmox-firewall on a couple nodes of our dev cluster to see how it works and I hit something I can't quite work past. Our rules are kind of a mess on our dev cluster, so it's probably going to be a good test of how the new code works.
Issues I worked past
- The first issue I ran into is that proxmox-firewall doesn't directly support the old style of IPSet references. I.e., if I used +my-ipset instead of +dc/my-ipset, the proxmox-firewall service would just sit there barfing out an error (error updating firewall rules: invalid IP specification: +my-ipset) instead of applying firewall rules.
- The second issue I ran into was that I had some IPSets that had been deleted but that rules still referenced. I never saw an error in the logs, but I fully expect it would have been a problem.
The issue I'm stuck at is that I'm seeing this in the logs:
Code:
Apr 03 15:46:37 vdev-0.FQDN proxmox-firewall[1208]: proxmox_firewall: error updating firewall rules: cannot execute nftables commands
Apr 03 15:46:42 vdev-0.FQDN proxmox-firewall[1208]: proxmox_firewall: error updating firewall rules: cannot execute nftables commands
Apr 03 15:46:47 vdev-0.FQDN proxmox-firewall[1208]: proxmox_firewall: error updating firewall rules: cannot execute nftables commands
Apr 03 15:46:52 vdev-0.FQDN proxmox-firewall[1208]: proxmox_firewall: error updating firewall rules: cannot execute nftables commands
Apr 03 15:46:57 vdev-0.FQDN proxmox-firewall[1208]: proxmox_firewall: error updating firewall rules: cannot execute nftables commands
Apr 03 15:47:02 vdev-0.FQDN proxmox-firewall[1208]: proxmox_firewall: error updating firewall rules: cannot execute nftables commands
I have the output of
RUST_LOG=trace /usr/libexec/proxmox/proxmox-firewall 2> firewall_log_$(hostname).txt
ready to go, but since it's not redacted, I would like to only share this in a direct message or via email.

Thanks,
James
PS - this looks very similar to the following things I found in the forum:
- https://forum.proxmox.com/threads/nfatbles-statful-or-statsless.147766/
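As an added example (not part of James's post and not Proxmox's own code), here is a small Python lint that catches the two configuration problems described above before the nftables firewall service trips over them: IPSet references without a dc/ or guest/ scope prefix, and references to IPSets that no longer exist. It assumes the Proxmox firewall file layout of [IPSET name] sections followed by [RULES] (and [group ...]) sections whose rules carry -source/-dest +name arguments; the sample config embedded below is constructed for the example, and the dc/ and guest/ prefixes are taken from the post.

```python
import re
import sys
from typing import List, Set, Tuple

# Constructed sample in the style of /etc/pve/firewall/cluster.fw (assumed layout).
SAMPLE_FW = """\
[IPSET my-ipset]
10.0.0.0/24
192.0.2.10

[IPSET admins]
198.51.100.0/24

[RULES]
IN ACCEPT -source +my-ipset -p tcp -dport 22
IN ACCEPT -source +dc/admins -p tcp -dport 8006
IN DROP -source +dc/old-ipset
IN ACCEPT -source +guest/my-ipset -p tcp -dport 443
"""

# "[IPSET name]", "[RULES]", "[group name]" ... -> (section kind, optional name)
SECTION_RE = re.compile(r"^\[(\w+)(?:\s+(\S+))?\]$")
# "+name" or "+dc/name" / "+guest/name" as a standalone token in a rule
IPSET_REF_RE = re.compile(r"(?<!\S)\+(?:(dc|guest)/)?([\w-]+)")


def parse_fw(text: str) -> Tuple[Set[str], List[Tuple[int, str]]]:
    """Return the IPSet names defined in this file and the (line number, rule)
    pairs found in rule-bearing sections. Trailing '# comments' are stripped."""
    ipsets: Set[str] = set()
    rules: List[Tuple[int, str]] = []
    section = None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).upper()
            if section == "IPSET" and m.group(2):
                ipsets.add(m.group(2))
            continue
        if section in ("RULES", "GROUP"):
            rules.append((n, line))
    return ipsets, rules


def lint_ipset_refs(text: str, scope: str = "dc") -> List[Tuple[int, str, str]]:
    """Flag IPSet references that the nftables firewall would reject or that
    point at sets not defined in this file. Returns (line, kind, reference).

    kind == "unscoped":  "+name" without a dc/ or guest/ prefix
    kind == "undefined": "+<scope>/name" where name has no [IPSET name] here
    Only the given scope is checked against this file; guest-scoped sets live
    in the guest's own config and are left alone."""
    ipsets, rules = parse_fw(text)
    findings: List[Tuple[int, str, str]] = []
    for n, rule in rules:
        for m in IPSET_REF_RE.finditer(rule):
            prefix, name = m.group(1), m.group(2)
            if prefix is None:
                findings.append((n, "unscoped", m.group(0)))
            elif prefix == scope and name not in ipsets:
                findings.append((n, "undefined", m.group(0)))
    return findings


if __name__ == "__main__":
    # Usage: python lint_fw.py [/etc/pve/firewall/cluster.fw]; without an
    # argument the constructed sample is checked.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FW
    for line_no, kind, ref in lint_ipset_refs(text):
        print(f"line {line_no}: {kind} IPSet reference {ref}")
```

Run against the sample, the lint reports line 9 as an unscoped reference (+my-ipset, the form the new service rejects with "invalid IP specification") and line 11 as a dangling one (+dc/old-ipset, the silent case), while the guest-scoped reference on line 12 is left to the guest's own file.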