Hi everyone,
I recently transitioned to the new nftables firewall backend on a cluster running PVE 9.1.9. After enabling it, the proxmox-firewall service failed to load the ruleset, resulting in a loop of the following error in the logs:

error updating firewall rules: expected an option starting with '-'

The System Environment:
- PVE Manager Version: 9.1.9
- Kernel: 7.0.0-3-pve
- Firewall Backend: nftables (proxmox-firewall)
The Discovery: Nested Hashes (#) in Comments

After debugging with the internal compiler, I discovered that the new Rust-based parser crashes when it encounters a second hash symbol (#) within a comment field. The parser seemingly stops treating the line as a comment at the second # and tries to interpret the subsequent text as a rule option.

Example of a Rule that triggers the crash:

IN ACCEPT -p tcp -dport 99900 -log nolog # Rule description #port993

In this case, the parser sees #port223, thinks port223 is a command/option, and because it doesn't start with a hyphen (-), it throws the "expected an option" error.

The Solution:

Remove any additional # symbols from your comment fields.
- Broken: -log nolog # My Comment #123
- Fixed: -log nolog # My Comment 123

How to Isolate the Broken File:

If you are hitting this error, you can find the specific "poisoned" file by running the compiler manually in the terminal:

/usr/libexec/proxmox/proxmox-firewall compile

The command will fail immediately upon hitting the syntax error, letting you know which .fw file in /etc/pve/firewall/ needs cleaning.

I hope this helps the devs refine the lexer and saves others some time during the nftables migration!
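A small scanner for the situation described in the post, added here as an example and not code from the post or from Proxmox: it walks the lines of a .fw file, treats everything after the first # on a rule line as the comment field, flags any rule whose comment contains a further # (the case the parser chokes on), and shows the line with the extra hashes stripped. The embedded sample ruleset is constructed for the demo and is not a real cluster file.

```python
"""Find PVE firewall rules whose comment field holds a second '#'."""
import sys
from pathlib import Path

# Constructed sample in the .fw layout (section headers, rule lines, comments).
SAMPLE_FW = """[OPTIONS]
enable: 1

[RULES]
IN ACCEPT -p tcp -dport 993 -log nolog # Rule description #port993
IN ACCEPT -p tcp -dport 22 -log nolog # Plain comment, fine
# Full-line comment with a #hash is not a rule, so it is skipped
OUT DROP -p udp -dport 53 # ticket #42 and #43
"""


def split_rule(line: str):
    """Return (rule, comment) for a rule line, splitting at the first '#'.

    Blank lines, section headers ([RULES] etc.) and full-line comments are
    not rules and yield None."""
    stripped = line.strip()
    if not stripped or stripped.startswith(("#", "[")):
        return None
    rule, sep, comment = line.partition("#")
    return (rule, comment) if sep else (rule, "")


def find_nested_hash_rules(text: str):
    """Return (line_number, line) for each rule whose comment has another '#'."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        parts = split_rule(line)
        if parts and "#" in parts[1]:
            hits.append((lineno, line))
    return hits


def fix_comment_hashes(line: str) -> str:
    """Drop every '#' after the first so the whole tail stays a comment."""
    parts = split_rule(line)
    if not parts or "#" not in parts[1]:
        return line
    rule, comment = parts
    return rule + "#" + comment.replace("#", "")


if __name__ == "__main__":
    # No arguments: scan the constructed sample; otherwise scan the given .fw files.
    sources = {p: Path(p).read_text() for p in sys.argv[1:]} or {"<sample>": SAMPLE_FW}
    for name, text in sources.items():
        for lineno, line in find_nested_hash_rules(text):
            print(f"{name}:{lineno}: {line.strip()}")
            print(f"{' ' * len(name)}  fix: {fix_comment_hashes(line).strip()}")
```

Run it as `python3 scan_fw.py /etc/pve/firewall/*.fw` (read-only; it prints the suggested line rather than rewriting the file) and then re-run the proxmox-firewall compile step from the post to confirm the ruleset loads.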