pve-firewall replicates ebtables chains and rules from nat and brouting tables into the filter table.
proxmox-ve: 6.2-2 (running kernel: 5.4.78-2-pve)
pve-manager: 6.2-12 (running version: 6.2-12/b287dd27)
pve-firewall: 4.1-3
...for full package list look at pveversion.txt in attachment
root@CLIPVE03:~# ebtables-save
# Generated by ebtables-save v1.0 (legacy) on Tue 27 Apr 2021 03:42:44 PM CEST
*nat
: PREROUTING ACCEPT
: OUTPUT ACCEPT
: POSTROUTING ACCEPT
: vxlan666
*broute
: BROUTING ACCEPT
*filter
: INPUT ACCEPT
: FORWARD DROP
: OUTPUT ACCEPT
: BROUTING ACCEPT #<=== WTF !
: POSTROUTING ACCEPT #<=== WTF !
: PREROUTING ACCEPT #<=== WTF !
: vxlan666 #<=== WTF !
None of the following options, set individually or together, solves the problem:
set cluster->firewall to NO
set cluster->ebtables to NO
set host->firewall to NO
Stopping the pve-firewall service seems to be the only way to solve this problem.
PVE 5.3 is NOT affected (pve-firewall: 3.0-16)
Is there a fixed pve-firewall package?
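A way to check a host for the symptom reported above, as an added example that is not part of the original post: it reads `ebtables-save` output and lists every chain in the filter table that is not one of the filter built-ins (INPUT, FORWARD, OUTPUT) and is also declared in the nat or broute table. The function names and the sample dump are assumptions; the sample is constructed from the listing in the post.

```shell
#!/bin/sh
# Added example: find nat/broute chains that have been copied into *filter.

stray_filter_chains() {
    awk '
        /^\*/ { table = substr($1, 2); next }     # table header: "*nat", "*broute", "*filter"
        /^:/  {
            line = $0
            sub(/^:[ \t]*/, "", line)             # accept ":NAME" and ": NAME"
            split(line, f, /[ \t]+/)
            chain = f[1]
            if (table == "filter") infilter[++n] = chain
            else                   other[chain] = table
        }
        END {
            # Evaluate at the end so the order of tables in the dump does not matter.
            for (i = 1; i <= n; i++) {
                c = infilter[i]
                if (c == "INPUT" || c == "FORWARD" || c == "OUTPUT") continue
                if (c in other) print c " (declared in " other[c] ")"
            }
        }
    '
}

# Constructed sample input mirroring the dump in the post.
sample_dump() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
:vxlan666
*broute
:BROUTING ACCEPT
*filter
:INPUT ACCEPT
:FORWARD DROP
:OUTPUT ACCEPT
:BROUTING ACCEPT
:POSTROUTING ACCEPT
:PREROUTING ACCEPT
:vxlan666
EOF
}

sample_dump | stray_filter_chains
```

On a live host the same function can be fed directly: `ebtables-save | stray_filter_chains`. Empty output means no nat or broute chain names appear in the filter table.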