pve-firewall replicates ebtables chains and rules from nat and brouting tables into the filter table.

auranext
Jun 5, 2018
pve-firewall replicates ebtables chains and rules from nat and brouting tables into the filter table.

proxmox-ve: 6.2-2 (running kernel: 5.4.78-2-pve)
pve-manager: 6.2-12 (running version: 6.2-12/b287dd27)
pve-firewall: 4.1-3
...for the full package list, see pveversion.txt in the attachment.


root@CLIPVE03:~# ebtables-save
# Generated by ebtables-save v1.0 (legacy) on Tue 27 Apr 2021 03:42:44 PM CEST
*nat
: PREROUTING ACCEPT
: OUTPUT ACCEPT
: POSTROUTING ACCEPT
: vxlan666

*broute
: BROUTING ACCEPT

*filter
: INPUT ACCEPT
: FORWARD DROP
: OUTPUT ACCEPT
: BROUTING ACCEPT #<=== WTF !
: POSTROUTING ACCEPT #<=== WTF !
: PREROUTING ACCEPT #<=== WTF !
: vxlan666 #<=== WTF !

None of the following options, set individually or together, solves the problem:
set cluster->firewall to NO
set cluster->ebtables to NO
set host->firewall to NO

Stopping the pve-firewall service seems to be the only way to solve this problem.
PVE 5.3 is NOT affected (pve-firewall: 3.0-16).


Is there a fixed pve-firewall package?
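As an added example (not code from the post or from Proxmox), here is a small Python check that parses ebtables-save output and reports chains in the filter table that are built-in or user chains of the nat or broute tables, which is exactly the replication the post shows. The embedded sample is constructed to mirror the output above; the built-in chain sets come from ebtables(8), and the function names are my own.

```python
import subprocess
import sys
from typing import Dict, List

# Constructed sample mirroring the shape of the ebtables-save output in the post.
SAMPLE_EBTABLES_SAVE = """\
# Generated by ebtables-save v1.0 (legacy) on Tue 27 Apr 2021 03:42:44 PM CEST
*nat
:PREROUTING ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
:vxlan666
-A PREROUTING -j vxlan666

*broute
:BROUTING ACCEPT

*filter
:INPUT ACCEPT
:FORWARD DROP
:OUTPUT ACCEPT
:BROUTING ACCEPT
:POSTROUTING ACCEPT
:PREROUTING ACCEPT
:vxlan666
"""

# Built-in chains of each ebtables table, per ebtables(8).
BUILTIN_CHAINS = {
    "filter": {"INPUT", "FORWARD", "OUTPUT"},
    "nat": {"PREROUTING", "OUTPUT", "POSTROUTING"},
    "broute": {"BROUTING"},
}


def parse_ebtables_save(text: str) -> Dict[str, List[str]]:
    """Return {table: [chain, ...]} from ebtables-save text.

    Only '*table' and ':chain [policy]' lines matter for this check;
    '-A' rule lines and '#' comments are skipped. A space after the
    colon (as rendered in the forum post) is tolerated.
    """
    tables: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        if line.startswith("*"):
            current = line[1:].strip()
            tables.setdefault(current, [])
        elif line.startswith(":"):
            if current is None:
                raise ValueError("chain definition before any *table line")
            fields = line[1:].split()
            if fields:
                tables[current].append(fields[0])
    return tables


def find_foreign_chains(tables: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Map each chain in 'filter' that also belongs to nat/broute to the tables it came from.

    OUTPUT is legitimately built into both filter and nat, so filter's own
    built-in chains are never reported.
    """
    filter_chains = set(tables.get("filter", []))
    findings: Dict[str, List[str]] = {}
    for table, chains in tables.items():
        if table == "filter":
            continue
        for chain in chains:
            if chain in filter_chains and chain not in BUILTIN_CHAINS["filter"]:
                findings.setdefault(chain, []).append(table)
    return findings


def report(text: str) -> int:
    """Print findings and return the number of foreign chains in filter."""
    findings = find_foreign_chains(parse_ebtables_save(text))
    for chain, sources in sorted(findings.items()):
        print(f"filter table contains chain {chain!r} from {', '.join(sources)}")
    if not findings:
        print("filter table contains no chains from nat or broute")
    return len(findings)


if __name__ == "__main__":
    # With --live, read the running ruleset; otherwise use the constructed sample.
    if "--live" in sys.argv:
        text = subprocess.run(["ebtables-save"], check=True,
                              capture_output=True, text=True).stdout
    else:
        text = SAMPLE_EBTABLES_SAVE
    sys.exit(1 if report(text) else 0)
```

Running it without arguments flags BROUTING, POSTROUTING, PREROUTING and vxlan666 in the sample; with --live it runs ebtables-save on the host and exits non-zero when the filter table carries nat or broute chains, which makes it usable as a quick check before and after restarting pve-firewall.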
Thanks for raising the issue - I managed to reproduce it and will look into it.
Would you please open a bug report over at https://bugzilla.proxmox.com pointing to this thread for easier tracking.
If possible please also explain what your use-case is and how you set the ebtables -t nat rules in your setup.

Thanks!