pve-firewall with nftables enabled: pending changes

Monero101 · Mar 7, 2025

I'm having issue with pve-firewall having "pending changes" as soon as I enable nftables at the host level

Code:

pve-firewall status
Status: enabled/running (pending changes)

Restarting pve-firewall does not help
Deleting all VNet firewall rules does not help

Linux x3 6.8.12-4-pve #1 SMP PREEMPT_DYNAMIC PMX 6.8.12-4 (2024-11-06T15:04Z) x86_64 GNU/Linux

Code:

nft --version
nftables v1.0.6 (Lester Gooch #5)

Code:

systemctl status pve-firewall proxmox-firewall
● pve-firewall.service - Proxmox VE firewall
     Loaded: loaded (/lib/systemd/system/pve-firewall.service; enabled; preset: enabled)
     Active: active (running) since Fri 2025-03-07 14:59:04 CET; 8min ago
    Process: 1433741 ExecStartPre=/usr/bin/update-alternatives --set ebtables /usr/sbin/ebtables-legacy (code=exited, status=0/SUCCE>
    Process: 1433743 ExecStartPre=/usr/bin/update-alternatives --set iptables /usr/sbin/iptables-legacy (code=exited, status=0/SUCCE>
    Process: 1433744 ExecStartPre=/usr/bin/update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy (code=exited, status=0/SUC>
    Process: 1433745 ExecStart=/usr/sbin/pve-firewall start (code=exited, status=0/SUCCESS)
   Main PID: 1433748 (pve-firewall)
      Tasks: 1 (limit: 76816)
     Memory: 98.5M
        CPU: 10.872s
     CGroup: /system.slice/pve-firewall.service
             └─1433748 pve-firewall

Mar 07 14:59:03 chant3 systemd[1]: Starting pve-firewall.service - Proxmox VE firewall...
Mar 07 14:59:04 chant3 pve-firewall[1433748]: starting server
Mar 07 14:59:04 chant3 systemd[1]: Started pve-firewall.service - Proxmox VE firewall.

● proxmox-firewall.service - Proxmox nftables firewall
     Loaded: loaded (/lib/systemd/system/proxmox-firewall.service; enabled; preset: enabled)
     Active: active (running) since Fri 2025-03-07 14:59:06 CET; 8min ago
   Main PID: 1433808 (proxmox-firewal)
      Tasks: 1 (limit: 76816)
     Memory: 944.0K
        CPU: 3.315s
     CGroup: /system.slice/proxmox-firewall.service
             └─1433808 /usr/libexec/proxmox/proxmox-firewall

Mar 07 14:59:06 chant3 systemd[1]: Started proxmox-firewall.service - Proxmox nftables firewall.

MarkusKo · Mar 7, 2025

do you use the SDN feature? then you may have to apply the changes in Datacenter -> SDN -> "Apply"

Monero101 · Mar 7, 2025

MarkusKo said:
do you use the SDN feature? then you may have to apply the changes in Datacenter -> SDN -> "Apply"

I do and I always apply after changes. I deleted all SDN firewall rules but it doesn't help either

kissze · Mar 17, 2025

Here is the same, but the firewall rules are created and its working (checked with nft list ruleset).
Also, i have pve 8.2 currently, i will try to upgrade the cluster.

itNGO · Mar 22, 2025

Same here on 3 nodes with 8.3.5
Even after fresh reboot

Code:

pve-firewall status
Status: enabled/running (pending changes)

Search

Search

pve-firewall with nftables enabled: pending changes

Monero101

New Member

MarkusKo

Member

Monero101

New Member

kissze

Renowned Member

itNGO

Renowned Member

We value your privacy