SDN Simple Zone: SNAT not working with nftables (Tech Preview)

nilo

New Member
May 9, 2025
Hi,

I've been testing the nftables Tech Preview feature in combination with SDN VNet Firewall and ran into an issue with SNAT not being applied.

Environment:
- Proxmox VE 9.1.0 (kernel 6.17.13-2-pve)
- pve-manager 9.1.6
- pve-firewall 6.0.4
- SDN Simple Zone with one VNet
- DHCP enabled, SNAT enabled on the VNet
- nftables enabled on the node (Tech Preview)
- VNet Firewall enabled

Problem:
When nftables is enabled, DNS resolution fails inside VMs. Investigating with tcpdump showed that DNS requests leave the host correctly, but responses never reach the VM. The conntrack table shows entries marked as [UNREPLIED], confirming that return traffic is not being matched.

Root Cause (found in SimplePlugin.pm):
Looking at the source code in /usr/share/perl5/PVE/Network/SDN/Zones/SimplePlugin.pm, the SNAT implementation only generates iptables rules:

push @iface_config, "post-up $iptables -t nat -A POSTROUTING -s '$cidr' -o $outiface -j SNAT --to-source $outip";

There is no equivalent nftables implementation. As a result, when nftables is active, no NAT/SNAT rule is generated at all — confirmed by checking "nft list ruleset" which shows no nat/masquerade rules for the SDN subnet.

With iptables everything works as expected. With nftables, SNAT is silently missing.

Question:
Is this a known limitation of the current nftables Tech Preview? Are there plans to implement SNAT for nftables in SimplePlugin.pm?

Thanks!
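As an added illustration (not code from the post or from Proxmox), the script below checks an "nft list ruleset" dump for a SNAT/masquerade rule covering an SDN subnet, which is the check described above, and prints the nftables counterpart of the iptables rule quoted from SimplePlugin.pm as a manual workaround. The table name "pve_sdn_nat", the chain name, the subnet 10.10.0.0/24, the interface vmbr0 and the address 192.0.2.10 are assumptions; the sample rulesets are constructed, not captured from a node.

```shell
#!/bin/sh
# Added example, not code from the forum post or from Proxmox: verify whether an
# nftables ruleset contains a SNAT/masquerade rule for an SDN subnet, and print
# the nft equivalent of the iptables POSTROUTING rule quoted from SimplePlugin.pm.
# Table/chain names, subnet, interface and outgoing address are assumptions.

# has_snat_rule CIDR OUTIFACE  (ruleset text on stdin)
# Exit 0 when some rule sources CIDR on OUTIFACE and performs snat or masquerade.
has_snat_rule() {
    awk -v cidr="$1" -v outif="$2" '
        index($0, "ip saddr " cidr) && index($0, "oifname \"" outif "\"") &&
        (index($0, "snat to") || index($0, "masquerade")) { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# nft_snat_rule_cmd CIDR OUTIFACE OUTIP
# nftables counterpart of the iptables rule from the post; assumes a table
# "pve_sdn_nat" with a chain "postrouting" of type nat hook postrouting exists.
nft_snat_rule_cmd() {
    printf 'nft add rule inet pve_sdn_nat postrouting ip saddr %s oifname "%s" snat to %s\n' \
        "$1" "$2" "$3"
}

# Constructed sample rulesets (not captured from a real node).
RULESET_WITH_SNAT='table inet pve_sdn_nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        ip saddr 10.10.0.0/24 oifname "vmbr0" snat to 192.0.2.10
    }
}'
RULESET_NO_SNAT='table inet example_filter {
    chain forward {
        type filter hook forward priority filter; policy accept;
    }
}'

# With --live, inspect the node's real ruleset; otherwise demonstrate on the samples.
if [ "${1:-}" = "--live" ]; then
    nft list ruleset | has_snat_rule 10.10.0.0/24 vmbr0 \
        || { echo "no SNAT rule for 10.10.0.0/24; manual equivalent:"; nft_snat_rule_cmd 10.10.0.0/24 vmbr0 192.0.2.10; }
else
    printf '%s\n' "$RULESET_WITH_SNAT" | has_snat_rule 10.10.0.0/24 vmbr0 && echo "sample 1: SNAT rule present"
    printf '%s\n' "$RULESET_NO_SNAT" | has_snat_rule 10.10.0.0/24 vmbr0 || echo "sample 2: SNAT rule missing"
fi
```

The second sample reproduces the symptom from the post: a ruleset with filter chains only and no nat rule for the SDN subnet.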