SDN Simple Zone: SNAT not working with nftables (Tech Preview)

nilo

New Member
May 9, 2025
Hi,

I've been testing the nftables Tech Preview feature in combination with SDN VNet Firewall and ran into an issue with SNAT not being applied.

Environment:
- Proxmox VE 9.1.0 (kernel 6.17.13-2-pve)
- pve-manager 9.1.6
- pve-firewall 6.0.4
- SDN Simple Zone with one VNet
- DHCP enabled, SNAT enabled on the VNet
- nftables enabled on the node (Tech Preview)
- VNet Firewall enabled

Problem:
When nftables is enabled, DNS resolution fails inside VMs. Investigating with tcpdump showed that DNS requests leave the host correctly, but responses never reach the VM. The conntrack table shows entries marked as [UNREPLIED], confirming that return traffic is not being matched.

Root Cause (found in SimplePlugin.pm):
Looking at the source code in /usr/share/perl5/PVE/Network/SDN/Zones/SimplePlugin.pm, the SNAT implementation only generates iptables rules:

push @iface_config, "post-up $iptables -t nat -A POSTROUTING -s '$cidr' -o $outiface -j SNAT --to-source $outip";

There is no equivalent nftables implementation. As a result, when nftables is active, no NAT/SNAT rule is generated at all — confirmed by checking "nft list ruleset" which shows no nat/masquerade rules for the SDN subnet.

With iptables everything works as expected. With nftables, SNAT is silently missing.

Question:
Is this a known limitation of the current nftables Tech Preview? Are there plans to implement SNAT for nftables in SimplePlugin.pm?

Thanks!
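As an added illustration (not the poster's code and not from SimplePlugin.pm), a POSIX shell helper that prints the nftables counterpart of the iptables SNAT rule quoted above, plus an audit that checks a saved "nft list ruleset" dump for a snat/masquerade rule covering the SDN subnet. The table name pve_sdn_nat and the subnet, interface and address values are assumptions.

```shell
#!/bin/sh
# Print the nft commands equivalent to:
#   iptables -t nat -A POSTROUTING -s $cidr -o $outiface -j SNAT --to-source $outip
# Table name pve_sdn_nat is hypothetical; "priority srcnat" is nft's standard
# postrouting NAT priority (100).
sdn_nft_snat_cmds() {
  cidr=$1; outiface=$2; outip=$3
  printf '%s\n' \
    "nft add table ip pve_sdn_nat" \
    "nft 'add chain ip pve_sdn_nat postrouting { type nat hook postrouting priority srcnat; policy accept; }'" \
    "nft add rule ip pve_sdn_nat postrouting ip saddr $cidr oifname \"$outiface\" snat to $outip"
}

# Audit a ruleset dump (e.g. "$(nft list ruleset)"): succeed only if a
# postrouting nat chain contains a snat/masquerade rule mentioning $cidr.
# This is the check that would have shown the missing rule in the post above.
sdn_nft_has_snat() {
  cidr=$1; dump=$2
  printf '%s\n' "$dump" | awk -v cidr="$cidr" '
    /type nat hook postrouting/ { innat = 1 }      # entered a postrouting nat chain
    /^[[:space:]]*}/            { innat = 0 }      # chain (or table) closed
    innat && index($0, cidr) && ($0 ~ /snat to/ || $0 ~ /masquerade/) { found = 1 }
    END { exit found ? 0 : 1 }
  '
}

# Constructed sample values, not taken from the thread.
sdn_nft_snat_cmds 10.10.10.0/24 vmbr0 192.0.2.10
```

Feed the real output of "nft list ruleset" to sdn_nft_has_snat to confirm whether a NAT rule for the VNet subnet exists before reaching for tcpdump.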
 
The symptoms point to a chain priority ordering issue between the nftables firewall and the NAT rules. When DNS queries go out, the SNAT/masquerade works on the outbound path. But the return DNS response arrives at the host's public IP and needs DNAT back to the VM IP before the forward chain evaluates it. If the nftables forward filter runs at a priority where it sees the packet before DNAT has translated the destination address back to the VM, it drops the packet as unexpected traffic.

Check your chain priorities with "nft list ruleset" and look at the priority values on the nat and filter chains. The nat prerouting chain should run at a lower priority number (earlier) than the forward filter chain so that DNAT happens first.

Also worth trying "nft monitor trace" to see exactly which chain and rule is dropping the return packets. That will confirm whether it is the forward filter or something else in the path.