Hi,
I would like to use my own firewall rules using nftables (because I like nftables so much).
Did some troubleshooting and somehow:
################ question summary
proxmox is a quemu / kvm host for vm's (I do not use docker on the host itsself)
It uses linux bridges to tie up the network
But when using nftables bridge table:
bridge filter on input and output chains work fine on proxmox: I can use ip-addresses
On forward chain in bridge filter ip-addresses do not work.
I have no idea why, please help
##################################
1. using table bridge / input / output chain works fine for the proxmox host itsself. I can use it with ip addresses and sports and dports and so on.
The rules below show counters registring bytes fine also when targetting ip-addresses. Below I am targetting ssh incoming on the proxmox host itsself. I am using the nft bridge filter because proxmox uses vmbr0 as a bridge with the outside ip-address on the bridge and not on the outside interface. So all the vm's are in the same 192.168.0.0/24 network as the outside interface.
as you can see below nftables counts packets and bytes fine in these chains
2. But filtering on ip addresses in the table / bridge forward chain:
1. makes the whole ip system unstable it seems (perhaps a resource problem, I had it once)
2. and counters do not work when using ip-addresses in the chains
so in the forward table ip addresses do not seem to work. See below some netfilter rules I am testing. More below you can see in what rules the counters go up and thus that target actual traffic I am sending in and out (ssh and ping traffic running).
As you can see further below rules with ip-addresses do not catch traffic.
the code above shows this as a result when doing
nft list ruleset
I anybody can help howto filter the bridge from the underlying proxmox system that would be great.
The rest below shows more info on the setup of the bridges and so on.
some bridge info
and ip a on one specific bridge (id 108: proxmox uses id's for vm's: which is pretty clever).
As far as I understand every vm get its own tap device, which then somehow it tied together with the " motherbridge vmbr0" via another bridge)
So my question is: why is it not counting packets when I refer to ip addresses?
according to this nftables wiki filtering in bridged using ip addresses should work:
https://wiki.nftables.org/wiki-nftables/index.php/Bridge_filtering
according to this url filering should work as well:
https://stackoverflow.com/questions/68089536/nftables-drop-arp-traffic-on-specific-bridge
But I can't get it to work with counters, and also the connections and pings just halt and become unstable.
Are there changes in the proxmox code that hinder this?
I would like to use my own firewall rules using nftables (because I like nftables so much).
Did some troubleshooting and somehow:
################ question summary
proxmox is a quemu / kvm host for vm's (I do not use docker on the host itsself)
It uses linux bridges to tie up the network
But when using nftables bridge table:
bridge filter on input and output chains work fine on proxmox: I can use ip-addresses
On forward chain in bridge filter ip-addresses do not work.
I have no idea why, please help
##################################
1. using table bridge / input / output chain works fine for the proxmox host itsself. I can use it with ip addresses and sports and dports and so on.
The rules below show counters registring bytes fine also when targetting ip-addresses. Below I am targetting ssh incoming on the proxmox host itsself. I am using the nft bridge filter because proxmox uses vmbr0 as a bridge with the outside ip-address on the bridge and not on the outside interface. So all the vm's are in the same 192.168.0.0/24 network as the outside interface.
table bridge filter {
chain input {
type filter hook input priority 0 ; policy accept;
iif enp3s0 ip saddr 192.168.0.2 tcp dport 22 counter accept comment "ssh lan bridge into proxmox "
iif enp3s0 ip saddr 192.168.0.2 tcp dport 8006 counter accept comment "port 8006 lan bridge into proxmox "
} ## end chain input
chain output {
type filter hook output priority 0 ; policy accept;
oif enp3s0 ip daddr 192.168.0.2 tcp sport 22 counter accept comment "ssh lan bridge out proxmox "
} ## end chain output
}
as you can see below nftables counts packets and bytes fine in these chains
nft list ruleset
table bridge filter {
chain input {
type filter hook input priority 0; policy accept;
iif "enp3s0" ip saddr 192.168.0.2 tcp dport 22 counter packets 11 bytes 784 accept comment "ssh lan bridge into proxmox "
iif "enp3s0" ip saddr 192.168.0.2 tcp dport 8006 counter packets 20 bytes 10292 accept comment "port 8006 lan bridge into proxmox "
}
2. But filtering on ip addresses in the table / bridge forward chain:
1. makes the whole ip system unstable it seems (perhaps a resource problem, I had it once)
2. and counters do not work when using ip-addresses in the chains
so in the forward table ip addresses do not seem to work. See below some netfilter rules I am testing. More below you can see in what rules the counters go up and thus that target actual traffic I am sending in and out (ssh and ping traffic running).
As you can see further below rules with ip-addresses do not catch traffic.
chain forward {
type filter hook forward priority 0 ; policy accept;
oifname "tap108i0" counter accept; # counter works
oifname "tap103i0" counter accept; # counter works
iif enp3s0 counter accept # counter works
oif tap108i0 counter accept; # counter does not work
oifname "tap108i0" ip daddr 192.168.0.25 counter accept; # does not work
#oifname "tap108i0" tcp dport 22 counter accept; # does not work
#ether daddr bc:24:11:bd:f0:80 drop #does not work
#ether type ip counter accept comment "ssh lan bridge ether "
iif enp3s0 oif tap108i0 counter accept comment "ssh lan bridge to hccom 25 " # does not work
ip daddr 192.168.0.25 counter accept
} ## end chain forward
the code above shows this as a result when doing
nft list ruleset
chain forward {
type filter hook forward priority 0; policy accept;
oifname "tap108i0" counter packets 9 bytes 368 accept
oifname "tap103i0" counter packets 6 bytes 284 accept
iif "enp3s0" counter packets 28 bytes 1328 accept
oif "tap108i0" counter packets 0 bytes 0 accept
oifname "tap108i0" ip daddr 192.168.0.25 counter packets 0 bytes 0 accept
iif "enp3s0" oif "tap108i0" counter packets 0 bytes 0 accept comment "ssh lan bridge to hccom 25 "
ip daddr 192.168.0.25 counter packets 0 bytes 0 accept
}
I anybody can help howto filter the bridge from the underlying proxmox system that would be great.
The rest below shows more info on the setup of the bridges and so on.
some bridge info
root@pve:~# brctl show
bridge name bridge id STP enabled interfaces
fwbr103i0 8000.363911ec9946 no fwln103i0
tap103i0
fwbr107i0 8000.1e5999978420 no fwln107i0
tap107i0
fwbr108i0 8000.aafb51f658de no fwln108i0
tap108i0
fwbr109i0 8000.8e0b48e32c5d no fwln109i0
tap109i0
fwbr111i0 8000.5eb6c143a4b8 no fwln111i0
tap111i0
vmbr0 8000.842b2baf2378 no enp3s0
fwpr103p0
fwpr107p0
fwpr108p0
fwpr109p0
fwpr111p0
and ip a on one specific bridge (id 108: proxmox uses id's for vm's: which is pretty clever).
As far as I understand every vm get its own tap device, which then somehow it tied together with the " motherbridge vmbr0" via another bridge)
17: tap108i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master fwbr108i0 state UNKNOWN group default qlen 1000
link/ether 9a:08:f7:41:cb:6f brd ff:ff:ff:ff:ff:ff
18: fwbr108i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether aa:fb:51:f6:58:de brd ff:ff:ff:ff:ff:ff
19: fwpr108p0@fwln108i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vmbr0 state UP group default qlen 1000
link/ether a2:50:f2:e0:ff:82 brd ff:ff:ff:ff:ff:ff
20: fwln108i0@fwpr108p0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master fwbr108i0 state UP group default qlen 1000
link/ether aa:fb:51:f6:58:de brd ff:ff:ff:ff:ff:ff
So my question is: why is it not counting packets when I refer to ip addresses?
according to this nftables wiki filtering in bridged using ip addresses should work:
https://wiki.nftables.org/wiki-nftables/index.php/Bridge_filtering
according to this url filering should work as well:
https://stackoverflow.com/questions/68089536/nftables-drop-arp-traffic-on-specific-bridge
But I can't get it to work with counters, and also the connections and pings just halt and become unstable.
Are there changes in the proxmox code that hinder this?
Last edited: