VM filters outgoing traffic using non-existent ipset

danadm

Member
Mar 27, 2021
Hello,

I am not sure if I hit a bug, so I am trying to check before submitting it.

I created a firewall for a VM, and the outgoing filter in iptables looks like this:

Code:
Chain tap101i1-OUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 PVEFW-SET-ACCEPT-MARK  udp  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  udp spt:68 dpt:67
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC ! 22:00:C7:00:5F:D4
  688 47286 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ! match-set PVEFW-101-ipfilter-net1-v4 src
   20  1254 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MARK and 0x7fffffff

The problem is the "! match-set PVEFW-101-ipfilter-net1-v4 src": there isn't any such ipset, so all traffic is blocked. I can create the ipset, but I don't see in the documentation how to create it. It can be fixed by

Code:
[IPSET ipfilter-net1]

VMs own IP
in the 101.fw config file, but I don't see this setting in the GUI.

The pve-firewall version is 4.1-3, and the system is freshly installed from the Proxmox no-subscription repo.
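
A diagnostic for the situation described above, as an added example that is not part of the original post or of Proxmox's code: it lists every iptables rule that uses `match-set` and reports whether the referenced set is missing, empty or populated according to `ipset save` output. It goes slightly beyond the post by also flagging empty sets, since a `! match-set … src` DROP rule against an empty set matches every packet. The ipset names and the address in the sample are constructed.

```python
import re

# Constructed sample: the tap101i1-OUT chain from the post
# (`iptables -L tap101i1-OUT -v -n`, column spacing shortened).
IPTABLES_OUTPUT = """\
Chain tap101i1-OUT (1 references)
 pkts bytes target prot opt in out source destination
    0     0 PVEFW-SET-ACCEPT-MARK  udp  --  *  *  0.0.0.0/0  0.0.0.0/0  [goto]  udp spt:68 dpt:67
    0     0 DROP  all  --  *  *  0.0.0.0/0  0.0.0.0/0  MAC ! 22:00:C7:00:5F:D4
  688 47286 DROP  all  --  *  *  0.0.0.0/0  0.0.0.0/0  ! match-set PVEFW-101-ipfilter-net1-v4 src
   20  1254 MARK  all  --  *  *  0.0.0.0/0  0.0.0.0/0  MARK and 0x7fffffff
"""

# Constructed sample in `ipset save` format; set names and address are made up.
IPSET_SAVE = """\
create PVEFW-EXAMPLE-empty-v4 hash:net family inet hashsize 64 maxelem 64
create PVEFW-EXAMPLE-filled-v4 hash:net family inet hashsize 64 maxelem 64
add PVEFW-EXAMPLE-filled-v4 192.0.2.10
"""

# Optional "!" negation, then the set name and the src/dst flags.
MATCH_SET = re.compile(r"(!\s+)?match-set\s+(\S+)\s+(\S+)")

def parse_ipsets(ipset_save):
    """Map each set name in `ipset save` output to the list of its members."""
    sets = {}
    for line in ipset_save.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "create":
            sets.setdefault(parts[1], [])
        elif len(parts) >= 3 and parts[0] == "add":
            sets.setdefault(parts[1], []).append(parts[2])
    return sets

def audit_set_rules(iptables_output, ipset_save):
    """Return one finding per rule that references an ipset via match-set."""
    sets = parse_ipsets(ipset_save)
    chain, findings = None, []
    for line in iptables_output.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        m = MATCH_SET.search(line)
        if not m:
            continue
        fields, name = line.split(), m.group(2)
        state = "missing" if name not in sets else ("populated" if sets[name] else "empty")
        findings.append({"chain": chain, "pkts": fields[0], "target": fields[2],
                         "negated": m.group(1) is not None, "set": name, "state": state})
    return findings
```

On a host, the two inputs would come from `iptables -L -v -n` and `ipset save` instead of the embedded samples.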
 
