[pve-devel] [PATCH proxmox-firewall 1/2] fix: firewall: apply `nt_conntrack_allow_invalid` to all chains

Hannes Laimer h.laimer at proxmox.com
Wed Mar 12 11:18:08 CET 2025



On 3/4/25 13:24, Stefan Hanreich wrote:
> default-in is also checking for conntrack status, so we should put this

I think `default-in` is currently noop'ing[1] ct state invalid, am I
missing something? I thought maybe there's a reason for that, so I
left it as is, as with the change we'd drop there with invalid ct
state.

[1] https://git.proxmox.com/?p=proxmox-firewall.git;a=blob;f=proxmox-firewall/resources/proxmox-firewall.nft;h=2dd7c48bc68b3ddf404e53a1c7be9e624227be13;hb=refs/heads/master#l208
> there as well. Other than that consider this:




