[pve-devel] applied: [PATCH proxmox-firewall 1/1] vnet firewall: create chains in host table only if host fw is enabled

Thomas Lamprecht t.lamprecht at proxmox.com
Sat Oct 4 14:58:43 CEST 2025


On Fri, 05 Sep 2025 14:13:47 +0200, Stefan Hanreich wrote:
> If the host firewall is not enabled, but the vnet firewall is enabled
> for at least one vnet, then the firewall tries to create the chains
> required for the vnet firewall in the cluster / host table, which is
> unnecessary. This leads to an error in the generated nftables ruleset,
> causing the firewall to not get applied.
> 
> In order to fix this, skip generating the bridge chains in the inet
> table when the cluster/host firewall is disabled, since they're only
> required for managing the traffic flowing from host <-> bridge ports.
> If the host firewall is disabled, then we do not need to create rules
> for traffic from host <-> bridge port in the first place.
> 
> [...]

Applied, thanks!

[1/1] vnet firewall: create chains in host table only if host fw is enabled
      commit: fdbcd7dea5ab49430acf100bd70ad6ed062c52a5



