[pve-devel] applied: [PATCH proxmox-firewall 1/1] fix #6831: move conntrack statement to forward chain

Thomas Lamprecht t.lamprecht at proxmox.com
Sat Oct 4 14:58:42 CEST 2025


On Tue, 23 Sep 2025 14:26:43 +0200, Stefan Hanreich wrote:
> The conntrack statement was included in the host-forward chain, which
> is managed by the firewall daemon. It gets flushed in every iteration
> of the daemon, but the rule is never re-created in the daemon. This
> caused conntracked flows that are routed by the PVE host to not get
> accepted. Generally, the ruleset is constructed in a way that all
> chains that are managed by the firewall daemon are empty by default -
> this was the only exception. Move the ct state statement to the
> appropriate chain. Since the forward chain is in the inet table which
> never sees ARP traffic in the first place, remove the respective
> statement matching on ARP. This is most likely copied from the bridge
> table, where this modifier is indeed necessary, since ARP traffic is
> visible there.
> 
> [...]

Applied, thanks!

[1/1] fix #6831: move conntrack statement to forward chain
      commit: 70c65c07db51659070c3fe6f24bfe8f4b6479045
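
The failure mode described in the commit message, as an added illustrative nftables ruleset (not the proxmox-firewall ruleset; the table name "example", the chain layout and the exact form of the ARP match are assumptions for the example). It shows why a `ct state` rule placed in a chain that the daemon flushes on every iteration vanishes, where the same rule survives in the statically managed forward chain of the inet table, and why the ARP match is only meaningful in the bridge family:

```nft
#!/usr/sbin/nft -f
# Illustrative ruleset, not the project's own. Table/chain names are assumed.

table inet example {
    # Chain managed by the firewall daemon. On every iteration the daemon
    # effectively runs:
    #     nft flush chain inet example host-forward
    # and then re-adds only the rules it generates itself. A rule written
    # here statically (the bug) is gone after the first flush and is never
    # re-created, so established forwarded flows fall through to the
    # base chain's drop policy.
    chain host-forward {
        # BUG (before the fix): static rule in a daemon-flushed chain
        # ct state established,related accept
    }

    # Statically managed base chain: never flushed by the daemon, so the
    # conntrack accept stays in place. The inet family only sees IPv4 and
    # IPv6 packets, so there is no ARP to match here and no ARP guard is
    # needed (after the fix).
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        jump host-forward
    }
}

table bridge example {
    # In the bridge family ARP frames do reach the hooks, so a conntrack
    # rule there needs an explicit ARP statement alongside it. The exact
    # form used in the original ruleset is not shown on this page; an
    # explicit accept for ARP is one common way to write it.
    chain forward {
        type filter hook forward priority 0; policy accept;
        ether type arp accept
        ct state established,related accept
    }
}
```

Loading the file with `nft -f` and then flushing `host-forward` (as the daemon would) leaves the `forward` chain's `ct state` rule intact, which is the property the fix restores; with the rule placed in `host-forward` instead, `nft list chain inet example host-forward` after the flush shows an empty chain.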
