proxmox-mirrors/proxmox-firewall
1
0
Fork 0
mirror of https://git.proxmox.com/git/proxmox-firewall synced 2025-10-04 04:47:33 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

fix: firewall: apply nf_conntrack_allow_invalid to all chains

Browse Source 
... on the guest table. There is no reason to not respect that option
on those two chains. These two were missed in the referenced commit.

Signed-off-by: Hannes Laimer <h.laimer@proxmox.com>
Fixes: 64dc344b ("firewall: apply `nt_conntrack_allow_invalid` option to guest table")
Tested-by: Stefan Hanreich <s.hanreich@proxmox.com>
Reviewed-by: Stefan Hanreich <s.hanreich@proxmox.com>
This commit is contained in:
Hannes Laimer 2025-03-12 14:20:24 +01:00 committed by Wolfgang Bumiller
parent efef5c53e4
commit ab2709bf51
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
proxmox-firewall/resources/proxmox-firewall.nft
View File

@ -356,7 +356,7 @@ table bridge proxmox-firewall-guests {
}
chain pre-vm-out {
meta protocol != arp ct state vmap { established : accept, related : accept, invalid : drop }
meta protocol != arp ct state vmap { established : accept, related : accept, invalid : jump invalid-conntrack }
}
chain vm-out {
@ -384,7 +384,7 @@ table bridge proxmox-firewall-guests {
chain before-bridge {
meta protocol arp accept
meta protocol != arp ct state vmap { established : accept, related : accept, invalid : drop }
meta protocol != arp ct state vmap { established : accept, related : accept, invalid : jump invalid-conntrack }
}
chain forward {