proxmox / proxmox-firewall

nftables based implementation of the Proxmox VE firewall, written in rust

Firewall does not support IP Aliases #1

Closed mbrav closed 2 months ago

mbrav commented 2 months ago

Hi, very excited for the new PVE 8.2 Firewall based on nftables and written in Rust! Went ahead and upgraded PVE to 8.2, enabled nftables (tech preview) Yes in the Web UI, then the FW rules stopped working.

It seems that proxmox-firewall does not support alias resolution 😿 .

Here is the service output:

 ╰─λ systemctl status proxmox-firewall.service
× proxmox-firewall.service - Proxmox nftables firewall
     Loaded: loaded (/lib/systemd/system/proxmox-firewall.service; enabled; preset: enabled)
     Active: failed (Result: exit-code) since Thu 2024-04-25 20:44:12 MSK; 10min ago
   Duration: 9ms
    Process: 1424 ExecStart=/usr/libexec/proxmox/proxmox-firewall (code=exited, status=101)
   Main PID: 1424 (code=exited, status=101)
        CPU: 4ms

Apr 25 20:44:12 pve1 systemd[1]: Started proxmox-firewall.service - Proxmox nftables firewall.
Apr 25 20:44:12 pve1 proxmox-firewall[1424]: thread 'main' panicked at 'cluster firewall config is valid: Invalid address in IPSet: gtr_nic1', proxmox-firewall/src/config.rs:187:58
Apr 25 20:44:12 pve1 proxmox-firewall[1424]: note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
Apr 25 20:44:12 pve1 systemd[1]: proxmox-firewall.service: Main process exited, code=exited, status=101/n/a
Apr 25 20:44:12 pve1 systemd[1]: proxmox-firewall.service: Failed with result 'exit-code'.

To investigate further, I ran the binary with full backtrace:

RUST_BACKTRACE=full /usr/libexec/proxmox/proxmox-firewall

Output:

 × RUST_BACKTRACE=full /usr/libexec/proxmox/proxmox-firewall
thread 'main' panicked at 'cluster firewall config is valid: Invalid address in IPSet: pc_nic1', proxmox-firewall/src/config.rs:187:58

As it turns out, pc_nic1 is an IP alias configured through Proxmox (more specifically, it was provisioned with Terraform, but let's stay on topic 😃), which proxmox-firewall does not resolve.

Will probably get Rusty over the weekend and dabble with the code to see if I can get aliases working 🦀

Fabian-Gruenbichler commented 2 months ago

this is a read-only mirror of our source code. please see our community forum and bug tracker for reporting issues.

the new firewall does not support legacy aliases/ipsets (without a prefix like dc/ or guest/). either wait for a fixed version, or edit your firewall settings once for each config file to trigger a read/modify/write cycle that adds those prefixes :)
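A pre-flight check in the spirit of that explanation, added here as an example and not code from proxmox-firewall: it scans a cluster.fw-style [IPSET ...] section before nftables mode is enabled and reports entries that are neither an IP/CIDR nor a dc/- or guest/-prefixed alias reference, which is the shape the panic above complains about. It assumes one entry per line, an optional leading `!` for nomatch, `#` comments, and that dc/ and guest/ are the only accepted prefixes; none of that is taken from the project's parser.

```rust
use std::net::IpAddr;

/// How one IPSet line would be treated by the assumed nftables-era rules.
#[derive(Debug, PartialEq)]
pub enum Entry {
    Address(String),        // plain IP or IP/prefix, always accepted
    PrefixedAlias(String),  // dc/name or guest/name, resolvable
    Invalid(String),        // neither: the "Invalid address in IPSet" case
}

/// Classify a single line; returns None for section headers and blank lines.
/// Config layout (leading '!' nomatch, '#' comments) is an assumption here.
pub fn classify(line: &str) -> Option<Entry> {
    let body = line.split('#').next().unwrap_or("").trim();
    let body = body.trim_start_matches('!').trim();
    if body.is_empty() || body.starts_with('[') {
        return None;
    }
    if is_address(body) {
        Some(Entry::Address(body.to_string()))
    } else if body.starts_with("dc/") || body.starts_with("guest/") {
        Some(Entry::PrefixedAlias(body.to_string()))
    } else {
        Some(Entry::Invalid(body.to_string()))
    }
}

/// Accept "a.b.c.d", "a.b.c.d/n", "::1", "2001:db8::/32" with a valid prefix length.
fn is_address(s: &str) -> bool {
    let (ip, prefix) = match s.split_once('/') {
        Some((a, p)) => (a, Some(p)),
        None => (s, None),
    };
    let addr = match ip.parse::<IpAddr>() {
        Ok(a) => a,
        Err(_) => return false,
    };
    let max = if addr.is_ipv4() { 32 } else { 128 };
    prefix.map_or(true, |p| p.parse::<u8>().map_or(false, |n| n <= max))
}

/// Every entry in the section that the new firewall would reject.
pub fn invalid_entries(section: &str) -> Vec<String> {
    section
        .lines()
        .filter_map(classify)
        .filter_map(|e| match e { Entry::Invalid(n) => Some(n), _ => None })
        .collect()
}

fn main() {
    // Constructed sample resembling the report: one legacy alias reference.
    let sample = "[IPSET lan_hosts]\n10.0.0.0/24\n!10.0.0.5 # excluded\ndc/gw\npc_nic1\n";
    for name in invalid_entries(sample) {
        println!("would be rejected: {name}");
    }
}
```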