[pve-devel] can't add fwpr2004p0 to bridge vmbr0: Unknown error 524

Alexandre DERUMIER aderumier at odiso.com
Tue Jun 17 10:44:19 CEST 2014


By the way, I think we could improve,

Firewall.pm

sub iptables_restore_cmdlist {
    my ($cmdlist) = @_;

    run_command("/sbin/iptables-restore -n", input => $cmdlist);
} 


and parse the iptables-restore errors (we can have info of which line is wrong in iptables commands)


----- Original message -----

From: "Alexandre DERUMIER" <aderumier at odiso.com>
To: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
Cc: pve-devel at pve.proxmox.com
Sent: Tuesday 17 June 2014 10:38:12
Subject: Re: [pve-devel] can't add fwpr2004p0 to bridge vmbr0: Unknown error 524

>>Jun 17 10:28:04 cloud3-1351 pve-firewall[7944]: status update error: command '/sbin/iptables-restore -n' failed: exit code 1

Something seems wrong in the generated rules.

Can you do a

#pve-firewall compile

to see the generated rules?


----- Original message -----

From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com
Sent: Tuesday 17 June 2014 10:28:32
Subject: Re: [pve-devel] can't add fwpr2004p0 to bridge vmbr0: Unknown error 524

Log says:
Jun 17 10:27:59 cloud3-1351 dnsmasq-dhcp[8437]: DHCP packet received on fwbr2004i0 which has no address
Jun 17 10:28:02 cloud3-1351 dnsmasq-dhcp[8437]: DHCPDISCOVER(vmbr0) c2:3e:63:19:6c:bf
Jun 17 10:28:02 cloud3-1351 dnsmasq-dhcp[8437]: DHCPOFFER(vmbr0) 10.10.28.3 c2:3e:63:19:6c:bf
Jun 17 10:28:04 cloud3-1351 pve-firewall[7944]: status update error: command '/sbin/iptables-restore -n' failed: exit code 1

On 17.06.2014 10:26, Stefan Priebe - Profihost AG wrote:
> OK adding an empty 
> netpoll pdo controller to the veth device in the kernel fixes the problem. 
> 
> The veth device does not support netpoll. 
> 
> Without the netconsole driver I can start the VM. But if the firewall is
> enabled I have no network - even with Input Policy and Output Policy set
> to ACCEPT.
>
> What should I check now?
>
> Stefan
> On 16.06.2014 11:49, Alexandre DERUMIER wrote:
>>>> I think this should get cleaned in that case? 
>> 
>> currently the cleanup is done: 
>> 
>> at vm shutdown 
>> at vm start 
>> when you disable|enable firewall on netX through api 
>> 
>> but indeed we can improve that (I'll try to have a look at it) 
>> 
>> 
>>>> I just don't get why it works for vmbr1 but not for vmbr0. 
>> 
>> can you try to manually add 
>> 
>> #brctl addif fwbr2004i0 fwln2004i0
>> #brctl addif vmbr0 fwpr2004p0
>> 
>> ? 
>> 
>> 
>> 
>> 
>> ----- Original message -----
>>
>> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
>> To: "Alexandre DERUMIER" <aderumier at odiso.com>
>> Cc: pve-devel at pve.proxmox.com
>> Sent: Monday 16 June 2014 11:40:59
>> Subject: Re: [pve-devel] can't add fwpr2004p0 to bridge vmbr0: Unknown error 524
>>
>> On 16.06.2014 11:37, Alexandre DERUMIER wrote:
>>>>> What is the difference between the normal tap device without firewall - 
>>>>> which works fine for me on vmbr0 and vmbr1 and the firewall tap one? 
>>> 
>>> There is no difference.
>>>
>>> We just need a dedicated bridge (fwbrxxx) per firewalled tap interface,
>>> and this bridge is plugged into vmbrX through a veth pair (fwprxxxx)
>> 
>> I just don't get why it works for vmbr1 but not for vmbr0. 
>> 
>> I don't see a difference. 
>> 
>> Generally if adding the bridge fails for whatever reason there is a lot 
>> of unremoved stuff: 
>> 
>> [: ~]# ip a l | grep fwbr 
>> 14: fwbr2004i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
>> 16: fwln2004i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master fwbr2004i0 state UP qlen 1000
>> 
>> [: ~]# ifconfig| grep ^fw 
>> fwbr2004i0 Link encap:Ethernet HWaddr d2:74:33:d9:50:92 
>> fwln2004i0 Link encap:Ethernet HWaddr d2:74:33:d9:50:92 
>> fwpr2004p0 Link encap:Ethernet HWaddr b2:47:35:28:2c:de 
>> 
>> I think this should get cleaned in that case? 
>> 
>> Stefan 
>> 
>>> 
>>> ----- Original message -----
>>>
>>> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
>>> To: "Alexandre DERUMIER" <aderumier at odiso.com>
>>> Cc: pve-devel at pve.proxmox.com
>>> Sent: Monday 16 June 2014 11:29:00
>>> Subject: Re: [pve-devel] can't add fwpr2004p0 to bridge vmbr0: Unknown error 524
>>> 
>>> What is the difference between the normal tap device without firewall - 
>>> which works fine for me on vmbr0 and vmbr1 and the firewall tap one? 
>>> 
>>> Stefan 
>>> On 16.06.2014 11:10, Stefan Priebe - Profihost AG wrote:
>>>> Hi, 
>>>> 
>>>> I get the same problem with the official redhat PVE Kernel.
>>>>
>>>> What I don't understand is that it works fine with vmbr1 but not with
>>>> vmbr0.
>>>> 
>>>> Interfaces file on host: 
>>>> 
>>>> auto vmbr0 
>>>> iface vmbr0 inet static 
>>>> address XX.XX.XX.XX 
>>>> netmask 255.255.255.128 
>>>> gateway XX.XX.XX.XX 
>>>> bridge_ports bond0 
>>>> bridge_stp off 
>>>> bridge_fd 0 
>>>> 
>>>> auto vmbr1 
>>>> iface vmbr1 inet manual 
>>>> bridge_ports bond1 
>>>> bridge_stp off 
>>>> bridge_fd 0 
>>>> 
>>>> Stefan 
>>>> 
>>>> On 16.06.2014 09:50, Alexandre DERUMIER wrote:
>>>>>>> Do I need a special kernel feature?
>>>>> I don't think so.
>>>>> It just creates a veth pair, then plugs them into the bridge.
>>>>>
>>>>> I checked my logs, I don't have these
>>>>>
>>>>> "netpoll: (null): fwpr2004p0 doesn't support polling, aborting "
>>>>>
>>>>> Do you use a custom kernel?
>>>> 
>>>> Stefan 
>>>> 
> _______________________________________________ 
> pve-devel mailing list 
> pve-devel at pve.proxmox.com 
> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 
> 
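
An added example (not part of the original message, and not code from pve-firewall): one way to parse the iptables-restore errors as suggested at the top of this message, mapping the reported line number back to the rule in the command list. The sub name locate_restore_error, the sample rules and the sample error text are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Map an iptables-restore error message back to the offending input line.
# Two message forms carry a line number:
#   "iptables-restore: line N failed"  (line rejected while being applied)
#   "Error occurred at line: N"        (line could not be parsed)
sub locate_restore_error {
    my ($cmdlist, $stderr) = @_;

    my $lineno;
    if ($stderr =~ /^\S+: line (\d+) failed/m) {
        $lineno = $1;
    } elsif ($stderr =~ /Error occurred at line: (\d+)/) {
        $lineno = $1;
    }
    return if !defined($lineno);

    my @rules = split(/\n/, $cmdlist);
    return if $lineno < 1 || $lineno > scalar(@rules);

    # Walk back to the "*table" header that the failing line belongs to.
    my $table;
    for (my $i = $lineno - 1; $i >= 0; $i--) {
        if ($rules[$i] =~ /^\*(\S+)/) { $table = $1; last; }
    }
    my $text = $rules[$lineno - 1];
    # A failure at COMMIT means the table was rejected as a whole.
    return { line => $lineno, table => $table, rule => $text,
             at_commit => ($text =~ /^COMMIT\b/ ? 1 : 0) };
}

# Constructed sample input: line 4 uses a match that does not exist.
my $cmdlist = <<'EOF';
*filter
:PVEFW-INPUT - [0:0]
-A PVEFW-INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-INPUT -m nosuchmatch -j DROP
COMMIT
EOF
# Constructed sample stderr in the parse-error form.
my $stderr = <<'EOF';
iptables-restore v1.4.14: Couldn't load match `nosuchmatch':No such file or directory

Error occurred at line: 4
EOF

if (my $err = locate_restore_error($cmdlist, $stderr)) {
    printf "table %s, line %d: %s\n", $err->{table} // '?', $err->{line}, $err->{rule};
}
```

Logging the returned rule next to the "status update error" message would show which generated rule was rejected without having to run pve-firewall compile by hand.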