[pve-devel] can't add fwpr2004p0 to bridge vmbr0: Unknown error 524

Stefan Priebe s.priebe at profihost.ag
Wed Jun 18 21:13:23 CEST 2014


On 18.06.2014 17:06, Alexandre DERUMIER wrote:
>>> # ipset save
>>> create PVEFW-0-management hash:net family inet hashsize 64 maxelem 64
>>> add PVEFW-0-management 10.255.0.0/24
>>> create PVEFW-0-venet0 hash:net family inet hashsize 64 maxelem 64
>
> I just tried to import your ipset + iptables rules, and no problem....
> I don't understand.
>
> Do you have other custom rules in input|output|forward?
>
> (#iptables-save result?)

Yes, but I already tried:
iptables -F

but it stays at:
Jun 18 21:11:36 cloud3-1351 pve-firewall[7944]: status update error: 
command '/sbin/iptables-restore -n' failed: exit code 1


Is there a way to get an exact idea of which rule fails?

Stefan


>
> ----- Original Message -----
>
> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
> To: "Alexandre DERUMIER" <aderumier at odiso.com>
> Cc: pve-devel at pve.proxmox.com
> Sent: Wednesday 18 June 2014 10:22:48
> Subject: Re: [pve-devel] can't add fwpr2004p0 to bridge vmbr0: Unknown error 524
>
> On 18.06.2014 10:03, Alexandre DERUMIER wrote:
>> This is strange. I just tried to apply the full ruleset on my test server, and it applies fine.
>>
>> Can you post the output of
>>
>> #ipset save
>>
>> ?
> # ipset save
> create PVEFW-0-management hash:net family inet hashsize 64 maxelem 64
> add PVEFW-0-management 10.255.0.0/24
> create PVEFW-0-venet0 hash:net family inet hashsize 64 maxelem 64
>
>
>> ----- Original Message -----
>>
>> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
>> To: "Alexandre DERUMIER" <aderumier at odiso.com>
>> Cc: pve-devel at pve.proxmox.com
>> Sent: Wednesday 18 June 2014 09:46:34
>> Subject: Re: [pve-devel] can't add fwpr2004p0 to bridge vmbr0: Unknown error 524
>>
>> Hi,
>>
>> On 18.06.2014 08:59, Alexandre DERUMIER wrote:
>>> Try my patch: #pve-firewall compile --full
>>>
>>> It should display the generated rules, and the error message from iptables-restore.
>>
>> This is the output with patch applied:
>> http://pastebin.com/raw.php?i=rvt127kw
>>
>> What I'm wondering is that these rules also do things on my normal
>> interfaces where I already run custom firewall rules.
>>
>> The next thing I tried was disabling the cluster firewall in the hope that
>> this results in firewall rules ONLY for the VMs.
>>
>> I think there should be a way to skip all those global rules for the hw
>> nodes and only apply rules for VMs.
>>
>> Stefan
>>
>>
>>> ----- Original Message -----
>>>
>>> From: "Stefan Priebe" <s.priebe at profihost.ag>
>>> To: "Alexandre DERUMIER" <aderumier at odiso.com>
>>> Cc: pve-devel at pve.proxmox.com
>>> Sent: Wednesday 18 June 2014 08:33:26
>>> Subject: Re: [pve-devel] can't add fwpr2004p0 to bridge vmbr0: Unknown error 524
>>>
>>> On 18.06.2014 03:16, Alexandre DERUMIER wrote:
>>>>>> The output is very long! Do you need everything?
>>>>
>>>> How many rules have you created? Are you talking about MB of output?
>>>>
>>>> If it's too big, you can send them to my email directly.
>>>
>>> No, I didn't even have rules set; that's the funny thing, and why I don't
>>> know why all traffic is blocked.
>>>
>>> But generally I see no rules under
>>> iptables -L -vnx
>>>
>>> Most probably due to:
>>> Jun 18 08:32:55 cloud3-1351 pve-firewall[7944]: status update error:
>>> command '/sbin/iptables-restore -n' failed: exit code 1
>>>
>>> Stefan
>>>
>>>> ----- Original Message -----
>>>>
>>>> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
>>>> To: "Alexandre DERUMIER" <aderumier at odiso.com>
>>>> Cc: pve-devel at pve.proxmox.com
>>>> Sent: Tuesday 17 June 2014 15:09:57
>>>> Subject: Re: [pve-devel] can't add fwpr2004p0 to bridge vmbr0: Unknown error 524
>>>>
>>>> On 17.06.2014 10:38, Alexandre DERUMIER wrote:
>>>>>>> Jun 17 10:28:04 cloud3-1351 pve-firewall[7944]: status update error:
>>>>>>> command '/sbin/iptables-restore -n' failed: exit code 1
>>>>>
>>>>> Something seems wrong in the generated rules.
>>>>>
>>>>> Can you do a
>>>>>
>>>>> #pve-firewall compile
>>>>>
>>>>> to see the generated rules?
>>>>
>>>> The output is very long! Do you need everything?
>>>>
>>>> Stefan
>>>>
>>>>> ----- Original Message -----
>>>>>
>>>>> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
>>>>> To: "Alexandre DERUMIER" <aderumier at odiso.com>
>>>>> Cc: pve-devel at pve.proxmox.com
>>>>> Sent: Tuesday 17 June 2014 10:28:32
>>>>> Subject: Re: [pve-devel] can't add fwpr2004p0 to bridge vmbr0: Unknown error 524
>>>>>
>>>>> Log says:
>>>>> Jun 17 10:27:59 cloud3-1351 dnsmasq-dhcp[8437]: DHCP packet received on
>>>>> fwbr2004i0 which has no address
>>>>> Jun 17 10:28:02 cloud3-1351 dnsmasq-dhcp[8437]: DHCPDISCOVER(vmbr0)
>>>>> c2:3e:63:19:6c:bf
>>>>> Jun 17 10:28:02 cloud3-1351 dnsmasq-dhcp[8437]: DHCPOFFER(vmbr0)
>>>>> 10.10.28.3 c2:3e:63:19:6c:bf
>>>>> Jun 17 10:28:04 cloud3-1351 pve-firewall[7944]: status update error:
>>>>> command '/sbin/iptables-restore -n' failed: exit code 1
>>>>>
>>>>> On 17.06.2014 10:26, Stefan Priebe - Profihost AG wrote:
>>>>>> OK, adding an empty
>>>>>> netpoll pdo controller to the veth device in the kernel fixes the problem.
>>>>>>
>>>>>> The veth device does not support netpoll.
>>>>>>
>>>>>> Without the netconsole driver I can start the VM. But if the firewall is
>>>>>> enabled I have no network, even with Input Policy and Output Policy set
>>>>>> to ACCEPT.
>>>>>>
>>>>>> What should I check now?
>>>>>>
>>>>>> Stefan
>>>>>> On 16.06.2014 11:49, Alexandre DERUMIER wrote:
>>>>>>>>> I think this should get cleaned in that case?
>>>>>>>
>>>>>>> Currently the cleanup is done:
>>>>>>>
>>>>>>> at vm shutdown
>>>>>>> at vm start
>>>>>>> when you disable|enable firewall on netX through api
>>>>>>>
>>>>>>> But indeed we can improve that (I'll try to have a look at it).
>>>>>>>
>>>>>>>
>>>>>>>>> I just don't get why it works for vmbr1 but not for vmbr0.
>>>>>>>
>>>>>>> Can you try to manually add
>>>>>>>
>>>>>>> #brctl addif fwln2004i0 fwbr2004i0
>>>>>>> #brctl addif fwpr2004p0 vmbr0
>>>>>>>
>>>>>>> ?
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> ----- Original Message -----
>>>>>>>
>>>>>>> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
>>>>>>> To: "Alexandre DERUMIER" <aderumier at odiso.com>
>>>>>>> Cc: pve-devel at pve.proxmox.com
>>>>>>> Sent: Monday 16 June 2014 11:40:59
>>>>>>> Subject: Re: [pve-devel] can't add fwpr2004p0 to bridge vmbr0: Unknown error 524
>>>>>>>
>>>>>>> On 16.06.2014 11:37, Alexandre DERUMIER wrote:
>>>>>>>>>> What is the difference between the normal tap device without firewall -
>>>>>>>>>> which works fine for me on vmbr0 and vmbr1 and the firewall tap one?
>>>>>>>>
>>>>>>>> There is no difference.
>>>>>>>>
>>>>>>>> We just need a dedicated bridge (fwbrxxx) per firewalled tap interface,
>>>>>>>> and this bridge is plugged into vmbrX through a veth pair (fwprxxxx).
>>>>>>>
>>>>>>> I just don't get why it works for vmbr1 but not for vmbr0.
>>>>>>>
>>>>>>> I don't see a difference.
>>>>>>>
>>>>>>> Generally if adding the bridge fails for whatever reason there is a lot
>>>>>>> of unremoved stuff:
>>>>>>>
>>>>>>> [: ~]# ip a l | grep fwbr
>>>>>>> 14: fwbr2004i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue
>>>>>>> state UP
>>>>>>> 16: fwln2004i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc
>>>>>>> pfifo_fast master fwbr2004i0 state UP qlen 1000
>>>>>>>
>>>>>>> [: ~]# ifconfig | grep ^fw
>>>>>>> fwbr2004i0 Link encap:Ethernet HWaddr d2:74:33:d9:50:92
>>>>>>> fwln2004i0 Link encap:Ethernet HWaddr d2:74:33:d9:50:92
>>>>>>> fwpr2004p0 Link encap:Ethernet HWaddr b2:47:35:28:2c:de
>>>>>>>
>>>>>>> I think this should get cleaned in that case?
>>>>>>>
>>>>>>> Stefan
>>>>>>>
>>>>>>>>
>>>>>>>> ----- Original Message -----
>>>>>>>>
>>>>>>>> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
>>>>>>>> To: "Alexandre DERUMIER" <aderumier at odiso.com>
>>>>>>>> Cc: pve-devel at pve.proxmox.com
>>>>>>>> Sent: Monday 16 June 2014 11:29:00
>>>>>>>> Subject: Re: [pve-devel] can't add fwpr2004p0 to bridge vmbr0: Unknown error 524
>>>>>>>>
>>>>>>>> What is the difference between the normal tap device without firewall -
>>>>>>>> which works fine for me on vmbr0 and vmbr1 and the firewall tap one?
>>>>>>>>
>>>>>>>> Stefan
>>>>>>>> On 16.06.2014 11:10, Stefan Priebe - Profihost AG wrote:
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> I get the same problem with the official redhat PVE Kernel.
>>>>>>>>>
>>>>>>>>> What I don't understand is that it works fine with vmbr1 but not with
>>>>>>>>> vmbr0.
>>>>>>>>>
>>>>>>>>> Interfaces file on host:
>>>>>>>>>
>>>>>>>>> auto vmbr0
>>>>>>>>> iface vmbr0 inet static
>>>>>>>>> address XX.XX.XX.XX
>>>>>>>>> netmask 255.255.255.128
>>>>>>>>> gateway XX.XX.XX.XX
>>>>>>>>> bridge_ports bond0
>>>>>>>>> bridge_stp off
>>>>>>>>> bridge_fd 0
>>>>>>>>>
>>>>>>>>> auto vmbr1
>>>>>>>>> iface vmbr1 inet manual
>>>>>>>>> bridge_ports bond1
>>>>>>>>> bridge_stp off
>>>>>>>>> bridge_fd 0
>>>>>>>>>
>>>>>>>>> Stefan
>>>>>>>>>
>>>>>>>>> On 16.06.2014 09:50, Alexandre DERUMIER wrote:
>>>>>>>>>>>> Do i need a special kernel feature?
>>>>>>>>>> I don't think so.
>>>>>>>>>> It just creates a veth pair, then plugs them into a bridge.
>>>>>>>>>>
>>>>>>>>>> I checked my logs; I don't have these:
>>>>>>>>>>
>>>>>>>>>> "netpoll: (null): fwpr2004p0 doesn't support polling, aborting "
>>>>>>>>>>
>>>>>>>>>> Do you use a custom kernel?
>>>>>>>>>
>>>>>>>>> Stefan
>>>>>>>>>
>>>>>> _______________________________________________
>>>>>> pve-devel mailing list
>>>>>> pve-devel at pve.proxmox.com
>>>>>> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>>>>>>
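An added worked example, not pve-firewall code and not something anyone posted in this thread: Stefan's question above, how to get an exact idea of which rule makes "/sbin/iptables-restore -n" fail when the log only shows "exit code 1", can be answered by saving the output of "pve-firewall compile" to a file and bisecting one table of it against a parse-only run of iptables-restore. The script below does that. It assumes an iptables-restore that accepts -t/--test (parse and construct the ruleset without committing it). Its demo section runs offline with a constructed ruleset and a stand-in validator: the set names PVEFW-0-management and PVEFW-0-venet0 are taken from the ipset save output in this thread, while PVEFW-0-missing, the chain contents and the stand-in's behaviour are made up for the example.

```shell
#!/bin/sh
# Added example, not pve-firewall code: find the first rule in a saved ruleset
# that iptables-restore refuses, by feeding growing prefixes of one table to a
# parse-only validator and bisecting on its exit status.
#
# Real use (assumes an iptables-restore with -t/--test, parse but do not
# commit; -n leaves the rules currently loaded on the host alone):
#   pve-firewall compile > /tmp/pve.rules
#   RESTORE_CMD="iptables-restore -n -t" ; find_failing_rule /tmp/pve.rules filter
RESTORE_CMD=${RESTORE_CMD:-"iptables-restore -n -t"}

# Emit "*table", every chain declaration, the first N rule lines of the table
# body and COMMIT, pipe that into the validator and return its exit status.
try_prefix() {
    tp_body=$1; tp_table=$2; tp_n=$3
    {
        echo "*$tp_table"
        grep '^:' "$tp_body" || true            # ':CHAIN POLICY [p:b]' lines
        grep '^-' "$tp_body" | head -n "$tp_n"  # '-A CHAIN ...' rule lines
        echo COMMIT
    } | $RESTORE_CMD >/dev/null 2>&1
}

# Usage: find_failing_rule RULESFILE [TABLE]   (TABLE defaults to filter)
# Prints the first rule of that table the validator rejects and returns 0.
# Returns 1 if the whole table loads, 2 if even the header alone is rejected.
find_failing_rule() {
    ff_file=$1; ff_table=${2:-filter}
    ff_body=$(mktemp)
    # cut the requested table out of the dump (it may hold several tables),
    # dropping the '*table' and 'COMMIT' lines themselves
    awk -v t="*$ff_table" '$0 == t {p = 1; next} p && $0 == "COMMIT" {exit} p' \
        "$ff_file" > "$ff_body"
    ff_total=$(grep -c '^-' "$ff_body" || true)

    if ! try_prefix "$ff_body" "$ff_table" 0; then
        echo "table $ff_table: chain declarations alone are rejected" >&2
        rm -f "$ff_body"; return 2
    fi
    if try_prefix "$ff_body" "$ff_table" "$ff_total"; then
        rm -f "$ff_body"; return 1
    fi
    # invariant: a prefix of ff_lo rules loads, a prefix of ff_hi rules fails
    ff_lo=0; ff_hi=$ff_total
    while [ $((ff_hi - ff_lo)) -gt 1 ]; do
        ff_mid=$(( (ff_lo + ff_hi) / 2 ))
        if try_prefix "$ff_body" "$ff_table" "$ff_mid"; then
            ff_lo=$ff_mid
        else
            ff_hi=$ff_mid
        fi
    done
    grep '^-' "$ff_body" | sed -n "${ff_hi}p"
    rm -f "$ff_body"
}

# ---- offline demo with constructed data (no root, no iptables needed) ----

# Stand-in for iptables-restore, constructed for the demo: it mimics the real
# tool only in exiting non-zero on a rule it cannot load, here any
# '--match-set' that names a set other than the two known ones.
fake_restore() {
    fr_rc=0
    while IFS= read -r fr_line; do
        case $fr_line in
            *"--match-set PVEFW-0-management "*|*"--match-set PVEFW-0-venet0 "*) ;;
            *--match-set*) fr_rc=1 ;;
        esac
    done
    return $fr_rc
}

# Constructed ruleset in iptables-save format: rule 4 references a set that
# was never created, which is the kind of thing the restore would choke on.
DEMO_RULES=$(mktemp)
cat > "$DEMO_RULES" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PVEFW-HOST-IN - [0:0]
-A INPUT -j PVEFW-HOST-IN
-A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-IN -m set --match-set PVEFW-0-management src -p tcp --dport 8006 -j ACCEPT
-A PVEFW-HOST-IN -m set --match-set PVEFW-0-missing src -p tcp --dport 22 -j ACCEPT
-A PVEFW-HOST-IN -m set --match-set PVEFW-0-venet0 src -j ACCEPT
COMMIT
EOF

RESTORE_CMD=fake_restore          # demo only; unset or reset for real use
find_failing_rule "$DEMO_RULES" filter
```

If your iptables-restore prints "iptables-restore: line N failed" on stderr, that N already locates the offending line in the saved file; the bisection is for the case in this thread, where only the exit code reaches the log. Bisecting on prefixes is sound because a prefix that fails keeps failing when more rules are appended, and the chain declarations are kept in every probe so that a jump to a later chain never fails for the wrong reason. Keep -n on real runs so a probe never flushes the custom rules Stefan mentions already running on the host.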


