[pve-devel] making the firewall more robust?

Stefan Priebe - Profihost AG s.priebe at profihost.ag
Tue Nov 29 10:46:34 CET 2016


Am 29.11.2016 um 10:24 schrieb Fabian Grünbichler:
> On Tue, Nov 29, 2016 at 10:10:53AM +0100, Stefan Priebe - Profihost AG wrote:
>> Hello,
>>
>> today I've noticed that the firewall is nearly inactive on a node.
>>
>> systemctl status says:
>> Nov 29 10:07:05 node2 pve-firewall[2534]: status update error:
>> ipset_restore_cmdlist: ipset v6.23: Error in line 3: The value of the
>> CIDR parameter of the IP address is invalid
>> Nov 29 10:07:14 node2 pve-firewall[2534]: status update error:
>> ipset_restore_cmdlist: ipset v6.23: Error in line 3: The value of the
>> CIDR parameter of the IP address is invalid
>> Nov 29 10:07:24 node2 pve-firewall[2534]: status update error:
>> ipset_restore_cmdlist: ipset v6.23: Error in line 3: The value of the
>> CIDR parameter of the IP address is invalid
>>
>> So it seems that the whole firewall breaks if there is somewhere
>> something wrong.
>>
>> I think especially for the firewall it's important to just skip that
>> line but process all other values.
>>
>> How is your opinion? Any idea how to "fix" that?
> 
> that bug should already be fixed in git AFAIK.

Which one? Cannot find the commit. I'm running pve-firewall 2.0-31

> there are two problems with partially applying firewall rules:
> - we don't know which rules are invalid (because of course we try to
>   generate valid rules, errors like the above are clearly bugs ;)) - we
>   could guess based on some error message by the underlying tools, but
>   that is error prone
> - applying some rules but not all can have as catastrophic consequences
>   as not applying any (e.g., if you miss a single ACCEPT rule because of
>   a bug, you might not be able to access your cluster at all!)

OK sure. But then we should maybe send an email to root in case of a
failure? Currently nobody knows if such a failure happens. Also the
pve-firewall daemon does not fail itself. So even systemd says
pve-firewall is up and running.

Greets,
Stefan
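An added example, not part of this thread and not code from the pve-firewall project: since the daemon keeps running and systemd reports it healthy, the condition Stefan describes has to be detected from the log. The script below is a POSIX sh check that scans journal-style lines for the "status update error" messages shown above, counts them, summarises the distinct error texts, and exits non-zero when any are present, so it can be wired to a cron job that mails root. The log lines embedded in it are constructed to mirror the output quoted in the thread (plus one unrelated cron line as noise); the function names are this example's own.

```shell
#!/bin/sh
# Added example: detect pve-firewall "status update error" lines in journal output.
# Not pve-firewall's own code. Function names are this example's own.

# Constructed sample log, modelled on the systemctl output quoted in the thread.
SAMPLE_LOG='Nov 29 10:07:05 node2 pve-firewall[2534]: status update error: ipset_restore_cmdlist: ipset v6.23: Error in line 3: The value of the CIDR parameter of the IP address is invalid
Nov 29 10:07:10 node2 cron[4101]: (root) CMD (run-parts /etc/cron.hourly)
Nov 29 10:07:14 node2 pve-firewall[2534]: status update error: ipset_restore_cmdlist: ipset v6.23: Error in line 3: The value of the CIDR parameter of the IP address is invalid
Nov 29 10:07:24 node2 pve-firewall[2534]: status update error: ipset_restore_cmdlist: ipset v6.23: Error in line 3: The value of the CIDR parameter of the IP address is invalid'

# Print only the text that follows "status update error: " on pve-firewall
# lines read from stdin, one message per line. Lines from other units and
# non-error pve-firewall lines are dropped.
fw_error_messages() {
    sed -n 's/^.*pve-firewall\[[0-9][0-9]*\]: status update error: //p'
}

# Number of error lines on stdin. Always exits 0 (wc/tr are last), so it is
# safe to call under "set -e" even when nothing matches.
count_fw_errors() {
    fw_error_messages | wc -l | tr -d ' '
}

# Number of distinct error messages on stdin (the thread shows one message
# repeated every ~10 s; a flapping daemon would show several).
count_distinct_fw_errors() {
    fw_error_messages | sort -u | wc -l | tr -d ' '
}

# Read a log from stdin, print a summary, and return 1 when errors were seen
# so the caller can chain "|| mail ..." or "|| exit 1".
report_fw_errors() {
    log=$(cat)
    n=$(printf '%s\n' "$log" | count_fw_errors)
    if [ "$n" -eq 0 ]; then
        echo "pve-firewall: no status update errors found"
        return 0
    fi
    echo "pve-firewall: $n status update error(s); distinct messages (count, text):"
    printf '%s\n' "$log" | fw_error_messages | sort | uniq -c | sort -rn
    return 1
}

# Run against the constructed sample when invoked as: sh check_pve_fw.sh --demo
if [ "${1-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | report_fw_errors || :
fi
```

On a real node the log would come from journalctl rather than the embedded sample, for example from a cron entry such as `report=$(journalctl -u pve-firewall --since '-10 min' --no-pager | report_fw_errors) || printf '%s\n' "$report" | mail -s "pve-firewall errors on $(hostname)" root`. The check deliberately matches on the daemon's own "status update error:" prefix rather than on the ipset wording, so other underlying tool failures surface as well; note that this only detects the condition after the fact and does nothing about the rule set itself, which, as Fabian points out, is still either applied completely or not at all.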
