[SOLVED] invalid ipset name

liberodark

Hi,

I currently have a modified PVE 8.1.x
And I'm stuck on a small problem defining via ipset.
I can't use my firewall as I would like. My configuration works on a classic PVE.
But here I tell myself that I probably forgot a defconfig side for the kernel.
Do you have any ideas or recommendations on this?

Best Regards



Code:
Jan 26 12:15:58 sv1 pve-firewall[4109]: /etc/pve/firewall/cluster.fw (line 25) - errors in rule parameters: IN HTTPS(ACCEPT) -source +dc/whitelist -log nolog
Jan 26 12:15:58 sv1 pve-firewall[4109]:   source: invalid ipset name '+dc/whitelist'
Jan 26 12:16:08 sv1 pve-firewall[4109]: /etc/pve/firewall/cluster.fw (line 21) - errors in rule parameters: IN Ping(ACCEPT) -source +dc/whitelist -log nolog
Jan 26 12:16:08 sv1 pve-firewall[4109]:   source: invalid ipset name '+dc/whitelist'
Jan 26 12:16:08 sv1 pve-firewall[4109]: /etc/pve/firewall/cluster.fw (line 22) - errors in rule parameters: IN ACCEPT -source +dc/whitelist -p tcp -dport 800>
Jan 26 12:16:08 sv1 pve-firewall[4109]:   source: invalid ipset name '+dc/whitelist'
Jan 26 12:16:08 sv1 pve-firewall[4109]: /etc/pve/firewall/cluster.fw (line 23) - errors in rule parameters: IN SSH(ACCEPT) -source +dc/whitelist -log nolog
Jan 26 12:16:08 sv1 pve-firewall[4109]:   source: invalid ipset name '+dc/whitelist'
Jan 26 12:16:08 sv1 pve-firewall[4109]: /etc/pve/firewall/cluster.fw (line 25) - errors in rule parameters: IN HTTPS(ACCEPT) -source +dc/whitelist -log nolog
Jan 26 12:16:08 sv1 pve-firewall[4109]:   source: invalid ipset name '+dc/whitelist'
 
Yes, unfortunately I don't have much choice.
And then it allows me to work better on PVE.
I understand that you have no idea on this subject.
But ultimately what I'm trying to understand is the root cause of my problem.
Really this post is just intended to perhaps call out to someone who had the same problem or perhaps direct me towards a possible solution.
In any case, thank you for your response. @sb-jw
 
There currently is a bug with editing firewall rules that contain IPs / CIDRs. I have already provided a fix [1] on the mailing list, so it should be included in a future update. Maybe there is also something in relation to IPSets? That could explain the UI error you are seeing. You can currently circumvent it by deleting the Source / Destination entry and re-selecting it.

Nevertheless, the second error you posted (invalid ipset name '+dc/whitelist') looks like you created an IPSet and then renamed / deleted it? What does your firewall config look like currently? Could you post it (/etc/pve/firewall/cluster.fw)?

The question here is ultimately, what changes have you made?
This, of course, would be interesting to know as well...

[1] https://lists.proxmox.com/pipermail/pve-devel/2024-January/061388.html
 
Hi, @shanreich
My principal change is to the kernel: I'm not using the Ubuntu kernel.
But the ipset values have been correctly set in the defconfig file.

This is my config:

Code:
[OPTIONS]

enable: 1

[IPSET whitelist]

10.x.x.x

[RULES]

GROUP security

[group security]

IN Ping(ACCEPT) -source +dc/whitelist -log nolog
IN ACCEPT -source +dc/whitelist -p tcp -dport 8006 -log nolog
IN SSH(ACCEPT) -source +dc/whitelist -log nolog
IN DROP -log info
IN HTTPS(ACCEPT) -source +dc/whitelist -log nolog

Best Regards
 
The config looks fine to me, what's the current version of your pve-firewall package? Please post the output of `pveversion -v`

For the UI error: Do you have any errors in the console of your browser? (F12)
 
I'm on pve-firewall: 4.1-4
That is very likely the issue - the support for scoped IPSets only got added in 5.0.1

Since you said you are on PVE 8.1: How did you install / update this version? It seems like you have outdated packages. 8.1 should ship with 5.0.x

What does your apt sources file look like? Do you have newer packages available?
 
Hi,

OK, I see. The issue is probably that I need to upgrade pve-firewall to 5.x.

These are all my packages:

Code:
proxmox-ve: 8.1.0 (running kernel: 5.15.0-pve)
pve-manager: 8.1.3
corosync: 3.1.7-pve3
glusterfs-client: 11.1-3
ifupdown2: 3.2.0-1+pmx7
libjs-extjs: 7.0.0-3
libknet1: 1.28-1
libproxmox-acme-perl: 1.1.0
libproxmox-backup-qemu0: 1.4.1
libproxmox-rs-perl: 0.3.1
libpve-access-control: 8.0.7
libpve-apiclient-perl: 3.1-3
libpve-common-perl: 8.1.0-1
libpve-guest-common-perl: 5.0.6
libpve-http-server-perl: 5.0.5
libpve-rs-perl: 0.8.7
libpve-storage-perl: 8.0.5
libspice-server1: 0.15.1-1
lvm2: 2.03.16-3
lxc-pve: 5.0.2-4
lxcfs: 5.0.4-1+b1
novnc-pve: 1.4.0-2
proxmox-mail-forward: 0.2.2
proxmox-mini-journalreader: 1.4.0
proxmox-widget-toolkit: 4.1.3
pve-cluster: 8.0.5
pve-container: 5.0.8
pve-docs: 8.1.3
pve-edk2-firmware: not correctly installed
pve-firewall: 4.1-4
pve-ha-manager: 4.0.3
pve-i18n: 3.0.2
pve-qemu-kvm: 8.1.2-6
pve-xtermjs: 5.3.0-3
qemu-server: 8.0.11+riscv64
smartmontools: 7.4-2
spiceterm: 3.3.0
vncterm: 1.8.0
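
The diagnosis reached in the thread (scoped references such as `+dc/whitelist` are rejected by a pve-firewall older than 5.0.1) can be checked before a ruleset is deployed. The following is an added example, not code from the thread or from Proxmox: the function names, the simplified version comparison and the sample inputs are assumptions made for illustration.

```python
import re

# Minimum pve-firewall version with scoped IPSet support, as stated in the thread.
MIN_SCOPED = (5, 0, 1)

# Constructed sample inputs modelled on the posts above (the unscoped
# "+whitelist" rule is added here for contrast and is not from the thread).
SAMPLE_VERSIONS = "pve-manager: 8.1.3\npve-firewall: 4.1-4\n"
SAMPLE_FW = """\
[IPSET whitelist]
10.x.x.x
[group security]
IN Ping(ACCEPT) -source +dc/whitelist -log nolog
IN SSH(ACCEPT) -source +whitelist -log nolog
IN DROP -log info
"""

def version_tuple(text):
    """Numeric fields of a version string, e.g. '4.1-4' -> (4, 1, 4).
    Simplified comparison, not full Debian version ordering."""
    return tuple(int(n) for n in re.findall(r"\d+", text))

def firewall_version(pveversion_output):
    """Extract the pve-firewall version from `pveversion -v` output."""
    m = re.search(r"^pve-firewall:\s*(\S+)", pveversion_output, re.M)
    return m.group(1) if m else None

def scoped_refs(fw_text):
    """Return (line_no, reference) for each -source/-dest value of the form
    +scope/name. Accepting any word as the scope is an assumption."""
    hits = []
    for no, line in enumerate(fw_text.splitlines(), 1):
        for ref in re.findall(r"-(?:source|dest)\s+(\+\w+/[\w-]+)", line):
            hits.append((no, ref))
    return hits

def check(pveversion_output, fw_text):
    """List the rules that an older pve-firewall would reject as invalid."""
    ver = firewall_version(pveversion_output)
    if ver is None:
        raise ValueError("pve-firewall not found in pveversion output")
    if version_tuple(ver) >= MIN_SCOPED:
        return []
    return [f"line {no}: {ref} needs pve-firewall >= 5.0.1 (installed {ver})"
            for no, ref in scoped_refs(fw_text)]

if __name__ == "__main__":
    for finding in check(SAMPLE_VERSIONS, SAMPLE_FW):
        print(finding)
```

On a host, the two inputs would be the output of `pveversion -v` and the contents of `/etc/pve/firewall/cluster.fw`.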
 
