I updated my Proxmox server today and immediately ran into problems with the firewall, locking me out from the server.
I rebooted the server hoping that would bring things back up again, but this made me aware that it was in fact a firewall lockout. VMs and CTs are running fine.
After requesting a remote KVM session with my host I managed to find some evidence on what happened.
/var/log/apt/history.log
Code:
Commandline: apt dist-upgrade
Install: zstd:amd64 (1.3.8+dfsg-3, automatic), libproxmox-acme-perl:amd64 (1.0.2, automatic), idn:amd64 (1.33-2.2, automatic)
Upgrade: proxmox-widget-toolkit:amd64 (2.1-3, 2.1-6), libpve-access-control:amd64 (6.0-6, 6.0-7), libpve-storage-perl:amd64 (6.1-5, 6.1-7), libpve-cluster-api-perl:amd64 (6.1-4, 6.1-8), libpve-cluster-perl:amd64 (6.1-4, 6.1-8), pve-firewall:amd64 (4.0-10, 4.1-1), pve-container:amd64 (3.0-23, 3.1-4), pve-cluster:amd64 (6.1-4, 6.1-8), pve-i18n:amd64 (2.0-4, 2.1-1), pve-manager:amd64 (6.1-8, 6.1-11), libpve-guest-common-perl:amd64 (3.0-5, 3.0-10), libpve-common-perl:amd64 (6.0-17, 6.1-1), lxc-pve:amd64 (3.2.1-1, 4.0.2-1), qemu-server:amd64 (6.1-7, 6.1-19), pve-kernel-helper:amd64 (6.1-8, 6.1-9), lxcfs:amd64 (4.0.1-pve1, 4.0.3-pve2)
Once the updates are done, pve-firewall reports errors with the security groups I've made (and use) for the Datacenter firewall.
/var/log/pve-firewall.log
Code:
May 6 12:42:01 node151 pve-firewall[1852]: /etc/pve/firewall/cluster.fw (line 25) - errors in rule parameters: GROUP netdata
May 6 12:42:01 node151 pve-firewall[1852]: action: security group 'netdata' does not exist
May 6 12:42:01 node151 pve-firewall[1852]: /etc/pve/firewall/cluster.fw (line 26) - errors in rule parameters: GROUP proxmox
May 6 12:42:01 node151 pve-firewall[1852]: action: security group 'proxmox' does not exist
May 6 12:42:01 node151 pve-firewall[1852]: /etc/pve/firewall/cluster.fw (line 27) - errors in rule parameters: GROUP ping
May 6 12:42:01 node151 pve-firewall[1852]: action: security group 'ping' does not exist
May 6 12:42:01 node151 pve-firewall[1852]: restarting server
May 6 12:42:01 node151 pve-firewall[1852]: /etc/pve/firewall/cluster.fw (line 25) - errors in rule parameters: GROUP netdata
May 6 12:42:01 node151 pve-firewall[1852]: action: security group 'netdata' does not exist
May 6 12:42:01 node151 pve-firewall[1852]: /etc/pve/firewall/cluster.fw (line 26) - errors in rule parameters: GROUP proxmox
May 6 12:42:01 node151 pve-firewall[1852]: action: security group 'proxmox' does not exist
May 6 12:42:01 node151 pve-firewall[1852]: /etc/pve/firewall/cluster.fw (line 27) - errors in rule parameters: GROUP ping
May 6 12:42:01 node151 pve-firewall[1852]: action: security group 'ping' does not exist
I disabled the firewall in cluster.fw and rebooted.
What I do notice now is that when trying to add security groups to a server from the Proxmox WebUI, it returns an error.
I can still manually set firewall rules for Datacenter, but not use any of the security groups. Trying to insert a group returns the error above.
However, for VM/CT firewall settings I can add security groups without any problems.
I am not sure what I can do to recover from this.
Anyone else having issues? What may be the cause of this and how to resolve it?
Thank you.
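One way to check whether the "does not exist" errors in the log above correspond to GROUP rules that really have no matching section in cluster.fw, as an added example that is not part of the original post and not Proxmox code. It assumes the documented firewall file syntax (`[group <name>]` section headers, `GROUP <name>` rules, a leading `|` on disabled rules) and compares names case-insensitively; the function names and the sample cluster.fw are constructed.

```python
import re

# Two error pairs in the format of the pve-firewall.log excerpt above.
SAMPLE_LOG = """\
May 6 12:42:01 node151 pve-firewall[1852]: /etc/pve/firewall/cluster.fw (line 25) - errors in rule parameters: GROUP netdata
May 6 12:42:01 node151 pve-firewall[1852]: action: security group 'netdata' does not exist
May 6 12:42:01 node151 pve-firewall[1852]: /etc/pve/firewall/cluster.fw (line 26) - errors in rule parameters: GROUP proxmox
May 6 12:42:01 node151 pve-firewall[1852]: action: security group 'proxmox' does not exist
"""
# Constructed cluster.fw (not the poster's file): 'netdata' is defined, 'proxmox' is not.
SAMPLE_FW = """\
[RULES]
GROUP netdata
GROUP proxmox
|GROUP ping # disabled rule

[group netdata]
IN ACCEPT -p tcp -dport 19999
"""
# Assumed syntax: "[group <name>]" headers, "GROUP <name>" rules, "|" = disabled rule.
LOG_RE = re.compile(r"(\S+\.fw) \(line (\d+)\) - errors in rule parameters: GROUP (\S+)")
SECTION_RE = re.compile(r"^\[group\s+(\S+)\]", re.I)
RULE_RE = re.compile(r"^(\|)?\s*GROUP\s+(\S+)", re.I)

def rejected_groups(log_text):
    """Return {(file, line_no, group)} for every GROUP rule the daemon rejected."""
    return {(f, int(n), g.lower()) for f, n, g in LOG_RE.findall(log_text)}

def audit_fw(fw_text):
    """Return (defined group names, [(line_no, group, enabled)] references)."""
    defined, refs = set(), []
    for no, raw in enumerate(fw_text.splitlines(), 1):
        line = raw.strip()
        sec, rule = SECTION_RE.match(line), RULE_RE.match(line)
        if sec:
            defined.add(sec.group(1).lower())
        elif rule:
            refs.append((no, rule.group(2).lower(), rule.group(1) is None))
    return defined, refs

def classify(log_text, fw_text):
    """'undefined' = dangling reference in the file; 'defined' = section is present."""
    defined, _ = audit_fw(fw_text)
    return {g: ("defined" if g in defined else "undefined")
            for _, _, g in rejected_groups(log_text)}

if __name__ == "__main__":
    print(classify(SAMPLE_LOG, SAMPLE_FW))
```

On a host, pass the contents of /var/log/pve-firewall.log and /etc/pve/firewall/cluster.fw instead of the samples; a group reported as "defined" means the section is present in the file even though the daemon rejected the rule.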