[SOLVED] * * * Firewall error in node syslog * * *

TGW

May 2, 2018
I am getting this error in the node syslog now, since the last subscription update today. Any help to alleviate this is greatly appreciated.

"pve-firewall[13722]: status update error: iptables_restore_cmdlist: Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information."


Package versions:
proxmox-ve: 5.2-2 (running kernel: 4.15.18-2-pve)
pve-manager: 5.2-7 (running version: 5.2-7/8d88e66a)
pve-kernel-4.15: 5.2-5
pve-kernel-4.15.18-2-pve: 4.15.18-20
pve-kernel-4.15.18-1-pve: 4.15.18-19
pve-kernel-4.15.17-1-pve: 4.15.17-9
corosync: 2.4.2-pve5
criu: 2.11.1-1~bpo90
glusterfs-client: 3.8.8-1
ksm-control-daemon: 1.2-2
libjs-extjs: 6.0.1-2
libpve-access-control: 5.0-8
libpve-apiclient-perl: 2.0-5
libpve-common-perl: 5.0-38
libpve-guest-common-perl: 2.0-17
libpve-http-server-perl: 2.0-10
libpve-storage-perl: 5.0-24
libqb0: 1.0.1-1
lvm2: 2.02.168-pve6
lxc-pve: 3.0.2+pve1-1
lxcfs: 3.0.0-1
novnc-pve: 1.0.0-2
proxmox-widget-toolkit: 1.0-19
pve-cluster: 5.0-29
pve-container: 2.0-25
pve-docs: 5.2-8
pve-firewall: 3.0-13
pve-firmware: 2.0-5
pve-ha-manager: 2.0-5
pve-i18n: 1.0-6
pve-libspice-server1: 0.12.8-3
pve-qemu-kvm: 2.11.2-1
pve-xtermjs: 1.0-5
qemu-server: 5.0-32
smartmontools: 6.5+svn4324-1
spiceterm: 3.0-5
vncterm: 1.5-3
zfsutils-linux: 0.7.9-pve1~bpo9
 
* Do the logs say anything more than the problem?
* Could you post your firewall configs? (redacted if needed)
 
I am new to Proxmox, which configs are you looking for? "iptables -L -n"?
 
* the contents of '/etc/pve/firewall'
* the output of ip6tables -nvL (or ip6tables-save) - since it's that part that seems to create the error
again - make sure to remove all sensitive information - thanks
 
Sorry for the delay . . . .

Here is the response on the "ip6tables -nvL" command . . .

"ip6tables v1.6.0: can't initialize ip6tables table `filter': Address family not supported by protocol
Perhaps ip6tables or your kernel needs to be upgraded."

Thank you for your patience!
 
Hi,
did you by any chance disable ipv6 (via sysctl or boot-commandline)?
(please post the contents of (redacted) `/etc/default/grub` and /etc/sysctl.conf (and all files in /etc/sysctl.d/) )
 
Sorry,

Yes, I did in those mentioned places, as I do not use IPv6 in my network.

/etc/default/grub:
#GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX_DEFAULT="quiet net.ifnames=0 ipv6.disable=1"

/etc/sysctl.conf:
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

/etc/sysctl.d/
filename: 70-disable-ipv6.conf:
net.ipv6.conf.all.disable_ipv6 = 1
 
In that case the error is easily explained :) - By disabling ipv6 on the kernel-commandline ip6tables does not work anymore.
pve-firewall does not have a dedicated ip6tables - enablement switch.

Why not just use the sysctl.conf - disablement? (AFAIK it should be more or less the same (no ipv6 addresses/routing on the node))?
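
Added example (not part of the original posts, not Proxmox code): a small check that tells the two disablement methods in this thread apart, because `ipv6.disable=1` on the kernel command line is the one that breaks `ip6tables-restore`, while the sysctl setting is not. The function names and the sample command line are constructed for illustration.

```shell
#!/bin/sh
# Classify how IPv6 was disabled on a node:
#   cmdline -> ipv6.disable=1 at boot; ip6tables cannot initialise its tables
#              and pve-firewall logs the status update error from this thread
#   sysctl  -> net.ipv6.conf.all.disable_ipv6 = 1; no IPv6 addresses/routing,
#              but ip6tables still works
#   enabled -> neither setting found

# Return 0 if the kernel command line (one string) has the exact token ipv6.disable=1.
cmdline_disables_ipv6() {
    for tok in $1; do
        [ "$tok" = "ipv6.disable=1" ] && return 0
    done
    return 1
}

# Return 0 if any given sysctl file sets net.ipv6.conf.all.disable_ipv6 to 1
# on a line that is not commented out. Unreadable or missing files are skipped.
sysctl_disables_ipv6() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        grep -Eq '^[[:space:]]*net\.ipv6\.conf\.all\.disable_ipv6[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$f" && return 0
    done
    return 1
}

# Usage: classify_ipv6 "<kernel cmdline>" [sysctl files...]
classify_ipv6() {
    cmdline=$1; shift
    if cmdline_disables_ipv6 "$cmdline"; then
        echo "cmdline"
    elif sysctl_disables_ipv6 "$@"; then
        echo "sysctl"
    else
        echo "enabled"
    fi
}

# Check the running node against the files named in this thread.
check_node() {
    classify_ipv6 "$(cat /proc/cmdline)" /etc/sysctl.conf /etc/sysctl.d/*.conf
}

# Constructed sample mirroring the GRUB_CMDLINE_LINUX_DEFAULT posted above.
classify_ipv6 "quiet net.ifnames=0 ipv6.disable=1"
```

On a node, `check_node` reads the live values; a `cmdline` verdict means the GRUB entry has to change and the node be rebooted before the pve-firewall error goes away.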
 
Stoiko,

Thank you! Your solution has repaired the problem. Thank you for your patience concerning this matter! Thank you for this very fine product!!!

Sandy
 
You're welcome - glad it's solved!

Please mark the Thread as solved in the subject - so that others know what to expect - Thanks!
 
