firewall status issue

lynn_yudi

Renowned Member
Nov 27, 2011
Hi,

Sometimes the firewall status is 'no changes', like:
Code:
# pve-firewall compile
ipset cmdlist:
exists PVEFW-0-management-v4 (18beyoXOE3m4WmJuahn8nk7kBHk)
        create PVEFW-0-management-v4 hash:net family inet hashsize 64 maxelem 64
        add PVEFW-0-management-v4 127.0.0.0/8
exists PVEFW-0-management-v6 (H5WO/Pkuyz4e7OLB2uiMpG0Bsn0)
        create PVEFW-0-management-v6 hash:net family inet6 hashsize 64 maxelem 64
......
exists veth254i4-OUT (lgq/N8vP+4QAXFwBmKPLGXs4MEs)
        -A veth254i4-OUT -p udp --dport 547 --sport 546 -g PVEFW-SET-ACCEPT-MARK
        -A veth254i4-OUT -m mac ! --mac-source 32:32:33:66:35:39 -j DROP
        -A veth254i4-OUT -j MARK --set-mark 0x00000000/0x80000000
        -A veth254i4-OUT -p icmpv6 --icmpv6-type router-solicitation -g PVEFW-SET-ACCEPT-MARK
        -A veth254i4-OUT -p icmpv6 --icmpv6-type router-advertisement -g PVEFW-SET-ACCEPT-MARK
        -A veth254i4-OUT -p icmpv6 --icmpv6-type neighbor-solicitation -g PVEFW-SET-ACCEPT-MARK
        -A veth254i4-OUT -p icmpv6 --icmpv6-type neighbor-advertisement -g PVEFW-SET-ACCEPT-MARK
        -A veth254i4-OUT -j GROUP-allowport-OUT
        -A veth254i4-OUT -m mark --mark 0x80000000/0x80000000 -j RETURN
        -A veth254i4-OUT -g PVEFW-SET-ACCEPT-MARK
no changes

# pve-firewall status
Status: enabled/running

Sometimes the firewall status is 'pending changes', like:

Code:
# pve-firewall status
Status: enabled/running (pending changes)

# pve-firewall compile
ipset cmdlist:
exists PVEFW-0-management-v4 (18beyoXOE3m4WmJuahn8nk7kBHk)
        create PVEFW-0-management-v4 hash:net family inet hashsize 64 maxelem 64
        add PVEFW-0-management-v4 127.0.0.0/8
exists PVEFW-0-management-v6 (H5WO/Pkuyz4e7OLB2uiMpG0Bsn0)
        create PVEFW-0-management-v6 hash:net family inet6 hashsize 64 maxelem 64
......
exists tap254i4-OUT (dOimRgRhEQNa0M88qvQw1fMo6ZU)
        -A tap254i4-OUT -p udp --dport 547 --sport 546 -g PVEFW-SET-ACCEPT-MARK
        -A tap254i4-OUT -m mac ! --mac-source 62:61:30:39:62:62 -j DROP
        -A tap254i4-OUT -p icmpv6 --icmpv6-type router-advertisement -j DROP
        -A tap254i4-OUT -j MARK --set-mark 0x00000000/0x80000000
        -A tap254i4-OUT -p icmpv6 --icmpv6-type router-solicitation -g PVEFW-SET-ACCEPT-MARK
        -A tap254i4-OUT -p icmpv6 --icmpv6-type neighbor-solicitation -g PVEFW-SET-ACCEPT-MARK
        -A tap254i4-OUT -p icmpv6 --icmpv6-type neighbor-advertisement -g PVEFW-SET-ACCEPT-MARK
        -A tap254i4-OUT -j GROUP-allowport-OUT
        -A tap254i4-OUT -m mark --mark 0x80000000/0x80000000 -j RETURN
        -A tap254i4-OUT -g PVEFW-SET-ACCEPT-MARK
detected changes

I confirm that the rules have not been updated!
Using the pvetest and pve-no-subscription packages, it's the same issue.

In PVE v3, using the same rules, there is no problem!

So, how do I debug this issue?

Thanks.

# pveversion -v
proxmox-ve: 4.1-48 (running kernel: 4.4.6-1-pve)
pve-manager: 4.1-34 (running version: 4.1-34/8887b0fd)
pve-kernel-4.4.6-1-pve: 4.4.6-48
lvm2: 2.02.116-pve2
corosync-pve: 2.3.5-2
libqb0: 1.0-1
pve-cluster: 4.0-39
qemu-server: 4.0-72
pve-firmware: 1.1-8
libpve-common-perl: 4.0-59
libpve-access-control: 4.0-16
libpve-storage-perl: 4.0-50
pve-libspice-server1: 0.12.5-2
vncterm: 1.2-1
pve-qemu-kvm: 2.5-13
pve-container: 1.0-61
pve-firewall: 2.0-25
pve-ha-manager: 1.0-28
ksm-control-daemon: 1.2-1
glusterfs-client: 3.5.2-2+deb8u1
lxc-pve: 1.1.5-7
lxcfs: 2.0.0-pve2
cgmanager: 0.39-pve1
criu: 1.6.0-1
zfsutils: 0.6.5-pve9~jessie
openvswitch-switch: 2.3.2-3
Please open a bug report at bugzilla.proxmox.com. Attach the firewall setup files and the full output of
"pve-firewall compile".
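One way to narrow down which chain or ipset pve-firewall considers changed between two runs, as an added example for the question above (this is not Proxmox code and not part of the original thread). It parses the `pve-firewall compile` output in the shape shown in the post (`exists <name> (<digest>)` headers followed by indented rule lines, `ipset cmdlist:` section markers, a final `no changes` / `detected changes` verdict) and reports every entry whose verb, digest or rule list differs between a saved "before" and "after" output. The verb `update` in the constructed sample, the assumption that other sections follow the same `<word> cmdlist:` shape, and the placeholder digests are assumptions, not taken from the post.

```python
"""Compare two `pve-firewall compile` outputs and report which chain or ipset
differs.  Added example for this thread; not part of pve-firewall itself."""
import re
import sys
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Entry header as shown in the post: "<verb> <name> (<digest>)", e.g.
# "exists veth254i4-OUT (lgq/N8vP+4QAXFwBmKPLGXs4MEs)".  Indented lines that
# follow are the rules or ipset commands belonging to that entry.
HEADER_RE = re.compile(r"^(?P<verb>[a-z]+) (?P<name>\S+)(?: \((?P<digest>[^)]*)\))?$")
# Section marker; the post shows "ipset cmdlist:", other sections are assumed
# to use the same "<word> cmdlist:" shape.
SECTION_RE = re.compile(r"^\w+ cmdlist:$")
# Final verdict line, as seen at the end of both runs in the post.
VERDICTS = ("no changes", "detected changes")


@dataclass
class Entry:
    verb: str                    # "exists" = already in place; anything else = pending change
    digest: Optional[str]        # hash printed in parentheses, if any
    rules: List[str] = field(default_factory=list)


def parse_compile(text: str) -> Dict[str, Entry]:
    """Parse compile output into {entry name: Entry}; sections and verdict are skipped."""
    entries: Dict[str, Entry] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or set(line) == {"."}:          # blank line or "......" elision
            continue
        if line in VERDICTS or SECTION_RE.match(line):
            current = None
            continue
        if raw[0] in " \t":                         # indented: rule under the current entry
            if current is not None:
                entries[current].rules.append(line.strip())
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m.group("name")
            entries[current] = Entry(m.group("verb"), m.group("digest"))
    return entries


def verdict(text: str) -> Optional[str]:
    """Return the last verdict line ("no changes" / "detected changes"), if present."""
    found = [l.strip() for l in text.splitlines() if l.strip() in VERDICTS]
    return found[-1] if found else None


def compare(before: Dict[str, Entry], after: Dict[str, Entry]) -> Dict[str, str]:
    """Return {name: reason} for every entry that differs between the two runs."""
    findings: Dict[str, str] = {}
    for name in sorted(set(before) | set(after)):
        b, a = before.get(name), after.get(name)
        if b is None:
            findings[name] = "only present in the second run"
        elif a is None:
            findings[name] = "missing from the second run"
        elif a.verb != "exists":
            findings[name] = f"second run wants to '{a.verb}' it (digest {b.digest} -> {a.digest})"
        elif a.digest != b.digest:
            findings[name] = f"digest changed {b.digest} -> {a.digest}"
        elif a.rules != b.rules:
            findings[name] = "same digest but the listed rules differ"
    return findings


# Constructed sample runs modelled on the post's output; digests are placeholders
# and the "update" verb in the second run is an assumption.
RUN_NO_CHANGES = """\
ipset cmdlist:
exists PVEFW-0-management-v4 (digest-mgmt-v4)
        create PVEFW-0-management-v4 hash:net family inet hashsize 64 maxelem 64
        add PVEFW-0-management-v4 127.0.0.0/8
......
exists tap254i4-OUT (digest-tap-old)
        -A tap254i4-OUT -p udp --dport 547 --sport 546 -g PVEFW-SET-ACCEPT-MARK
        -A tap254i4-OUT -m mac ! --mac-source 62:61:30:39:62:62 -j DROP
        -A tap254i4-OUT -g PVEFW-SET-ACCEPT-MARK
no changes
"""

RUN_PENDING = """\
ipset cmdlist:
exists PVEFW-0-management-v4 (digest-mgmt-v4)
        create PVEFW-0-management-v4 hash:net family inet hashsize 64 maxelem 64
        add PVEFW-0-management-v4 127.0.0.0/8
......
update tap254i4-OUT (digest-tap-new)
        -A tap254i4-OUT -p udp --dport 547 --sport 546 -g PVEFW-SET-ACCEPT-MARK
        -A tap254i4-OUT -m mac ! --mac-source 62:61:30:39:62:62 -j DROP
        -A tap254i4-OUT -p icmpv6 --icmpv6-type router-advertisement -j DROP
        -A tap254i4-OUT -g PVEFW-SET-ACCEPT-MARK
detected changes
"""


def read_file(path: str) -> str:
    with open(path, encoding="utf-8") as f:
        return f.read()


def main(argv: List[str]) -> int:
    # Usage: pvefw_diff.py before.txt after.txt   (falls back to the samples above)
    if len(argv) == 3:
        before, after = read_file(argv[1]), read_file(argv[2])
    else:
        before, after = RUN_NO_CHANGES, RUN_PENDING
    print("verdict:", verdict(before), "->", verdict(after))
    for name, why in compare(parse_compile(before), parse_compile(after)).items():
        print(f"{name}: {why}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Save `pve-firewall compile > before.txt` when the status reads "no changes" and `> after.txt` once it flips to "pending changes", then run the script on both files; the entry it names is the one whose digest pve-firewall recomputed differently, which is also the part of the output worth attaching to the bug report the reply asks for.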