IPSet not working for accepting cluster traffic

thomas-worm

Jun 26, 2023
Hello,


I noticed that in Proxmox 8.0.3 some functionality in the cluster breaks after activating the firewall.
So I want to create an IPSet `cluster-001` with `host-001`, `host-002`, `host-003` (all are aliases for the cluster node IPs).

When creating a rule `IN ACCEPT source +dc/cluster-001 destination +dc/cluster` and enabling it, the iptables rules won't generate.

If I create rules
`IN ACCEPT source host-001`
`IN ACCEPT source host-002`
`IN ACCEPT source host-003`

it works fine. But I don't want to make a rule for each host; I'd like to use a centrally edited IPSet as the cluster node list.


How can I fix this?


Best regards,
Thomas
 
Are you seeing

`value does not look like a valid IP address or CIDR network`
`no such alias 'xxx'`

if you run `pve-firewall status`?

I've inserted a "die $cidr" on /usr/share/perl5/PVE/Firewall.pm:3008 and executed a "pve-firewall status" again, and it throws aliases to me. So somehow the alias resolving is *not* working.

By the way, "pve-firewall status" is nice, but if it throws errors, it would be very nice to know what the problem is, not only that there is a problem.

I think this is a major issue! Rules are not generating anymore.