iptables-restore issue possibly making firewall unusable

wahmed
Oct 28, 2012
Hello,
Recently I am noticing the following error in one of the Proxmox node syslogs:
Code:
pve-firewall[1869]: status update error: iptables_restore_cmdlist: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
I think this error is breaking the firewall on this node, because none of the rules is getting applied. All nodes have identical configuration and are up to date. What is the cause, and the solution to make the firewall usable again?
The error itself is not very descriptive. I ran the suggested command 'iptables-restore -h' but it only shows the available commands.
 
What version do you run exactly? And what is the output of

# pve-firewall compile

Does that show any errors?
 
The version shows pve-firewall: 2.0-18
Running the firewall command shows quite a few entries for 'create', 'update' and 'exists'. Not entirely sure if they are errors or normal entries. The very last entry is 'detected changes'.
 
Can you try the latest pve-firewall package from pvetest (2.0-21)? There's a chance it gives you a better error message, otherwise we'll have to dig a little deeper.
 
Looks like I found the cause of this issue. Any presence of IPv6 rules causes the syslog to be flooded with the iptable_cmdlist_restore error. As soon as I disabled all IPv6 rules, the error disappeared. This also means I cannot use the IPv6 rules at this moment. Is it a known error which will be fixed, or is it already fixed in the test repository?
 
It would be good to know which rule in particular causes this. There's no general problem known that would apply to "all" rules and I'm using ipv6 firewall rules on various machines without issues.
 
Hi there,
I continue this thread because I'm currently facing the same error and I discovered no iptables policies defined in proxmox are applied.
pve-firewall compile doesn't throw errors.

Any suggestion appreciated

edit: As reported by the original author of this thread, disabling the only IPv6 rule I had (cluster-wide) makes the problem vanish. I'm open to any support in the event you want to debug it.
 
Is it possible some iptables kernel module was not loaded and you had upgraded the running kernel package before activating the firewall the first time?
Can you provide the output of `pve-firewall compile`? And perhaps apply some of the printed lines manually and see if one in particular fails? (i.e. add the chains via `ip6tables -N "name"`, and try running the IPv6-related `-A` lines from `pve-firewall compile` as commands prefixed with `ip6tables `.)
 
Hi wbumiller

I doubt this could be a module problem; I have been seeing this error for a while, and I have upgraded the kernel and rebooted a couple of times since.

The output of 'pve-firewall compile' with the IPv6 policy enabled is at http://paste.debian.net/844541/ (I can't post it inline as it is too big). I see there are two sections 'create PVEFW-HOST-IN' with 2 different hashes behind them when an IPv6 policy is present. With only IPv4, the verb 'create' is replaced with 'exists' in the 2nd section. Could it be a problem?

You can find the diff between IPv4-only and IPv4+IPv6 at http://paste.debian.net/844598/

When I try to apply an IPv6 policy I get this error.
Code:
root@cactus:~# ip6tables -A PVEFW-HOST-IN -p ipv6 --dport 51413 -j RETURN
ip6tables v1.4.21: unknown option "--dport"
Try `ip6tables -h' or 'ip6tables --help' for more information.
 
Ah I see. That's something we need to catch. I wonder why IPv6 is even in the protocol list that way. Ports aren't part of IPv6, but the underlying protocol (tcp, udp), so this should be recognized as an invalid rule.
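As an added example (not code from this thread, and not part of pve-firewall), the following Python check catches the rule shape the last reply describes: a port option such as `--dport` combined with a protocol that carries no ports (here `-p ipv6`), which ip6tables rejects and which, because iptables-restore aborts the whole table on a rejected line, silently leaves every other rule unapplied. Running such a check over the output of `pve-firewall compile` before it reaches iptables-restore would surface the offending line instead of the generic "Try `iptables-restore -h'" message. The set of port-carrying protocols, the option names and the sample ruleset are all constructed here; the one line that mirrors the failing command from the thread is the `-p ipv6 --dport 51413` rule.

```python
import shlex

# Protocols for which iptables/ip6tables load a port-aware match on "-p"
# (constructed list for this example).
PORT_PROTOCOLS = {"tcp", "udp", "udplite", "sctp", "dccp"}

# Options that are only meaningful on a port-carrying protocol
# (tcp/udp match options plus the multiport match options).
PORT_OPTIONS = {
    "--dport", "--sport", "--destination-port", "--source-port",
    "--dports", "--sports", "--destination-ports", "--source-ports",
}


def check_rule(line):
    """Return a list of problems found in one iptables/ip6tables rule line.

    An empty list means the line passed. Non-rule lines in restore format
    (comments, '*table', ':CHAIN' declarations, COMMIT) always pass.
    """
    line = line.strip()
    if not line or line[0] in "#*:" or line == "COMMIT":
        return []
    try:
        argv = shlex.split(line)
    except ValueError as exc:
        return [f"unparseable line: {exc}"]
    # Accept both raw restore lines ('-A CHAIN ...') and full commands.
    if argv and argv[0] in ("iptables", "ip6tables"):
        argv = argv[1:]

    proto = None
    used_port_opts = []
    i = 0
    while i < len(argv):
        tok = argv[i]
        if tok in ("-p", "--protocol"):
            proto = argv[i + 1].lower() if i + 1 < len(argv) else None
            i += 2
            continue
        if tok.startswith("--protocol="):
            proto = tok.split("=", 1)[1].lower()
        elif tok.split("=", 1)[0] in PORT_OPTIONS:
            used_port_opts.append(tok.split("=", 1)[0])
        i += 1

    problems = []
    if used_port_opts and proto is None:
        problems.append(f"{', '.join(used_port_opts)} used without -p")
    elif used_port_opts and proto not in PORT_PROTOCOLS:
        problems.append(
            f"{', '.join(used_port_opts)} used with -p {proto}, which has no ports"
        )
    return problems


def check_ruleset(text):
    """Check every line of a restore-format ruleset; return (lineno, problem) pairs."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for problem in check_rule(line):
            findings.append((lineno, problem))
    return findings


# Constructed sample in iptables-restore format; not real pve-firewall output.
SAMPLE_RULESET = """\
# constructed sample ruleset
*filter
:PVEFW-HOST-IN - [0:0]
-A PVEFW-HOST-IN -p tcp --dport 8006 -j RETURN
-A PVEFW-HOST-IN -p ipv6 --dport 51413 -j RETURN
-A PVEFW-HOST-IN -p icmpv6 -j RETURN
-A PVEFW-HOST-IN -m multiport --dports 5404,5405 -j RETURN
COMMIT
"""

if __name__ == "__main__":
    for lineno, problem in check_ruleset(SAMPLE_RULESET):
        print(f"line {lineno}: {problem}")
```

To use it against a real node, pipe the compiled rules in and feed the text to `check_ruleset`; the line numbers it reports refer to that input, so the offending rule can be traced back to the cluster or host firewall configuration that generated it.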
 