No rules with nftables backend

kissze

Hello,

I have a 3-node PVE cluster, switched to the nftables backend (because of conntrack issues with iptables). The pve-firewall restarted on every node, but it's not creating any rules on the third node.
The network configuration is the same regarding interface names, etc.
How can I debug the pve-firewall itself to see why it's not creating the nft rules?

Thanks,
Zoltan
 
What is the output of

Code:
systemctl status {pve,proxmox}-firewall
 
Stefan, nevermind :)
The proxmox-firewall service was in failed state. I restarted it, and voila, the nft ruleset is created.

This was the original status:

Code:
root@officepve3:~# systemctl status {pve,proxmox}-firewall
● pve-firewall.service - Proxmox VE firewall
     Loaded: loaded (/lib/systemd/system/pve-firewall.service; enabled; preset: enabled)
     Active: active (running) since Sat 2025-03-15 20:56:10 CET; 1 day 14h ago
    Process: 1684242 ExecStartPre=/usr/bin/update-alternatives --set ebtables /usr/sbin/ebtables-legacy (code=exited, status=0/SUCCESS)
    Process: 1684243 ExecStartPre=/usr/bin/update-alternatives --set iptables /usr/sbin/iptables-legacy (code=exited, status=0/SUCCESS)
    Process: 1684244 ExecStartPre=/usr/bin/update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy (code=exited, status=0/SUCCESS)
    Process: 1684245 ExecStart=/usr/sbin/pve-firewall start (code=exited, status=0/SUCCESS)
   Main PID: 1684248 (pve-firewall)
      Tasks: 1 (limit: 77071)
     Memory: 95.6M
        CPU: 39min 23.056s
     CGroup: /system.slice/pve-firewall.service
             └─1684248 pve-firewall

Mar 15 20:56:09 officepve3 systemd[1]: Starting pve-firewall.service - Proxmox VE firewall...
Mar 15 20:56:10 officepve3 pve-firewall[1684248]: starting server
Mar 15 20:56:10 officepve3 systemd[1]: Started pve-firewall.service - Proxmox VE firewall.

× proxmox-firewall.service - Proxmox nftables firewall
     Loaded: loaded (/lib/systemd/system/proxmox-firewall.service; enabled; preset: enabled)
     Active: failed (Result: exit-code) since Wed 2024-11-27 16:21:27 CET; 3 months 18 days ago
   Duration: 28min 15.290s
   Main PID: 1884 (code=exited, status=101)
        CPU: 3.345s

Nov 27 15:53:12 officepve3 systemd[1]: Started proxmox-firewall.service - Proxmox nftables firewall.
Nov 27 16:21:27 officepve3.office.adertis.cloud proxmox-firewall[1884]: thread 'main' panicked at 'able to read cluster firewall config: unable to open configuration file at /etc/pve/firewall/cluster.fw
Nov 27 16:21:27 officepve3.office.adertis.cloud proxmox-firewall[1884]: Caused by:
Nov 27 16:21:27 officepve3.office.adertis.cloud proxmox-firewall[1884]:     Software caused connection abort (os error 103)', proxmox-firewall/src/config.rs:63:51
Nov 27 16:21:27 officepve3.office.adertis.cloud proxmox-firewall[1884]: note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
Nov 27 16:21:27 officepve3.office.adertis.cloud systemd[1]: proxmox-firewall.service: Main process exited, code=exited, status=101/n/a
Nov 27 16:21:27 officepve3.office.adertis.cloud systemd[1]: proxmox-firewall.service: Failed with result 'exit-code'.
Nov 27 16:21:27 officepve3.office.adertis.cloud systemd[1]: proxmox-firewall.service: Consumed 3.345s CPU time.

It was in a failed state since we installed this node, I think.
It would be good if PVE would do a restart when we're changing the backend.

And sorry, I didn't think about proxmox-firewall, I just restarted the pve-firewall service. It's a bit confusing that there are 2 services.

Thanks,
Zoltan
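Stefan's `systemctl status {pve,proxmox}-firewall` check, turned into a small script that picks the unit responsible for rule generation from the configured backend and restarts it if it is not active. This is an added example, not code from the thread or from Proxmox. It assumes (not confirmed by the thread) that the backend is selected by `nftables: 1` in the `[OPTIONS]` section of `/etc/pve/firewall/cluster.fw`, the path from the panic message above, and that the two units are named `pve-firewall` and `proxmox-firewall` as in the status output. The point it makes explicit: in the log above pve-firewall was "active" while proxmox-firewall had been failed for months, so checking only pve-firewall says nothing about whether an nft ruleset exists.

```shell
#!/usr/bin/env bash
# Added example, not from the thread or from Proxmox: verify that the unit
# generating firewall rules for the configured backend is actually running.
# Assumptions: "nftables: 1" in [OPTIONS] of /etc/pve/firewall/cluster.fw
# selects the nftables backend; units are pve-firewall / proxmox-firewall.
set -f   # no globbing: config lines are word-split with "set --" below

# backend_from_config FILE
# Prints "nftables" when the [OPTIONS] section contains "nftables: 1",
# "iptables" otherwise (also when the file is unreadable, which is the
# condition the Rust panic in the log reports).
backend_from_config() {
  local file="$1" section="" line
  [ -r "$file" ] || { echo iptables; return 0; }
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      \[*\]) section="$line" ;;            # section header, e.g. [OPTIONS]
      *:*)
        if [ "$section" = "[OPTIONS]" ]; then
          set -- $line                     # "nftables: 1" -> $1="nftables:" $2="1"
          if [ "$1" = "nftables:" ] && [ "$2" = "1" ]; then
            echo nftables; return 0
          fi
        fi ;;
    esac
  done < "$file"
  echo iptables
}

# expected_unit BACKEND
# Maps the backend to the systemd unit that must be active to get rules.
expected_unit() {
  case "$1" in
    nftables) echo proxmox-firewall ;;
    *)        echo pve-firewall ;;
  esac
}

# check_unit UNIT STATE
# Decision helper; STATE is what `systemctl is-active UNIT` printed.
# Returns 0 when nothing needs doing, 1 when UNIT should be restarted.
check_unit() {
  local unit="$1" state="$2"
  if [ "$state" = "active" ]; then
    echo "$unit: active, nothing to do"
    return 0
  fi
  echo "$unit: $state, run: systemctl restart $unit"
  return 1
}

# Live check for a PVE node. Uses systemctl, journalctl and nft, so it only
# runs when the script is invoked with --live (as root).
main() {
  local backend unit state
  backend=$(backend_from_config /etc/pve/firewall/cluster.fw)
  unit=$(expected_unit "$backend")
  state=$(systemctl is-active "$unit" 2>/dev/null || true)
  if ! check_unit "$unit" "${state:-unknown}"; then
    systemctl restart "$unit"
    journalctl -u "$unit" -n 20 --no-pager
  fi
  # With the nftables backend running, at least one table should exist.
  if [ "$backend" = "nftables" ]; then
    nft list tables
  fi
}

if [ "${1:-}" = "--live" ]; then
  main
fi
```

Run it as `bash check-fw.sh --live` on each node after changing the backend; without `--live` it only defines the functions, which is what the offline checks exercise. A failed proxmox-firewall that panicked on `cluster.fw` is worth looking at in `journalctl` before restarting, since the same cause (here an aborted connection to the cluster filesystem) can recur.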