Proxmox 7.1.8 Firewall ipset_restore_cmdlist

Hello,

I'm coming to ask you for help concerning a problem on my cluster (2 Nodes) on the Firewall side.

The Firewall is activated on the DataCenter and on all the machines. When I activate rules, they don't work, and I have an error in the Syslog:

Code:
pve-firewall[1370]: status update error: ipset_restore_cmdlist: Try `ipset help' for more information.

I came across another similar topic, where the problem was related to IPv6, but abnormal at that level!


Thanks in advance for your help!
Rémi. V
 
please post `pveversion -v` (and make sure you've installed the latest updates)

Thanks
 
Hello,

Thank you for your answer. As requested, here is the list of versions. The updates have been done!


Regarding the Kernel, due to a problem obviously related to HP Gen8, the panel becomes inaccessible when I use the latest versions of it.


Thanks in advance,
Rémi.
 
I ran into the same issue today on one of my nodes running Proxmox 7 when I stopped the firewall to debug a network issue and then tried to start it again. Then I saw that the journal of the pve-firewall service was filled up with that message every 10 seconds since late November. But until I disabled and then tried reenabling the firewall today, it still worked and there were no recent changes to our rules, so I did not notice it until now.

Downgrading pve-firewall from 4.2-5 to 4.2-4 helped to get rid of the error message and the firewall rules are now applied again as they should.

My versions are:

# pveversion -v
proxmox-ve: 7.1-1 (running kernel: 5.4.106-1-pve)
pve-manager: 7.1-10 (running version: 7.1-10/6ddebafe)
pve-kernel-helper: 7.1-8
pve-kernel-5.13: 7.1-6
pve-kernel-5.13.19-3-pve: 5.13.19-6
pve-kernel-5.13.19-2-pve: 5.13.19-4
pve-kernel-5.4.106-1-pve: 5.4.106-1
ceph-fuse: 14.2.21-1
corosync: 3.1.5-pve2
criu: 3.15-1+pve-1
glusterfs-client: 9.2-1
ifupdown: 0.8.36+pve1
ksm-control-daemon: 1.4-1
libjs-extjs: 7.0.0-1
libknet1: 1.22-pve2
libproxmox-acme-perl: 1.4.1
libproxmox-backup-qemu0: 1.2.0-1
libpve-access-control: 7.1-5
libpve-apiclient-perl: 3.2-1
libpve-common-perl: 7.1-2
libpve-guest-common-perl: 4.0-3
libpve-http-server-perl: 4.1-1
libpve-storage-perl: 7.0-15
libspice-server1: 0.14.3-2.1
lvm2: 2.03.11-2.1
lxc-pve: 4.0.11-1
lxcfs: 4.0.11-pve1
novnc-pve: 1.3.0-1
proxmox-backup-client: 2.1.3-1
proxmox-backup-file-restore: 2.1.3-1
proxmox-mini-journalreader: 1.3-1
proxmox-widget-toolkit: 3.4-5
pve-cluster: 7.1-3
pve-container: 4.1-3
pve-docs: 7.1-2
pve-edk2-firmware: 3.20210831-2
pve-firewall: 4.2-4
pve-firmware: 3.3-4
pve-ha-manager: 3.3-1
pve-i18n: 2.6-2
pve-qemu-kvm: 6.1.0-3
pve-xtermjs: 4.12.0-1
qemu-server: 7.1-4
smartmontools: 7.2-pve2
spiceterm: 3.2-2
swtpm: 0.7.0~rc1+2
vncterm: 1.7-1

If it is relevant, I also still run kernel 5.4 instead of 5.13 since that would hang at boot for some unknown reason.

Best regards,
M.
 
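The failure described in the post above went unnoticed for weeks because it only showed up as a repeated journal line. The following is an added example, not code from the thread or from Proxmox: a small shell check that summarizes `status update error` lines from pve-firewall in journal text. The sample lines (hostname, PIDs, timestamps) are constructed, and the default `journalctl` short output format is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): summarize pve-firewall update failures
# found in journal text read from stdin (journalctl default "short" format).

# Constructed sample lines; hostname, PIDs and timestamps are made up.
sample_journal() {
cat <<'EOF'
Nov 28 03:10:01 pve1 pve-firewall[1370]: status update error: ipset_restore_cmdlist: Try `ipset help' for more information.
Nov 28 03:10:05 pve1 pvedaemon[1402]: <root@pam> successful auth for user 'root@pam'
Nov 28 03:10:11 pve1 pve-firewall[1370]: status update error: ipset_restore_cmdlist: Try `ipset help' for more information.
EOF
}

# Print one line per failing step: name, hit count, first and last timestamp.
fw_update_errors() {
    awk '
    / pve-firewall\[[0-9]+\]: status update error: / {
        ts = $1 " " $2 " " $3
        step = $0
        sub(/^.*status update error: /, "", step)   # drop everything before the step name
        sub(/:.*$/, "", step)                        # keep only e.g. ipset_restore_cmdlist
        if (!(step in count)) first[step] = ts
        count[step]++
        last[step] = ts
    }
    END {
        for (s in count)
            printf "%s count=%d first=\"%s\" last=\"%s\"\n", s, count[s], first[s], last[s]
    }'
}

# Exit status 0 when the input contains at least one update failure.
fw_update_failing() {
    [ -n "$(fw_update_errors)" ]
}

# On a node: journalctl -u pve-firewall --since "-1h" | fw_update_failing && echo "rules may be stale"
sample_journal | fw_update_errors
```

Run from cron or a monitoring agent, a non-empty result means the daemon is failing to push rule updates and the active ruleset should be verified.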
As @spirit said - likely the issue is due to the old kernel you have booted vs. the current pve-firewall code expecting output from newer versions...

2 Options:
* try installing and booting pve-kernel-5.15 (it will become the default kernel in a few months anyways and should remain the default kernel for PVE 7.X for a longer while - so it pays off to get it running)
* @TheRemiDev - you could also try to temporarily mitigate that by downgrading pve-firewall as @MichiK suggested
 
Thank you all for your answers.

I'm going to try Kernel 5.15 right now to see if it solves the HP Gen8 issues that are currently present with Kernel 5.13.

If it doesn't work then I will try to downgrade the pve-firewall version and let you know!
 
Hmm - could you try the following to get around the issue with the kernel?:
* explicitly set `intel_iommu=off` on the kernel command line [0]
* following the advice at:
https://support.hpe.com/hpesc/public/docDisplay?docId=emr_na-c04565693
(disabling IOMMU support in BIOS or disable HP Shared Memory Features for all NICs in the Server)
* additionally (if none of the above help) - try adding `intremap=off` to the kernel command line

Else it would help us to get a larger part of (or even the complete) log when this error occurs

[0] https://pve.proxmox.com/pve-docs/chapter-sysadmin.html#sysboot_edit_kernel_cmdline
 
