Proxmox Firewall Doesn't seem to work and errors in log

TheDragon

Member
Jan 20, 2023
I'm trying to start making use of the Proxmox Firewall at Node/VM/NIC level. I've enabled the firewall at datacenter and node level initially, but the rules I've put in place don't seem to take effect, and I'm also getting these lines repeatedly in my PVE logs:

Jun 03 12:32:57 pve pve-firewall[3481]: status update error: ipset_restore_cmdlist: ipset v7.10: Error in line 32: Element cannot be added to the set: it's already added
Jun 03 12:33:07 pve pve-firewall[3481]: status update error: ipset_restore_cmdlist: ipset v7.10: Error in line 14: Element cannot be added to the set: it's already added
Jun 03 12:33:18 pve pve-firewall[3481]: status update error: ipset_restore_cmdlist: ipset v7.10: Error in line 14: Element cannot be added to the set: it's already added
Jun 03 12:33:27 pve pve-firewall[3481]: status update error: ipset_restore_cmdlist: ipset v7.10: Error in line 14: Element cannot be added to the set: it's already added
Jun 03 12:33:37 pve pve-firewall[3481]: status update error: ipset_restore_cmdlist: ipset v7.10: Error in line 32: Element cannot be added to the set: it's already added
Jun 03 12:33:47 pve pve-firewall[3481]: status update error: ipset_restore_cmdlist: ipset v7.10: Error in line 4: Element cannot be added to the set: it's already added
Jun 03 12:33:57 pve pve-firewall[3481]: status update error: ipset_restore_cmdlist: ipset v7.10: Error in line 32: Element cannot be added to the set: it's already added
Jun 03 12:34:07 pve pve-firewall[3481]: status update error: ipset_restore_cmdlist: ipset v7.10: Error in line 22: Element cannot be added to the set: it's already added
Jun 03 12:34:17 pve pve-firewall[3481]: status update error: ipset_restore_cmdlist: ipset v7.10: Error in line 27: Element cannot be added to the set: it's already added

Any assistance with this would be greatly appreciated!
 
Can you send the content of

cat /var/lib/pve-firewall/ipsetcmdlist2
cat /var/lib/pve-firewall/ipsetcmdlist1

?
Thanks for the reply. See below the output from ipsetcmdlist1; ipsetcmdlist2 returned nothing.

destroy PVEFW-0-admin_devices-v4_swap
create PVEFW-0-router_40-v4_swap hash:net family inet hashsize 64 maxelem 64 bucketsize 12
add PVEFW-0-router_40-v4_swap 10.0.40.1/24
swap PVEFW-0-router_40-v4_swap PVEFW-0-router_40-v4
flush PVEFW-0-router_40-v4_swap
destroy PVEFW-0-router_40-v4_swap
create PVEFW-0-router_20-v4_swap hash:net family inet hashsize 64 maxelem 64 bucketsize 12
add PVEFW-0-router_20-v4_swap 10.0.20.1/24
swap PVEFW-0-router_20-v4_swap PVEFW-0-router_20-v4
flush PVEFW-0-router_20-v4_swap
destroy PVEFW-0-router_20-v4_swap
create PVEFW-17B4F8F3_swap hash:net family inet hashsize 64 maxelem 64 bucketsize 12
add PVEFW-17B4F8F3_swap 10.0.0.1/24
add PVEFW-17B4F8F3_swap 10.0.20.1/24
add PVEFW-17B4F8F3_swap 10.0.30.1/24
add PVEFW-17B4F8F3_swap 10.0.40.1/24
swap PVEFW-17B4F8F3_swap PVEFW-17B4F8F3
flush PVEFW-17B4F8F3_swap
destroy PVEFW-17B4F8F3_swap
create PVEFW-0-router_10-v4_swap hash:net family inet hashsize 64 maxelem 64 bucketsize 12
add PVEFW-0-router_10-v4_swap 10.0.10.1/24
swap PVEFW-0-router_10-v4_swap PVEFW-0-router_10-v4
flush PVEFW-0-router_10-v4_swap
destroy PVEFW-0-router_10-v4_swap
create PVEFW-0-admin_devices-v4_swap hash:net family inet hashsize 64 maxelem 64 bucketsize 12
add PVEFW-0-admin_devices-v4_swap 10.0.20.50/24
add PVEFW-0-admin_devices-v4_swap 10.0.20.51/24
swap PVEFW-0-admin_devices-v4_swap PVEFW-0-admin_devices-v4
flush PVEFW-0-admin_devices-v4_swap
destroy PVEFW-0-admin_devices-v4_swap
create PVEFW-0-router_30-v4_swap hash:net family inet hashsize 64 maxelem 64 bucketsize 12
add PVEFW-0-router_30-v4_swap 10.0.30.1/24
swap PVEFW-0-router_30-v4_swap PVEFW-0-router_30-v4
flush PVEFW-0-router_30-v4_swap
destroy PVEFW-0-router_30-v4_swap
 
Hi,
if IPs like:

"10.0.20.1/24"

are single IPs, you shouldn't add /24.

You could use /32 ("10.0.20.1/32") or no netmask ("10.0.20.1").

If you need to define a full subnet, you should use a netmask, like "10.0.20.0/24".
 
I just ran into the same issue. I had added a couple of IP addresses using CIDR notation (x.x.x.x/24) as aliases. I was able to resolve the issue by changing all of them to IP only (x.x.x.x). So my issue is closed.

But I am wondering: would it make sense to improve the GUI to avoid this kind of issue? Add validation that prevents invalid aliases in the Firewall section?
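The two points above (why 10.0.20.50/24 and 10.0.20.51/24 collide, and what a pre-commit validation of aliases could check) can be shown with a small checker. The following is an added example, not code from this thread or from Proxmox; the set names and entries are constructed from the ipsetcmdlist1 output posted earlier, and the function names are mine. It applies the same masking that an ipset of type hash:net applies, so both admin_devices entries become 10.0.20.0/24, which is exactly the element ipset then refuses to add a second time. It also flags the security-relevant side effect: an entry with host bits set does not silently fail, it is widened to the whole subnet, so a rule written for one admin host matches every address in the /24.

```python
import ipaddress
from collections import defaultdict

# Constructed sample input, modelled on the ipsetcmdlist1 output in the thread
# (set name as entered in the Proxmox alias/ipset, value as typed by the user).
SAMPLE_ENTRIES = [
    ("admin_devices-v4", "10.0.20.50/24"),
    ("admin_devices-v4", "10.0.20.51/24"),
    ("router_20-v4", "10.0.20.1/24"),
    ("router_30-v4", "10.0.30.1"),
]


def normalize(value):
    """Return the network that an ipset hash:net set would actually store.

    ipset masks the address with the prefix length, so 10.0.20.50/24 and
    10.0.20.51/24 are both stored as 10.0.20.0/24. ip_network(strict=False)
    performs the same masking; a bare address becomes a /32 (IPv4) or /128.
    """
    return ipaddress.ip_network(value, strict=False)


def suggestions(value):
    """Offer the two unambiguous spellings of an entry with host bits set:
    the single host (no mask) and the full subnet (network address + mask)."""
    iface = ipaddress.ip_interface(value)
    return str(iface.ip), str(iface.network)


def check_entries(entries):
    """Lint (set_name, value) pairs the way a GUI validator could.

    Returns a list of (set_name, value, problem) tuples with two problem kinds:
      host_bits_set - prefix shorter than the address length with non-zero
                      host bits (e.g. 10.0.20.50/24). ipset widens this to
                      the whole subnet, so the rule is far more permissive
                      than a single-host alias suggests.
      duplicate     - after masking, the value equals an earlier entry in the
                      same set. This is what produces "Element cannot be added
                      to the set: it's already added" during ipset restore.
    """
    problems = []
    seen = defaultdict(set)
    for set_name, value in entries:
        if "/" in value:
            iface = ipaddress.ip_interface(value)
            if iface.ip != iface.network.network_address:
                problems.append((set_name, value, "host_bits_set"))
        net = normalize(value)
        if net in seen[set_name]:
            problems.append((set_name, value, "duplicate"))
        else:
            seen[set_name].add(net)
    return problems


if __name__ == "__main__":
    for set_name, value, problem in check_entries(SAMPLE_ENTRIES):
        host, subnet = suggestions(value) if "/" in value else (value, value)
        print(f"{set_name}: {value}: {problem} "
              f"(stored as {normalize(value)}; use {host} or {subnet})")
```

Running it on the sample reports both admin_devices entries as host_bits_set, the second one additionally as duplicate, and router_20-v4 as host_bits_set; the bare 10.0.30.1 passes. The same check would have caught every /24 entry in the posted command list before pve-firewall ever handed it to ipset restore.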