Proxmox Firewall Doesn't seem to work and errors in log

TheDragon (New Member, Jan 20, 2023)
I'm trying to start making use of the Proxmox Firewall at Node/VM/NIC level. I've enabled the firewall at datacenter and node level initially, but the rules I've put in place don't seem to take effect, and I'm also getting these lines repeatedly in my PVE logs:

Jun 03 12:32:57 pve pve-firewall[3481]: status update error: ipset_restore_cmdlist: ipset v7.10: Error in line 32: Element cannot be added to the set: it's already added
Jun 03 12:33:07 pve pve-firewall[3481]: status update error: ipset_restore_cmdlist: ipset v7.10: Error in line 14: Element cannot be added to the set: it's already added
Jun 03 12:33:18 pve pve-firewall[3481]: status update error: ipset_restore_cmdlist: ipset v7.10: Error in line 14: Element cannot be added to the set: it's already added
Jun 03 12:33:27 pve pve-firewall[3481]: status update error: ipset_restore_cmdlist: ipset v7.10: Error in line 14: Element cannot be added to the set: it's already added
Jun 03 12:33:37 pve pve-firewall[3481]: status update error: ipset_restore_cmdlist: ipset v7.10: Error in line 32: Element cannot be added to the set: it's already added
Jun 03 12:33:47 pve pve-firewall[3481]: status update error: ipset_restore_cmdlist: ipset v7.10: Error in line 4: Element cannot be added to the set: it's already added
Jun 03 12:33:57 pve pve-firewall[3481]: status update error: ipset_restore_cmdlist: ipset v7.10: Error in line 32: Element cannot be added to the set: it's already added
Jun 03 12:34:07 pve pve-firewall[3481]: status update error: ipset_restore_cmdlist: ipset v7.10: Error in line 22: Element cannot be added to the set: it's already added
Jun 03 12:34:17 pve pve-firewall[3481]: status update error: ipset_restore_cmdlist: ipset v7.10: Error in line 27: Element cannot be added to the set: it's already added

Any assistance with this would be greatly appreciated!
 
Can you send the content of

cat /var/lib/pve-firewall/ipsetcmdlist2
cat /var/lib/pve-firewall/ipsetcmdlist1

?
Thanks for the reply. See below the output from ipsetcmdlist1; ipsetcmdlist2 returned nothing.

destroy PVEFW-0-admin_devices-v4_swap
create PVEFW-0-router_40-v4_swap hash:net family inet hashsize 64 maxelem 64 bucketsize 12
add PVEFW-0-router_40-v4_swap 10.0.40.1/24
swap PVEFW-0-router_40-v4_swap PVEFW-0-router_40-v4
flush PVEFW-0-router_40-v4_swap
destroy PVEFW-0-router_40-v4_swap
create PVEFW-0-router_20-v4_swap hash:net family inet hashsize 64 maxelem 64 bucketsize 12
add PVEFW-0-router_20-v4_swap 10.0.20.1/24
swap PVEFW-0-router_20-v4_swap PVEFW-0-router_20-v4
flush PVEFW-0-router_20-v4_swap
destroy PVEFW-0-router_20-v4_swap
create PVEFW-17B4F8F3_swap hash:net family inet hashsize 64 maxelem 64 bucketsize 12
add PVEFW-17B4F8F3_swap 10.0.0.1/24
add PVEFW-17B4F8F3_swap 10.0.20.1/24
add PVEFW-17B4F8F3_swap 10.0.30.1/24
add PVEFW-17B4F8F3_swap 10.0.40.1/24
swap PVEFW-17B4F8F3_swap PVEFW-17B4F8F3
flush PVEFW-17B4F8F3_swap
destroy PVEFW-17B4F8F3_swap
create PVEFW-0-router_10-v4_swap hash:net family inet hashsize 64 maxelem 64 bucketsize 12
add PVEFW-0-router_10-v4_swap 10.0.10.1/24
swap PVEFW-0-router_10-v4_swap PVEFW-0-router_10-v4
flush PVEFW-0-router_10-v4_swap
destroy PVEFW-0-router_10-v4_swap
create PVEFW-0-admin_devices-v4_swap hash:net family inet hashsize 64 maxelem 64 bucketsize 12
add PVEFW-0-admin_devices-v4_swap 10.0.20.50/24
add PVEFW-0-admin_devices-v4_swap 10.0.20.51/24
swap PVEFW-0-admin_devices-v4_swap PVEFW-0-admin_devices-v4
flush PVEFW-0-admin_devices-v4_swap
destroy PVEFW-0-admin_devices-v4_swap
create PVEFW-0-router_30-v4_swap hash:net family inet hashsize 64 maxelem 64 bucketsize 12
add PVEFW-0-router_30-v4_swap 10.0.30.1/24
swap PVEFW-0-router_30-v4_swap PVEFW-0-router_30-v4
flush PVEFW-0-router_30-v4_swap
destroy PVEFW-0-router_30-v4_swap
 
I just ran into the same issue. I had added a couple of IP addresses using CIDR notation (x.x.x.x/24) as aliases. I was able to resolve the issue by changing all of them to IP only (x.x.x.x). So my issue is closed.

But I am wondering: would it make sense to improve the GUI to avoid this kind of issue? Add a validation that prevents invalid aliases in the Firewall section?
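The two posts above describe one mechanism from two sides: the ipsetcmdlist1 output shows `10.0.20.50/24` and `10.0.20.51/24` being added to the same hash:net set, and the follow-up fixed it by dropping the `/24`. An ipset hash:net set stores the network an element belongs to, not the literal address, so both of those elements become `10.0.20.0/24`; the second `add` then fails with exactly the "Element cannot be added to the set: it's already added" message from the log, and the rest of the command list is never applied, which is why the rules "don't seem to take effect". The same mistake has a quieter consequence: an IPSet meant to hold two admin hosts instead matches every address in the /24. The script below is an added example, not part of the thread or of Proxmox; it parses a command list in the format pve-firewall writes, reports the `add` lines ipset would reject and the host-with-mask entries that silently widen to a subnet, and shows the host-only rewrite the second poster used. The sample list is a constructed shortening of the one posted above, and the `stored_network`, `check_cmdlist` and `rewrite_host_entries` names are this example's own.

```python
"""
Check an ipset restore-style command list (the format pve-firewall writes to
/var/lib/pve-firewall/ipsetcmdlist1) for entries ipset will refuse or that do
not mean what the author probably intended.

Added example, not code from the forum thread or from Proxmox. Assumption:
a hash:net set stores the masked network of each element, so two host
addresses with the same prefix length inside one /24 collapse to a single
element and the second `add` fails with "it's already added".
"""
import ipaddress
from collections import defaultdict

# Constructed sample: a shortened copy of the ipsetcmdlist1 posted in the thread.
SAMPLE_CMDLIST = """\
create PVEFW-0-admin_devices-v4_swap hash:net family inet hashsize 64 maxelem 64 bucketsize 12
add PVEFW-0-admin_devices-v4_swap 10.0.20.50/24
add PVEFW-0-admin_devices-v4_swap 10.0.20.51/24
swap PVEFW-0-admin_devices-v4_swap PVEFW-0-admin_devices-v4
flush PVEFW-0-admin_devices-v4_swap
destroy PVEFW-0-admin_devices-v4_swap
create PVEFW-17B4F8F3_swap hash:net family inet hashsize 64 maxelem 64 bucketsize 12
add PVEFW-17B4F8F3_swap 10.0.0.1/24
add PVEFW-17B4F8F3_swap 10.0.20.1/24
add PVEFW-17B4F8F3_swap 10.0.30.1/24
swap PVEFW-17B4F8F3_swap PVEFW-17B4F8F3
flush PVEFW-17B4F8F3_swap
destroy PVEFW-17B4F8F3_swap
"""


def stored_network(element):
    """Return (network ipset actually stores for `element`, host_bits_set).
    A bare address becomes a /32; "10.0.20.50/24" becomes 10.0.20.0/24."""
    try:
        return ipaddress.ip_network(element), False
    except ValueError:
        # strict parsing rejects host bits under the mask; ipset just masks them off
        return ipaddress.ip_network(element, strict=False), True


def check_cmdlist(text):
    """Walk the command list and return (duplicates, host_bits), each a list of
    (line_number, set_name, element, stored_network_as_str):
      duplicates - `add` lines ipset rejects because the masked network is
                   already in the set (the error seen in the pve-firewall log)
      host_bits  - `add` lines whose element is a host with a wider mask, so
                   the set matches the whole subnet instead of that one host"""
    members = defaultdict(dict)   # set name -> {network: first element added}
    duplicates, host_bits = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts:
            continue
        verb = parts[0]
        if verb == "create":
            members[parts[1]] = {}
        elif verb in ("flush", "destroy"):
            members.pop(parts[1], None)
        elif verb == "add":
            name, element = parts[1], parts[2]
            net, has_host_bits = stored_network(element)
            if has_host_bits:
                host_bits.append((lineno, name, element, str(net)))
            if net in members[name]:
                duplicates.append((lineno, name, element, str(net)))
            else:
                members[name][net] = element
    return duplicates, host_bits


def rewrite_host_entries(text):
    """Return the command list with every host-with-mask element replaced by the
    bare host address, i.e. the change the second post made by hand. Only the
    right fix when single hosts were intended; use x.x.x.0/24 if a subnet was."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "add":
            _, has_host_bits = stored_network(parts[2])
            if has_host_bits:
                parts[2] = parts[2].split("/")[0]
        out.append(" ".join(parts))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    dups, hosts = check_cmdlist(SAMPLE_CMDLIST)
    for lineno, name, element, net in dups:
        print(f"line {lineno}: {name}: {element} duplicates {net}; ipset will reject it")
    for lineno, name, element, net in hosts:
        print(f"line {lineno}: {name}: {element} is stored as {net} (whole subnet)")
    fixed = rewrite_host_entries(SAMPLE_CMDLIST)
    print("after rewrite:", check_cmdlist(fixed))
```

Run it against a real file with `python3 check_ipsetcmdlist.py` after pointing `SAMPLE_CMDLIST` at the contents of `/var/lib/pve-firewall/ipsetcmdlist1`. On the sample it flags line 3 as the duplicate that breaks the restore and lists every `/24` host entry as a subnet match; after `rewrite_host_entries` both lists are empty. The router entries in the posted list (`10.0.40.1/24` and friends) get the same warning, and whether they should become `10.0.40.1` or `10.0.40.0/24` depends on what the rule was meant to allow, which is the decision the GUI validation suggested above would force the user to make explicitly.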
 
