pve-firewall[3770]: status update error: unable to open file '/proc/sys/net/bridge/bridge-nf-call-ip

[Eugene Piatenko]

Hello people!

I have some strange problem with new Proxmox install.
I installed Proxmox latest version (Virtual Environment 4.4-12/e71b7a74) on latest Debian Jessie 8.7
and when I enable Firewall in Datacenter (screenshot #1)
firewall fails to start,

# pve-firewall status
Status: enabled/running (pending changes)

And in syslog (screenshot #2):

Feb 15 19:00:53 vc-proxmox-1 pve-firewall[3770]: status update error: unable to open file '/proc/sys/net/bridge/bridge-nf-call-iptables' - No such file or directory

Please help, what is wrong, I repeated it on clean system (again, Debian Jessie 8.7)

Some additional info:

root@vc-proxmox-1:~# cat /etc/network/interfaces
# network interface settings; autogenerated
# Please do NOT modify this file directly, unless you know what
# you're doing.
#
# If you want to manage part of the network configuration manually,
# please utilize the 'source' or 'source-directory' directives to do
# so.
# PVE will preserve these directives, but will NOT its network
# configuration from sourced files, so do not attempt to move any of
# the PVE managed interfaces into external files!

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp

auto vmbr200
iface vmbr200 inet static
address 10.0.200.1
netmask 255.255.255.0
bridge_ports none
bridge_stp off
bridge_fd 0

post-up echo 1 > /proc/sys/net/ipv4/ip_forward
post-up iptables -t nat -A POSTROUTING -s '10.0.200.0/24' -o eth0 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '10.0.200.0/24' -o eth0 -j MASQUERADE


source-directory /etc/network/interfaces.d

And also

root@vc-proxmox-1:~# dpkg --get-selections |grep bridge-utils
bridge-utils install

I will send login/pass to virtual server on request (you can do anything, it's new empty server).
nothing special, clean install and just enabled firewall...

Thanks a LOT!


P.S. I tried also to do

# modprobe br_netfilter

found it on some forums and firewall starts, but actually,
after this firewall blocks all traffic from my Guest VM...

 

[dietmar]

what is the output of

# pveversion -v

 

[Eugene Piatenko]

root@vc-proxmox-1:~# pveversion -v
proxmox-ve: 4.4-79 (running kernel: 4.5.7-std-3)
pve-manager: 4.4-12 (running version: 4.4-12/e71b7a74)
pve-kernel-4.4.35-2-pve: 4.4.35-79
lvm2: 2.02.116-pve3
corosync-pve: 2.4.0-1
libqb0: 1.0-1
pve-cluster: 4.0-48
qemu-server: 4.0-108
pve-firmware: 1.1-10
libpve-common-perl: 4.0-91
libpve-access-control: 4.0-23
libpve-storage-perl: 4.0-73
pve-libspice-server1: 0.12.8-1
vncterm: 1.2-1
pve-docs: 4.4-3
pve-qemu-kvm: 2.7.1-1
pve-container: 1.0-93
pve-firewall: 2.0-33
pve-ha-manager: 1.0-40
ksm-control-daemon: 1.2-1
glusterfs-client: 3.5.2-2+deb8u3
lxc-pve: 2.0.7-1
lxcfs: 2.0.6-pve1
criu: 1.6.0-1
novnc-pve: 0.5-8
smartmontools: 6.5+svn4324-1~pve80

It was installed by https://pve.proxmox.com/wiki/Install_Proxmox_VE_on_Debian_Jessie
2 more notes,
I did not create vmbr0, I have dhcp on eth0 and did not want to change it,
and by the way, in syslog above, it always show

Feb 15 21:21:15 vc-proxmox-1 pveproxy[3984]: Use of uninitialized value $spages in int at /usr/share/perl5/PVE/ProcFSTools.pm line 212.
Feb 15 21:21:15 vc-proxmox-1 pvestatd[3966]: Use of uninitialized value $spages in int at /usr/share/perl5/PVE/ProcFSTools.pm line 212.
Feb 15 21:21:15 vc-proxmox-1 pvestatd[3966]: Use of uninitialized value $spages in int at /usr/share/perl5/PVE/ProcFSTools.pm line 212.
Feb 15 21:21:20 vc-proxmox-1 pveproxy[3985]: Use of uninitialized value $spages in int at /usr/share/perl5/PVE/ProcFSTools.pm line 212.

even if I disable KSM, I attached 2 more screenshots

I can give root access to the server (by email for example) if you interesting in...

Thanks!

 

[dietmar]

You do not run the correct kernel!

 

[Eugene Piatenko]

Thanks for the answer!

1. Changed kernel to 4.4.38 - I do not have an option to use 4.4.35 on server (

root@vc-proxmox-1:~# pveversion -v
proxmox-ve: 4.4-79 (running kernel: 4.4.38-std-2)
pve-manager: 4.4-12 (running version: 4.4-12/e71b7a74)
pve-kernel-4.4.35-2-pve: 4.4.35-79
lvm2: 2.02.116-pve3
corosync-pve: 2.4.0-1
libqb0: 1.0-1
pve-cluster: 4.0-48
qemu-server: 4.0-108
pve-firmware: 1.1-10
libpve-common-perl: 4.0-91
libpve-access-control: 4.0-23
libpve-storage-perl: 4.0-73
pve-libspice-server1: 0.12.8-1
vncterm: 1.2-1
pve-docs: 4.4-3
pve-qemu-kvm: 2.7.1-1
pve-container: 1.0-93
pve-firewall: 2.0-33
pve-ha-manager: 1.0-40
ksm-control-daemon: 1.2-1
glusterfs-client: 3.5.2-2+deb8u3
lxc-pve: 2.0.7-1
lxcfs: 2.0.6-pve1
criu: 1.6.0-1
novnc-pve: 0.5-8
smartmontools: 6.5+svn4324-1~pve80

2. Rebooted, same story... same errors...
Attaching 2 screenshots.


Is it required to use exactly 4.4.35 linux kernel? 4.4.38 is not ok?
So in this case let's say I cannot use Proxmox normally?

Or it will work but I should avoid usage of Firewall and KSM only?

Thanks

 

[manu]

@eugene:
Is your bridge active at the momment you're starting the firewall ? It could be that these /proc entries are missing because the linux bridge kernel module had not loaded yet.

brctl show

should show you a list of create bridges

 

[fabian]

Is it required to use exactly 4.4.35 linux kernel? 4.4.38 is not ok?
So in this case let's say I cannot use Proxmox normally?

if you don't run our kernel (pve-kernel-XXX) then you need to make sure all the config flags and features are set correctly, and you need to be aware that you are running an unsupported version. why don't you just use the regular pve kernel?