PVE-Firewall Proxmox 4.1 - pending changes

[shartenauer]

Hello together,

I have problems with the new Proxmox 4.1 and the pve-firewall.

After enabling the firewall in datacenter, I got this message on console
pve-firewall status
Status: enabled/running (pending changes)

"pending changes" doesn't disappear

There are no firewall rules defined.
Last week with version 4.0 I had no problems.

Best regards
Stephan

pveversion -v
proxmox-ve: 4.1-26 (running kernel: 4.2.6-1-pve)
pve-manager: 4.1-1 (running version: 4.1-1/2f9650d4)
pve-kernel-4.2.6-1-pve: 4.2.6-26
pve-kernel-4.2.3-2-pve: 4.2.3-22
lvm2: 2.02.116-pve2
corosync-pve: 2.3.5-2
libqb0: 0.17.2-1
pve-cluster: 4.0-29
qemu-server: 4.0-41
pve-firmware: 1.1-7
libpve-common-perl: 4.0-41
libpve-access-control: 4.0-10
libpve-storage-perl: 4.0-38
pve-libspice-server1: 0.12.5-2
vncterm: 1.2-1
pve-qemu-kvm: 2.4-17
pve-container: 1.0-33
pve-firewall: 2.0-14
pve-ha-manager: 1.0-14
ksm-control-daemon: not correctly installed
glusterfs-client: 3.5.2-2+deb8u1
lxc-pve: 1.1.5-5
lxcfs: 0.13-pve1
cgmanager: 0.39-pve1
criu: 1.6.0-1

 

[dietmar]

What is the output of

# iptables-save

and

# pve-firewall compile

 

[shartenauer]

Hello Dietmar,

now I have inserted my firewall rules.

here is the output of iptables-save and pve-firewall compile.

Best regards
Stephan

 

[dietmar]

seems there is a problem with the ipv6 management ipset:

update PVEFW-0-management-v6 (BrYnFffvMVEbr8z/QjfAHunsoZA)
    create PVEFW-0-management-v6 hash:net family inet6 hashsize 64 maxelem 64
    add PVEFW-0-management-v6 2a01:4f8:171:11b0::0000/64

so what is the output of

# ipset save

 

[shartenauer]

Hello Dietmar,

ipset save
create PVEFW-0-management-v4 hash:net family inet hashsize 64 maxelem 64
add PVEFW-0-management-v4 127.0.0.0/8
create PVEFW-0-management-v6 hash:net family inet6 hashsize 64 maxelem 64

Now I got my additional IPs from Hetzner and changed the file interfaces.
After that the problem is solved.

Thank you very much.
Stephan