`pve-firewall status` stuck on "Status: enabled/running (pending changes)"

[JulienMru]

Dear all,

I have a cluster of 6 nodes, two of which having an issue with `pve-firewall status` stuck on "Status: enabled/running (pending changes)". Firewall is enabled on the Datacenter, on the node and on the VMs.

I attached the output of `pve-firewall compile`: do you have any idea of what's wrong?

The firewall is not working (ie. no packets filtered), possibly because of this error.

root@node5:~# pveversion -v
proxmox-ve: 4.4-107 (running kernel: 4.4.44-1-pve)
pve-manager: 4.4-22 (running version: 4.4-22/2728f613)
pve-kernel-4.4.35-1-pve: 4.4.35-77
pve-kernel-4.4.44-1-pve: 4.4.44-84
pve-kernel-4.4.98-6-pve: 4.4.98-107
pve-kernel-4.4.49-1-pve: 4.4.49-86
lvm2: 2.02.116-pve3
corosync-pve: 2.4.2-2~pve4+1
libqb0: 1.0.1-1
pve-cluster: 4.0-54
qemu-server: 4.0-115
pve-firmware: 1.1-11
libpve-common-perl: 4.0-96
libpve-access-control: 4.0-23
libpve-storage-perl: 4.0-76
pve-libspice-server1: 0.12.8-2
vncterm: 1.3-2
pve-docs: 4.4-4
pve-qemu-kvm: 2.9.1-9~pve4
pve-container: 1.0-104
pve-firewall: 2.0-33
pve-ha-manager: 1.0-41
ksm-control-daemon: 1.2-1
glusterfs-client: 3.5.2-2+deb8u3
lxc-pve: 2.0.7-4
lxcfs: 2.0.6-pve1
criu: 1.6.0-1
novnc-pve: 0.5-9
smartmontools: 6.5+svn4324-1~pve80
zfsutils: 0.6.5.9-pve15~bpo80
openvswitch-switch: 2.6.0-2

Best regards.

 

[Tim Riggs]

I'm experiencing the same issue.
Here is what i'm seeing in /var/log/daemon.log before and after running pve-firewall reload

Apr  8 16:32:06 srv7-prox-dac pve-firewall[23595]: status update error: iptables_restore_cmdlist: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Apr  8 16:32:16 srv7-prox-dac pve-firewall[23595]: status update error: iptables_restore_cmdlist: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Apr  8 16:32:26 srv7-prox-dac pve-firewall[23595]: status update error: iptables_restore_cmdlist: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Apr  8 16:32:36 srv7-prox-dac pve-firewall[23595]: status update error: iptables_restore_cmdlist: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Apr  8 16:32:46 srv7-prox-dac pve-firewall[23595]: status update error: iptables_restore_cmdlist: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Apr  8 16:32:46 srv7-prox-dac systemd[1]: Started Session 371 of user root.
Apr  8 16:32:52 srv7-prox-dac systemd[1]: Reloading Proxmox VE firewall.
Apr  8 16:32:52 srv7-prox-dac pve-firewall[29249]: send HUP to 23595
Apr  8 16:32:52 srv7-prox-dac pve-firewall[23595]: received signal HUP
Apr  8 16:32:52 srv7-prox-dac pve-firewall[23595]: server shutdown (restart)
Apr  8 16:32:52 srv7-prox-dac systemd[1]: Reloaded Proxmox VE firewall.
Apr  8 16:32:53 srv7-prox-dac pve-firewall[23595]: restarting server
Apr  8 16:32:53 srv7-prox-dac pve-firewall[23595]: status update error: iptables_restore_cmdlist: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Apr  8 16:33:00 srv7-prox-dac systemd[1]: Starting Proxmox VE replication runner...
Apr  8 16:33:01 srv7-prox-dac systemd[1]: Started Proxmox VE replication runner.
Apr  8 16:33:03 srv7-prox-dac pve-firewall[23595]: status update error: iptables_restore_cmdlist: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Apr  8 16:33:13 srv7-prox-dac pve-firewall[23595]: status update error: iptables_restore_cmdlist: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Apr  8 16:33:23 srv7-prox-dac pve-firewall[23595]: status update error: iptables_restore_cmdlist: Try `iptables-restore -h' or 'iptables-restore --help' for more information.

Not sure how to troubleshoot from here.

 

[Tim Riggs]

This ended up resolving itself for me after apt-get update and a node reboot.

 

[wbumiller]

A quick glance over the compile.txt shows a rather long multiport line (in the 'cpanel' group's input). pve-firewall >= 3.0-6 should actually complain about this when entering it, see if it works when you remove it, if that helps, split it into multiple rules.

 

[JulienMru]

Wow wbumiller That was the issue. Thanks a lot for your insight.

Is there anyway to debug this kind of issue without having to ask for your help?

 

[wbumiller]

There's a long term plan to try to test rules better when applying them to find a way to somehow mark them on the UI or at least show specifically which rule doesn't work in the logs, but the low level tools make this quite difficult/inconvenient so for now this isn't happening - we're trying to catch issues while rules are being added, but as you noticed not all limitations have been covered yet.

 

[JulienMru]

Thanks for the follow-up.

 

[Virtualizer]

Dear, we have the same phenomen now on 2 hosts with proxmox 5.2-2 on the old proxmox 4.x this problems comes not up!

Uname -a:
Linux pm21-host 4.15.17-3-pve #1 SMP PVE 4.15.17-13 (Mon, 18 Jun 2018 17:15:04 +0200) x86_64 GNU/Linux

The problem is, in this situation the firewall not blocks the bad traffic!