`pve-firewall status` stuck on "Status: enabled/running (pending changes)"

Jan 24, 2017
Dear all,

I have a cluster of 6 nodes, two of which have an issue with `pve-firewall status` stuck on "Status: enabled/running (pending changes)". The firewall is enabled on the Datacenter, on the node and on the VMs.

I attached the output of `pve-firewall compile`: do you have any idea of what's wrong?

The firewall is not working (i.e. no packets are filtered), possibly because of this error.

Code:
root@node5:~# pveversion -v
proxmox-ve: 4.4-107 (running kernel: 4.4.44-1-pve)
pve-manager: 4.4-22 (running version: 4.4-22/2728f613)
pve-kernel-4.4.35-1-pve: 4.4.35-77
pve-kernel-4.4.44-1-pve: 4.4.44-84
pve-kernel-4.4.98-6-pve: 4.4.98-107
pve-kernel-4.4.49-1-pve: 4.4.49-86
lvm2: 2.02.116-pve3
corosync-pve: 2.4.2-2~pve4+1
libqb0: 1.0.1-1
pve-cluster: 4.0-54
qemu-server: 4.0-115
pve-firmware: 1.1-11
libpve-common-perl: 4.0-96
libpve-access-control: 4.0-23
libpve-storage-perl: 4.0-76
pve-libspice-server1: 0.12.8-2
vncterm: 1.3-2
pve-docs: 4.4-4
pve-qemu-kvm: 2.9.1-9~pve4
pve-container: 1.0-104
pve-firewall: 2.0-33
pve-ha-manager: 1.0-41
ksm-control-daemon: 1.2-1
glusterfs-client: 3.5.2-2+deb8u3
lxc-pve: 2.0.7-4
lxcfs: 2.0.6-pve1
criu: 1.6.0-1
novnc-pve: 0.5-9
smartmontools: 6.5+svn4324-1~pve80
zfsutils: 0.6.5.9-pve15~bpo80
openvswitch-switch: 2.6.0-2
Best regards.

Tim Riggs

New Member
Apr 8, 2018
I'm experiencing the same issue.
Here is what I'm seeing in /var/log/daemon.log before and after running `pve-firewall reload`:
Code:
Apr  8 16:32:06 srv7-prox-dac pve-firewall[23595]: status update error: iptables_restore_cmdlist: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Apr  8 16:32:16 srv7-prox-dac pve-firewall[23595]: status update error: iptables_restore_cmdlist: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Apr  8 16:32:26 srv7-prox-dac pve-firewall[23595]: status update error: iptables_restore_cmdlist: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Apr  8 16:32:36 srv7-prox-dac pve-firewall[23595]: status update error: iptables_restore_cmdlist: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Apr  8 16:32:46 srv7-prox-dac pve-firewall[23595]: status update error: iptables_restore_cmdlist: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Apr  8 16:32:46 srv7-prox-dac systemd[1]: Started Session 371 of user root.
Apr  8 16:32:52 srv7-prox-dac systemd[1]: Reloading Proxmox VE firewall.
Apr  8 16:32:52 srv7-prox-dac pve-firewall[29249]: send HUP to 23595
Apr  8 16:32:52 srv7-prox-dac pve-firewall[23595]: received signal HUP
Apr  8 16:32:52 srv7-prox-dac pve-firewall[23595]: server shutdown (restart)
Apr  8 16:32:52 srv7-prox-dac systemd[1]: Reloaded Proxmox VE firewall.
Apr  8 16:32:53 srv7-prox-dac pve-firewall[23595]: restarting server
Apr  8 16:32:53 srv7-prox-dac pve-firewall[23595]: status update error: iptables_restore_cmdlist: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Apr  8 16:33:00 srv7-prox-dac systemd[1]: Starting Proxmox VE replication runner...
Apr  8 16:33:01 srv7-prox-dac systemd[1]: Started Proxmox VE replication runner.
Apr  8 16:33:03 srv7-prox-dac pve-firewall[23595]: status update error: iptables_restore_cmdlist: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Apr  8 16:33:13 srv7-prox-dac pve-firewall[23595]: status update error: iptables_restore_cmdlist: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Apr  8 16:33:23 srv7-prox-dac pve-firewall[23595]: status update error: iptables_restore_cmdlist: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Not sure how to troubleshoot from here.

wbumiller

Proxmox Staff Member
Staff member
Jun 23, 2015
A quick glance over the compile.txt shows a rather long multiport line (in the 'cpanel' group's input). pve-firewall >= 3.0-6 should actually complain about this when entering it. See if it works when you remove it; if that helps, split it into multiple rules.
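To catch the kind of rule wbumiller points at before `pve-firewall` silently fails on it, here is an added Python lint (my own example, not Proxmox's code) that scans cluster.fw-style rules for `-dport`/`-sport` lists over the multiport limit and splits an over-long list into chunks that fit one rule each. It assumes iptables' multiport limit of 15 ports per rule with a range counting as two, and the config sample is constructed, not the thread's compile.txt.

```python
import re

# iptables' multiport match takes at most 15 ports per rule and counts a range as two
# ports (assumption taken from the iptables multiport documentation, not from the thread).
MULTIPORT_MAX = 15
PORT_OPTS = ("-dport", "-sport")

# Constructed cluster.fw-style sample modelled on the thread's 'cpanel' group; not the attachment.
SAMPLE_CLUSTER_FW = """\
[group cpanel]
IN ACCEPT -p tcp -dport 20,21,22,25,53,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096 -log nolog
IN ACCEPT -p tcp -dport 80,443 -log nolog
"""

def ports(spec):
    """Split a PVE port list ('80,443,8000:8010') into its comma-separated items."""
    return [p.strip() for p in spec.split(",") if p.strip()]

def count_multiport_ports(spec):
    """Count ports the way multiport does: 'a:b' or 'a-b' costs 2, a single port costs 1."""
    return sum(2 if re.fullmatch(r"\d+[:-]\d+", p) else 1 for p in ports(spec))

def check_rules(config_text):
    """Return (section, line_no, option, port_count) for each rule over the multiport limit."""
    findings, section = [], None
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := re.fullmatch(r"\[(.+)\]", line):  # section header such as [group cpanel]
            section = m.group(1)
            continue
        tokens = line.split()
        for i, tok in enumerate(tokens[:-1]):
            if tok in PORT_OPTS and (n := count_multiport_ports(tokens[i + 1])) > MULTIPORT_MAX:
                findings.append((section, line_no, tok, n))
    return findings

def split_port_spec(spec, limit=MULTIPORT_MAX):
    """Split one port list into chunks that each fit a single rule, as the staff reply suggests."""
    chunks, current, used = [], [], 0
    for item in ports(spec):
        cost = count_multiport_ports(item)
        if used + cost > limit:
            chunks.append(",".join(current))
            current, used = [], 0
        current.append(item)
        used += cost
    return chunks + [",".join(current)] if current else chunks
```

Run `check_rules` over the text of `/etc/pve/firewall/cluster.fw` (or a VM's `<vmid>.fw`) and feed each flagged list to `split_port_spec` to get the per-rule lists to enter instead.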

wbumiller

Proxmox Staff Member
Staff member
Jun 23, 2015
There's a long-term plan to try to test rules better when applying them, to find a way to somehow mark them in the UI or at least show specifically which rule doesn't work in the logs, but the low-level tools make this quite difficult/inconvenient, so for now this isn't happening. We're trying to catch issues while rules are being added, but as you noticed not all limitations have been covered yet.

Virtualizer

Active Member
Dec 19, 2011
Dear all, we have the same phenomenon now on 2 hosts with Proxmox 5.2-2; on the old Proxmox 4.x this problem did not come up!

uname -a:
Linux pm21-host 4.15.17-3-pve #1 SMP PVE 4.15.17-13 (Mon, 18 Jun 2018 17:15:04 +0200) x86_64 GNU/Linux

The problem is that in this situation the firewall does not block the bad traffic!
