`pve-firewall status` stuck on "Status: enabled/running (pending changes)"

Jan 24, 2017
Dear all,

I have a cluster of 6 nodes, two of which have an issue with `pve-firewall status` stuck on "Status: enabled/running (pending changes)". The firewall is enabled on the Datacenter, on the node and on the VMs.

I attached the output of `pve-firewall compile`: do you have any idea of what's wrong?

The firewall is not working (i.e. no packets are filtered), possibly because of this error.

Code:
root@node5:~# pveversion -v
proxmox-ve: 4.4-107 (running kernel: 4.4.44-1-pve)
pve-manager: 4.4-22 (running version: 4.4-22/2728f613)
pve-kernel-4.4.35-1-pve: 4.4.35-77
pve-kernel-4.4.44-1-pve: 4.4.44-84
pve-kernel-4.4.98-6-pve: 4.4.98-107
pve-kernel-4.4.49-1-pve: 4.4.49-86
lvm2: 2.02.116-pve3
corosync-pve: 2.4.2-2~pve4+1
libqb0: 1.0.1-1
pve-cluster: 4.0-54
qemu-server: 4.0-115
pve-firmware: 1.1-11
libpve-common-perl: 4.0-96
libpve-access-control: 4.0-23
libpve-storage-perl: 4.0-76
pve-libspice-server1: 0.12.8-2
vncterm: 1.3-2
pve-docs: 4.4-4
pve-qemu-kvm: 2.9.1-9~pve4
pve-container: 1.0-104
pve-firewall: 2.0-33
pve-ha-manager: 1.0-41
ksm-control-daemon: 1.2-1
glusterfs-client: 3.5.2-2+deb8u3
lxc-pve: 2.0.7-4
lxcfs: 2.0.6-pve1
criu: 1.6.0-1
novnc-pve: 0.5-9
smartmontools: 6.5+svn4324-1~pve80
zfsutils: 0.6.5.9-pve15~bpo80
openvswitch-switch: 2.6.0-2

Best regards.
 

Attachments

  • compile.txt (36.9 KB)
I'm experiencing the same issue.
Here is what I'm seeing in /var/log/daemon.log before and after running `pve-firewall reload`:
Code:
Apr  8 16:32:06 srv7-prox-dac pve-firewall[23595]: status update error: iptables_restore_cmdlist: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Apr  8 16:32:16 srv7-prox-dac pve-firewall[23595]: status update error: iptables_restore_cmdlist: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Apr  8 16:32:26 srv7-prox-dac pve-firewall[23595]: status update error: iptables_restore_cmdlist: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Apr  8 16:32:36 srv7-prox-dac pve-firewall[23595]: status update error: iptables_restore_cmdlist: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Apr  8 16:32:46 srv7-prox-dac pve-firewall[23595]: status update error: iptables_restore_cmdlist: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Apr  8 16:32:46 srv7-prox-dac systemd[1]: Started Session 371 of user root.
Apr  8 16:32:52 srv7-prox-dac systemd[1]: Reloading Proxmox VE firewall.
Apr  8 16:32:52 srv7-prox-dac pve-firewall[29249]: send HUP to 23595
Apr  8 16:32:52 srv7-prox-dac pve-firewall[23595]: received signal HUP
Apr  8 16:32:52 srv7-prox-dac pve-firewall[23595]: server shutdown (restart)
Apr  8 16:32:52 srv7-prox-dac systemd[1]: Reloaded Proxmox VE firewall.
Apr  8 16:32:53 srv7-prox-dac pve-firewall[23595]: restarting server
Apr  8 16:32:53 srv7-prox-dac pve-firewall[23595]: status update error: iptables_restore_cmdlist: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Apr  8 16:33:00 srv7-prox-dac systemd[1]: Starting Proxmox VE replication runner...
Apr  8 16:33:01 srv7-prox-dac systemd[1]: Started Proxmox VE replication runner.
Apr  8 16:33:03 srv7-prox-dac pve-firewall[23595]: status update error: iptables_restore_cmdlist: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Apr  8 16:33:13 srv7-prox-dac pve-firewall[23595]: status update error: iptables_restore_cmdlist: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Apr  8 16:33:23 srv7-prox-dac pve-firewall[23595]: status update error: iptables_restore_cmdlist: Try `iptables-restore -h' or 'iptables-restore --help' for more information.

Not sure how to troubleshoot from here.
 
A quick glance over the compile.txt shows a rather long multiport line (in the 'cpanel' group's input). pve-firewall >= 3.0-6 should actually complain about this when entering it; see if it works when you remove it, and if that helps, split it into multiple rules.
 
There's a long term plan to try to test rules better when applying them to find a way to somehow mark them on the UI or at least show specifically which rule doesn't work in the logs, but the low level tools make this quite difficult/inconvenient so for now this isn't happening - we're trying to catch issues while rules are being added, but as you noticed not all limitations have been covered yet.
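The check described in the replies above, as an added example that is not part of this thread or of pve-firewall itself: it scans rules in the style that `pve-firewall compile` emits for multiport lists longer than iptables' limit of 15 ports (a port range counts as two), which is what makes iptables-restore reject the whole ruleset, and splits an oversized rule into several rules that stay within the limit. The sample rules, the chain names and the `GROUP-cpanel-IN` port list are constructed, not taken from the poster's attachment.

```python
import re

# iptables' multiport match takes at most 15 ports per rule, a "first:last"
# range counting as two (iptables-extensions man page); a longer list makes
# iptables-restore fail with the usage message seen in daemon.log above.
MULTIPORT_MAX = 15
PORT_OPT_RE = re.compile(r"(-m multiport .*?--(?:dports|sports|ports)\s+)(\S+)")

def multiport_weight(spec: str) -> int:
    """Count a comma-separated port list the way multiport does."""
    return sum(2 if ":" in p else 1 for p in spec.split(","))

def split_ports(spec: str, limit: int = MULTIPORT_MAX) -> list[str]:
    """Greedily pack port entries into lists whose weight stays <= limit."""
    chunks, cur = [], []
    for entry in spec.split(","):
        if cur and multiport_weight(",".join(cur + [entry])) > limit:
            chunks.append(",".join(cur))
            cur = []
        cur.append(entry)
    if cur:
        chunks.append(",".join(cur))
    return chunks

def check_rules(lines: list[str]) -> list[tuple[str, int]]:
    """Return (rule, entry count) for every rule whose port list is too long."""
    bad = []
    for line in lines:
        m = PORT_OPT_RE.search(line)
        if m and multiport_weight(m.group(2)) > MULTIPORT_MAX:
            bad.append((line, multiport_weight(m.group(2))))
    return bad

def split_rule(line: str) -> list[str]:
    """Rewrite one oversized rule as several that iptables-restore accepts."""
    m = PORT_OPT_RE.search(line)
    if not m:
        return [line]
    return [line[:m.start(2)] + chunk + line[m.end(2):]
            for chunk in split_ports(m.group(2))]

# Constructed sample in the style of `pve-firewall compile` output (not the
# poster's attachment): a cPanel-like group listing 23 destination ports.
SAMPLE_RULES = [
    "-A GROUP-cpanel-IN -p tcp -m multiport --dports 20,21,22,25,53,80,110,143,"
    "443,465,587,993,995,2077,2078,2079,2080,2082,2083,2086,2087,2095,2096 -j RETURN",
    "-A GROUP-web-IN -p tcp -m multiport --dports 80,443,8000:8100 -j RETURN",
]
```

Feeding the real `pve-firewall compile` output through `check_rules` points at the offending rule directly, which the daemon log's bare iptables-restore usage message does not.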
 
Dear all, we have the same phenomenon now on 2 hosts with Proxmox 5.2-2; on the old Proxmox 4.x this problem does not come up!

Uname -a:
Linux pm21-host 4.15.17-3-pve #1 SMP PVE 4.15.17-13 (Mon, 18 Jun 2018 17:15:04 +0200) x86_64 GNU/Linux

The problem is, in this situation the firewall does not block the bad traffic!
 