[RESOLVED] IPSET: restore failed - firewall cannot anymore

felipe

Hello,

After some time now I get this message all the time and the firewall will not reload anymore. How can I debug that?

pve-firewall[13672]: status update error: command '/usr/sbin/ipset restore' failed: exit code 1


 
Re: IPSET: restore failed - firewall cannot anymore

What is the output of

# pve-firewall compile
 
Re: IPSET: restore failed - firewall cannot anymore

[del]
 
Re: IPSET: restore failed - firewall cannot anymore

create PVEFW-0-ceph-hosts hash:net family inet hashsize 64 maxelem 64
add PVEFW-0-ceph-hosts 192.168.13.0/24
create PVEFW-0-management hash:net family inet hashsize 64 maxelem 64
add PVEFW-0-management 192.168.11.0/24
create PVEFW-0-storage-network hash:net family inet hashsize 64 maxelem 64
add PVEFW-0-storage-network 192.168.10.0/24
create PVEFW-0-venet0 hash:net family inet hashsize 64 maxelem 64
create PVEFW-0-horvath-net hash:net family inet hashsize 64 maxelem 64
add PVEFW-0-horvath-net 212.232.26.73
add PVEFW-0-horvath-net 192.168.33.35
add PVEFW-0-horvath-net 192.168.33.1
add PVEFW-0-horvath-net 192.168.33.29
add PVEFW-0-horvath-net 212.232.26.102
add PVEFW-0-horvath-net 192.168.33.34
add PVEFW-0-horvath-net 192.168.33.33
add PVEFW-0-horvath-net 192.168.33.28
add PVEFW-0-horvath-net 192.168.33.31
add PVEFW-0-horvath-net 192.168.33.30
add PVEFW-0-horvath-net 192.168.111.0/24
add PVEFW-0-horvath-net 192.168.33.32
add PVEFW-0-horvath-net 192.168.110.0/24
add PVEFW-0-horvath-net 212.232.26.51
create PVEFW-0-mailingserver-hosts hash:net family inet hashsize 64 maxelem 64
 
Re: IPSET: restore failed - firewall cannot anymore

Maybe PVEFW-0-mailingserver-hosts is too long? Because this ipset also has about 12 IPs in the GUI, but they are missing in the ipset save.
 
Re: IPSET: restore failed - firewall cannot anymore

Yep, it works now!
So there is a maximum length! Don't know how much... but it seems to be short. Maybe add this to the regexp pattern for the name in the GUI!
 
Re: IPSET: restore failed - firewall cannot anymore

No, we have a bug with empty ipsets. The following command solves the problem (as a workaround):

# ipset destroy PVEFW-0-mailingserver-hosts

But the rename also solves the problem.

Will try to find a real fix now.
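
Added example, not part of the thread and not Proxmox code: a shell helper that reads `ipset save` format and reports each set's member count and name length, flagging sets that have a `create` line but no `add` lines (the empty-ipset condition named in the reply above). The function names are hypothetical, the sample is trimmed from the dump posted earlier in the thread, and the 31-character figure is ipset's own limit on set names.

```shell
#!/bin/sh
# audit_ipset_dump: read ipset save/restore format on stdin and print one
# line per set: "<set> members=<n> namelen=<len>" plus flags.
#   EMPTY          set is created but never receives an "add" line
#   NAME_TOO_LONG  name exceeds ipset's 31-character limit
audit_ipset_dump() {
    awk '
        $1 == "create" { order[++n] = $2; count[$2] = 0; next }
        $1 == "add" && ($2 in count) { count[$2]++; next }
        END {
            for (i = 1; i <= n; i++) {
                s = order[i]
                flag = ""
                if (count[s] == 0)  flag = flag " EMPTY"
                if (length(s) > 31) flag = flag " NAME_TOO_LONG"
                printf "%s members=%d namelen=%d%s\n", s, count[s], length(s), flag
            }
        }'
}

# empty_sets: print only the names of sets that have no members.
empty_sets() {
    audit_ipset_dump | awk '/ EMPTY/ { print $1 }'
}

# Sample input: a trimmed copy of the dump posted in this thread.
SAMPLE='create PVEFW-0-management hash:net family inet hashsize 64 maxelem 64
add PVEFW-0-management 192.168.11.0/24
create PVEFW-0-venet0 hash:net family inet hashsize 64 maxelem 64
create PVEFW-0-mailingserver-hosts hash:net family inet hashsize 64 maxelem 64'

# On a live host the same check is: ipset save | audit_ipset_dump
printf '%s\n' "$SAMPLE" | audit_ipset_dump
```

Comparing the flagged names with the IP sets defined in the GUI shows which sets lost their entries before `ipset restore` is retried.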
 
Re: IPSET: restore failed - firewall cannot anymore

OK, but the question is then WHY was the ipset empty? In the GUI I had about 12 IPs there...
Maybe another bug?
 
Re: IPSET: restore failed - firewall cannot anymore

OK. When I make really long ipset names, then other names are generated for them and it works.
BUT with ipsets with exactly 19 numbers (did not check 18 or 20) I will always get an empty ipset, even when I enter some IPs...
 
Re: IPSET: restore failed - firewall cannot anymore

thanks!

bug is fixed now. bugfix works as expected :)
 
