status update error: iptables_restore_cmdlist

M

Machine Manager

Member
Oct 10, 2022
48
2
13
I don't know when this issue started, but I have IPv6 disabled via grub by using "ipv6.disable=1" on
GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub.

My syslog is being flooded with the following messages:

Code: 
Nov 19 10:53:24 pve pve-firewall[1053]: status update error: iptables_restore_cmdlist: Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.

I've found this old thread, but it seems the issue is supposed to be fixed by now: https://forum.proxmox.com/threads/pve-firewall-problem.53822/

There is also this old article from Red Hat: https://access.redhat.com/solutions/3138851

Maybe it is a regression?
 
Hi,
Looks like we are not checking if ipv6 is disabled in the kernel at boot. I got the same error when disabling ipv6 via the boot parameter. I would recommend you disable IPv6 via /etc/sysctl.conf and add those two lines:

Code: 
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

You can load the changes either via a reboot or via executing sysctl -p.

Regards
 
  • Like
Reactions: Machine Manager
Following your instructions in conjunction with the GRUB option I get the following error:

Code: 
$ sysctl -p

/proc/sys/net/ipv6/conf/all/disable_ipv6: No such file or directory
/proc/sys/net/ipv6/conf/default/disable_ipv6: No such file or directory

I had to remove the GRUB option, so the system created the ipv6 sub-directory and then no errors.
 
  • Like
Reactions: endurance
I can confirm using grub to disable creates issues :( learned it the hard way :) I should have read the docs before.
Using the proposed way seems to create no issues (at least none I currently see).
 
endurance said:
I can confirm using grub to disable creates issues :(
Click to expand...
technically you can also set the sysctl on the kernel cmdline with grub [0,1] (since kernel 5.8 afaict) - but that would be 'sysctl.net.ipv6.conf.all.disable_ipv6=1' and I would still recommend going with /etc/sysctl.conf

endurance said:
Using the proposed way seems to create no issues (at least none I currently see).
Click to expand...
We did quite a bit of testing with that 1.5 years ago - and it seemed working well to us - if anything pops up - let us know

In any case - glad you resolved your issue!

[0] https://unix.stackexchange.com/ques...et-sysctl-using-kernel-command-line-parameter
[1] https://www.kernel.org/doc/Documentation/admin-guide/kernel-parameters.txt
 
Stoiko Ivanov said:
technically you can also set the sysctl on the kernel cmdline with grub [0,1] (since kernel 5.8 afaict) - but that would be 'sysctl.net.ipv6.conf.all.disable_ipv6=1' and I would still recommend going with /etc/sysctl.conf
Click to expand...
I think `sysctl.net.ipv6.conf.all.disable_ipv6` is not the correct parameter.

Stoiko Ivanov said:
We did quite a bit of testing with that 1.5 years ago - and it seemed working well to us - if anything pops up - let us know

In any case - glad you resolved your issue!

[0] https://unix.stackexchange.com/ques...et-sysctl-using-kernel-command-line-parameter
[1] https://www.kernel.org/doc/Documentation/admin-guide/kernel-parameters.txt
Click to expand...

One issue I've noticed is the LXC containers still get IPv6 assigned to their ethernet devices, which can be verified running `ip a` in their console. On the other hand, using the GRUB option does not let the containers get IPv6 assigned to their devices.

So, if one decides to completely disable IPv6 on the network, then it is necessary to add the `sysctl` configuration to every single container, which is at least annoying.
 
~# diff /usr/share/perl5/PVE/Firewall.pm.orig /usr/share/perl5/PVE/Firewall.pm.ipv6-disabled
1913c1913
< run_command(['ip6tables-restore', '-T', $table, '-n'], input => $cmdlist, errmsg => "iptables_restore_cmdlist");
---
> #run_command(['ip6tables-restore', '-T', $table, '-n'], input => $cmdlist, errmsg => "iptables_restore_cmdlist");

After making changes reboot or (/usr/sbin/pve-firewall stop;/usr/sbin/pve-firewall start)
 
Last edited:
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom