status update error: iptables_restore_cmdlist

[Machine Manager]

I don't know when this issue started, but I have IPv6 disabled via grub by using "ipv6.disable=1" on
GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub.

My syslog is being flooded with the following messages:

Nov 19 10:53:24 pve pve-firewall[1053]: status update error: iptables_restore_cmdlist: Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.

I've found this old thread, but it seems the issue is supposed to be fixed by now: https://forum.proxmox.com/threads/pve-firewall-problem.53822/

There is also this old article from Red Hat: https://access.redhat.com/solutions/3138851

Maybe it is a regression?

 

[shrdlicka]

Hi,
Looks like we are not checking if ipv6 is disabled in the kernel at boot. I got the same error when disabling ipv6 via the boot parameter. I would recommend you disable IPv6 via /etc/sysctl.conf and add those two lines:

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

You can load the changes either via a reboot or via executing sysctl -p.

Regards

 

[Machine Manager]

Following your instructions in conjunction with the GRUB option I get the following error:

$ sysctl -p

/proc/sys/net/ipv6/conf/all/disable_ipv6: No such file or directory
/proc/sys/net/ipv6/conf/default/disable_ipv6: No such file or directory

I had to remove the GRUB option, so the system created the ipv6 sub-directory and then no errors.

 

[Stoiko Ivanov]

see https://pve.proxmox.com/pve-docs/chapter-sysadmin.html#_disabling_ipv6_on_the_node

completely disabling the ipv6 module (by using "ipv6.disable=1" on GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub.) is not supported, as it breaks quite a lot of things

remove that entry from grub-config (run update-grub) and reboot - /etc/sysctl.conf should work better as @shrdlicka mentioned

I hope this helps!

 

[endurance]

I can confirm using grub to disable creates issues learned it the hard way I should have read the docs before.
Using the proposed way seems to create no issues (at least none I currently see).

 

[Stoiko Ivanov]

I can confirm using grub to disable creates issues

technically you can also set the sysctl on the kernel cmdline with grub [0,1] (since kernel 5.8 afaict) - but that would be 'sysctl.net.ipv6.conf.all.disable_ipv6=1' and I would still recommend going with /etc/sysctl.conf

Using the proposed way seems to create no issues (at least none I currently see).

We did quite a bit of testing with that 1.5 years ago - and it seemed working well to us - if anything pops up - let us know

In any case - glad you resolved your issue!

[0] https://unix.stackexchange.com/ques...et-sysctl-using-kernel-command-line-parameter
[1] https://www.kernel.org/doc/Documentation/admin-guide/kernel-parameters.txt

 

[Machine Manager]

technically you can also set the sysctl on the kernel cmdline with grub [0,1] (since kernel 5.8 afaict) - but that would be 'sysctl.net.ipv6.conf.all.disable_ipv6=1' and I would still recommend going with /etc/sysctl.conf

I think `sysctl.net.ipv6.conf.all.disable_ipv6` is not the correct parameter.

We did quite a bit of testing with that 1.5 years ago - and it seemed working well to us - if anything pops up - let us know

In any case - glad you resolved your issue!

[0] https://unix.stackexchange.com/ques...et-sysctl-using-kernel-command-line-parameter
[1] https://www.kernel.org/doc/Documentation/admin-guide/kernel-parameters.txt

One issue I've noticed is the LXC containers still get IPv6 assigned to their ethernet devices, which can be verified running `ip a` in their console. On the other hand, using the GRUB option does not let the containers get IPv6 assigned to their devices.

So, if one decides to completely disable IPv6 on the network, then it is necessary to add the `sysctl` configuration to every single container, which is at least annoying.

 

[bryzgalov]

~# diff /usr/share/perl5/PVE/Firewall.pm.orig /usr/share/perl5/PVE/Firewall.pm.ipv6-disabled
1913c1913
< run_command(['ip6tables-restore', '-T', $table, '-n'], input => $cmdlist, errmsg => "iptables_restore_cmdlist");
---
> #run_command(['ip6tables-restore', '-T', $table, '-n'], input => $cmdlist, errmsg => "iptables_restore_cmdlist");

After making changes reboot or (/usr/sbin/pve-firewall stop;/usr/sbin/pve-firewall start)