VE 8.2: proxmox-firewall panicked

[alex123]

Hi,

after the update to 8.2 I can see a new service/package was installed: proxmox-firewall. Its set to enabled/autostart by default. However, this service fails to start in my environment:

root@xxxxxxxxxxx:~# systemctl status proxmox-firewall
× proxmox-firewall.service - Proxmox nftables firewall
     Loaded: loaded (/lib/systemd/system/proxmox-firewall.service; enabled; preset: enabled)
     Active: failed (Result: exit-code) since Wed 2024-04-24 16:55:38 CEST; 1s ago
   Duration: 2ms
    Process: 8404 ExecStart=/usr/libexec/proxmox/proxmox-firewall (code=exited, status=101)
   Main PID: 8404 (code=exited, status=101)
        CPU: 1ms


Apr 24 16:55:38 xxxxxxxxxxx systemd[1]: Started proxmox-firewall.service - Proxmox nftables firewall.
Apr 24 16:55:38 xxxxxxxxxxx proxmox-firewall[8404]: thread 'main' panicked at 'cluster firewall config is valid: invalid ip address or CIDR: "_v6"', proxmox-firewall/src/config.rs:187:58
Apr 24 16:55:38 xxxxxxxxxxx proxmox-firewall[8404]: note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
Apr 24 16:55:38 xxxxxxxxxxx systemd[1]: proxmox-firewall.service: Main process exited, code=exited, status=101/n/a
Apr 24 16:55:38 xxxxxxxxxxx systemd[1]: proxmox-firewall.service: Failed with result 'exit-code'.

I did not opt in to the nftables preview. Can I go ahead with the deactivation of this service?

Thanks!
Alex

 

[shanreich]

Yes you can deactivate the service as long as you are not using the nftables firewall.

 

[shanreich]

This should be fixed with 0.3.1 [1]. It might make sense to update and reenable the service, otherwise if it becomes the default at some point in the future you might get caught off guard when it is still disabled.

[1] https://git.proxmox.com/?p=proxmox-firewall.git;a=commit;h=b46ad3eedc5433e651d768ab3c1c5fd3a7df5a5c

 

[Matthias K]

Hi,
i have a different problem but also with input proxmox-firewall expects:

thread 'main' panicked at 'cluster firewall config is valid: Invalid address in IPSet: cluster-network-building', proxmox-firewall/src/config.rs:187:58

where cluster-network-building is an Alias to a public x.y.z.64/29
Does proxmox-firewall only accept addresses and no networks as part of an IPSet?
Regards,
Matthias

 

[shanreich]

It should also accept an alias, but we changed the format of aliases to be namespaced ~1 year ago, so they either should have dc/ or guest/ as prefix - it seems like this is not the case in your IPSet. If you have not edited your firewall configuration since the change your configuration will not contain those namespaces. So you would have to edit the IPSet and re-select the alias so it gets generated with the proper prefix.

 

[Matthias K]

It should also accept an alias, but we changed the format of aliases to be namespaced ~1 year ago, so they either should have dc/ or guest/ as prefix - it seems like this is not the case in your IPSet. If you have not edited your firewall configuration since the change your configuration will not contain those namespaces. So you would have to edit the IPSet and re-select the alias so it gets generated with the proper prefix.

Oh yeah, that cluster did not change much since creation, so i missed that one.
Works as described: re-adding for ipsets, re-selecting for rules.
Thanks!

 

[alex123]

So I can confirm 0.3.1 fixes my underscore naming issue.
But I face the crash with the missing dc/ / guest/ prefix now as well.

Are there changes planned to make proxmox-firewall more failproof or atleast trigger some kind of alert, when this service fails? Otherwise it will just leave the VMs/servers unprotected without anyone noticing.
I also guess there are many installations who did not adopt the new alias format. Is there some kind of auto migration planned? Or some hint that the format in use is outdated? https://lists.proxmox.com/pipermail/pve-devel/2023-June/057284.html the patch for pve-firewall provides backwards compatibility. Would be nice to see this with proxmox-firewall as well.

I also prefer a service that will not crash because one or another rule is not correctly understood.

Thanks!

 

[shanreich]

Are there changes planned to make proxmox-firewall more failproof or atleast trigger some kind of alert, when this service fails? Otherwise it will just leave the VMs/servers unprotected without anyone noticing.

Yes, I am working on a patch for addressing this, the fact that it crashes was not my intention.

Since the proxmox-firewall is currently opt-in only there is no issue of your host being unprotected if you did not explicitly switch to the nftables firewall. The old pve-firewall is still doing its job in the meanwhile.

 

[fireon]

It should also accept an alias, but we changed the format of aliases to be namespaced ~1 year ago, so they either should have dc/ or guest/ as prefix - it seems like this is not the case in your IPSet. If you have not edited your firewall configuration since the change your configuration will not contain those namespaces. So you would have to edit the IPSet and re-select the alias so it gets generated with the proper prefix.

worked, thanks

 

[bertd2]

It should also accept an alias, but we changed the format of aliases to be namespaced ~1 year ago, so they either should have dc/ or guest/ as prefix - it seems like this is not the case in your IPSet. If you have not edited your firewall configuration since the change your configuration will not contain those namespaces. So you would have to edit the IPSet and re-select the alias so it gets generated with the proper prefix.

I could not find documentation on how to do this (but that may be my lack of google-fu). Did I overlook something in the upgrade notes?

Through trial and error I found that I can redefine IPSets that use aliases, which put me on the right track for knowing what changes to make to /etc/pve/firewall/cluster.fw. The dc/ prefix has to be added to all alias references in [IPSET ] and [RULES ] stanzas, for the terminally curious.

 

[Gilou]

Yeah, I was impacted by that as well on a legacy rule using a legacy ipset (+management => dc/management) and that made proxmox-firewall fail. Fixing it made it start nicely.