[pve-devel] can't add fwpr2004p0 to bridge vmbr0: Unknown error 524
Alexandre DERUMIER
aderumier at odiso.com
Tue Jun 17 10:44:19 CEST 2014
By the way, I think we could improve,
Firewall.pm

sub iptables_restore_cmdlist {
    my ($cmdlist) = @_;
    run_command("/sbin/iptables-restore -n", input => $cmdlist);
}

and parse the iptables-restore errors (we can have info of which line is wrong in iptables commands)
----- Original Message -----
From: "Alexandre DERUMIER" <aderumier at odiso.com>
To: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
Cc: pve-devel at pve.proxmox.com
Sent: Tuesday 17 June 2014 10:38:12
Subject: Re: [pve-devel] can't add fwpr2004p0 to bridge vmbr0: Unknown error 524
>>Jun 17 10:28:04 cloud3-1351 pve-firewall[7944]: status update error:
>>command '/sbin/iptables-restore -n' failed: exit code 1
Something seems wrong in the generated rules.
Can you do a
#pve-firewall compile
to see the generated rules?
----- Original Message -----
From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com
Sent: Tuesday 17 June 2014 10:28:32
Subject: Re: [pve-devel] can't add fwpr2004p0 to bridge vmbr0: Unknown error 524
Log says:
Jun 17 10:27:59 cloud3-1351 dnsmasq-dhcp[8437]: DHCP packet received on
fwbr2004i0 which has no address
Jun 17 10:28:02 cloud3-1351 dnsmasq-dhcp[8437]: DHCPDISCOVER(vmbr0)
c2:3e:63:19:6c:bf
Jun 17 10:28:02 cloud3-1351 dnsmasq-dhcp[8437]: DHCPOFFER(vmbr0)
10.10.28.3 c2:3e:63:19:6c:bf
Jun 17 10:28:04 cloud3-1351 pve-firewall[7944]: status update error:
command '/sbin/iptables-restore -n' failed: exit code 1
On 17.06.2014 10:26, Stefan Priebe - Profihost AG wrote:
> OK adding an empty
> netpoll pdo controller to the veth device in the kernel fixes the problem.
>
> The veth device does not support netpoll.
>
> Without the netconsole driver I can start the VM. But if the firewall is
> enabled I have no network - even with Input Policy and Output Policy set
> to ACCEPT.
>
> What should I check now?
>
> Stefan
> On 16.06.2014 11:49, Alexandre DERUMIER wrote:
>>>> I think this should get cleaned in that case?
>>
>> currently the cleanup is done:
>>
>> at vm shutdown
>> at vm start
>> when you disable|enable firewall on netX through api
>>
>> but indeed we can improve that (I'll try to have a look at it)
>>
>>
>>>> I just don't get why it works for vmbr1 but not for vmbr0.
>>
>> can you try to manually add
>>
>> #brctl addif fwln2004i0 fwbr2004i0
>> #brctl addif fwpr2004p0 vmbr0
>>
>> ?
>>
>>
>>
>>
>> ----- Original Message -----
>>
>> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
>> To: "Alexandre DERUMIER" <aderumier at odiso.com>
>> Cc: pve-devel at pve.proxmox.com
>> Sent: Monday 16 June 2014 11:40:59
>> Subject: Re: [pve-devel] can't add fwpr2004p0 to bridge vmbr0: Unknown error 524
>>
>> On 16.06.2014 11:37, Alexandre DERUMIER wrote:
>>>>> What is the difference between the normal tap device without firewall -
>>>>> which works fine for me on vmbr0 and vmbr1 and the firewall tap one?
>>>
>>> There is no difference.
>>>
>>> We just need a dedicated bridge (fwbrxxx) per firewalled tap interface,
>>> and this bridge is plugged into vmbrX through a veth pair (fwprxxxx)
>>
>> I just don't get why it works for vmbr1 but not for vmbr0.
>>
>> I don't see a difference.
>>
>> Generally if adding the bridge fails for whatever reason there is a lot
>> of unremoved stuff:
>>
>> [: ~]# ip a l | grep fwbr
>> 14: fwbr2004i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue
>> state UP
>> 16: fwln2004i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc
>> pfifo_fast master fwbr2004i0 state UP qlen 1000
>>
>> [: ~]# ifconfig| grep ^fw
>> fwbr2004i0 Link encap:Ethernet HWaddr d2:74:33:d9:50:92
>> fwln2004i0 Link encap:Ethernet HWaddr d2:74:33:d9:50:92
>> fwpr2004p0 Link encap:Ethernet HWaddr b2:47:35:28:2c:de
>>
>> I think this should get cleaned in that case?
>>
>> Stefan
>>
>>>
>>> ----- Original Message -----
>>>
>>> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
>>> To: "Alexandre DERUMIER" <aderumier at odiso.com>
>>> Cc: pve-devel at pve.proxmox.com
>>> Sent: Monday 16 June 2014 11:29:00
>>> Subject: Re: [pve-devel] can't add fwpr2004p0 to bridge vmbr0: Unknown error 524
>>>
>>> What is the difference between the normal tap device without firewall -
>>> which works fine for me on vmbr0 and vmbr1 and the firewall tap one?
>>>
>>> Stefan
>>> On 16.06.2014 11:10, Stefan Priebe - Profihost AG wrote:
>>>> Hi,
>>>>
>>>> I get the same problem with the official redhat PVE Kernel.
>>>>
>>>> What I don't understand is that it works fine with vmbr1 but not with
>>>> vmbr0.
>>>>
>>>> Interfaces file on host:
>>>>
>>>> auto vmbr0
>>>> iface vmbr0 inet static
>>>> address XX.XX.XX.XX
>>>> netmask 255.255.255.128
>>>> gateway XX.XX.XX.XX
>>>> bridge_ports bond0
>>>> bridge_stp off
>>>> bridge_fd 0
>>>>
>>>> auto vmbr1
>>>> iface vmbr1 inet manual
>>>> bridge_ports bond1
>>>> bridge_stp off
>>>> bridge_fd 0
>>>>
>>>> Stefan
>>>>
>>>> On 16.06.2014 09:50, Alexandre DERUMIER wrote:
>>>>>>> Do i need a special kernel feature?
>>>>> I don't think so.
>>>>> It just creates a veth pair, then plugs it into the bridge.
>>>>>
>>>>> I checked my logs, I don't have these
>>>>>
>>>>> "netpoll: (null): fwpr2004p0 doesn't support polling, aborting "
>>>>>
>>>>> Do you use a custom kernel?
>>>>
>>>> Stefan
>>>>
> _______________________________________________
> pve-devel mailing list
> pve-devel at pve.proxmox.com
> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>
_______________________________________________
pve-devel mailing list
pve-devel at pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
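
The improvement suggested at the top of this message (parsing the iptables-restore error to find which line of the generated commands is wrong), shown as an added example that is not part of the original mail or of the pve-firewall code. The sub name locate_restore_error, the EXAMPLE-IN chain, and the sample ruleset and stderr text are constructed for illustration; how stderr is captured from run_command is left to the caller.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example: map an iptables-restore error message back to the line of
# the ruleset that was piped to it. The sub name is hypothetical.
sub locate_restore_error {
    my ($cmdlist, $stderr) = @_;

    # iptables-restore reports parse errors as "Error occurred at line: N"
    # and other failed lines as "iptables-restore: line N failed".
    my ($lineno) = $stderr =~ /Error occurred at line:\s*(\d+)/;
    ($lineno) = $stderr =~ /^iptables-restore: line (\d+) failed/m
        if !defined($lineno);
    return if !defined($lineno);

    # Line numbers are 1-based and count every input line, comments included.
    my @lines = split(/\n/, $cmdlist);
    my $rule = ($lineno >= 1 && $lineno <= @lines) ? $lines[$lineno - 1] : undef;

    # The first non-empty stderr line usually carries the reason.
    my ($reason) = grep { /\S/ } split(/\n/, $stderr);

    return { line => $lineno, rule => $rule, reason => $reason };
}

# Constructed ruleset with a typo in the target on line 4.
my $cmdlist = <<'EOF';
*filter
:EXAMPLE-IN - [0:0]
-A EXAMPLE-IN -p tcp --dport 22 -j ACCEPT
-A EXAMPLE-IN -p tcp --dport 8006 -j ACCPT
COMMIT
EOF

# Constructed stderr in the format iptables-restore uses for parse errors.
my $stderr = <<'EOF';
iptables-restore vX.Y.Z: Couldn't load target `ACCPT':No such file or directory

Error occurred at line: 4
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
EOF

if (my $info = locate_restore_error($cmdlist, $stderr)) {
    printf "iptables-restore failed at line %d: %s\n",
        $info->{line}, $info->{rule} // '(line not in ruleset)';
    print "reason: $info->{reason}\n";
}
```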