[pve-devel] can't add fwpr2004p0 to bridge vmbr0: Unknown error 524
Alexandre DERUMIER
aderumier at odiso.com
Wed Jun 18 05:19:11 CEST 2014
I just sent a patch
#pve-firewall compile --full
it should display full iptables commands and iptables-restore error message
----- Original Message -----
From: "Alexandre DERUMIER" <aderumier at odiso.com>
To: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
Cc: pve-devel at pve.proxmox.com
Sent: Wednesday 18 June 2014 03:16:36
Subject: Re: [pve-devel] can't add fwpr2004p0 to bridge vmbr0: Unknown error 524
>>The output is very long! Do you need everything?
how many rules have you created? are you talking about MB of output?
if it's too big, you can send them to my email directly
----- Original Message -----
From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com
Sent: Tuesday 17 June 2014 15:09:57
Subject: Re: [pve-devel] can't add fwpr2004p0 to bridge vmbr0: Unknown error 524
On 17.06.2014 10:38, Alexandre DERUMIER wrote:
>>> Jun 17 10:28:04 cloud3-1351 pve-firewall[7944]: status update error:
>>> command '/sbin/iptables-restore -n' failed: exit code 1
>
> something seems wrong in the generated rules
>
> can you do a
>
> #pve-firewall compile
>
> to see generated rules ?
The output is very long! Do you need everything?
Stefan
> ----- Original Message -----
>
> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
> To: "Alexandre DERUMIER" <aderumier at odiso.com>
> Cc: pve-devel at pve.proxmox.com
> Sent: Tuesday 17 June 2014 10:28:32
> Subject: Re: [pve-devel] can't add fwpr2004p0 to bridge vmbr0: Unknown error 524
>
> Log says:
> Jun 17 10:27:59 cloud3-1351 dnsmasq-dhcp[8437]: DHCP packet received on
> fwbr2004i0 which has no address
> Jun 17 10:28:02 cloud3-1351 dnsmasq-dhcp[8437]: DHCPDISCOVER(vmbr0)
> c2:3e:63:19:6c:bf
> Jun 17 10:28:02 cloud3-1351 dnsmasq-dhcp[8437]: DHCPOFFER(vmbr0)
> 10.10.28.3 c2:3e:63:19:6c:bf
> Jun 17 10:28:04 cloud3-1351 pve-firewall[7944]: status update error:
> command '/sbin/iptables-restore -n' failed: exit code 1
>
> On 17.06.2014 10:26, Stefan Priebe - Profihost AG wrote:
>> OK adding an empty
>> netpoll pdo controller to the veth device in the kernel fixes the problem.
>>
>> The veth device does not support netpoll.
>>
>> Without the netconsole driver I can start the VM. But if the firewall is
>> enabled I have no network - even with Input Policy and Output Policy set
>> to ACCEPT.
>>
>> What should I check now?
>>
>> Stefan
>> On 16.06.2014 11:49, Alexandre DERUMIER wrote:
>>>>> I think this should get cleaned in that case?
>>>
>>> currently the cleanup is done:
>>>
>>> at vm shutdown
>>> at vm start
>>> when you disable|enable firewall on netX through api
>>>
>>> but indeed we can improve that (I'll try to have a look at it)
>>>
>>>
>>>>> I just don't get why it works for vmbr1 but not for vmbr0.
>>>
>>> can you try to manually add
>>>
>>> #brctl addif fwbr2004i0 fwln2004i0
>>> #brctl addif vmbr0 fwpr2004p0
>>>
>>> ?
>>>
>>>
>>>
>>>
>>> ----- Original Message -----
>>>
>>> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
>>> To: "Alexandre DERUMIER" <aderumier at odiso.com>
>>> Cc: pve-devel at pve.proxmox.com
>>> Sent: Monday 16 June 2014 11:40:59
>>> Subject: Re: [pve-devel] can't add fwpr2004p0 to bridge vmbr0: Unknown error 524
>>>
>>> On 16.06.2014 11:37, Alexandre DERUMIER wrote:
>>>>>> What is the difference between the normal tap device without firewall -
>>>>>> which works fine for me on vmbr0 and vmbr1 and the firewall tap one?
>>>>
>>>> There is no difference.
>>>>
>>>> we just need a dedicated bridge (fwbrxxx) per firewalled tap interface,
>>>> and this bridge is plugged into vmbrX through a veth pair (fwprxxxx)
>>>
>>> I just don't get why it works for vmbr1 but not for vmbr0.
>>>
>>> I don't see a difference.
>>>
>>> Generally if adding the bridge fails for whatever reason there is a lot
>>> of unremoved stuff:
>>>
>>> [: ~]# ip a l | grep fwbr
>>> 14: fwbr2004i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue
>>> state UP
>>> 16: fwln2004i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc
>>> pfifo_fast master fwbr2004i0 state UP qlen 1000
>>>
>>> [: ~]# ifconfig| grep ^fw
>>> fwbr2004i0 Link encap:Ethernet HWaddr d2:74:33:d9:50:92
>>> fwln2004i0 Link encap:Ethernet HWaddr d2:74:33:d9:50:92
>>> fwpr2004p0 Link encap:Ethernet HWaddr b2:47:35:28:2c:de
>>>
>>> I think this should get cleaned in that case?
>>>
>>> Stefan
>>>
>>>>
>>>> ----- Original Message -----
>>>>
>>>> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
>>>> To: "Alexandre DERUMIER" <aderumier at odiso.com>
>>>> Cc: pve-devel at pve.proxmox.com
>>>> Sent: Monday 16 June 2014 11:29:00
>>>> Subject: Re: [pve-devel] can't add fwpr2004p0 to bridge vmbr0: Unknown error 524
>>>>
>>>> What is the difference between the normal tap device without firewall -
>>>> which works fine for me on vmbr0 and vmbr1 and the firewall tap one?
>>>>
>>>> Stefan
>>>> On 16.06.2014 11:10, Stefan Priebe - Profihost AG wrote:
>>>>> Hi,
>>>>>
>>>>> I get the same problem with the official redhat PVE Kernel.
>>>>>
>>>>> What I don't understand is that it works fine with vmbr1 but not with
>>>>> vmbr0.
>>>>>
>>>>> Interfaces file on host:
>>>>>
>>>>> auto vmbr0
>>>>> iface vmbr0 inet static
>>>>>     address XX.XX.XX.XX
>>>>>     netmask 255.255.255.128
>>>>>     gateway XX.XX.XX.XX
>>>>>     bridge_ports bond0
>>>>>     bridge_stp off
>>>>>     bridge_fd 0
>>>>>
>>>>> auto vmbr1
>>>>> iface vmbr1 inet manual
>>>>>     bridge_ports bond1
>>>>>     bridge_stp off
>>>>>     bridge_fd 0
>>>>>
>>>>> Stefan
>>>>>
>>>>> On 16.06.2014 09:50, Alexandre DERUMIER wrote:
>>>>>>>> Do I need a special kernel feature?
>>>>>> I don't think so.
>>>>>> It just creates a veth pair, then plugs them into the bridge.
>>>>>>
>>>>>> I checked my logs, I don't have these
>>>>>>
>>>>>> "netpoll: (null): fwpr2004p0 doesn't support polling, aborting "
>>>>>>
>>>>>> do you use a custom kernel ?
>>>>>
>>>>> Stefan
>>>>>
>>
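Added example, not part of the original thread and not pve-firewall code: a shell function that reads `ip -o link show` output and lists the fwln*/fwpr* veth ends that are not attached to any bridge, which is the state the thread describes after the failed attempt to add fwpr2004p0 to vmbr0. The function names and the sample lines are constructed; the interface naming is assumed from the devices shown in the thread.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not pve-firewall code.

# Constructed sample in `ip -o link show` format, modelled on the device
# names in the thread. fwpr2004p0 has no "master": it never joined vmbr0.
sample_links() {
cat <<'EOF'
14: fwbr2004i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
16: fwln2004i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master fwbr2004i0 state UP qlen 1000
17: fwpr2004p0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
23: fwpr2010p0@fwln2010i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr1 state UP qlen 1000
EOF
}

# Read `ip -o link show` lines on stdin; print every fwln*/fwpr* veth end
# that has no "master <bridge>" field, one name per line.
unbridged_fw_ports() {
    awk '{
        name = $2
        sub(/:$/, "", name)     # drop the trailing colon
        sub(/@.*$/, "", name)   # drop the "@peer" suffix shown for veth devices
        if (name !~ /^fw(ln|pr)[0-9]+[ip][0-9]+$/) next
        master = ""
        for (i = 3; i < NF; i++)
            if ($i == "master") master = $(i + 1)
        if (master == "") print name
    }'
}

# Demo on the constructed sample; on a host, pipe in the real listing:
#   ip -o link show | unbridged_fw_ports
sample_links | unbridged_fw_ports
```

A name in the output means the firewalled NIC has no complete path to vmbrX, and it points at the leftover devices to clean up.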