[pve-devel] can't add fwpr2004p0 to bridge vmbr0: Unknown error 524

Stefan Priebe - Profihost AG s.priebe at profihost.ag
Wed Jun 18 09:46:34 CEST 2014 

Hi,

Am 18.06.2014 08:59, schrieb Alexandre DERUMIER:
> try my patch #pve-firewall compile --full
> 
> it should display the generate rules, and error message from iptables-restore

This is the output with patch applied:
http://pastebin.com/raw.php?i=rvt127kw

What i'm wondering is that these rulese also do things on my normal
interfaces where i already run custom firewall rules.

The next thing i tried was disabling the cluster firewall in hope that
this results in firewall rules ONLY for the VMs.

I think there should be a way to skip all those global rules for the hw
nodes and only apply rules for VMs.

Stefan


> ----- Mail original ----- 
> 
> De: "Stefan Priebe" <s.priebe at profihost.ag> 
> À: "Alexandre DERUMIER" <aderumier at odiso.com> 
> Cc: pve-devel at pve.proxmox.com 
> Envoyé: Mercredi 18 Juin 2014 08:33:26 
> Objet: Re: [pve-devel] can't add fwpr2004p0 to bridge vmbr0: Unknown error 524 
> 
> Am 18.06.2014 03:16, schrieb Alexandre DERUMIER: 
>>>> The output is very long! Do you need everything? 
>>
>> how many rules do you have created ? are you talking about MB of output ? 
>>
>> if it's too big, you can send them to my email directly 
> 
> NO i didn't even have rules set that's the funny thing and why i don't 
> know why all traffic is blocked. 
> 
> But generally i see no rules under 
> iptables -L -vnx 
> 
> Most probably due to: 
> Jun 18 08:32:55 cloud3-1351 pve-firewall[7944]: status update error: 
> command '/sbin/iptables-restore -n' failed: exit code 1 
> 
> Stefan 
> 
>> ----- Mail original ----- 
>>
>> De: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag> 
>> À: "Alexandre DERUMIER" <aderumier at odiso.com> 
>> Cc: pve-devel at pve.proxmox.com 
>> Envoyé: Mardi 17 Juin 2014 15:09:57 
>> Objet: Re: [pve-devel] can't add fwpr2004p0 to bridge vmbr0: Unknown error 524 
>>
>> Am 17.06.2014 10:38, schrieb Alexandre DERUMIER: 
>>>>> Jun 17 10:28:04 cloud3-1351 pve-firewall[7944]: status update error: 
>>>>> command '/sbin/iptables-restore -n' failed: exit code 1 
>>>
>>> something seem wrong in generate rules 
>>>
>>> can you do a 
>>>
>>> #pve-firewall compile 
>>>
>>> to see generated rules ? 
>>
>> The output is very long! Do you need everything? 
>>
>> Stefan 
>>
>>> ----- Mail original ----- 
>>>
>>> De: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag> 
>>> À: "Alexandre DERUMIER" <aderumier at odiso.com> 
>>> Cc: pve-devel at pve.proxmox.com 
>>> Envoyé: Mardi 17 Juin 2014 10:28:32 
>>> Objet: Re: [pve-devel] can't add fwpr2004p0 to bridge vmbr0: Unknown error 524 
>>>
>>> Log says: 
>>> Jun 17 10:27:59 cloud3-1351 dnsmasq-dhcp[8437]: DHCP packet received on 
>>> fwbr2004i0 which has no address 
>>> Jun 17 10:28:02 cloud3-1351 dnsmasq-dhcp[8437]: DHCPDISCOVER(vmbr0) 
>>> c2:3e:63:19:6c:bf 
>>> Jun 17 10:28:02 cloud3-1351 dnsmasq-dhcp[8437]: DHCPOFFER(vmbr0) 
>>> 10.10.28.3 c2:3e:63:19:6c:bf 
>>> Jun 17 10:28:04 cloud3-1351 pve-firewall[7944]: status update error: 
>>> command '/sbin/iptables-restore -n' failed: exit code 1 
>>>
>>> Am 17.06.2014 10:26, schrieb Stefan Priebe - Profihost AG: 
>>>> OK adding an empty 
>>>> netpoll pdo controller to the veth device in the kernel fixes the problem. 
>>>>
>>>> The veth device does not support netpoll. 
>>>>
>>>> Without the netconsole driver i can start the VM. But if the firewall is 
>>>> enabled i've not network - even with Input Policy and Output Policy set 
>>>> to ACCEPT. 
>>>>
>>>> What should i check now? 
>>>>
>>>> Stefan 
>>>> Am 16.06.2014 11:49, schrieb Alexandre DERUMIER: 
>>>>>>> I think this should get cleaned in that case? 
>>>>>
>>>>> currently the cleanup is done: 
>>>>>
>>>>> at vm shutdown 
>>>>> at vm start 
>>>>> when you disable|enable firewall on netX through api 
>>>>>
>>>>> but indeed we can improve that (I'll try to have a look at it) 
>>>>>
>>>>>
>>>>>>> I just don't get why it works for vmbr1 but not for vmbr0. 
>>>>>
>>>>> can you try to manually add 
>>>>>
>>>>> #brctl addif fwln2004i0 fwbr2004i0 
>>>>> #brctl addif fwpr2004p0 vmbr0 
>>>>>
>>>>> ? 
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> ----- Mail original ----- 
>>>>>
>>>>> De: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag> 
>>>>> À: "Alexandre DERUMIER" <aderumier at odiso.com> 
>>>>> Cc: pve-devel at pve.proxmox.com 
>>>>> Envoyé: Lundi 16 Juin 2014 11:40:59 
>>>>> Objet: Re: [pve-devel] can't add fwpr2004p0 to bridge vmbr0: Unknown error 524 
>>>>>
>>>>> Am 16.06.2014 11:37, schrieb Alexandre DERUMIER: 
>>>>>>>> What is the difference between the normal tap device without firewall - 
>>>>>>>> which works fine for me on vmbr0 and vmbr1 and the firewall tap one? 
>>>>>>
>>>>>> They are not difference. 
>>>>>>
>>>>>> we just need a dedicated bridge (fwbrxxx) by firewalled tap interface, 
>>>>>> and this bridge is plugged to vmbrX through a veth pair( fwprxxxx) 
>>>>>
>>>>> I just don't get why it works for vmbr1 but not for vmbr0. 
>>>>>
>>>>> I don't see a difference. 
>>>>>
>>>>> Generally if adding the bridge fails for whatever reason there is a lot 
>>>>> of unremoved stuff: 
>>>>>
>>>>> [: ~]# ip a l | grep fwbr 
>>>>> 14: fwbr2004i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue 
>>>>> state UP 
>>>>> 16: fwln2004i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc 
>>>>> pfifo_fast master fwbr2004i0 state UP qlen 1000 
>>>>>
>>>>> [: ~]# ifconfig| grep ^fw 
>>>>> fwbr2004i0 Link encap:Ethernet HWaddr d2:74:33:d9:50:92 
>>>>> fwln2004i0 Link encap:Ethernet HWaddr d2:74:33:d9:50:92 
>>>>> fwpr2004p0 Link encap:Ethernet HWaddr b2:47:35:28:2c:de 
>>>>>
>>>>> I think this should get cleaned in that case? 
>>>>>
>>>>> Stefan 
>>>>>
>>>>>>
>>>>>> ----- Mail original ----- 
>>>>>>
>>>>>> De: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag> 
>>>>>> À: "Alexandre DERUMIER" <aderumier at odiso.com> 
>>>>>> Cc: pve-devel at pve.proxmox.com 
>>>>>> Envoyé: Lundi 16 Juin 2014 11:29:00 
>>>>>> Objet: Re: [pve-devel] can't add fwpr2004p0 to bridge vmbr0: Unknown error 524 
>>>>>>
>>>>>> What is the difference between the normal tap device without firewall - 
>>>>>> which works fine for me on vmbr0 and vmbr1 and the firewall tap one? 
>>>>>>
>>>>>> Stefan 
>>>>>> Am 16.06.2014 11:10, schrieb Stefan Priebe - Profihost AG: 
>>>>>>> Hi, 
>>>>>>>
>>>>>>> i get the same problem with the official redhat PVE Kernel. 
>>>>>>>
>>>>>>> What i don't understand is that it works fine with vmbr1 but not with 
>>>>>>> vmbr0. 
>>>>>>>
>>>>>>> Interfaces file on host: 
>>>>>>>
>>>>>>> auto vmbr0 
>>>>>>> iface vmbr0 inet static 
>>>>>>> address XX.XX.XX.XX 
>>>>>>> netmask 255.255.255.128 
>>>>>>> gateway XX.XX.XX.XX 
>>>>>>> bridge_ports bond0 
>>>>>>> bridge_stp off 
>>>>>>> bridge_fd 0 
>>>>>>>
>>>>>>> auto vmbr1 
>>>>>>> iface vmbr1 inet manual 
>>>>>>> bridge_ports bond1 
>>>>>>> bridge_stp off 
>>>>>>> bridge_fd 0 
>>>>>>>
>>>>>>> Stefan 
>>>>>>>
>>>>>>> Am 16.06.2014 09:50, schrieb Alexandre DERUMIER: 
>>>>>>>>>> Do i need a special kernel feature? 
>>>>>>>> I don't think. 
>>>>>>>> It's just create a veth pair, then plug them in bridge. 
>>>>>>>>
>>>>>>>> I check my logs, I don't have theses 
>>>>>>>>
>>>>>>>> "netpoll: (null): fwpr2004p0 doesn't support polling, aborting " 
>>>>>>>>
>>>>>>>> do you use a custom kernel ? 
>>>>>>>
>>>>>>> Stefan 
>>>>>>>
>>>> _______________________________________________ 
>>>> pve-devel mailing list 
>>>> pve-devel at pve.proxmox.com 
>>>> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 
>>>>

More information about the pve-devel mailing list