[pve-devel] can't add fwpr2004p0 to bridge vmbr0: Unknown error 524

Alexandre DERUMIER aderumier at odiso.com
Wed Jun 18 17:06:17 CEST 2014


>># ipset save 
>>create PVEFW-0-management hash:net family inet hashsize 64 maxelem 64 
>>add PVEFW-0-management 10.255.0.0/24 
>>create PVEFW-0-venet0 hash:net family inet hashsize 64 maxelem 64 

I just tried to import your ipset + iptables rules, and no problem ....
I don't understand.

Do you have other custom rules in INPUT|OUTPUT|FORWARD?

(#iptables-save result?)



----- Original Message ----- 

From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag> 
To: "Alexandre DERUMIER" <aderumier at odiso.com> 
Cc: pve-devel at pve.proxmox.com 
Sent: Wednesday 18 June 2014 10:22:48 
Subject: Re: [pve-devel] can't add fwpr2004p0 to bridge vmbr0: Unknown error 524 

On 18.06.2014 10:03, Alexandre DERUMIER wrote: 
> This is strange, I just tried to apply the full ruleset on my test server, and it applies fine. 
> 
> can you post the output of 
> 
> #ipset save 
> 
> ? 
# ipset save 
create PVEFW-0-management hash:net family inet hashsize 64 maxelem 64 
add PVEFW-0-management 10.255.0.0/24 
create PVEFW-0-venet0 hash:net family inet hashsize 64 maxelem 64 


> ----- Original Message ----- 
> 
> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag> 
> To: "Alexandre DERUMIER" <aderumier at odiso.com> 
> Cc: pve-devel at pve.proxmox.com 
> Sent: Wednesday 18 June 2014 09:46:34 
> Subject: Re: [pve-devel] can't add fwpr2004p0 to bridge vmbr0: Unknown error 524 
> 
> Hi, 
> 
> On 18.06.2014 08:59, Alexandre DERUMIER wrote: 
>> try my patch #pve-firewall compile --full 
>> 
>> it should display the generated rules, and the error message from iptables-restore 
> 
> This is the output with patch applied: 
> http://pastebin.com/raw.php?i=rvt127kw 
> 
> What I'm wondering is that these rules also do things on my normal 
> interfaces where I already run custom firewall rules. 
> 
> The next thing I tried was disabling the cluster firewall in the hope that 
> this results in firewall rules ONLY for the VMs. 
> 
> I think there should be a way to skip all those global rules for the hw 
> nodes and only apply rules for VMs. 
> 
> Stefan 
> 
> 
>> ----- Original Message ----- 
>> 
>> From: "Stefan Priebe" <s.priebe at profihost.ag> 
>> To: "Alexandre DERUMIER" <aderumier at odiso.com> 
>> Cc: pve-devel at pve.proxmox.com 
>> Sent: Wednesday 18 June 2014 08:33:26 
>> Subject: Re: [pve-devel] can't add fwpr2004p0 to bridge vmbr0: Unknown error 524 
>> 
>> On 18.06.2014 03:16, Alexandre DERUMIER wrote: 
>>>>> The output is very long! Do you need everything? 
>>> 
>>> How many rules have you created? Are you talking about MB of output? 
>>> 
>>> if it's too big, you can send them to my email directly 
>> 
>> No, I didn't even have rules set, that's the funny thing, and why I don't 
>> know why all traffic is blocked. 
>> 
>> But generally I see no rules under 
>> iptables -L -vnx 
>> 
>> Most probably due to: 
>> Jun 18 08:32:55 cloud3-1351 pve-firewall[7944]: status update error: 
>> command '/sbin/iptables-restore -n' failed: exit code 1 
>> 
>> Stefan 
>> 
>>> ----- Original Message ----- 
>>> 
>>> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag> 
>>> To: "Alexandre DERUMIER" <aderumier at odiso.com> 
>>> Cc: pve-devel at pve.proxmox.com 
>>> Sent: Tuesday 17 June 2014 15:09:57 
>>> Subject: Re: [pve-devel] can't add fwpr2004p0 to bridge vmbr0: Unknown error 524 
>>> 
>>> On 17.06.2014 10:38, Alexandre DERUMIER wrote: 
>>>>>> Jun 17 10:28:04 cloud3-1351 pve-firewall[7944]: status update error: 
>>>>>> command '/sbin/iptables-restore -n' failed: exit code 1 
>>>> 
>>>> something seems wrong in the generated rules 
>>>> 
>>>> can you do a 
>>>> 
>>>> #pve-firewall compile 
>>>> 
>>>> to see the generated rules? 
>>> 
>>> The output is very long! Do you need everything? 
>>> 
>>> Stefan 
>>> 
>>>> ----- Original Message ----- 
>>>> 
>>>> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag> 
>>>> To: "Alexandre DERUMIER" <aderumier at odiso.com> 
>>>> Cc: pve-devel at pve.proxmox.com 
>>>> Sent: Tuesday 17 June 2014 10:28:32 
>>>> Subject: Re: [pve-devel] can't add fwpr2004p0 to bridge vmbr0: Unknown error 524 
>>>> 
>>>> Log says: 
>>>> Jun 17 10:27:59 cloud3-1351 dnsmasq-dhcp[8437]: DHCP packet received on 
>>>> fwbr2004i0 which has no address 
>>>> Jun 17 10:28:02 cloud3-1351 dnsmasq-dhcp[8437]: DHCPDISCOVER(vmbr0) 
>>>> c2:3e:63:19:6c:bf 
>>>> Jun 17 10:28:02 cloud3-1351 dnsmasq-dhcp[8437]: DHCPOFFER(vmbr0) 
>>>> 10.10.28.3 c2:3e:63:19:6c:bf 
>>>> Jun 17 10:28:04 cloud3-1351 pve-firewall[7944]: status update error: 
>>>> command '/sbin/iptables-restore -n' failed: exit code 1 
>>>> 
>>>> On 17.06.2014 10:26, Stefan Priebe - Profihost AG wrote: 
>>>>> OK adding an empty 
>>>>> netpoll pdo controller to the veth device in the kernel fixes the problem. 
>>>>> 
>>>>> The veth device does not support netpoll. 
>>>>> 
>>>>> Without the netconsole driver I can start the VM. But if the firewall is 
>>>>> enabled I have no network - even with Input Policy and Output Policy set 
>>>>> to ACCEPT. 
>>>>> 
>>>>> What should i check now? 
>>>>> 
>>>>> Stefan 
>>>>> On 16.06.2014 11:49, Alexandre DERUMIER wrote: 
>>>>>>>> I think this should get cleaned in that case? 
>>>>>> 
>>>>>> Currently the cleanup is done: 
>>>>>> 
>>>>>> at VM shutdown 
>>>>>> at VM start 
>>>>>> when you disable|enable the firewall on netX through the API 
>>>>>> 
>>>>>> but indeed we can improve that (I'll try to have a look at it) 
>>>>>> 
>>>>>> 
>>>>>>>> I just don't get why it works for vmbr1 but not for vmbr0. 
>>>>>> 
>>>>>> can you try to manually add 
>>>>>> 
>>>>>> #brctl addif fwln2004i0 fwbr2004i0 
>>>>>> #brctl addif fwpr2004p0 vmbr0 
>>>>>> 
>>>>>> ? 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> ----- Original Message ----- 
>>>>>> 
>>>>>> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag> 
>>>>>> To: "Alexandre DERUMIER" <aderumier at odiso.com> 
>>>>>> Cc: pve-devel at pve.proxmox.com 
>>>>>> Sent: Monday 16 June 2014 11:40:59 
>>>>>> Subject: Re: [pve-devel] can't add fwpr2004p0 to bridge vmbr0: Unknown error 524 
>>>>>> 
>>>>>> On 16.06.2014 11:37, Alexandre DERUMIER wrote: 
>>>>>>>>> What is the difference between the normal tap device without firewall - 
>>>>>>>>> which works fine for me on vmbr0 and vmbr1 and the firewall tap one? 
>>>>>>> 
>>>>>>> There is no difference. 
>>>>>>> 
>>>>>>> We just need a dedicated bridge (fwbrxxx) per firewalled tap interface, 
>>>>>>> and this bridge is plugged into vmbrX through a veth pair (fwprxxxx). 
>>>>>> 
>>>>>> I just don't get why it works for vmbr1 but not for vmbr0. 
>>>>>> 
>>>>>> I don't see a difference. 
>>>>>> 
>>>>>> Generally if adding the bridge fails for whatever reason there is a lot 
>>>>>> of unremoved stuff: 
>>>>>> 
>>>>>> [: ~]# ip a l | grep fwbr 
>>>>>> 14: fwbr2004i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue 
>>>>>> state UP 
>>>>>> 16: fwln2004i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc 
>>>>>> pfifo_fast master fwbr2004i0 state UP qlen 1000 
>>>>>> 
>>>>>> [: ~]# ifconfig| grep ^fw 
>>>>>> fwbr2004i0 Link encap:Ethernet HWaddr d2:74:33:d9:50:92 
>>>>>> fwln2004i0 Link encap:Ethernet HWaddr d2:74:33:d9:50:92 
>>>>>> fwpr2004p0 Link encap:Ethernet HWaddr b2:47:35:28:2c:de 
>>>>>> 
>>>>>> I think this should get cleaned in that case? 
>>>>>> 
>>>>>> Stefan 
>>>>>> 
>>>>>>> 
>>>>>>> ----- Original Message ----- 
>>>>>>> 
>>>>>>> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag> 
>>>>>>> To: "Alexandre DERUMIER" <aderumier at odiso.com> 
>>>>>>> Cc: pve-devel at pve.proxmox.com 
>>>>>>> Sent: Monday 16 June 2014 11:29:00 
>>>>>>> Subject: Re: [pve-devel] can't add fwpr2004p0 to bridge vmbr0: Unknown error 524 
>>>>>>> 
>>>>>>> What is the difference between the normal tap device without firewall - 
>>>>>>> which works fine for me on vmbr0 and vmbr1 and the firewall tap one? 
>>>>>>> 
>>>>>>> Stefan 
>>>>>>> On 16.06.2014 11:10, Stefan Priebe - Profihost AG wrote: 
>>>>>>>> Hi, 
>>>>>>>> 
>>>>>>>> I get the same problem with the official RedHat PVE kernel. 
>>>>>>>> 
>>>>>>>> What I don't understand is that it works fine with vmbr1 but not with 
>>>>>>>> vmbr0. 
>>>>>>>> 
>>>>>>>> Interfaces file on host: 
>>>>>>>> 
>>>>>>>> auto vmbr0 
>>>>>>>> iface vmbr0 inet static 
>>>>>>>> address XX.XX.XX.XX 
>>>>>>>> netmask 255.255.255.128 
>>>>>>>> gateway XX.XX.XX.XX 
>>>>>>>> bridge_ports bond0 
>>>>>>>> bridge_stp off 
>>>>>>>> bridge_fd 0 
>>>>>>>> 
>>>>>>>> auto vmbr1 
>>>>>>>> iface vmbr1 inet manual 
>>>>>>>> bridge_ports bond1 
>>>>>>>> bridge_stp off 
>>>>>>>> bridge_fd 0 
>>>>>>>> 
>>>>>>>> Stefan 
>>>>>>>> 
>>>>>>>> On 16.06.2014 09:50, Alexandre DERUMIER wrote: 
>>>>>>>>>>> Do i need a special kernel feature? 
>>>>>>>>> I don't think so. 
>>>>>>>>> It just creates a veth pair, then plugs them into the bridge. 
>>>>>>>>> 
>>>>>>>>> I checked my logs, I don't have these 
>>>>>>>>> 
>>>>>>>>> "netpoll: (null): fwpr2004p0 doesn't support polling, aborting " 
>>>>>>>>> 
>>>>>>>>> do you use a custom kernel ? 
>>>>>>>> 
>>>>>>>> Stefan 
>>>>>>>> 
>>>>> _______________________________________________ 
>>>>> pve-devel mailing list 
>>>>> pve-devel at pve.proxmox.com 
>>>>> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 
>>>>> 
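The thread describes the per-NIC firewall topology (a dedicated fwbr&lt;vmid&gt;i&lt;n&gt; bridge, plugged into vmbrX through the fwln&lt;vmid&gt;i&lt;n&gt;/fwpr&lt;vmid&gt;p&lt;n&gt; veth pair) and complains that a failed `brctl addif` leaves fwbr/fwln/fwpr devices behind. Error 524 is the kernel-internal ENOTSUPP, which glibc has no message for, hence "Unknown error 524". The script below is an added example written for this page, not pve-firewall code: it builds that topology with iproute2 (`ip link`, instead of the brctl calls in the mail) and rolls back on any failure, and it scans `ip -o link` output for fw* devices whose topology is incomplete. The `ip -o link` sample is constructed after the listing in the thread, with fwpr2004p0 left unplugged as it would be after the 524 failure; the DRY_RUN switch is an assumption of this example, not a Proxmox feature.

```shell
#!/bin/sh
# Added example (not Proxmox code): model the per-NIC firewall bridge topology
# from the thread and check a host for leftover fw* devices.
# Names follow the thread: fwbr<vmid>i<n> (bridge), fwln<vmid>i<n> and
# fwpr<vmid>p<n> (veth pair), vmbrX (host bridge). DRY_RUN is an assumption
# of this example: 1 prints the commands, 0 executes them (needs root).

: "${DRY_RUN:=1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Remove everything belonging to one firewalled NIC; missing devices are ignored.
# Deleting one end of a veth pair removes the peer as well.
fw_teardown() {  # vmid nic
    run ip link del "fwln${1}i${2}" 2>/dev/null
    run ip link del "fwbr${1}i${2}" 2>/dev/null
}

# Build fwbr + veth pair and plug it into the host bridge. If any step fails
# (e.g. the "can't add fwpr... to bridge: Unknown error 524" from the thread),
# undo the partial setup instead of leaving fwbr/fwln/fwpr behind.
fw_setup() {  # vmid nic hostbridge
    run ip link add "fwbr${1}i${2}" type bridge &&
    run ip link add "fwln${1}i${2}" type veth peer name "fwpr${1}p${2}" &&
    run ip link set "fwln${1}i${2}" master "fwbr${1}i${2}" &&
    run ip link set "fwpr${1}p${2}" master "$3" &&
    run ip link set "fwbr${1}i${2}" up &&
    run ip link set "fwln${1}i${2}" up &&
    run ip link set "fwpr${1}p${2}" up && return 0
    echo "fw_setup ${1}/${2}: failed, rolling back" >&2
    fw_teardown "$1" "$2"
    return 1
}

# Read `ip -o link` output on stdin and print one line per topology problem:
# a fwbr without its fwln, a fwln not enslaved to its fwbr, or a fwpr that is
# not enslaved to any vmbr (the state left behind by the failure in the thread).
fw_check_orphans() {
    awk '
    { name = $2; sub(/:$/, "", name); sub(/@.*/, "", name)
      master = ""; for (i = 1; i <= NF; i++) if ($i == "master") master = $(i + 1)
      if (name ~ /^fwbr/) bridge[name] = 1
      else if (name ~ /^fwln/) lnm[name] = master
      else if (name ~ /^fwpr/) prm[name] = master }
    END {
      for (b in bridge) { l = b; sub(/^fwbr/, "fwln", l)
        if (!(l in lnm)) print b ": no fwln attached" }
      for (l in lnm) { b = l; sub(/^fwln/, "fwbr", b)
        if (lnm[l] != b) print l ": expected master " b ", got \"" lnm[l] "\"" }
      for (p in prm) if (prm[p] !~ /^vmbr/)
        print p ": not plugged into any vmbr (master \"" prm[p] "\")"
    }'
}

# Constructed `ip -o link` sample, modelled on the listing in the thread:
# fwpr2004p0 has no master because adding it to vmbr0 failed.
SAMPLE_LINKS='2: bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue master vmbr0 state UP
3: vmbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
14: fwbr2004i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
15: fwpr2004p0@fwln2004i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
16: fwln2004i0@fwpr2004p0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master fwbr2004i0 state UP qlen 1000'

if [ "${FW_DEMO:-0}" = 1 ]; then
    echo "# planned setup for VM 2004 net0 on vmbr0:"
    fw_setup 2004 0 vmbr0
    echo "# leftovers in the sample listing:"
    printf '%s\n' "$SAMPLE_LINKS" | fw_check_orphans
fi
```

On a real host run `ip -o link | sh -c '. ./fwcheck.sh; fw_check_orphans'` (or source the file) to list broken fw* topologies, and `DRY_RUN=0 fw_teardown 2004 0` as root to remove them before retrying the VM start.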


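The other failure in the thread is `/sbin/iptables-restore -n` exiting 1 and leaving the host with no rules, which is why the `ipset save` output was requested: iptables-restore rejects a ruleset that references a set that does not exist. The script below is an added example for this page, not pve-firewall code. It cross-checks an `ipset save` dump against an `iptables-save` dump and reports every `--match-set` target that no `create` line defines. The ipset dump copies the two sets quoted in the thread; the iptables rules are constructed for the example and include a deliberately undefined set (PVEFW-0-typo) to show the check firing.

```shell
#!/bin/sh
# Added example (not pve-firewall code): find iptables rules that reference
# ipsets which are not defined, a cause of "iptables-restore ... exit code 1".

# Constructed ipset dump: the two sets quoted in the thread.
IPSET_DUMP='create PVEFW-0-management hash:net family inet hashsize 64 maxelem 64
add PVEFW-0-management 10.255.0.0/24
create PVEFW-0-venet0 hash:net family inet hashsize 64 maxelem 64'

# Constructed iptables-save dump; PVEFW-0-typo is intentionally undefined.
IPTABLES_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PVEFW-HOST-IN - [0:0]
-A INPUT -j PVEFW-HOST-IN
-A PVEFW-HOST-IN -m set --match-set PVEFW-0-management src -p tcp --dport 8006 -j ACCEPT
-A PVEFW-HOST-IN -m set --match-set PVEFW-0-venet0 src -j ACCEPT
-A PVEFW-HOST-IN -m set --match-set PVEFW-0-typo src -j DROP
COMMIT'

# Names of the sets an iptables-save dump references (stdin), sorted, unique.
referenced_sets() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "--match-set") print $(i + 1) }' | sort -u
}

# Names of the sets an ipset save dump defines (stdin), sorted, unique.
defined_sets() {
    awk '$1 == "create" { print $2 }' | sort -u
}

# Print each referenced set that is not defined. $1: ipset dump, $2: iptables dump.
# Done in one awk pass over both strings so no temp files or process
# substitution are needed (POSIX sh).
missing_sets() {
    awk -v ipset="$1" -v ipt="$2" 'BEGIN {
        n = split(ipset, il, "\n")
        for (i = 1; i <= n; i++) { split(il[i], f, " "); if (f[1] == "create") def[f[2]] = 1 }
        n = split(ipt, rl, "\n")
        for (i = 1; i <= n; i++) {
            m = split(rl[i], f, " ")
            for (j = 1; j < m; j++)
                if (f[j] == "--match-set" && !(f[j + 1] in def) && !(f[j + 1] in seen)) {
                    seen[f[j + 1]] = 1; print f[j + 1]
                }
        }
    }'
}

# Returns 0 when every referenced set exists, 1 otherwise (missing names on stderr).
# Run this before iptables-restore to get a readable reason instead of "exit code 1".
check_ruleset() {
    out=$(missing_sets "$1" "$2")
    [ -z "$out" ] && return 0
    printf 'iptables rules reference sets not defined in ipset:\n%s\n' "$out" >&2
    return 1
}

if [ "${FW_DEMO:-0}" = 1 ]; then
    # On a real host: check_ruleset "$(ipset save)" "$(iptables-save)"
    check_ruleset "$IPSET_DUMP" "$IPTABLES_DUMP" || echo "ruleset would be rejected"
fi
```

On a live node the same check is `check_ruleset "$(ipset save)" "$(pve-firewall compile)"` once the compile output has been reduced to its iptables part; the set names must match exactly, including case.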