[pve-devel] can't add fwpr2004p0 to bridge vmbr0: Unknown error 524
Stefan Priebe
s.priebe at profihost.ag
Wed Jun 18 21:43:33 CEST 2014
On 18.06.2014 21:13, Stefan Priebe wrote:
>
> On 18.06.2014 17:06, Alexandre DERUMIER wrote:
>>>> # ipset save
>>>> create PVEFW-0-management hash:net family inet hashsize 64 maxelem 64
>>>> add PVEFW-0-management 10.255.0.0/24
>>>> create PVEFW-0-venet0 hash:net family inet hashsize 64 maxelem 64
>>
>> I just tried to import your ipset + iptables rules, and no problem ....
>> I don't understand.
>>
>> do you have other custom rules in input|output|forward ?
>>
>> (#iptables-save result ?)
OK got it. My iptables comment module had 0 bytes on my test machine and
wasn't loadable. Never used it before.
Thanks for all your useful help.
Stefan
>>
>> ----- Original Message -----
>>
>> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
>> To: "Alexandre DERUMIER" <aderumier at odiso.com>
>> Cc: pve-devel at pve.proxmox.com
>> Sent: Wednesday 18 June 2014 10:22:48
>> Subject: Re: [pve-devel] can't add fwpr2004p0 to bridge vmbr0: Unknown
>> error 524
>>
>> On 18.06.2014 10:03, Alexandre DERUMIER wrote:
>>> This is strange, I just tried to apply the full ruleset on my test
>>> server, and it applies fine.
>>>
>>> can you post the output of
>>>
>>> #ipset save
>>>
>>> ?
>> # ipset save
>> create PVEFW-0-management hash:net family inet hashsize 64 maxelem 64
>> add PVEFW-0-management 10.255.0.0/24
>> create PVEFW-0-venet0 hash:net family inet hashsize 64 maxelem 64
>>
>>
>>> ----- Original Message -----
>>>
>>> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
>>> To: "Alexandre DERUMIER" <aderumier at odiso.com>
>>> Cc: pve-devel at pve.proxmox.com
>>> Sent: Wednesday 18 June 2014 09:46:34
>>> Subject: Re: [pve-devel] can't add fwpr2004p0 to bridge vmbr0: Unknown
>>> error 524
>>>
>>> Hi,
>>>
>>> On 18.06.2014 08:59, Alexandre DERUMIER wrote:
>>>> try my patch #pve-firewall compile --full
>>>>
>>>> it should display the generated rules, and the error message from
>>>> iptables-restore
>>>
>>> This is the output with patch applied:
>>> http://pastebin.com/raw.php?i=rvt127kw
>>>
>>> What I'm wondering is that these rules also do things on my normal
>>> interfaces where I already run custom firewall rules.
>>>
>>> The next thing I tried was disabling the cluster firewall in the hope that
>>> this results in firewall rules ONLY for the VMs.
>>>
>>> I think there should be a way to skip all those global rules for the hw
>>> nodes and only apply rules for VMs.
>>>
>>> Stefan
>>>
>>>
>>>> ----- Original Message -----
>>>>
>>>> From: "Stefan Priebe" <s.priebe at profihost.ag>
>>>> To: "Alexandre DERUMIER" <aderumier at odiso.com>
>>>> Cc: pve-devel at pve.proxmox.com
>>>> Sent: Wednesday 18 June 2014 08:33:26
>>>> Subject: Re: [pve-devel] can't add fwpr2004p0 to bridge vmbr0: Unknown
>>>> error 524
>>>>
>>>> On 18.06.2014 03:16, Alexandre DERUMIER wrote:
>>>>>>> The output is very long! Do you need everything?
>>>>>
>>>>> how many rules have you created? are you talking about MB of
>>>>> output?
>>>>>
>>>>> if it's too big, you can send them to my email directly
>>>>
>>>> NO, I didn't even have rules set, that's the funny thing, and why I don't
>>>> know why all traffic is blocked.
>>>>
>>>> But generally I see no rules under
>>>> iptables -L -vnx
>>>>
>>>> Most probably due to:
>>>> Jun 18 08:32:55 cloud3-1351 pve-firewall[7944]: status update error:
>>>> command '/sbin/iptables-restore -n' failed: exit code 1
>>>>
>>>> Stefan
>>>>
>>>>> ----- Original Message -----
>>>>>
>>>>> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
>>>>> To: "Alexandre DERUMIER" <aderumier at odiso.com>
>>>>> Cc: pve-devel at pve.proxmox.com
>>>>> Sent: Tuesday 17 June 2014 15:09:57
>>>>> Subject: Re: [pve-devel] can't add fwpr2004p0 to bridge vmbr0:
>>>>> Unknown error 524
>>>>>
>>>>> On 17.06.2014 10:38, Alexandre DERUMIER wrote:
>>>>>>>> Jun 17 10:28:04 cloud3-1351 pve-firewall[7944]: status update
>>>>>>>> error:
>>>>>>>> command '/sbin/iptables-restore -n' failed: exit code 1
>>>>>>
>>>>>> something seems wrong in the generated rules
>>>>>>
>>>>>> can you do a
>>>>>>
>>>>>> #pve-firewall compile
>>>>>>
>>>>>> to see generated rules ?
>>>>>
>>>>> The output is very long! Do you need everything?
>>>>>
>>>>> Stefan
>>>>>
>>>>>> ----- Original Message -----
>>>>>>
>>>>>> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
>>>>>> To: "Alexandre DERUMIER" <aderumier at odiso.com>
>>>>>> Cc: pve-devel at pve.proxmox.com
>>>>>> Sent: Tuesday 17 June 2014 10:28:32
>>>>>> Subject: Re: [pve-devel] can't add fwpr2004p0 to bridge vmbr0:
>>>>>> Unknown error 524
>>>>>>
>>>>>> Log says:
>>>>>> Jun 17 10:27:59 cloud3-1351 dnsmasq-dhcp[8437]: DHCP packet
>>>>>> received on
>>>>>> fwbr2004i0 which has no address
>>>>>> Jun 17 10:28:02 cloud3-1351 dnsmasq-dhcp[8437]: DHCPDISCOVER(vmbr0)
>>>>>> c2:3e:63:19:6c:bf
>>>>>> Jun 17 10:28:02 cloud3-1351 dnsmasq-dhcp[8437]: DHCPOFFER(vmbr0)
>>>>>> 10.10.28.3 c2:3e:63:19:6c:bf
>>>>>> Jun 17 10:28:04 cloud3-1351 pve-firewall[7944]: status update error:
>>>>>> command '/sbin/iptables-restore -n' failed: exit code 1
>>>>>>
>>>>>> On 17.06.2014 10:26, Stefan Priebe - Profihost AG wrote:
>>>>>>> OK, adding an empty
>>>>>>> netpoll ndo controller to the veth device in the kernel fixes the
>>>>>>> problem.
>>>>>>>
>>>>>>> The veth device does not support netpoll.
>>>>>>>
>>>>>>> Without the netconsole driver I can start the VM. But if the
>>>>>>> firewall is
>>>>>>> enabled I've no network - even with Input Policy and Output
>>>>>>> Policy set
>>>>>>> to ACCEPT.
>>>>>>>
>>>>>>> What should I check now?
>>>>>>>
>>>>>>> Stefan
>>>>>>> On 16.06.2014 11:49, Alexandre DERUMIER wrote:
>>>>>>>>>> I think this should get cleaned in that case?
>>>>>>>>
>>>>>>>> currently the cleanup is done:
>>>>>>>>
>>>>>>>> at vm shutdown
>>>>>>>> at vm start
>>>>>>>> when you disable|enable firewall on netX through api
>>>>>>>>
>>>>>>>> but indeed we can improve that (I'll try to have a look at it)
>>>>>>>>
>>>>>>>>
>>>>>>>>>> I just don't get why it works for vmbr1 but not for vmbr0.
>>>>>>>>
>>>>>>>> can you try to manually add
>>>>>>>>
>>>>>>>> #brctl addif fwln2004i0 fwbr2004i0
>>>>>>>> #brctl addif fwpr2004p0 vmbr0
>>>>>>>>
>>>>>>>> ?
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> ----- Original Message -----
>>>>>>>>
>>>>>>>> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
>>>>>>>> To: "Alexandre DERUMIER" <aderumier at odiso.com>
>>>>>>>> Cc: pve-devel at pve.proxmox.com
>>>>>>>> Sent: Monday 16 June 2014 11:40:59
>>>>>>>> Subject: Re: [pve-devel] can't add fwpr2004p0 to bridge vmbr0:
>>>>>>>> Unknown error 524
>>>>>>>>
>>>>>>>> On 16.06.2014 11:37, Alexandre DERUMIER wrote:
>>>>>>>>>>> What is the difference between the normal tap device without
>>>>>>>>>>> firewall -
>>>>>>>>>>> which works fine for me on vmbr0 and vmbr1 and the firewall
>>>>>>>>>>> tap one?
>>>>>>>>>
>>>>>>>>> There is no difference.
>>>>>>>>>
>>>>>>>>> we just need a dedicated bridge (fwbrxxx) per firewalled tap
>>>>>>>>> interface,
>>>>>>>>> and this bridge is plugged into vmbrX through a veth pair (fwprxxxx)
>>>>>>>>
>>>>>>>> I just don't get why it works for vmbr1 but not for vmbr0.
>>>>>>>>
>>>>>>>> I don't see a difference.
>>>>>>>>
>>>>>>>> Generally if adding the bridge fails for whatever reason there
>>>>>>>> is a lot
>>>>>>>> of unremoved stuff:
>>>>>>>>
>>>>>>>> [: ~]# ip a l | grep fwbr
>>>>>>>> 14: fwbr2004i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc
>>>>>>>> noqueue
>>>>>>>> state UP
>>>>>>>> 16: fwln2004i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc
>>>>>>>> pfifo_fast master fwbr2004i0 state UP qlen 1000
>>>>>>>>
>>>>>>>> [: ~]# ifconfig| grep ^fw
>>>>>>>> fwbr2004i0 Link encap:Ethernet HWaddr d2:74:33:d9:50:92
>>>>>>>> fwln2004i0 Link encap:Ethernet HWaddr d2:74:33:d9:50:92
>>>>>>>> fwpr2004p0 Link encap:Ethernet HWaddr b2:47:35:28:2c:de
>>>>>>>>
>>>>>>>> I think this should get cleaned in that case?
>>>>>>>>
>>>>>>>> Stefan
>>>>>>>>
>>>>>>>>>
>>>>>>>>> ----- Original Message -----
>>>>>>>>>
>>>>>>>>> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
>>>>>>>>> To: "Alexandre DERUMIER" <aderumier at odiso.com>
>>>>>>>>> Cc: pve-devel at pve.proxmox.com
>>>>>>>>> Sent: Monday 16 June 2014 11:29:00
>>>>>>>>> Subject: Re: [pve-devel] can't add fwpr2004p0 to bridge vmbr0:
>>>>>>>>> Unknown error 524
>>>>>>>>>
>>>>>>>>> What is the difference between the normal tap device without
>>>>>>>>> firewall -
>>>>>>>>> which works fine for me on vmbr0 and vmbr1 and the firewall tap
>>>>>>>>> one?
>>>>>>>>>
>>>>>>>>> Stefan
>>>>>>>>> On 16.06.2014 11:10, Stefan Priebe - Profihost AG wrote:
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> I get the same problem with the official redhat PVE Kernel.
>>>>>>>>>>
>>>>>>>>>> What I don't understand is that it works fine with vmbr1 but
>>>>>>>>>> not with
>>>>>>>>>> vmbr0.
>>>>>>>>>>
>>>>>>>>>> Interfaces file on host:
>>>>>>>>>>
>>>>>>>>>> auto vmbr0
>>>>>>>>>> iface vmbr0 inet static
>>>>>>>>>> address XX.XX.XX.XX
>>>>>>>>>> netmask 255.255.255.128
>>>>>>>>>> gateway XX.XX.XX.XX
>>>>>>>>>> bridge_ports bond0
>>>>>>>>>> bridge_stp off
>>>>>>>>>> bridge_fd 0
>>>>>>>>>>
>>>>>>>>>> auto vmbr1
>>>>>>>>>> iface vmbr1 inet manual
>>>>>>>>>> bridge_ports bond1
>>>>>>>>>> bridge_stp off
>>>>>>>>>> bridge_fd 0
>>>>>>>>>>
>>>>>>>>>> Stefan
>>>>>>>>>>
>>>>>>>>>> On 16.06.2014 09:50, Alexandre DERUMIER wrote:
>>>>>>>>>>>>> Do I need a special kernel feature?
>>>>>>>>>>> I don't think so.
>>>>>>>>>>> It just creates a veth pair, then plugs them into the bridge.
>>>>>>>>>>>
>>>>>>>>>>> I checked my logs, I don't have these
>>>>>>>>>>>
>>>>>>>>>>> "netpoll: (null): fwpr2004p0 doesn't support polling, aborting "
>>>>>>>>>>>
>>>>>>>>>>> do you use a custom kernel ?
>>>>>>>>>>
>>>>>>>>>> Stefan
>>>>>>>>>>
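The leftover fwbr/fwln/fwpr interfaces Stefan lists after a failed VM start can be found mechanically. The script below is an added example, not code from the thread or from pve-firewall; it assumes the interface naming scheme seen in the thread (fwbr<vmid>i<n>, fwln<vmid>i<n>, fwpr<vmid>p<n>) and that on a real node the caller feeds in `ip -o link show` output and the running VMIDs from `qm list`.

```shell
#!/bin/sh
# Added example (not from the thread or pve-firewall): list firewall helper
# interfaces that belong to VMs which are not running, i.e. the "unremoved
# stuff" left behind when plugging the veth pair into vmbr0 fails.
# Assumption: names follow fwbr<vmid>i<n> / fwln<vmid>i<n> / fwpr<vmid>p<n>.

# stale_fw_ifaces <ip -o link output> <space-separated running VMIDs>
# prints one stale interface name per line (nothing if all are accounted for).
stale_fw_ifaces() {
    ip_out=$1
    running=$2
    printf '%s\n' "$ip_out" |
    # field 2 is "name:" or "name@peer:" for veth ends; strip both suffixes
    awk '{ n = $2; sub(/@.*/, "", n); sub(/:$/, "", n); print n }' |
    grep -E '^fw(br|ln|pr)[0-9]+[ip][0-9]+$' |
    while read -r ifname; do
        vmid=${ifname#fw??}        # drop "fwbr" / "fwln" / "fwpr"
        vmid=${vmid%[ip]*}         # drop the "i0" / "p0" interface index
        case " $running " in
            *" $vmid "*) ;;                  # VM is running: interface is expected
            *) printf '%s\n' "$ifname" ;;    # leftover from a stopped or failed VM
        esac
    done
}

# Constructed sample of `ip -o link show` on a node where VM 100 is running
# and VM 2004 (the failed start from the thread) is not.
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
5: vmbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
14: fwbr2004i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
16: fwln2004i0@fwpr2004p0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master fwbr2004i0 state UP
17: fwpr2004p0@fwln2004i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
20: fwbr100i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
21: tap100i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master fwbr100i0 state UP'

# Stand-alone usage: VM 100 is running, so only the three fw*2004* interfaces are stale.
stale_fw_ifaces "$SAMPLE_IP_LINK" "100"
```

On a live node, replace the sample with `stale_fw_ifaces "$(ip -o link show)" "$(qm list | awk 'NR>1 && $3=="running" {print $1}')"`.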
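The root cause in this thread, an unloadable xt_comment module, only surfaced as "iptables-restore -n failed: exit code 1". The following is an added example, not code from the thread or from pve-firewall: it extracts the `-m` match modules a ruleset in iptables-save format needs and tries to load each one by name, assuming every `-m NAME` maps to the kernel module xt_NAME (targets given with `-j` are not covered).

```shell
#!/bin/sh
# Added example (not from the thread or pve-firewall): report by name which
# xt_* match modules a generated ruleset relies on and whether they load,
# so a broken module (like the 0-byte xt_comment here) is visible before
# iptables-restore fails with a bare exit code.
# Assumption: "-m NAME" in a rule corresponds to kernel module xt_NAME.

# needed_xt_modules <ruleset-text>: prints the unique xt_* module names, sorted.
needed_xt_modules() {
    printf '%s\n' "$1" |
    awk '/^-A / { for (i = 1; i < NF; i++) if ($i == "-m") print "xt_" $(i + 1) }' |
    sort -u
}

# check_xt_modules <ruleset-text>: modprobe each needed module and return
# non-zero if any fails to load (needs root and a real kernel; not exercised
# by the stand-alone run below).
check_xt_modules() {
    rc=0
    for mod in $(needed_xt_modules "$1"); do
        if modprobe "$mod" 2>/dev/null; then
            printf 'ok    %s\n' "$mod"
        else
            printf 'FAIL  %s (see /lib/modules/%s/kernel/net/netfilter/%s.ko)\n' \
                "$mod" "$(uname -r)" "$mod"
            rc=1
        fi
    done
    return $rc
}

# Constructed ruleset in the style of pve-firewall output: chain names as in
# the thread, an ipset match on PVEFW-0-management and a PVESIG comment.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:PVEFW-INPUT - [0:0]
-A INPUT -j PVEFW-INPUT
-A PVEFW-INPUT -m set --match-set PVEFW-0-management src -p tcp --dport 8006 -j ACCEPT
-A PVEFW-INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-INPUT -m comment --comment "PVESIG:constructed" -j RETURN
COMMIT'

# Stand-alone usage: prints xt_comment, xt_conntrack, xt_set.
needed_xt_modules "$SAMPLE_RULES"
```

On a node, run `check_xt_modules "$(pve-firewall compile)"` (the command Alexandre suggests in the thread) to see which module the failing restore actually misses.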