[pve-devel] can't add fwpr2004p0 to bridge vmbr0: Unknown error 524

Alexandre DERUMIER aderumier at odiso.com
Thu Jun 19 06:07:26 CEST 2014


>>OK got it. My iptables comment module had 0 bytes on my test machine and
>>wasn't loadable. Never used it before.

Oh, ok!

----- Original Message -----

From: "Stefan Priebe" <s.priebe at profihost.ag>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com
Sent: Wednesday 18 June 2014 19:43:33
Subject: Re: [pve-devel] can't add fwpr2004p0 to bridge vmbr0: Unknown error 524

On 18.06.2014 21:13, Stefan Priebe wrote:
>
> On 18.06.2014 17:06, Alexandre DERUMIER wrote:
>>>> # ipset save 
>>>> create PVEFW-0-management hash:net family inet hashsize 64 maxelem 64 
>>>> add PVEFW-0-management 10.255.0.0/24 
>>>> create PVEFW-0-venet0 hash:net family inet hashsize 64 maxelem 64 
>> 
>> I just tried to import your ipset + iptables rules, and no problem ....
>> I don't understand. 
>> 
>> do you have other custom rules in input|output|forward ? 
>> 
>> (#iptables-save result ?) 

OK got it. My iptables comment module had 0 bytes on my test machine and 
wasn't loadable. Never used it before. 

Thanks for all your useful help. 

Stefan 


>> 
>> ----- Original Message -----
>>
>> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
>> To: "Alexandre DERUMIER" <aderumier at odiso.com>
>> Cc: pve-devel at pve.proxmox.com
>> Sent: Wednesday 18 June 2014 10:22:48
>> Subject: Re: [pve-devel] can't add fwpr2004p0 to bridge vmbr0: Unknown
>> error 524
>>
>> On 18.06.2014 10:03, Alexandre DERUMIER wrote:
>>> This is strange, I just tried to apply the full ruleset on my test
>>> server, and it applies fine.
>>> 
>>> can you post the output of 
>>> 
>>> #ipset save 
>>> 
>>> ? 
>> # ipset save 
>> create PVEFW-0-management hash:net family inet hashsize 64 maxelem 64 
>> add PVEFW-0-management 10.255.0.0/24 
>> create PVEFW-0-venet0 hash:net family inet hashsize 64 maxelem 64 
>> 
>> 
>>> ----- Original Message -----
>>>
>>> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
>>> To: "Alexandre DERUMIER" <aderumier at odiso.com>
>>> Cc: pve-devel at pve.proxmox.com
>>> Sent: Wednesday 18 June 2014 09:46:34
>>> Subject: Re: [pve-devel] can't add fwpr2004p0 to bridge vmbr0: Unknown
>>> error 524
>>>
>>> Hi,
>>>
>>> On 18.06.2014 08:59, Alexandre DERUMIER wrote:
>>>> try my patch #pve-firewall compile --full 
>>>> 
>>>> it should display the generated rules, and the error message from
>>>> iptables-restore
>>> 
>>> This is the output with patch applied: 
>>> http://pastebin.com/raw.php?i=rvt127kw 
>>> 
>>> What I'm wondering is that these rules also do things on my normal
>>> interfaces where I already run custom firewall rules.
>>>
>>> The next thing I tried was disabling the cluster firewall in the hope that
>>> this results in firewall rules ONLY for the VMs.
>>>
>>> I think there should be a way to skip all those global rules for the hw
>>> nodes and only apply rules for VMs.
>>> 
>>> Stefan 
>>> 
>>> 
>>>> ----- Original Message -----
>>>>
>>>> From: "Stefan Priebe" <s.priebe at profihost.ag>
>>>> To: "Alexandre DERUMIER" <aderumier at odiso.com>
>>>> Cc: pve-devel at pve.proxmox.com
>>>> Sent: Wednesday 18 June 2014 08:33:26
>>>> Subject: Re: [pve-devel] can't add fwpr2004p0 to bridge vmbr0: Unknown
>>>> error 524
>>>>
>>>> On 18.06.2014 03:16, Alexandre DERUMIER wrote:
>>>>>>> The output is very long! Do you need everything? 
>>>>> 
>>>>> how many rules have you created? Are you talking about MB of
>>>>> output?
>>>>> 
>>>>> if it's too big, you can send them to my email directly 
>>>> 
>>>> NO, I didn't even have rules set, that's the funny thing, and why I don't
>>>> know why all traffic is blocked.
>>>>
>>>> But generally I see no rules under
>>>> iptables -L -vnx
>>>> 
>>>> Most probably due to: 
>>>> Jun 18 08:32:55 cloud3-1351 pve-firewall[7944]: status update error: 
>>>> command '/sbin/iptables-restore -n' failed: exit code 1 
>>>> 
>>>> Stefan 
>>>> 
>>>>> ----- Original Message -----
>>>>>
>>>>> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
>>>>> To: "Alexandre DERUMIER" <aderumier at odiso.com>
>>>>> Cc: pve-devel at pve.proxmox.com
>>>>> Sent: Tuesday 17 June 2014 15:09:57
>>>>> Subject: Re: [pve-devel] can't add fwpr2004p0 to bridge vmbr0:
>>>>> Unknown error 524
>>>>>
>>>>> On 17.06.2014 10:38, Alexandre DERUMIER wrote:
>>>>>>>> Jun 17 10:28:04 cloud3-1351 pve-firewall[7944]: status update 
>>>>>>>> error: 
>>>>>>>> command '/sbin/iptables-restore -n' failed: exit code 1 
>>>>>> 
>>>>>> something seems wrong in the generated rules
>>>>>> 
>>>>>> can you do a 
>>>>>> 
>>>>>> #pve-firewall compile 
>>>>>> 
>>>>>> to see generated rules ? 
>>>>> 
>>>>> The output is very long! Do you need everything? 
>>>>> 
>>>>> Stefan 
>>>>> 
>>>>>> ----- Original Message -----
>>>>>>
>>>>>> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
>>>>>> To: "Alexandre DERUMIER" <aderumier at odiso.com>
>>>>>> Cc: pve-devel at pve.proxmox.com
>>>>>> Sent: Tuesday 17 June 2014 10:28:32
>>>>>> Subject: Re: [pve-devel] can't add fwpr2004p0 to bridge vmbr0:
>>>>>> Unknown error 524
>>>>>> 
>>>>>> Log says: 
>>>>>> Jun 17 10:27:59 cloud3-1351 dnsmasq-dhcp[8437]: DHCP packet 
>>>>>> received on 
>>>>>> fwbr2004i0 which has no address 
>>>>>> Jun 17 10:28:02 cloud3-1351 dnsmasq-dhcp[8437]: DHCPDISCOVER(vmbr0) 
>>>>>> c2:3e:63:19:6c:bf 
>>>>>> Jun 17 10:28:02 cloud3-1351 dnsmasq-dhcp[8437]: DHCPOFFER(vmbr0) 
>>>>>> 10.10.28.3 c2:3e:63:19:6c:bf 
>>>>>> Jun 17 10:28:04 cloud3-1351 pve-firewall[7944]: status update error: 
>>>>>> command '/sbin/iptables-restore -n' failed: exit code 1 
>>>>>> 
>>>>>> On 17.06.2014 10:26, Stefan Priebe - Profihost AG wrote:
>>>>>>> OK adding an empty 
>>>>>>> netpoll pdo controller to the veth device in the kernel fixes the 
>>>>>>> problem. 
>>>>>>> 
>>>>>>> The veth device does not support netpoll. 
>>>>>>> 
>>>>>>> Without the netconsole driver I can start the VM. But if the
>>>>>>> firewall is
>>>>>>> enabled I have no network - even with Input Policy and Output
>>>>>>> Policy set
>>>>>>> to ACCEPT.
>>>>>>>
>>>>>>> What should I check now?
>>>>>>> 
>>>>>>> Stefan 
>>>>>>> On 16.06.2014 11:49, Alexandre DERUMIER wrote:
>>>>>>>>>> I think this should get cleaned in that case? 
>>>>>>>> 
>>>>>>>> currently the cleanup is done: 
>>>>>>>> 
>>>>>>>> at vm shutdown 
>>>>>>>> at vm start 
>>>>>>>> when you disable|enable firewall on netX through api 
>>>>>>>> 
>>>>>>>> but indeed we can improve that (I'll try to have a look at it) 
>>>>>>>> 
>>>>>>>> 
>>>>>>>>>> I just don't get why it works for vmbr1 but not for vmbr0. 
>>>>>>>> 
>>>>>>>> can you try to manually add 
>>>>>>>> 
>>>>>>>> #brctl addif fwln2004i0 fwbr2004i0 
>>>>>>>> #brctl addif fwpr2004p0 vmbr0 
>>>>>>>> 
>>>>>>>> ? 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> ----- Original Message -----
>>>>>>>>
>>>>>>>> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
>>>>>>>> To: "Alexandre DERUMIER" <aderumier at odiso.com>
>>>>>>>> Cc: pve-devel at pve.proxmox.com
>>>>>>>> Sent: Monday 16 June 2014 11:40:59
>>>>>>>> Subject: Re: [pve-devel] can't add fwpr2004p0 to bridge vmbr0:
>>>>>>>> Unknown error 524
>>>>>>>>
>>>>>>>> On 16.06.2014 11:37, Alexandre DERUMIER wrote:
>>>>>>>>>>> What is the difference between the normal tap device without 
>>>>>>>>>>> firewall - 
>>>>>>>>>>> which works fine for me on vmbr0 and vmbr1 and the firewall 
>>>>>>>>>>> tap one? 
>>>>>>>>> 
>>>>>>>>> There is no difference.
>>>>>>>>>
>>>>>>>>> we just need a dedicated bridge (fwbrxxx) per firewalled tap
>>>>>>>>> interface,
>>>>>>>>> and this bridge is plugged into vmbrX through a veth pair (fwprxxxx)
>>>>>>>> 
>>>>>>>> I just don't get why it works for vmbr1 but not for vmbr0. 
>>>>>>>> 
>>>>>>>> I don't see a difference. 
>>>>>>>> 
>>>>>>>> Generally if adding the bridge fails for whatever reason there 
>>>>>>>> is a lot 
>>>>>>>> of unremoved stuff: 
>>>>>>>> 
>>>>>>>> [: ~]# ip a l | grep fwbr 
>>>>>>>> 14: fwbr2004i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc 
>>>>>>>> noqueue 
>>>>>>>> state UP 
>>>>>>>> 16: fwln2004i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc 
>>>>>>>> pfifo_fast master fwbr2004i0 state UP qlen 1000 
>>>>>>>> 
>>>>>>>> [: ~]# ifconfig| grep ^fw 
>>>>>>>> fwbr2004i0 Link encap:Ethernet HWaddr d2:74:33:d9:50:92 
>>>>>>>> fwln2004i0 Link encap:Ethernet HWaddr d2:74:33:d9:50:92 
>>>>>>>> fwpr2004p0 Link encap:Ethernet HWaddr b2:47:35:28:2c:de 
>>>>>>>> 
>>>>>>>> I think this should get cleaned in that case? 
>>>>>>>> 
>>>>>>>> Stefan 
>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> ----- Original Message -----
>>>>>>>>>
>>>>>>>>> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
>>>>>>>>> To: "Alexandre DERUMIER" <aderumier at odiso.com>
>>>>>>>>> Cc: pve-devel at pve.proxmox.com
>>>>>>>>> Sent: Monday 16 June 2014 11:29:00
>>>>>>>>> Subject: Re: [pve-devel] can't add fwpr2004p0 to bridge vmbr0:
>>>>>>>>> Unknown error 524
>>>>>>>>> 
>>>>>>>>> What is the difference between the normal tap device without 
>>>>>>>>> firewall - 
>>>>>>>>> which works fine for me on vmbr0 and vmbr1 and the firewall tap 
>>>>>>>>> one? 
>>>>>>>>> 
>>>>>>>>> Stefan 
>>>>>>>>> On 16.06.2014 11:10, Stefan Priebe - Profihost AG wrote:
>>>>>>>>>> Hi, 
>>>>>>>>>> 
>>>>>>>>>> I get the same problem with the official redhat PVE Kernel.
>>>>>>>>>>
>>>>>>>>>> What I don't understand is that it works fine with vmbr1 but
>>>>>>>>>> not with
>>>>>>>>>> vmbr0.
>>>>>>>>>> 
>>>>>>>>>> Interfaces file on host: 
>>>>>>>>>> 
>>>>>>>>>> auto vmbr0 
>>>>>>>>>> iface vmbr0 inet static 
>>>>>>>>>> address XX.XX.XX.XX 
>>>>>>>>>> netmask 255.255.255.128 
>>>>>>>>>> gateway XX.XX.XX.XX 
>>>>>>>>>> bridge_ports bond0 
>>>>>>>>>> bridge_stp off 
>>>>>>>>>> bridge_fd 0 
>>>>>>>>>> 
>>>>>>>>>> auto vmbr1 
>>>>>>>>>> iface vmbr1 inet manual 
>>>>>>>>>> bridge_ports bond1 
>>>>>>>>>> bridge_stp off 
>>>>>>>>>> bridge_fd 0 
>>>>>>>>>> 
>>>>>>>>>> Stefan 
>>>>>>>>>> 
>>>>>>>>>> On 16.06.2014 09:50, Alexandre DERUMIER wrote:
>>>>>>>>>>>>> Do i need a special kernel feature? 
>>>>>>>>>>> I don't think so.
>>>>>>>>>>> It just creates a veth pair, then plugs them into the bridge.
>>>>>>>>>>>
>>>>>>>>>>> I checked my logs, I don't have these
>>>>>>>>>>> 
>>>>>>>>>>> "netpoll: (null): fwpr2004p0 doesn't support polling, aborting " 
>>>>>>>>>>> 
>>>>>>>>>>> do you use a custom kernel ? 
>>>>>>>>>> 
>>>>>>>>>> Stefan 
>>>>>>>>>> 
>>>>>>> _______________________________________________ 
>>>>>>> pve-devel mailing list 
>>>>>>> pve-devel at pve.proxmox.com 
>>>>>>> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 
>>>>>>> 
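The root cause found above (a 0-byte, unloadable iptables comment module made `iptables-restore -n` fail, so the host ended up with no rules at all) suggests a pre-flight check before applying a ruleset. The script below is an added example, not code from this thread or from pve-firewall; it assumes match-extension modules live as `xt_<ext>.ko` under a directory you pass in (for example `/lib/modules/$(uname -r)/kernel/net/netfilter`) and checks only `-m`/`-p` match extensions, not `-j` targets.

```shell
#!/bin/sh
# Added example, not from the thread or from pve-firewall: refuse to run
# iptables-restore when a match extension it needs has no loadable module.
# Assumed layout: MODDIR/xt_<ext>.ko (e.g. /lib/modules/$(uname -r)/kernel/net/netfilter).
# Only "-m <ext>" / "-p tcp|udp" matches are checked, not "-j" targets.

# ruleset_matches: read an iptables-save style ruleset on stdin and print the
# xt_ module stems it needs, one per line, deduplicated
ruleset_matches() {
    awk '{
        for (i = 1; i < NF; i++) {
            n = ""
            if ($i == "-m" || $i == "--match") n = $(i + 1)
            # "-p tcp"/"-p udp" and "-m tcp"/"-m udp" all live in xt_tcpudp.ko
            if ($i == "-p" && ($(i + 1) == "tcp" || $(i + 1) == "udp")) n = "tcpudp"
            if (n == "tcp" || n == "udp") n = "tcpudp"
            if (n != "") print n
        }
    }' | sort -u
}

# check_ruleset_modules FILE MODDIR
# Prints one line per problem ("missing: xt_<ext>" or "empty: xt_<ext>") and
# returns 1 if any extension cannot be loaded, 0 if the ruleset is safe to apply.
check_ruleset_modules() {
    rc=0
    for m in $(ruleset_matches < "$1"); do
        ko="$2/xt_$m.ko"
        if [ ! -e "$ko" ]; then
            echo "missing: xt_$m"; rc=1
        elif [ ! -s "$ko" ]; then
            # a 0-byte module file is exactly the failure seen in the thread
            echo "empty: xt_$m (0 bytes, will not load)"; rc=1
        fi
    done
    return $rc
}

# Typical use on a host (assumed paths): apply the ruleset only if the check
# passes, so a failed restore is caught before it leaves the host unprotected.
#   iptables-save > /tmp/rules.new
#   check_ruleset_modules /tmp/rules.new /lib/modules/$(uname -r)/kernel/net/netfilter \
#       && iptables-restore -n /tmp/rules.new
```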


