[pve-devel] making the firewall more robust?

Stefan Priebe - Profihost AG s.priebe at profihost.ag
Tue Nov 29 10:23:56 CET 2016


In this case an employee managed to create the following ipset:

# cat /var/lib/pve-firewall/ipsetcmdlist1
destroy PVEFW-120-letsencrypt-v4_swap
create PVEFW-120-letsencrypt-v4_swap hash:net family inet hashsize 64 maxelem 64
add PVEFW-120-letsencrypt-v4_swap 0.0.0.0/0
swap PVEFW-120-letsencrypt-v4_swap PVEFW-120-letsencrypt-v4
flush PVEFW-120-letsencrypt-v4_swap
destroy PVEFW-120-letsencrypt-v4_swap

which fails:
ipset_restore_cmdlist: ipset v6.23: Error in line 3: The value of the
CIDR parameter of the IP address is invalid

Stefan

Am 29.11.2016 um 10:10 schrieb Stefan Priebe - Profihost AG:
> Hello,
> 
> today I've noticed that the firewall is nearly inactive on a node.
> 
> systemctl status says:
> Nov 29 10:07:05 node2 pve-firewall[2534]: status update error:
> ipset_restore_cmdlist: ipset v6.23: Error in line 3: The value of the
> CIDR parameter of the IP address is invalid
> Nov 29 10:07:14 node2 pve-firewall[2534]: status update error:
> ipset_restore_cmdlist: ipset v6.23: Error in line 3: The value of the
> CIDR parameter of the IP address is invalid
> Nov 29 10:07:24 node2 pve-firewall[2534]: status update error:
> ipset_restore_cmdlist: ipset v6.23: Error in line 3: The value of the
> CIDR parameter of the IP address is invalid
> 
> So it seems that the whole firewall breaks if there is somewhere
> something wrong.
> 
> I think especially for the firewall it's important to just skip that
> line but process all other values.
> 
> What is your opinion? Any idea how to "fix" that?
> 
> Greets,
> Stefan
> 
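A pre-filter in the spirit of the "skip that line but process all other values" suggestion, added here as an example and not code from pve-firewall itself (which is Perl): it parses a cmdlist like the one above and drops `add` entries that ipset would refuse, so a single bad entry no longer aborts the whole restore. The /0-on-hash:net rule mirrors the ipset v6.23 error shown above; the set types covered (hash:net, hash:ip) and the embedded sample cmdlist are assumptions.

```python
import ipaddress

# Constructed sample: the cmdlist from the post, with the wrapped
# "create" line joined back into one line as ipset restore reads it.
SAMPLE_CMDLIST = """\
destroy PVEFW-120-letsencrypt-v4_swap
create PVEFW-120-letsencrypt-v4_swap hash:net family inet hashsize 64 maxelem 64
add PVEFW-120-letsencrypt-v4_swap 0.0.0.0/0
swap PVEFW-120-letsencrypt-v4_swap PVEFW-120-letsencrypt-v4
flush PVEFW-120-letsencrypt-v4_swap
destroy PVEFW-120-letsencrypt-v4_swap
"""

def entry_is_valid(settype, family, entry):
    """True if `entry` can be added to an ipset of `settype`/`family`.
    Only hash:net and hash:ip are modelled (assumption)."""
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return False  # not an address or network at all
    if (net.version == 6) != (family == "inet6"):
        return False  # wrong address family for this set
    if settype == "hash:net":
        # ipset v6.23 rejects a /0 network in hash:net with "The value of
        # the CIDR parameter of the IP address is invalid" (see the post).
        return net.prefixlen >= 1
    if settype == "hash:ip":
        return net.num_addresses == 1  # single host only
    return True  # other set types are not checked (assumption)

def sanitize_cmdlist(text):
    """Drop `add` lines whose entry ipset would reject; keep all others.
    Returns (kept_lines, skipped_lines) so the caller can log the skips."""
    sets = {}  # set name -> (settype, family), learned from `create` lines
    kept, skipped = [], []
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        if words[0] == "create" and len(words) >= 3:
            fam = words[words.index("family") + 1] if "family" in words[:-1] else "inet"
            sets[words[1]] = (words[2], fam)
        elif words[0] == "add" and len(words) >= 3:
            settype, fam = sets.get(words[1], ("hash:net", "inet"))
            if not entry_is_valid(settype, fam, words[2]):
                skipped.append(line)  # report instead of aborting the restore
                continue
        kept.append(line)
    return kept, skipped
```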