[pve-devel] making the firewall more robust?
Stefan Priebe - Profihost AG
s.priebe at profihost.ag
Tue Nov 29 10:23:56 CET 2016
In this case an employee managed to create the following ipset:
# cat /var/lib/pve-firewall/ipsetcmdlist1
destroy PVEFW-120-letsencrypt-v4_swap
create PVEFW-120-letsencrypt-v4_swap hash:net family inet hashsize 64 maxelem 64
add PVEFW-120-letsencrypt-v4_swap 0.0.0.0/0
swap PVEFW-120-letsencrypt-v4_swap PVEFW-120-letsencrypt-v4
flush PVEFW-120-letsencrypt-v4_swap
destroy PVEFW-120-letsencrypt-v4_swap
which fails:
ipset_restore_cmdlist: ipset v6.23: Error in line 3: The value of the CIDR parameter of the IP address is invalid
Stefan
Am 29.11.2016 um 10:10 schrieb Stefan Priebe - Profihost AG:
> Hello,
>
> today I've noticed that the firewall is nearly inactive on a node.
>
> systemctl status says:
> Nov 29 10:07:05 node2 pve-firewall[2534]: status update error: ipset_restore_cmdlist: ipset v6.23: Error in line 3: The value of the CIDR parameter of the IP address is invalid
> Nov 29 10:07:14 node2 pve-firewall[2534]: status update error: ipset_restore_cmdlist: ipset v6.23: Error in line 3: The value of the CIDR parameter of the IP address is invalid
> Nov 29 10:07:24 node2 pve-firewall[2534]: status update error: ipset_restore_cmdlist: ipset v6.23: Error in line 3: The value of the CIDR parameter of the IP address is invalid
>
> So it seems that the whole firewall breaks if there is somewhere
> something wrong.
>
> I think especially for the firewall it's important to just skip that
> line but process all other values.
>
> What is your opinion? Any idea how to "fix" that?
>
> Greets,
> Stefan
>
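The failure above comes from a single entry (0.0.0.0/0, which ipset's hash:net type does not accept as a CIDR) aborting the whole `ipset restore`, so every other set on the node stays stale. The following is an added illustration of the "skip the bad line, keep the rest" behaviour Stefan asks for; it is not pve-firewall's own code. It validates each entry before it is written into the swap cmdlist, drops and reports the ones ipset would reject, and still emits the create/add/swap/flush/destroy sequence seen in the post for the good entries. The sample entries and the set name are constructed for the example; the validation rules (one address family per set, prefix length 1..32 or 1..128 for hash:net) are assumptions that match the error on the node.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample: the entry that broke the node plus a few harmless ones.
# This is NOT the real contents of /var/lib/pve-firewall/ipsetcmdlist1.
SAMPLE_ENTRIES = ["0.0.0.0/0", "203.0.113.0/24", "198.51.100.7", "not-an-ip"]


def check_hashnet_entry(entry: str, family: str = "inet") -> Tuple[bool, str]:
    """Return (ok, reason) for one candidate entry of a hash:net set.

    Assumed rules (enough to catch the failure from the post): the entry must
    parse as an address or network, belong to the set's family, and carry a
    prefix length of at least 1, since ipset reports a /0 entry as
    'The value of the CIDR parameter of the IP address is invalid'.
    """
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError as exc:
        return False, f"not a valid address or network: {exc}"
    want_version = 4 if family == "inet" else 6
    if net.version != want_version:
        return False, f"address family mismatch (set family is {family})"
    if net.prefixlen == 0:
        return False, "prefix length 0 is not accepted by hash:net"
    return True, "ok"


def build_swap_cmdlist(name: str, entries: List[str],
                       family: str = "inet") -> Tuple[List[str], List[str]]:
    """Build the swap sequence for one set, skipping entries that would abort
    the restore. Returns (commands, rejected) so the caller can log the
    rejected entries instead of losing every set in the cmdlist."""
    tmp = f"{name}_swap"
    good: List[str] = []
    rejected: List[str] = []
    for entry in entries:
        ok, reason = check_hashnet_entry(entry, family)
        if ok:
            good.append(entry)
        else:
            rejected.append(f"{entry}: {reason}")

    cmds = [
        f"destroy {tmp}",
        f"create {tmp} hash:net family {family} hashsize 64 maxelem 64",
    ]
    cmds += [f"add {tmp} {entry}" for entry in good]
    cmds += [f"swap {tmp} {name}", f"flush {tmp}", f"destroy {tmp}"]
    return cmds, rejected


if __name__ == "__main__":
    commands, bad = build_swap_cmdlist("PVEFW-120-letsencrypt-v4", SAMPLE_ENTRIES)
    print("\n".join(commands))
    for line in bad:
        # In a daemon this would go to the journal, so the operator still
        # sees which VM's ipset is misconfigured while the rest stays active.
        print(f"skipped invalid ipset entry: {line}")
```

Running the script prints a cmdlist containing only the two valid adds, followed by two "skipped" lines; feeding that list to `ipset restore` would no longer fail on line 3.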