[pve-devel] making the firewall more robust?
Stefan Priebe - Profihost AG
s.priebe at profihost.ag
Tue Nov 29 10:46:34 CET 2016
On 29.11.2016 at 10:24, Fabian Grünbichler wrote:
> On Tue, Nov 29, 2016 at 10:10:53AM +0100, Stefan Priebe - Profihost AG wrote:
>> Hello,
>>
>> today I've noticed that the firewall is nearly inactive on a node.
>>
>> systemctl status says:
>> Nov 29 10:07:05 node2 pve-firewall[2534]: status update error:
>> ipset_restore_cmdlist: ipset v6.23: Error in line 3: The value of the
>> CIDR parameter of the IP address is invalid
>> Nov 29 10:07:14 node2 pve-firewall[2534]: status update error:
>> ipset_restore_cmdlist: ipset v6.23: Error in line 3: The value of the
>> CIDR parameter of the IP address is invalid
>> Nov 29 10:07:24 node2 pve-firewall[2534]: status update error:
>> ipset_restore_cmdlist: ipset v6.23: Error in line 3: The value of the
>> CIDR parameter of the IP address is invalid
>>
>> So it seems that the whole firewall breaks if there is somewhere
>> something wrong.
>>
>> I think especially for the firewall it's important to just skip that
>> line but process all other values.
>>
>> What is your opinion? Any idea how to "fix" that?
>
> that bug should already be fixed in git AFAIK.
Which one? Cannot find the commit. I'm running pve-firewall 2.0-31
> there are two problems with partially applying firewall rules:
> - we don't know which rules are invalid (because of course we try to
> generate valid rules, errors like the above are clearly bugs ;)) - we
> could guess based on some error message by the underlying tools, but
> that is error prone
> - applying some rules but not all can have as catastrophic consequences
> as not applying any (e.g., if you miss a single ACCEPT rule because of
> a bug, you might not be able to access your cluster at all!)
OK sure. But then we should maybe send an email to root in case of a
failure? Currently nobody knows if such a failure happens. Also the
pve-firewall daemon does not fail itself. So even systemd says
pve-firewall is up and running.
Greets,
Stefan
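As an added example (not pve-firewall code), a small Python pre-check of the kind that would localise a bad `add` entry before `ipset restore` runs, plus a scan of journal lines for the status error quoted above; the set name, addresses and journal line are constructed.

```python
"""Pre-validate an ipset restore command list and spot restore failures.

Added example, not from pve-firewall: ipset rejects the whole restore batch
and only reports "Error in line N", so checking each `add` line with the
ipaddress module first pinpoints the offending entry.
"""
import ipaddress
import re

# Constructed ipset restore command list (set name is made up). Line 3 has an
# out-of-range prefix, the case behind the CIDR error quoted in the thread.
SAMPLE_CMDLIST = """\
create PVEFW-0-example-v4 hash:net family inet hashsize 64 maxelem 64
add PVEFW-0-example-v4 10.0.0.0/8
add PVEFW-0-example-v4 192.168.1.0/33
add PVEFW-0-example-v4 172.16.0.0/12
add PVEFW-0-example-v4 192.168.2.300/24
"""

ADD_LINE = re.compile(r"^add\s+(\S+)\s+(\S+)")


def check_cmdlist(cmdlist: str) -> list:
    """Return (line_no, entry, reason) for each `add` line with a bad address.

    Line numbers are 1-based to match ipset's own "Error in line N".
    Only the address/CIDR field is checked; create/flush/swap lines are skipped.
    """
    problems = []
    for line_no, line in enumerate(cmdlist.splitlines(), start=1):
        match = ADD_LINE.match(line)
        if not match:
            continue
        entry = match.group(2)
        try:
            # strict=False: host bits in the network part are tolerated;
            # a bad prefix length or octet still raises ValueError.
            ipaddress.ip_network(entry, strict=False)
        except ValueError as err:
            problems.append((line_no, entry, str(err)))
    return problems


# Constructed journal line in the format the daemon logs (see thread).
SAMPLE_JOURNAL = ("Nov 29 10:07:05 node2 pve-firewall[2534]: status update error: "
                  "ipset_restore_cmdlist: ipset v6.23: Error in line 3: The value "
                  "of the CIDR parameter of the IP address is invalid\n")
ERROR_LINE = re.compile(r"pve-firewall\[\d+\]: status update error: .*?Error in line (\d+)")


def restore_errors_in_journal(journal: str) -> list:
    """Return the ipset input line numbers named in status update errors."""
    return [int(m.group(1)) for m in ERROR_LINE.finditer(journal)]
```

Running `check_cmdlist` over the list the daemon is about to apply, and feeding any non-empty result to an alert (the root mail suggested above), surfaces the failure that systemd's "active" status hides.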