[pve-devel] broken system / pve-firewall
Stefan Priebe - Profihost AG
s.priebe at profihost.ag
Sat Mar 18 21:27:52 CET 2017
Hello list,
I'm going crazy with a problem I don't understand.
After some time the pve-firewall stops working for me. It doesn't filter
any packets anymore. If I restart pve-firewall everything is fine again.
After digging around for some weeks I found out that the chain FORWARD
does not receive packets anymore?
It looks like this - so NO packets get processed:
# iptables -L FORWARD -vnx
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 PVEFW-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0
Status output:
# systemctl status -l pve-firewall.service
● pve-firewall.service - Proxmox VE firewall
   Loaded: loaded (/lib/systemd/system/pve-firewall.service; enabled)
   Active: active (running) since Thu 2017-03-02 13:11:24 CET; 2 weeks 2 days ago
 Main PID: 3056 (pve-firewall)
   CGroup: /system.slice/pve-firewall.service
           └─3056 pve-firewal

Mar 02 13:11:24 dev-cluster pve-firewall[3056]: starting server
Mar 02 13:11:24 dev-cluster systemd[1]: Started Proxmox VE firewall.
Mar 08 19:42:06 dev-cluster pve-firewall[3056]: firewall update time (5.055 seconds)
Mar 09 17:26:31 dev-cluster pve-firewall[3056]: ipcc_send_rec failed: Transport endpoint is not connected
Mar 09 20:23:11 dev-cluster pve-firewall[3056]: ipcc_send_rec failed: Transport endpoint is not connected
Mar 15 10:49:23 dev-cluster pve-firewall[3056]: firewall update time (5.237 seconds)
Mar 17 08:17:57 dev-cluster pve-firewall[3056]: firewall update time (5.063 seconds)
# systemctl restart pve-firewall.service
#
# iptables -L FORWARD -vnx
Chain FORWARD (policy ACCEPT 80 packets, 6543 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     326      49611 PVEFW-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0
After the restart the FORWARD chain immediately gets packets again.
I noticed that after the restart:
net.bridge.bridge-nf-call-ip6tables
net.bridge.bridge-nf-call-iptables
changed from 0 to 1, which makes sense.
But:
# cat /etc/sysctl.d/pve.conf
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
net.bridge.bridge-nf-filter-vlan-tagged = 0
fs.aio-max-nr = 1048576
# dpkg -S /etc/sysctl.d/pve.conf
pve-cluster: /etc/sysctl.d/pve.conf
Greets,
Stefan
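The symptom above is detectable before anyone notices missing filtering: when net.bridge.bridge-nf-call-iptables is 0, bridged VM traffic never enters the FORWARD chain, so the pkts counter of the PVEFW-FORWARD jump rule stops moving while the firewall service still reports "active (running)". The script below is an added example and not code from the post or from Proxmox; it samples that counter twice and reads the sysctl, and flags the host when either the sysctl is 0 (the value /etc/sysctl.d/pve.conf would produce if its settings were re-applied) or the counter does not increase. The function names, the sample interval and the PVEFW_CHECK_LIVE variable are assumptions chosen for this example.

```shell
#!/bin/sh
# Added example: health check for "pve-firewall running but FORWARD chain idle".
# Not part of the original post or of Proxmox VE.

# Print the pkts counter of the FORWARD rule that jumps to target $1,
# reading 'iptables -L FORWARD -vnx' output on stdin. Prints nothing if absent.
pvefw_forward_pkts() {
    awk -v tgt="$1" '$3 == tgt { print $1; exit }'
}

# Read net.bridge.bridge-nf-call-iptables from a procfs root (default /proc/sys).
# Prints "absent" when the bridge module is not loaded or the file is unreadable.
bridge_nf_call_iptables() {
    root="${1:-/proc/sys}"
    f="$root/net/bridge/bridge-nf-call-iptables"
    if [ -r "$f" ]; then cat "$f"; else echo "absent"; fi
}

# Decide whether bridged traffic is actually reaching the firewall:
# success (0) only when the sysctl is 1 AND the counter grew between samples.
# Arguments: sysctl value, first pkts sample, second pkts sample.
forward_is_live() {
    sysctl_val="$1"; before="$2"; after="$3"
    [ "$sysctl_val" = "1" ] && [ "$after" -gt "$before" ]
}

# Live check on a PVE host: sample the PVEFW-FORWARD counter $1 seconds apart.
# Returns 1 (and prints ALERT) when the firewall is not seeing bridged traffic.
check_host() {
    interval="${1:-10}"
    v=$(bridge_nf_call_iptables)
    b=$(iptables -L FORWARD -vnx 2>/dev/null | pvefw_forward_pkts PVEFW-FORWARD)
    sleep "$interval"
    a=$(iptables -L FORWARD -vnx 2>/dev/null | pvefw_forward_pkts PVEFW-FORWARD)
    b="${b:-0}"; a="${a:-0}"
    if forward_is_live "$v" "$b" "$a"; then
        echo "ok: bridge-nf-call-iptables=$v, PVEFW-FORWARD $b -> $a pkts"
    else
        echo "ALERT: bridge-nf-call-iptables=$v, PVEFW-FORWARD $b -> $a pkts in ${interval}s"
        return 1
    fi
}

# Only run the live check when explicitly requested, so the file can be sourced
# for testing without touching iptables: PVEFW_CHECK_LIVE=1 sh pvefw-check.sh 10
if [ "${PVEFW_CHECK_LIVE:-0}" = "1" ]; then
    check_host "$@"
fi
```

A zero counter on a quiet host is not by itself an alert; the sysctl value is the deciding signal, and the counter comparison is there so the check also catches the case where the chain exists but never sees traffic. Run it from cron or a monitoring agent with an interval long enough for normal VM traffic to land.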