[pve-devel] broken system / pve-firewall

Stefan Priebe - Profihost AG s.priebe at profihost.ag
Sun Mar 19 19:51:33 CET 2017


Hi,
Am 19.03.2017 um 14:44 schrieb Dietmar Maurer:
>> After digging around for some weeks I found out that the chain FORWARD
>> does not receive packets anymore?
> 
> Any hints in syslog?

No, the reason is simply that
net.bridge.bridge-nf-call-iptables
is 0 again. Most probably because /etc/sysctl.d is reinitialized for
some reason.

To me the main question is why pve-cluster provides a default of 0,
which disables iptables for bridges and makes pve-firewall useless for
Linux bridges.

> Which kernel do you run exactly?
Tested with my own vanilla 4.4 kernel and with 4.4.44-1-pve. But again
this behaviour is expected with net.bridge.bridge-nf-call-iptables=0 for
all kernels.

Greets,
Stefan
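The sysctl drift Stefan describes (a fragment setting net.bridge.bridge-nf-call-iptables back to 0, silently bypassing the FORWARD chain for bridged traffic) can be checked with the added script below. It is example code written for this page, not part of the thread or of the Proxmox packages; it assumes fragments use the `key = value` syntax read in lexicographic filename order with the last assignment winning, and the sample fragment names and values are constructed.

```bash
#!/bin/sh
# Added example: compute the value sysctl.d fragments would apply for
# net.bridge.bridge-nf-call-iptables and compare it with a running value.
# Assumption: "key = value" lines, lexicographic file order, last one wins.
KEY="net.bridge.bridge-nf-call-iptables"

# effective_sysctl_d DIR -> value set by the last fragment, or "unset".
effective_sysctl_d() {
    dir="$1"; val="unset"
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        # Drop comments and whitespace, accept the slash form of the key,
        # then keep the last assignment found in this file.
        v=$(sed -e 's/[#;].*//' -e 's/[[:space:]]//g' -e 's#/#.#g' "$f" \
            | awk -F= -v k="$KEY" '$1==k {last=$2} END {if (last!="") print last}')
        [ -n "$v" ] && val="$v"
    done
    printf '%s\n' "$val"
}

# running_value -> current kernel value, or "absent" when br_netfilter is
# not loaded (the /proc entry only exists with the module).
running_value() {
    p=/proc/sys/net/bridge/bridge-nf-call-iptables
    if [ -r "$p" ]; then cat "$p"; else echo absent; fi
}

# check_bridge_nf DIR RUNNING -> 0 only when both the configured and the
# running value are 1; RUNNING is a parameter so the check runs offline.
check_bridge_nf() {
    cfg=$(effective_sysctl_d "$1"); run="$2"
    if [ "$cfg" = 1 ] && [ "$run" = 1 ]; then
        echo "OK: $KEY config=1 running=1"; return 0
    fi
    echo "WARN: $KEY config=$cfg running=$run; bridged traffic skips FORWARD"
    return 1
}

# Constructed sample: a low-numbered fragment defaulting to 0, a later one
# re-enabling it, and a running value of 0 as after a reinitialisation.
demo() {
    d=$(mktemp -d)
    printf '# constructed default\n%s = 0\n' "$KEY" > "$d/10-default.conf"
    printf '%s = 1\n' "$KEY" > "$d/99-firewall.conf"
    effective_sysctl_d "$d"
    check_bridge_nf "$d" 0 || true
    check_bridge_nf "$d" "$(running_value)" || true
    rm -rf "$d"
}
demo
```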


