[PVE-User] PVE Firewall IPset+Alias broken in v8
Patrick Velder
lists at velder.li
Mon Jul 10 17:58:16 CEST 2023
Update:
Upon further investigation, I discovered that the error message "value
does not look like a valid IP address or CIDR network" also occurs on
functioning PVE 7.xx systems. It appears that these messages are
unrelated to the current issue. However, they can cause confusion when
troubleshooting firewall-related problems and should also be addressed.
The actual problem lies in the fact that when a global IP set is defined
at the datacenter level, which includes aliases with the prefixes "dc/"
or "guest/", the rules fail to work, also resulting in the following
error messages:
> no such alias 'xxx'
> no such alias 'yyy'
Best regards
Patrick
On 7/9/23 21:11, Patrick Velder wrote:
> Hello,
>
> Since the upgrade to PVE 8, there appears to be a problem with the
> combination of ipset and alias. When checking the firewall status
> using the command "pve-firewall status," I receive the error message
> "value does not look like a valid IP address or CIDR network" repeated
> multiple times. Despite attempting to downgrade to
> pve-firewall_4.3-2_amd64.deb, the issue remains unresolved.
>
> To further investigate and find a potential solution, I recommend
> checking the following forum threads:
>
> * https://forum.proxmox.com/threads/pve-8-pve-firewall-status-no-such-alias.130202/
> * https://forum.proxmox.com/threads/ipset-not-working-for-accepting-cluster-traffic.129599/
>
> Is that a known issue and is there maybe a workaround, since many
> rules stopped working?
>
> Thanks and best regards
> Patrick
>
More information about the pve-user
mailing list