On 17.06.2014 10:38, Alexandre DERUMIER wrote:
>>> Jun 17 10:28:04 cloud3-1351 pve-firewall[7944]: status update error: command '/sbin/iptables-restore -n' failed: exit code 1
>
> something seems wrong in the generated rules
>
> can you do a
>
> #pve-firewall compile
>
> to see the generated rules?

The output is very long! Do you need everything?

Stefan

> ----- Original message -----
>
> From: "Stefan Priebe - Profihost AG" <s.pri...@profihost.ag>
> To: "Alexandre DERUMIER" <aderum...@odiso.com>
> Cc: pve-devel@pve.proxmox.com
> Sent: Tuesday, 17 June 2014 10:28:32
> Subject: Re: [pve-devel] can't add fwpr2004p0 to bridge vmbr0: Unknown error 524
>
> Log says:
> Jun 17 10:27:59 cloud3-1351 dnsmasq-dhcp[8437]: DHCP packet received on fwbr2004i0 which has no address
> Jun 17 10:28:02 cloud3-1351 dnsmasq-dhcp[8437]: DHCPDISCOVER(vmbr0) c2:3e:63:19:6c:bf
> Jun 17 10:28:02 cloud3-1351 dnsmasq-dhcp[8437]: DHCPOFFER(vmbr0) 10.10.28.3 c2:3e:63:19:6c:bf
> Jun 17 10:28:04 cloud3-1351 pve-firewall[7944]: status update error: command '/sbin/iptables-restore -n' failed: exit code 1
>
> On 17.06.2014 10:26, Stefan Priebe - Profihost AG wrote:
>> OK adding an empty
>> netpoll pdo controller to the veth device in the kernel fixes the problem.
>>
>> The veth device does not support netpoll.
>>
>> Without the netconsole driver I can start the VM. But if the firewall is
>> enabled I have no network - even with Input Policy and Output Policy set
>> to ACCEPT.
>>
>> What should I check now?
>>
>> Stefan
>> On 16.06.2014 11:49, Alexandre DERUMIER wrote:
>>>>> I think this should get cleaned in that case?
>>>
>>> currently the cleanup is done:
>>>
>>> at vm shutdown
>>> at vm start
>>> when you disable|enable firewall on netX through api
>>>
>>> but indeed we can improve that (I'll try to have a look at it)
>>>
>>>
>>>>> I just don't get why it works for vmbr1 but not for vmbr0.
>>>
>>> can you try to manually add
>>>
>>> #brctl addif fwln2004i0 fwbr2004i0
>>> #brctl addif fwpr2004p0 vmbr0
>>>
>>> ?
>>>
>>>
>>> ----- Original message -----
>>>
>>> From: "Stefan Priebe - Profihost AG" <s.pri...@profihost.ag>
>>> To: "Alexandre DERUMIER" <aderum...@odiso.com>
>>> Cc: pve-devel@pve.proxmox.com
>>> Sent: Monday, 16 June 2014 11:40:59
>>> Subject: Re: [pve-devel] can't add fwpr2004p0 to bridge vmbr0: Unknown error 524
>>>
>>> On 16.06.2014 11:37, Alexandre DERUMIER wrote:
>>>>>> What is the difference between the normal tap device without firewall -
>>>>>> which works fine for me on vmbr0 and vmbr1 and the firewall tap one?
>>>>
>>>> There is no difference.
>>>>
>>>> we just need a dedicated bridge (fwbrxxx) per firewalled tap interface,
>>>> and this bridge is plugged to vmbrX through a veth pair (fwprxxxx)
>>>
>>> I just don't get why it works for vmbr1 but not for vmbr0.
>>>
>>> I don't see a difference.
>>>
>>> Generally if adding the bridge fails for whatever reason there is a lot
>>> of unremoved stuff:
>>>
>>> [: ~]# ip a l | grep fwbr
>>> 14: fwbr2004i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
>>> 16: fwln2004i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master fwbr2004i0 state UP qlen 1000
>>>
>>> [: ~]# ifconfig| grep ^fw
>>> fwbr2004i0 Link encap:Ethernet HWaddr d2:74:33:d9:50:92
>>> fwln2004i0 Link encap:Ethernet HWaddr d2:74:33:d9:50:92
>>> fwpr2004p0 Link encap:Ethernet HWaddr b2:47:35:28:2c:de
>>>
>>> I think this should get cleaned in that case?
>>>
>>> Stefan
>>>
>>>>
>>>> ----- Original message -----
>>>>
>>>> From: "Stefan Priebe - Profihost AG" <s.pri...@profihost.ag>
>>>> To: "Alexandre DERUMIER" <aderum...@odiso.com>
>>>> Cc: pve-devel@pve.proxmox.com
>>>> Sent: Monday, 16 June 2014 11:29:00
>>>> Subject: Re: [pve-devel] can't add fwpr2004p0 to bridge vmbr0: Unknown error 524
>>>>
>>>> What is the difference between the normal tap device without firewall -
>>>> which works fine for me on vmbr0 and vmbr1 and the firewall tap one?
>>>>
>>>> Stefan
>>>> On 16.06.2014 11:10, Stefan Priebe - Profihost AG wrote:
>>>>> Hi,
>>>>>
>>>>> I get the same problem with the official redhat PVE Kernel.
>>>>>
>>>>> What I don't understand is that it works fine with vmbr1 but not with
>>>>> vmbr0.
>>>>>
>>>>> Interfaces file on host:
>>>>>
>>>>> auto vmbr0
>>>>> iface vmbr0 inet static
>>>>>     address XX.XX.XX.XX
>>>>>     netmask 255.255.255.128
>>>>>     gateway XX.XX.XX.XX
>>>>>     bridge_ports bond0
>>>>>     bridge_stp off
>>>>>     bridge_fd 0
>>>>>
>>>>> auto vmbr1
>>>>> iface vmbr1 inet manual
>>>>>     bridge_ports bond1
>>>>>     bridge_stp off
>>>>>     bridge_fd 0
>>>>>
>>>>> Stefan
>>>>>
>>>>> On 16.06.2014 09:50, Alexandre DERUMIER wrote:
>>>>>>>> Do I need a special kernel feature?
>>>>>> I don't think so.
>>>>>> It just creates a veth pair, then plugs them into the bridge.
>>>>>>
>>>>>> I checked my logs, I don't have these
>>>>>>
>>>>>> "netpoll: (null): fwpr2004p0 doesn't support polling, aborting "
>>>>>>
>>>>>> do you use a custom kernel?
>>>>>
>>>>> Stefan
>>>>>
_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
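
Added example (not part of the thread and not pve-firewall code): a check for the state described above, where a failed bridge add leaves the firewall veth ends behind without a bridge. It reads `ip -o link show` output and reports fwln*/fwpr* devices with no master or an unexpected one. The fwln<id>i<n> -> fwbr<id>i<n> and fwpr -> vmbrX pairing is inferred from the output quoted in the thread, and the sample input is constructed.

```shell
#!/bin/sh
# Report pve-firewall veth ends that are not plugged into the expected bridge.
# Input on stdin: output of `ip -o link show` (one device per line).
check_fw_ports() {
    awk '
    {
        name = $2
        sub(/:$/, "", name)       # "fwpr2004p0:" -> "fwpr2004p0"
        sub(/@.*$/, "", name)     # newer iproute2 prints "name@peer"
        if (name !~ /^fw(ln|pr)[0-9]+[ip][0-9]+$/) next

        # Find the bridge this port is enslaved to, if any.
        master = ""
        for (i = 3; i < NF; i++)
            if ($i == "master") { master = $(i + 1); break }

        # Assumption from the thread: fwlnX belongs in fwbrX, fwprX in a vmbr*.
        if (name ~ /^fwln/) { want = name; sub(/^fwln/, "fwbr", want) }
        else want = "vmbr*"

        if (master == "")
            print name, "unplugged", "expected=" want
        else if ((name ~ /^fwln/ && master != want) ||
                 (name ~ /^fwpr/ && master !~ /^vmbr/))
            print name, "master=" master, "expected=" want
    }'
}

# Constructed sample: the first two lines follow the output quoted in the
# thread; the fwpr2004p0 and fwpr2005p0 lines are made up for illustration.
SAMPLE='14: fwbr2004i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
16: fwln2004i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master fwbr2004i0 state UP qlen 1000
17: fwpr2004p0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
21: fwpr2005p0@fwln2005i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr1 state UP qlen 1000'

printf '%s\n' "$SAMPLE" | check_fw_ports
```

On a live host the same function takes `ip -o link show | check_fw_ports`.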