Hi,

On 18.06.2014 08:59, Alexandre DERUMIER wrote:
> try my patch
> #pve-firewall compile --full
>
> it should display the generated rules, and error message from iptables-restore

This is the output with patch applied:
http://pastebin.com/raw.php?i=rvt127kw

What I'm wondering is that these rules also do things on my normal interfaces where I already run custom firewall rules.

The next thing I tried was disabling the cluster firewall in the hope that this results in firewall rules ONLY for the VMs.

I think there should be a way to skip all those global rules for the hw nodes and only apply rules for VMs.

Stefan

> ----- Original Mail -----
>
> From: "Stefan Priebe" <s.pri...@profihost.ag>
> To: "Alexandre DERUMIER" <aderum...@odiso.com>
> Cc: pve-devel@pve.proxmox.com
> Sent: Wednesday 18 June 2014 08:33:26
> Subject: Re: [pve-devel] can't add fwpr2004p0 to bridge vmbr0: Unknown error 524
>
> On 18.06.2014 03:16, Alexandre DERUMIER wrote:
>>>> The output is very long! Do you need everything?
>>
>> how many rules do you have created ? are you talking about MB of output ?
>>
>> if it's too big, you can send them to my email directly
>
> NO, I didn't even have rules set, that's the funny thing and why I don't know why all traffic is blocked.
>
> But generally I see no rules under
> iptables -L -vnx
>
> Most probably due to:
> Jun 18 08:32:55 cloud3-1351 pve-firewall[7944]: status update error: command '/sbin/iptables-restore -n' failed: exit code 1
>
> Stefan
>
>> ----- Original Mail -----
>>
>> From: "Stefan Priebe - Profihost AG" <s.pri...@profihost.ag>
>> To: "Alexandre DERUMIER" <aderum...@odiso.com>
>> Cc: pve-devel@pve.proxmox.com
>> Sent: Tuesday 17 June 2014 15:09:57
>> Subject: Re: [pve-devel] can't add fwpr2004p0 to bridge vmbr0: Unknown error 524
>>
>> On 17.06.2014 10:38, Alexandre DERUMIER wrote:
>>>>> Jun 17 10:28:04 cloud3-1351 pve-firewall[7944]: status update error: command '/sbin/iptables-restore -n' failed: exit code 1
>>>
>>> something seems wrong in the generated rules
>>>
>>> can you do a
>>>
>>> #pve-firewall compile
>>>
>>> to see the generated rules ?
>>
>> The output is very long! Do you need everything?
>>
>> Stefan
>>
>>> ----- Original Mail -----
>>>
>>> From: "Stefan Priebe - Profihost AG" <s.pri...@profihost.ag>
>>> To: "Alexandre DERUMIER" <aderum...@odiso.com>
>>> Cc: pve-devel@pve.proxmox.com
>>> Sent: Tuesday 17 June 2014 10:28:32
>>> Subject: Re: [pve-devel] can't add fwpr2004p0 to bridge vmbr0: Unknown error 524
>>>
>>> Log says:
>>> Jun 17 10:27:59 cloud3-1351 dnsmasq-dhcp[8437]: DHCP packet received on fwbr2004i0 which has no address
>>> Jun 17 10:28:02 cloud3-1351 dnsmasq-dhcp[8437]: DHCPDISCOVER(vmbr0) c2:3e:63:19:6c:bf
>>> Jun 17 10:28:02 cloud3-1351 dnsmasq-dhcp[8437]: DHCPOFFER(vmbr0) 10.10.28.3 c2:3e:63:19:6c:bf
>>> Jun 17 10:28:04 cloud3-1351 pve-firewall[7944]: status update error: command '/sbin/iptables-restore -n' failed: exit code 1
>>>
>>> On 17.06.2014 10:26, Stefan Priebe - Profihost AG wrote:
>>>> OK, adding an empty netpoll pdo controller to the veth device in the kernel fixes the problem.
>>>>
>>>> The veth device does not support netpoll.
>>>>
>>>> Without the netconsole driver I can start the VM. But if the firewall is enabled I've no network - even with Input Policy and Output Policy set to ACCEPT.
>>>>
>>>> What should I check now?
>>>>
>>>> Stefan
>>>>
>>>> On 16.06.2014 11:49, Alexandre DERUMIER wrote:
>>>>>>> I think this should get cleaned in that case?
>>>>>
>>>>> currently the cleanup is done:
>>>>>
>>>>> at vm shutdown
>>>>> at vm start
>>>>> when you disable|enable firewall on netX through api
>>>>>
>>>>> but indeed we can improve that (I'll try to have a look at it)
>>>>>
>>>>>>> I just don't get why it works for vmbr1 but not for vmbr0.
>>>>>
>>>>> can you try to manually add
>>>>>
>>>>> #brctl addif fwln2004i0 fwbr2004i0
>>>>> #brctl addif fwpr2004p0 vmbr0
>>>>>
>>>>> ?
>>>>>
>>>>> ----- Original Mail -----
>>>>>
>>>>> From: "Stefan Priebe - Profihost AG" <s.pri...@profihost.ag>
>>>>> To: "Alexandre DERUMIER" <aderum...@odiso.com>
>>>>> Cc: pve-devel@pve.proxmox.com
>>>>> Sent: Monday 16 June 2014 11:40:59
>>>>> Subject: Re: [pve-devel] can't add fwpr2004p0 to bridge vmbr0: Unknown error 524
>>>>>
>>>>> On 16.06.2014 11:37, Alexandre DERUMIER wrote:
>>>>>>>> What is the difference between the normal tap device without firewall - which works fine for me on vmbr0 and vmbr1 - and the firewall tap one?
>>>>>>
>>>>>> There is no difference.
>>>>>>
>>>>>> we just need a dedicated bridge (fwbrxxx) per firewalled tap interface, and this bridge is plugged into vmbrX through a veth pair (fwprxxxx)
>>>>>
>>>>> I just don't get why it works for vmbr1 but not for vmbr0.
>>>>>
>>>>> I don't see a difference.
>>>>>
>>>>> Generally, if adding the bridge fails for whatever reason there is a lot of unremoved stuff:
>>>>>
>>>>> [: ~]# ip a l | grep fwbr
>>>>> 14: fwbr2004i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
>>>>> 16: fwln2004i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master fwbr2004i0 state UP qlen 1000
>>>>>
>>>>> [: ~]# ifconfig | grep ^fw
>>>>> fwbr2004i0 Link encap:Ethernet HWaddr d2:74:33:d9:50:92
>>>>> fwln2004i0 Link encap:Ethernet HWaddr d2:74:33:d9:50:92
>>>>> fwpr2004p0 Link encap:Ethernet HWaddr b2:47:35:28:2c:de
>>>>>
>>>>> I think this should get cleaned in that case?
>>>>>
>>>>> Stefan
>>>>>
>>>>>> ----- Original Mail -----
>>>>>>
>>>>>> From: "Stefan Priebe - Profihost AG" <s.pri...@profihost.ag>
>>>>>> To: "Alexandre DERUMIER" <aderum...@odiso.com>
>>>>>> Cc: pve-devel@pve.proxmox.com
>>>>>> Sent: Monday 16 June 2014 11:29:00
>>>>>> Subject: Re: [pve-devel] can't add fwpr2004p0 to bridge vmbr0: Unknown error 524
>>>>>>
>>>>>> What is the difference between the normal tap device without firewall - which works fine for me on vmbr0 and vmbr1 - and the firewall tap one?
>>>>>>
>>>>>> Stefan
>>>>>>
>>>>>> On 16.06.2014 11:10, Stefan Priebe - Profihost AG wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I get the same problem with the official redhat PVE Kernel.
>>>>>>>
>>>>>>> What I don't understand is that it works fine with vmbr1 but not with vmbr0.
>>>>>>>
>>>>>>> Interfaces file on host:
>>>>>>>
>>>>>>> auto vmbr0
>>>>>>> iface vmbr0 inet static
>>>>>>>     address XX.XX.XX.XX
>>>>>>>     netmask 255.255.255.128
>>>>>>>     gateway XX.XX.XX.XX
>>>>>>>     bridge_ports bond0
>>>>>>>     bridge_stp off
>>>>>>>     bridge_fd 0
>>>>>>>
>>>>>>> auto vmbr1
>>>>>>> iface vmbr1 inet manual
>>>>>>>     bridge_ports bond1
>>>>>>>     bridge_stp off
>>>>>>>     bridge_fd 0
>>>>>>>
>>>>>>> Stefan
>>>>>>>
>>>>>>> On 16.06.2014 09:50, Alexandre DERUMIER wrote:
>>>>>>>>>> Do I need a special kernel feature?
>>>>>>>> I don't think so.
>>>>>>>> It just creates a veth pair, then plugs them into the bridge.
>>>>>>>>
>>>>>>>> I checked my logs, I don't have these
>>>>>>>>
>>>>>>>> "netpoll: (null): fwpr2004p0 doesn't support polling, aborting "
>>>>>>>>
>>>>>>>> do you use a custom kernel ?
>>>>>>>
>>>>>>> Stefan
>>>>>>>
>>>> _______________________________________________
>>>> pve-devel mailing list
>>>> pve-devel@pve.proxmox.com
>>>> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
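The fwbr/fwln/fwpr chain that the thread describes (tap, dedicated fwbr bridge, veth pair into vmbrX) can be verified from an `ip -o link` listing, which makes leftovers from a failed `addif` easy to spot. The check below is an added example, not code from the thread or from pve-firewall; the device names follow the thread, the two sample listings are constructed (one mirroring Stefan's leftovers, one with the chain complete), and the exact `ip -o link` line format is an assumption.

```shell
#!/bin/sh
# Check the firewall plumbing of one Proxmox VM NIC described in the thread:
#   tap<VMID>i<N> -> fwbr<VMID>i<N> (dedicated bridge)
#   fwln<VMID>i<N> (veth end, must have master fwbr<VMID>i<N>)
#   fwpr<VMID>p<N> (other veth end, must have master vmbrX)
# Reads `ip -o link` output on stdin, so it runs against a saved listing as
# well as the live host (ip -o link | fw_check_links 2004 0 vmbr0).

# _link_master NAME: print the bridge NAME is enslaved to (empty if none).
_link_master() {
    printf '%s\n' "$LISTING" | awk -v n="$1" '
        { name = $2; sub(/@.*/, "", name); sub(/:$/, "", name)
          if (name == n) for (i = 1; i <= NF; i++) if ($i == "master") print $(i+1) }'
}

# _link_exists NAME: succeed if NAME appears in the listing.
_link_exists() {
    printf '%s\n' "$LISTING" | awk -v n="$1" '
        { name = $2; sub(/@.*/, "", name); sub(/:$/, "", name); if (name == n) found = 1 }
        END { exit !found }'
}

# fw_check_links VMID NET BRIDGE: print one line per broken piece, return 1 if any.
fw_check_links() {
    vmid=$1; net=$2; bridge=$3; rc=0
    fwbr="fwbr${vmid}i${net}"; fwln="fwln${vmid}i${net}"; fwpr="fwpr${vmid}p${net}"
    LISTING=$(cat)
    _link_exists "$fwbr" || { echo "missing bridge $fwbr"; rc=1; }
    if _link_exists "$fwln"; then
        [ "$(_link_master "$fwln")" = "$fwbr" ] || { echo "$fwln not attached to $fwbr"; rc=1; }
    else echo "missing veth end $fwln"; rc=1; fi
    if _link_exists "$fwpr"; then
        [ "$(_link_master "$fwpr")" = "$bridge" ] || { echo "$fwpr not attached to $bridge"; rc=1; }
    else echo "missing veth end $fwpr"; rc=1; fi
    return $rc
}

# Constructed listing mirroring the leftovers from the thread: bridge and
# fwln end are up, but fwpr2004p0 never made it into vmbr0 (the failed addif).
SAMPLE_BROKEN='14: fwbr2004i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
15: fwpr2004p0@fwln2004i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
16: fwln2004i0@fwpr2004p0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master fwbr2004i0 state UP qlen 1000'
# Constructed listing of the same NIC with the chain complete.
SAMPLE_OK='14: fwbr2004i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
15: fwpr2004p0@fwln2004i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr0 state UP qlen 1000
16: fwln2004i0@fwpr2004p0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master fwbr2004i0 state UP qlen 1000'

printf '%s\n' "$SAMPLE_BROKEN" | fw_check_links 2004 0 vmbr0 || echo "VM 2004 net0: firewall chain incomplete"
```

Running the same check after a VM stop, or after toggling the firewall on netX, shows whether the cleanup Alexandre describes actually removed all three devices.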