Hello list, I'm going crazy with a problem I don't understand.

After some time the pve-firewall stops working for me. It doesn't filter any packets anymore. If I restart pve-firewall everything is fine again. After digging around for some weeks I found out that the FORWARD chain does not receive packets anymore. It looks like this, so NO packets get processed:

# iptables -L FORWARD -vnx
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 PVEFW-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Status output:

# systemctl status -l pve-firewall.service
● pve-firewall.service - Proxmox VE firewall
   Loaded: loaded (/lib/systemd/system/pve-firewall.service; enabled)
   Active: active (running) since Thu 2017-03-02 13:11:24 CET; 2 weeks 2 days ago
 Main PID: 3056 (pve-firewall)
   CGroup: /system.slice/pve-firewall.service
           └─3056 pve-firewal

Mar 02 13:11:24 dev-cluster pve-firewall[3056]: starting server
Mar 02 13:11:24 dev-cluster systemd[1]: Started Proxmox VE firewall.
Mar 08 19:42:06 dev-cluster pve-firewall[3056]: firewall update time (5.055 seconds)
Mar 09 17:26:31 dev-cluster pve-firewall[3056]: ipcc_send_rec failed: Transport endpoint is not connected
Mar 09 20:23:11 dev-cluster pve-firewall[3056]: ipcc_send_rec failed: Transport endpoint is not connected
Mar 15 10:49:23 dev-cluster pve-firewall[3056]: firewall update time (5.237 seconds)
Mar 17 08:17:57 dev-cluster pve-firewall[3056]: firewall update time (5.063 seconds)

# systemctl restart pve-firewall.service
#
# iptables -L FORWARD -vnx
Chain FORWARD (policy ACCEPT 80 packets, 6543 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     326      49611 PVEFW-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0

After the restart the FORWARD chain immediately gets packets again.

I noticed that after the restart:

net.bridge.bridge-nf-call-ip6tables
net.bridge.bridge-nf-call-iptables

changed from 0 to 1, which makes sense.

But:

# cat /etc/sysctl.d/pve.conf
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
net.bridge.bridge-nf-filter-vlan-tagged = 0
fs.aio-max-nr = 1048576

# dpkg -S /etc/sysctl.d/pve.conf
pve-cluster: /etc/sysctl.d/pve.conf

Greets,
Stefan

_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
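A health check for the symptom Stefan describes (pve-firewall running, the PVEFW-FORWARD jump in place, but no packets reaching FORWARD while net.bridge.bridge-nf-call-iptables reads 0), added here as an example. It is not part of the mail or of Proxmox VE. The only things it takes from the mail are the PVEFW-FORWARD target name, the iptables output layout and the sysctl names; the function names, the return codes and the cron usage are my own assumptions. The sample outputs are constructed from the counters in the mail so the parser can be exercised without root or a Proxmox host.

```shell
#!/bin/sh
# Added example (not from the mail, not Proxmox VE code): detect a pve-firewall
# that is loaded but sees no bridged traffic. Reads the pkts counter of the
# PVEFW-FORWARD jump from `iptables -L FORWARD -vnx` and the
# bridge-nf-call-iptables sysctl from /proc/sys.

# Constructed sample outputs, copied from the counters shown in the mail.
sample_broken() {
    cat <<'EOF'
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 PVEFW-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
}
sample_healthy() {
    cat <<'EOF'
Chain FORWARD (policy ACCEPT 80 packets, 6543 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     326      49611 PVEFW-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
}

# Print the pkts counter of the PVEFW-FORWARD jump (stdin: iptables -L FORWARD -vnx),
# or "missing" if no such jump is present in the chain at all.
pvefw_pkt_count() {
    awk '$3 == "PVEFW-FORWARD" { print $1; found = 1 }
         END { if (!found) print "missing" }'
}

# Current value of net.bridge.bridge-nf-call-$1 (iptables|ip6tables|arptables).
# $2 overrides the /proc/sys/net/bridge directory (the self-test uses a temp dir).
# Prints "absent" when the file does not exist, i.e. the bridge netfilter
# sysctls are not available on this kernel at all.
bridge_nf_call() {
    f="${2:-/proc/sys/net/bridge}/bridge-nf-call-$1"
    if [ -r "$f" ]; then
        v=""
        read -r v < "$f" || true
        printf '%s\n' "$v"
    else
        printf 'absent\n'
    fi
}

# Verdict from the two observations. Exit status:
#   0 healthy, 1 sysctl is not 1 (bridged frames never reach FORWARD),
#   2 PVEFW-FORWARD jump missing, 3 jump present but counter still 0.
pve_firewall_verdict() {
    nf="$1"; pkts="$2"
    if [ "$nf" != 1 ]; then
        echo "FAIL: bridge-nf-call-iptables=$nf, bridged traffic skips FORWARD; restart pve-firewall"
        return 1
    fi
    case "$pkts" in
        missing) echo "FAIL: FORWARD has no PVEFW-FORWARD jump; is pve-firewall running?"; return 2 ;;
        0)       echo "WARN: PVEFW-FORWARD counter is 0; recheck after traffic has flowed"; return 3 ;;
    esac
    echo "OK: bridge-nf-call-iptables=1, PVEFW-FORWARD pkts=$pkts"
}

# Live check for a cron job on a PVE host (needs root for iptables).
live_check() {
    pkts=$(iptables -L FORWARD -vnx | pvefw_pkt_count)
    pve_firewall_verdict "$(bridge_nf_call iptables)" "$pkts"
}

# Only touch iptables when explicitly asked, so the file can also be sourced.
if [ "${1:-}" = run ]; then
    live_check
fi
```

Run it as `sh pvefw-check.sh run` from cron and alert on a non-zero exit. A counter of 0 right after a restart is normal (the counters are reset), which is why it is only a warning; the sysctl value is the decisive indicator, since in the mail it is exactly what flipped from 0 to 1 when the restart brought the FORWARD chain back to life. Check the ip6tables sysctl the same way if the host carries IPv6 guest traffic.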