Problem with nftables firewall bouncer #182

Open
PrOOnOOb opened this issue May 31, 2022 · 2 comments

Comments

@PrOOnOOb

Hello, I have a problem with the nftables bouncer; there are many errors in the bouncer log files.
All errors:

time="29-05-2022 12:02:47" level=info msg="backend type : nftables"
time="29-05-2022 12:02:47" level=info msg="nftables initiated"
time="29-05-2022 12:02:47" level=info msg="Processing new and deleted decisions . . ."
time="29-05-2022 12:02:48" level=error msg="unable to commit add decisions Receive: netlink receive: no such file or directory"
time="29-05-2022 12:02:48" level=info msg="13641 decisions added"
time="29-05-2022 12:03:39" level=info msg="removing 'crowdsec' table"
time="29-05-2022 12:03:39" level=fatal msg="shutdown fail: Receive: netlink receive: no such file or directory"
time="29-05-2022 12:04:38" level=info msg="backend type : nftables"
time="29-05-2022 12:04:38" level=info msg="nftables initiated"
time="29-05-2022 12:04:38" level=info msg="Processing new and deleted decisions . . ."
time="29-05-2022 12:04:42" level=error msg="unable to commit add decisions Receive: netlink receive: no such file or directory"
time="29-05-2022 12:04:42" level=info msg="13641 decisions added"
time="29-05-2022 12:57:28" level=error msg="unable to commit delete decisions Receive: netlink receive: no such file or directory"

It seems like the bouncer cannot create the needed tables. If I create the tables manually, the tables stay empty:

table ip crowdsec {
}
table ip6 crowdsec {
}

Unless I restart the bouncer; then the bouncer deletes the tables but does not create new ones.
I don't use any firewall management tools like ufw. Rules I created manually work fine:

table inet filter {
    chain input {
        type filter hook input priority filter; policy accept;
        iif "lo" accept
        ip protocol icmp icmp type echo-request limit rate over 10/second burst 4 packets drop
        ip6 nexthdr ipv6-icmp icmpv6 type echo-request limit rate over 10/second burst 4 packets drop
        ct state established,related accept
        ip6 nexthdr ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, mld-listener-query, mld-listener-report, mld-listener-done, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
        ip protocol icmp icmp type { destination-unreachable, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem } accept
        ip protocol igmp accept
        tcp dport 5829 accept
        tcp dport 80 accept
        tcp dport 443 accept
        tcp dport 25 accept
        tcp dport 587 accept
        tcp dport 465 accept
        tcp dport 110 accept
        tcp dport 995 accept
        tcp dport 143 accept
        tcp dport 993 accept
        counter packets 17 bytes 771 drop
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
    }
}

I enabled debugging mode for the bouncer; the log is attached:
crowdsec-firewall-bouncer.log

It looks to me like, according to the logs, the bouncer manages to create everything (table, chain, set, rule).
The whole thing runs on a VServer with OpenVZ virtualization (Debian 11, kernel 4.19.0).
I have crowdsec on several other servers that are KVM virtualized; everything runs without problems.
I have no way to test it on another OpenVZ server. I tried to repeat it in an LXC container; everything works under the same conditions.
Are problems with OpenVZ known?
Or is it a different problem that I am overlooking?

@PrOOnOOb PrOOnOOb changed the title Problem with the nftables firewall bouncer Problem with nftables firewall bouncer May 31, 2022
@sbs2001 (Contributor)

sbs2001 commented Jul 27, 2022

I can reproduce the issue by:

  1. Keeping the bouncer running.
  2. Deleting the ip table managed by the bouncer via sudo nft delete table ip crowdsec
  3. Creating some decision: sudo cscli decisions add --ip 1.2.3.4

The bouncer then emits the error

ERRO[27-07-2022 17:42:57] unable to commit add decisions Receive: netlink receive: no such file or directory 

Upon deleting some decision, the bouncer emits the error

ERRO[27-07-2022 17:46:07] unable to commit delete decisions Receive: netlink receive: no such file or directory

@PrOOnOOb any chance there's some service deleting the table?
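Both log layouts quoted in this thread (the bouncer's time="..." level=... lines and the ERRO[...] lines) show the same pattern: a failed netlink commit (ENOENT, the crowdsec table is gone) immediately followed by an "N decisions added" summary that counts those decisions anyway. The Python below is an added example, not code from the issue or the bouncer project; it parses constructed sample lines in both layouts and flags every summary whose decisions never reached the kernel, which is what a log monitor on the affected host should alert on rather than trusting the count.

```python
import re

# Constructed sample mirroring the two logrus layouts quoted in this issue
SAMPLE_LOG = """\
time="29-05-2022 12:02:47" level=info msg="nftables initiated"
time="29-05-2022 12:02:48" level=error msg="unable to commit add decisions Receive: netlink receive: no such file or directory"
time="29-05-2022 12:02:48" level=info msg="13641 decisions added"
time="29-05-2022 12:30:00" level=info msg="2 decisions added"
ERRO[27-07-2022 17:46:07] unable to commit delete decisions Receive: netlink receive: no such file or directory
INFO[27-07-2022 17:46:07] 3 decisions deleted
"""

KV_RE = re.compile(r'^time="(?P<ts>[^"]+)"\s+level=(?P<level>\w+)\s+msg="(?P<msg>.*)"$')
SHORT_RE = re.compile(r'^(?P<lvl>[A-Z]{4})\[(?P<ts>[^\]]+)\]\s+(?P<msg>.*)$')
LEVELS = {"DEBU": "debug", "INFO": "info", "WARN": "warning", "ERRO": "error", "FATA": "fatal"}
COMMIT_FAIL = re.compile(r"^unable to commit (?P<op>add|delete) decisions (?P<reason>.+)$")
SUMMARY = re.compile(r"^(?P<n>\d+) decisions (?P<op>added|deleted)$")

def parse_line(line):
    """Return (timestamp, level, msg) for either layout, or None for other text."""
    m = KV_RE.match(line)
    if m:
        return m["ts"], m["level"], m["msg"]
    m = SHORT_RE.match(line)
    if m:
        return m["ts"], LEVELS.get(m["lvl"], m["lvl"].lower()), m["msg"]
    return None

def find_phantom_commits(text):
    """Pair each failed netlink commit with the 'N decisions added/deleted' summary
    printed after it; those N decisions were counted but never applied by the kernel."""
    pending = {}   # op -> (timestamp, reason) of a failure not yet matched
    findings = []  # (summary_ts, op, count, reason)
    for raw in text.splitlines():
        parsed = parse_line(raw.strip())
        if parsed is None:
            continue
        ts, level, msg = parsed
        fail = COMMIT_FAIL.match(msg)
        if fail and level == "error":
            pending[fail["op"]] = (ts, fail["reason"])
            continue
        summ = SUMMARY.match(msg)
        if summ:
            op = "add" if summ["op"] == "added" else "delete"
            if op in pending:  # summary that follows an uncleared failure
                findings.append((ts, op, int(summ["n"]), pending.pop(op)[1]))
    return findings
```

The second "2 decisions added" sample line has no preceding failure and is therefore not reported; only summaries that follow an unmatched commit error are.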

@PrOOnOOb (Author)

Hey, no, there is no service running that deletes rules or otherwise interferes with the firewall.
