Service should start after netfilter-persistent, not before #212
Comments
Same problem here, how should we proceed?
I fixed it back then by changing the service file. In the meantime, I have moved on to nftables.
I wanted to add that on Ubuntu 22.04 this dependency causes "ordering cycle" issues and CrowdSec fails to start. See the discussion here: https://discourse.crowdsec.net/t/firewall-bouncer-fails-to-start-systemd-ordering-cycle/1265
I couldn't reproduce the issue. Can you specify
Hi @sabban, I just wanted to confirm which issue you are not able to reproduce. I think you are saying that you are unable to reproduce the original issue posted by @mstilkerich, correct? Unfortunately, I cannot really help with that as I am not using netfilter/ipset. https://discourse.crowdsec.net/t/firewall-bouncer-fails-to-start-systemd-ordering-cycle/1265 It seems to be related to the same dependency and that's why I put a note here.
It's most likely an issue on our side. Can you share the configuration you have:
Same problem with Dnsmasq: #326 To reproduce, just install Dnsmasq and the crowdsec firewall bouncer.
I have this issue also.
Crowdsec version:
crowdsec-firewall-bouncer-iptables version:
bouncer config:
crowdsec config:
If you need me to provide something more, just ask.
Thank you, I will look at it as soon as I get some time.
Ok, I managed to reproduce the issue. I prepared a new prerelease (v0.0.29-rc1) in order to get it tested.
I'd also like to add that if the bouncer is running natively on the host and the crowdsec engine is in docker, the bouncer service will fail since it tries to start before docker and there's no API available at that time. Here are the adjustments I've made to the service file to mitigate that scenario: [Unit] [Service] [Install]
I would like to ask if any updates are planned to fix this. I have been experiencing the same issue as well, and as a result it has caused my cifs mounts to break. The only workaround that worked was uncommenting Before=netfilter-persistent.service
Hello,
I use the bouncer in ipset mode since I'd like to control where inside my firewall rules the crowdsec lists are checked.
I have netfilter-persistent installed including iptables-persistent and ipset-persistent to load my own firewall rules including the rule referring to the crowdsec ipsets, as well as the initial creation of the empty ipsets for crowdsec.
Now after reboot, I see errors in cs-firewall-bouncer log that the ipsets did not exist, and the sets themselves are showing empty. This is because the bouncer service is set to start before netfilter-persistent service, which is the one creating the ipsets. To fix this, the cs-firewall-bouncer service should be set to start after netfilter-persistent, not before.
I saw that the Before-dependency was added in #168 reasoning that netfilter-persistent failed because the ipsets created by crowdsec were missing. However, I believe this was because the ipset-persistent plugin was not installed. If it is installed, then ipsets are persisted along with the netfilter rules upon `netfilter-persistent save`.
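As an added example, not code from the bouncer project or from anyone in this thread, a POSIX shell helper that installs a systemd drop-in reversing the ordering described above: it clears the packaged `Before=` and orders the bouncer after netfilter-persistent, so the ipsets restored by ipset-persistent exist before the bouncer starts. The unit name `crowdsec-firewall-bouncer.service` and the drop-in file name are assumptions; confirm the real unit name with `systemctl list-unit-files` first.

```shell
# Assumed unit name of the packaged bouncer service (verify on your host).
UNIT="crowdsec-firewall-bouncer.service"

# Drop-in content. In a drop-in, assigning an empty value to a dependency
# list such as Before= resets whatever the packaged unit file declared, so
# the bouncer no longer claims to run before netfilter-persistent. Keeping
# the old Before= alongside the new After= would be an ordering cycle.
override_content() {
  cat <<'EOF'
[Unit]
# Reset the Before=netfilter-persistent.service from the packaged unit.
Before=
# Start only after the rules and (with ipset-persistent) the ipsets exist.
After=netfilter-persistent.service
EOF
}

# Write the drop-in under <systemd dir>/<unit>.d/; the directory argument
# defaults to /etc/systemd/system and exists so the helper can be exercised
# against a scratch directory. Prints the path of the file it wrote.
install_override() {
  base="${1:-/etc/systemd/system}"
  dir="$base/$UNIT.d"
  mkdir -p "$dir"
  file="$dir/10-order-after-netfilter.conf"
  override_content > "$file"
  printf '%s\n' "$file"
}

# After installing, reload and confirm the effective ordering (real host only):
# shows After= containing netfilter-persistent.service and Before= without it.
show_ordering() {
  systemctl daemon-reload
  systemctl show -p Before -p After "$UNIT"
}
```

If netfilter-persistent still fails on boot after this change, check that ipset-persistent is installed and that `netfilter-persistent save` was run while the crowdsec ipsets existed, since the ipsets must now be restored by netfilter-persistent rather than created by the bouncer.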