level=error msg="unable to commit delete decisions conn.Receive: netlink receive: no such file or directory" #230
Comments
Guess you use NFTABLES? Error line: Line 222 in bb8370a
Commit func: cs-firewall-bouncer/nftables.go Line 526 in c0a9f1d
Searching for the message returns this StackExchange post: https://unix.stackexchange.com/questions/537912/nftables-rule-no-such-file-or-directory-error Do your chains exist? EDIT:
For us to know if this is the issue, you could open your configuration and change prometheus enabled -> false, to see if it's the issue.
As far as I see, the bouncer is creating the table, chains and rules (for nftables in my case) only for the input hook. As I want to use it on an (OpenWrt) router, I need to create my rules manually to cover the forward hook.
Same problem here without any way to determine what's causing the error.
Configuration:
The set is empty:
We figured out the issue is most likely linked to running nftables in IPv4-only or IPv6-only mode. We have an RC pending; if you wish, download it and replace the binary to test whether it fixes it for you. Instructions are for amd64; if you are not using it, please go to releases and update the link to the relevant platform 😄
It's definitely working with the RC version.
I just updated to 0.0.26-rc4 on OpenWrt. The error message still appears. :(
My bouncer config is:
These are the nftables tables/chains:
This is a log as of today:
Logging with debug level does not really give more information :(
So I've been playing around with nftables a bit, and normally that error happens when the underlying table/chain does not exist. Do you have any other program that interfaces with nftables that could be flushing the set, so that our bouncer does not know it has been removed?
You can confirm whether they are missing if you run
It will not show the crowdsec ones.
Actually, it shows the crowdsec tables. With the OpenWrt package, the tables, chains and sets are created by the init script. As in the config file, the bouncer uses set-only mode (which I believe is for exactly this situation). There is no other process manipulating the sets. But they are created with
Interesting. If we set it to timeout, we shouldn't need to remove deleted decisions, as nftables will self-remove them. I think you're on the right track; I will test this once I am able to do so.
Same error message here on a Debian 11 Linux server (using nftables/firewalld). The tables do exist though:
iptables is present as well; it gets installed with firewalld. Can't remove it.
The messages still appear with 0.0.26-rc6 |
Should be fixed in #279, 0.0.27-rc1 soon.
0.0.27-rc1 is out, should fix this issue |
Hi @mmtec Please reopen: this is with 0.0.27-rc1:
Maybe a mitigation would be to increase (by 25%?) the timeout/expire values when the bouncer adds elements to the sets, so that they are not gone when trying to remove them?
Hi @ne20002 Actually, it works as intended, and the message is now down to "info" level. The logic is now
The message can be improved, but it's not meant to alarm; you may perceive it that way because it was associated with a fatal error before.
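The failure mode discussed above, as an added illustration rather than cs-firewall-bouncer's own code: when a set is created with a timeout, the kernel drops an element on its own once the timeout passes, so a later delete of that element fails with ENOENT, which netlink reports as "no such file or directory". The toy set below models that expiry, and the delete loop treats ENOENT as "already gone" (informational) while still failing on any other error. It assumes the error chain wraps the errno with `%w` so that `errors.Is` can see it; the set model, IP addresses and function names are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"syscall"
	"time"
)

// timedSet mimics an nftables set created with "flags timeout": every element
// expires on its own and then disappears without the bouncer being told.
type timedSet struct {
	expires map[string]time.Time
}

func newTimedSet() *timedSet { return &timedSet{expires: map[string]time.Time{}} }

// Add inserts an element that the kernel will drop after ttl.
func (s *timedSet) Add(ip string, ttl time.Duration, now time.Time) {
	s.expires[ip] = now.Add(ttl)
}

// Delete behaves like a netlink delete on a missing or expired element: it
// fails with ENOENT. Assumption: the errno is wrapped with %w, as it must be
// for errors.Is to recognise it further up the call chain.
func (s *timedSet) Delete(ip string, now time.Time) error {
	exp, ok := s.expires[ip]
	delete(s.expires, ip)
	if !ok || !now.Before(exp) {
		return fmt.Errorf("netlink receive: %w", syscall.ENOENT)
	}
	return nil
}

// isAlreadyGone reports whether a delete failed only because the element no
// longer exists, which is expected with timeout sets and safe to ignore.
func isAlreadyGone(err error) bool {
	return errors.Is(err, syscall.ENOENT)
}

// commitDeletes removes a batch of expired decisions. ENOENT is downgraded to
// an info message and counted; any other error aborts the commit.
func commitDeletes(s *timedSet, ips []string, now time.Time) (removed, gone int, err error) {
	for _, ip := range ips {
		switch e := s.Delete(ip, now); {
		case e == nil:
			removed++
		case isAlreadyGone(e):
			gone++
			log.Printf("info: decision for %s already expired from set: %v", ip, e)
		default:
			return removed, gone, fmt.Errorf("unable to commit delete decisions: %w", e)
		}
	}
	return removed, gone, nil
}

func main() {
	now := time.Now()
	s := newTimedSet()
	// Constructed sample: a 4h ban and a 1h ban, followed by a delete batch
	// that arrives 2h later, after the kernel has already dropped the second.
	s.Add("192.0.2.10", 4*time.Hour, now)
	s.Add("192.0.2.20", 1*time.Hour, now)
	removed, gone, err := commitDeletes(s, []string{"192.0.2.10", "192.0.2.20"}, now.Add(2*time.Hour))
	fmt.Println(removed, gone, err)
}
```

Which errno to treat as benign is the whole decision here: ENOENT on delete means the element was not there to begin with, so the desired end state is already reached, whereas EPERM or ENOBUFS still mean the set is out of sync and must surface as errors.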
Hi @mmetc As stated: wouldn't increasing the timeout/expire values when adding the IPs to the set mitigate the problem? I understand it as now
I just upgraded to the newest version, 0.0.25, and found this in the logfile:
What may be the cause of this message?