-
Notifications
You must be signed in to change notification settings - Fork 0
Troubleshooting and Selftest
Type: Operator Reference (Troubleshooting) Scope:
nftban smokeandnftban selftestbehavior, SKIP/PASS/FAIL semantics Since: v1.95.0 (smoke/selftest split) · Last verified: v1.218.7 Verified: RHEL-family and Debian-family hosts
As of v1.95.0, NFTBan has two distinct validation commands:
| Command | Purpose | Modifies state? | CI-safe? |
|---|---|---|---|
nftban smoke |
Non-destructive system verification | NO | YES |
nftban selftest |
Extended validation with controlled state changes | YES (ban/unban/whitelist) | NO |
nftban smoke reads system state and reports PASS/SKIP/FAIL. It never bans,
unbans, modifies whitelist, or changes firewall rules.
nftban selftest performs controlled mutations (ban test IP, verify count
changes, unban) using RFC 5737 documentation-range IPs that do not route on
the internet.
| Status | Meaning | Action needed |
|---|---|---|
| PASS | Test executed and succeeded | None |
| SKIP | Prerequisite not met — test not executed | Check if prerequisite should be present |
| FAIL | Test executed and failed | Investigate |
SKIP is not an error. A result of PASS (6/10 PASS, 4 SKIP) means the
system passed all tests it could run. The 4 skipped tests had prerequisites
that were not satisfied (e.g., binary not installed, module not enabled).
The overall result is PASS if zero tests FAIL. SKIPs do not affect the overall result.
Symptom:
nftban smoke
truth:
skip validator JSON (prerequisite not met: binary:nftban validate)
skip health JSON (prerequisite not met: validator_present:nftban validate)
ok status
Cause:
The nftban validate binary is not installed. Smoke tests T1 and T2
require it for validator JSON and health JSON validation.
Verify:
test -x /usr/lib/nftban/bin/nftban-validate
# If empty or "not found" → binary is missingFix:
Reinstall or upgrade the NFTBan package. The nftban validate binary
should be included at /usr/lib/nftban/bin/nftban-validate.
Important: This is correct SKIP behavior, not a smoke bug. Smoke
detects the missing prerequisite and skips instead of failing. All
production systems should have nftban validate installed for full
truth validation coverage.
Symptom:
Smoke reports:
botguard → SKIP (prerequisite not met: module_enabled:botguard)
loginmon → SKIP (prerequisite not met: module_enabled:login)
But health reports the module as enabled:
nftban health --json | jq '.modules.botguard'
# {"config": "enabled", "structural": "present", ...}Cause:
Mismatch between smoke's prerequisite detection (module_enabled:*
checks config files for ENABLED=true) and the actual module state
as reported by the validator.
The smoke prerequisite checker reads specific config file paths:
/etc/nftban/conf.d/<module>/main.conf.local/etc/nftban/conf.d/<module>/main.conf/etc/nftban/modules/<module>.conf.local/etc/nftban/modules/<module>.conf
If the module is enabled through a different config path or mechanism, smoke may not detect it.
Verify:
# What validator says
nftban health --json | jq '.modules'
# What smoke prereqs check
cat /etc/nftban/conf.d/botguard/main.conf 2>/dev/null | grep ENABLED
cat /etc/nftban/modules/botguard.conf 2>/dev/null | grep ENABLEDExpected behavior:
| Condition | Smoke result |
|---|---|
| Module disabled in config | SKIP (correct) |
| Module enabled and working | PASS (correct) |
| Module enabled but smoke can't detect it | SKIP (bug — report it) |
| Module enabled but broken at runtime | FAIL (correct) |
If mismatch occurs:
This is a bug in smoke prerequisite detection, not user misconfiguration.
Report the issue with the output of nftban health --json and the
contents of the module config files listed above.
Symptom:
nftban smoke lifecycle
# Output:
NOTE: 'nftban smoke lifecycle' was moved to 'nftban selftest' in v1.95.
nftban smoke = non-destructive system verification (CI-safe)
nftban selftest = extended validation with controlled state changes
Run instead: nftban selftest lifecycleExplanation:
In v1.95.0, lifecycle tests (ban/unban, whitelist add/remove) were moved
from smoke to selftest because they modify system state. The smoke
command is now exclusively non-destructive.
The old subcommands (run, test, all, lifecycle) print a migration
message and exit with code 1.
Fix:
# Old (pre-v1.95) → New (v1.95+)
nftban smoke run → nftban selftest run
nftban smoke test → nftban selftest test
nftban smoke all → nftban selftest all
nftban smoke lifecycle → nftban selftest lifecycle
nftban smoke quick → nftban selftest quick
nftban smoke verify → nftban selftest verifyTo confirm smoke does not modify firewall state:
# Count sets BEFORE
echo "=== BEFORE ==="
nft list set ip nftban blacklist_manual_ipv4 2>/dev/null | wc -l
nft list set ip6 nftban blacklist_manual_ipv6 2>/dev/null | wc -l
nft list set ip nftban whitelist_ipv4 2>/dev/null | wc -l
nft list set ip6 nftban whitelist_ipv6 2>/dev/null | wc -l
# Run smoke
nftban smoke
# Count sets AFTER
echo "=== AFTER ==="
nft list set ip nftban blacklist_manual_ipv4 2>/dev/null | wc -l
nft list set ip6 nftban blacklist_manual_ipv6 2>/dev/null | wc -l
nft list set ip nftban whitelist_ipv4 2>/dev/null | wc -l
nft list set ip6 nftban whitelist_ipv6 2>/dev/null | wc -lExpected: All counts identical before and after.
Verified on RHEL-family and Debian-family hosts — set counts did not change.
If counts change after smoke: This is a critical bug. Report immediately.
Symptom:
command -v nftban-core
# → empty (not found)But nftban smoke runs successfully.
Cause:
nftban-core is installed at /usr/lib/nftban/bin/nftban-core, not in
/usr/sbin/ or /usr/bin/. The smoke shell shim resolves the binary via
${NFTBAN_LIB_DIR}/bin/nftban-core, which works without PATH.
Impact:
Not a runtime issue. Only affects operators who want to run nftban-core
directly (e.g., nftban-core smoke --json).
Optional fix:
ln -s /usr/lib/nftban/bin/nftban-core /usr/sbin/nftban-coreUse nftban smoke for:
- CI/CD pipeline checks
- Production health verification
- Routine monitoring (cron, fleet checks)
- Verifying system integrity after updates
nftban smoke # all tests
nftban smoke --json # machine-readable output
nftban smoke --group=truth # validator/health checks only
nftban smoke --group=daemon # daemon service check onlyUse nftban selftest for:
- Post-installation verification
- Debugging ban/unban behavior
- Verifying kernel enforcement lifecycle
- Lab/staging environment validation
nftban selftest quick # 3 core commands (version, help, status)
nftban selftest lifecycle # ban/unban + whitelist add/remove (IPv4+IPv6)
nftban selftest run # ~32 CLI commands + lifecycle
nftban selftest verify # smart count validation (ban count +1/-1)Fast (2 seconds):
nftban smoke --group=daemonChecks: daemon is active.
Standard (5 seconds):
nftban smoke --group=truthChecks: validator JSON, health JSON, status command.
Full (10 seconds):
nftban smokeChecks: truth + daemon + config + metrics + enabled modules.
Deep (15 seconds):
nftban smoke --deepChecks: all above + deep assertions.
When reporting smoke or selftest failures, attach:
nftban smoke --json | jq .
nftban health --json | jq .
nftban version --json 2>/dev/null | grep -v '^#'
uname -r
cat /etc/os-release | head -3This provides: test results, health state, version, kernel, and distro — enough context to diagnose most issues without further questions.
These are expected behaviors, not bugs:
-
T1/T2 SKIP when
nftban validateis missing. Install the binary for full truth validation. Smoke correctly skips rather than failing. -
Module SKIP on some hosts despite being enabled. Known edge case in prerequisite detection. Being tracked for fix.
-
nftban smoke lifecycleprints migration message. Correct. Usenftban selftest lifecycleinstead. -
Smoke is intentionally minimal. It checks system integrity, not feature completeness. Use
selftestfor deeper validation. -
Selftest uses RFC 5737 test IPs. Ban/unban lifecycle tests use
198.51.100.99(IPv4) and2001:db8::dead:beef(IPv6). These are documentation-range addresses that do not route on the internet.
NFTBan Wiki
Getting Started
Architecture
- Architecture Overview
- Firewall Anchor Architecture
- NFT Schema & Validator Model
- Health & Validation
- Metrics & Evidence Model
- Watchdog & Resource Profiles
- Security Architecture
Protection & Monitoring
- Protection & Monitoring Modules
- BotGuard — HTTP Guard
- BotScan — HTTP Exploit Scanner
- DDoS Protection
- Portscan Detection
- Login Monitoring
- Blacklist & Threat Feeds
- Suricata IDS Integration
- RBL Monitoring
- DNS Tunnel Detection
Operator Reference
- CLI Commands Reference
- Configuration Reference
- Systemd Units & Timers
- Optimization & Tuning
- Security Operations Guide
- GeoIP Database Guide
- FHS Compliance
- Troubleshooting & Selftest
Operations, Communications & Reporting
- Maintenance & Scheduled Operations
- Logging, Rotation & Retention
- Communications & Notifications
- Notification & Report Templates
- Audit Reports & Compliance
Verification & Trust
Reference
Legal