LXC CSF and IPtables errors

yswery

May 6, 2018
We have a simple LXC machine with CSF installed on it (PVE 7.X)

We are getting the following errors inside the LXC CT:

Code:
[root@box ~]# /etc/csf/csftest.pl

Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...FAILED [Error: iptables: No chain/target/match by that name.] - Required for PORTFLOOD and PORTKNOCKING features
Testing xt_connlimit...FAILED [Error: iptables: No chain/target/match by that name.] - Required for CONNLIMIT feature
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK

For the life of me I can't seem to find what needs to happen on the PVE node to make xt_connlimit and ipt_recent not show these errors.

Does anyone know?
 
On a hunch: make sure the modules are loaded on the PVE node before starting the container (LXC shares the kernel with the host, so in order to use a particular module it needs to be loaded on the host).

If this is not the issue, I would suggest considering using CSF in a VM (sadly I don't have any experience with CSF/do not know what it is).

I hope this helps!
 
If this is not the issue - I would suggest to consider using CSF in a VM (sadly I don't have any experience with CSF/do not know what it is)

Sorry, CSF is simply a wrapper for iptables; I'll try to simplify this.

On the PVE host, for example, we have the following:

Code:
modinfo ipt_recent
filename:       /lib/modules/5.11.22-4-pve/kernel/net/netfilter/xt_recent.ko
alias:          ip6t_recent
alias:          ipt_recent
license:        GPL
description:    Xtables: "recently-seen" host matching
author:         Jan Engelhardt <jengelh@medozas.de>
author:         Patrick McHardy <kaber@trash.net>
srcversion:     695F95E6A7EC108FDCC365A
depends:        x_tables
retpoline:      Y
intree:         Y
name:           xt_recent
vermagic:       5.11.22-4-pve SMP mod_unload modversions
parm:           ip_list_tot:number of IPs to remember per list (uint)
parm:           ip_list_hash_size:size of hash table used to look up IPs (uint)
parm:           ip_list_perms:permissions on /proc/net/xt_recent/* files (uint)
parm:           ip_list_uid:default owner of /proc/net/xt_recent/* files (uint)
parm:           ip_list_gid:default owning group of /proc/net/xt_recent/* files (uint)
parm:           ip_pkt_list_tot:number of packets per IP address to remember (max. 255) (uint)

But inside the CT we seem not to have access to the "recent" module in iptables?

Code:
[root@Testing-CSF csf]# /sbin/iptables -I OUTPUT -p tcp --dport 9999 -m recent --set
iptables: No chain/target/match by that name.

Do you know how we can enable the use of "ipt_recent" (and xt_connlimit)?
 
Do you know how we can enable the use of "ipt_recent" (and xt_connlimit)
The modules are not loaded by default.

Does everything work if you load them on the PVE node before starting the container?
Code:
modprobe ipt_recent
modprobe xt_connlimit
 
modprobe ipt_recent
modprobe xt_connlimit
I can't seem to load them without an error:

Code:
root @ pve-node ➜  ~  modprobe ipt_recent
modprobe: ERROR: could not insert 'xt_recent': Invalid argument

root @ pve-node ➜  ~  modprobe xt_connlimit
modprobe: ERROR: could not insert 'xt_connlimit': Invalid argument

I tried reading online, and some suggested it's because the kernel wasn't built with them? But I could be getting even more confused.

How do you think I can enable those two modules?
 
The commands work here without issue.

What's the output of `dmesg` after you try to load them?
Otherwise, please also post `pveversion -v` and `uname -a`.
 
the commands work here without issue

what's the output of `dmesg` after you try to load them?
else please also post `pveversion -v` and `uname -a`

From dmesg, when running modprobe xt_connlimit I get:

Code:
[8898704.682293] BPF:     type_id=77 bits_offset=1216
[8898704.683686] BPF:
[8898704.684906] BPF:Invalid name
[8898704.686122] BPF:

[8898704.688775] failed to validate module [nf_conncount] BTF: -22

When running modprobe ipt_recent I get:

Code:
[  +7.679492] BPF:    0_gpio_config type_id=10 bits_offset=72
[  +0.001692] BPF:
[  +0.001419] BPF:Invalid name
[  +0.001640] BPF:

[  +0.002650] failed to validate module [xt_recent] BTF: -22

The PVE node is as follows:


Code:
root @ pvenode ➜  ~  pveversion -v
proxmox-ve: 7.1-1 (running kernel: 5.11.22-4-pve)
pve-manager: 7.1-8 (running version: 7.1-8/5b267f33)
pve-kernel-helper: 7.1-6
pve-kernel-5.13: 7.1-5
pve-kernel-5.11: 7.0-10
pve-kernel-5.4: 6.4-5
pve-kernel-5.13.19-2-pve: 5.13.19-4
pve-kernel-5.13.19-1-pve: 5.13.19-3
pve-kernel-5.11.22-7-pve: 5.11.22-12
pve-kernel-5.11.22-4-pve: 5.11.22-9
pve-kernel-5.4.128-1-pve: 5.4.128-1
pve-kernel-5.4.60-1-pve: 5.4.60-2
pve-kernel-5.4.55-1-pve: 5.4.55-1
pve-kernel-5.4.44-2-pve: 5.4.44-2
pve-kernel-5.4.34-1-pve: 5.4.34-2
ceph-fuse: 14.2.21-1
corosync: 3.1.5-pve2
criu: 3.15-1+pve-1
glusterfs-client: 9.2-1
ifupdown: residual config
ifupdown2: 3.1.0-1+pmx3
ksm-control-daemon: 1.4-1
libjs-extjs: 7.0.0-1
libknet1: 1.22-pve2
libproxmox-acme-perl: 1.4.0
libproxmox-backup-qemu0: 1.2.0-1
libpve-access-control: 7.1-5
libpve-apiclient-perl: 3.2-1
libpve-common-perl: 7.0-14
libpve-guest-common-perl: 4.0-3
libpve-http-server-perl: 4.0-4
libpve-storage-perl: 7.0-15
libqb0: 1.0.5-1
libspice-server1: 0.14.3-2.1
lvm2: 2.03.11-2.1
lxc-pve: 4.0.11-1
lxcfs: 4.0.11-pve1
novnc-pve: 1.3.0-1
proxmox-backup-client: 2.1.2-1
proxmox-backup-file-restore: 2.1.2-1
proxmox-mini-journalreader: 1.3-1
proxmox-widget-toolkit: 3.4-4
pve-cluster: 7.1-3
pve-container: 4.1-3
pve-docs: 7.1-2
pve-edk2-firmware: 3.20210831-2
pve-firewall: 4.2-5
pve-firmware: 3.3-4
pve-ha-manager: 3.3-1
pve-i18n: 2.6-2
pve-qemu-kvm: 6.1.0-3
pve-xtermjs: 4.12.0-1
qemu-server: 7.1-4
smartmontools: 7.2-pve2
spiceterm: 3.2-2
swtpm: 0.7.0~rc1+2
vncterm: 1.7-1
zfsutils-linux: 2.1.1-pve3

and kernel:

Code:
root @ pvenode ➜  ~  uname -a
Linux fuji 5.11.22-4-pve #1 SMP PVE 5.11.22-8 (Fri, 27 Aug 2021 11:51:34 +0200) x86_64 GNU/Linux

And also, if it makes any difference (I don't think it does), here are entries from a few months ago when doing the upgrade from PVE 6.X to 7.X:

Code:
root @ pvenode ➜  ~  cat /etc/kernel/cmdline
systemd.unified_cgroup_hierarchy=0

Code:
root @ pvenode ➜  ~  cat /etc/default/grub
# If you change this file, run 'update-grub' afterwards to update
# /boot/grub/grub.cfg.
# For full documentation of the options in this file, see:
#   info -f grub -n 'Simple configuration'

GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="Proxmox Virtual Environment"
#GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX_DEFAULT="systemd.unified_cgroup_hierarchy=0 quiet"
GRUB_CMDLINE_LINUX=""

# Disable os-prober, it might add menu entries for each guest
GRUB_DISABLE_OS_PROBER=true
 
[  +7.679492] BPF:    0_gpio_config type_id=10 bits_offset=72
[  +0.001692] BPF:
[  +0.001419] BPF:Invalid name
[  +0.001640] BPF:
This is an issue which was recently fixed; try running `update-initramfs -k all -u` and rebooting.
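As an added example (not code from this thread, from Proxmox or from CSF), the following POSIX shell script ties together the two pieces of advice given above: because an LXC container shares the host kernel, the netfilter match modules CSF's csftest.pl probes for must be loaded on the PVE node, and a modprobe that fails with "Invalid argument" can be confirmed in dmesg as a BTF validation failure. The function names (`missing_modules`, `btf_failures`, `check_host`), the `--live` switch and the sample /proc/modules and dmesg text are all constructed for the example; the module names are the ones from the thread, and `ipt_recent` is listed under its real name `xt_recent` because, as the modinfo output above shows, `ipt_recent` is only an alias.

```shell
#!/bin/sh
# Added example: pre-flight check for CSF-in-LXC on a Proxmox VE host.
# Pure functions (missing_modules, btf_failures) work on text so they can be
# exercised offline; check_host is the live variant for the PVE node.

# missing_modules LOADED_TEXT MOD...
# LOADED_TEXT is the contents of /proc/modules (first column = module name).
# Prints one line per required module that is not loaded.
missing_modules() {
    loaded="$1"; shift
    for mod in "$@"; do
        # exact match on the first column only; "xt_recent" must not match "xt_recent_foo"
        if ! printf '%s\n' "$loaded" | awk -v m="$mod" '$1 == m { found = 1 } END { exit !found }'; then
            printf '%s\n' "$mod"
        fi
    done
}

# btf_failures DMESG_TEXT
# Extracts the module names from kernel lines of the form
#   failed to validate module [NAME] BTF: -22
# which is how the "Invalid argument" from modprobe shows up in the thread.
btf_failures() {
    printf '%s\n' "$1" | sed -n 's/.*failed to validate module \[\([^]]*\)\] BTF.*/\1/p'
}

# check_host MOD...   (live; run as root on the PVE node, before starting the CT)
# Loads any missing module and reports BTF validation failures from dmesg.
check_host() {
    missing=$(missing_modules "$(cat /proc/modules)" "$@")
    if [ -z "$missing" ]; then
        echo "all required modules are loaded"
        return 0
    fi
    for mod in $missing; do
        modprobe "$mod" 2>/dev/null || echo "modprobe $mod failed" >&2
    done
    failed=$(btf_failures "$(dmesg)")
    if [ -n "$failed" ]; then
        # the remedy given in the thread for this symptom:
        # update-initramfs -k all -u, then reboot
        echo "BTF validation failed for: $(printf '%s' "$failed" | tr '\n' ' ')" >&2
        return 1
    fi
}

# Constructed sample of /proc/modules (not captured from the thread's host):
# xt_state is loaded, xt_recent and xt_connlimit are not.
SAMPLE_MODULES='xt_state 16384 2 - Live 0xffffffffc0a00000
x_tables 53248 5 xt_state,xt_limit,xt_multiport - Live 0xffffffffc09f0000
nf_conntrack 172032 1 xt_state - Live 0xffffffffc0980000'

# Constructed dmesg excerpt modelled on the messages quoted in the thread.
SAMPLE_DMESG='[8898704.684906] BPF:Invalid name
[8898704.688775] failed to validate module [nf_conncount] BTF: -22
[8898710.123456] failed to validate module [xt_recent] BTF: -22'

# The live check only runs when explicitly requested: sh modcheck.sh --live
if [ "${1:-}" = "--live" ]; then
    check_host xt_recent xt_connlimit
fi
```

Run without arguments the script only defines the functions and sample data, so it is safe to source or test anywhere; with `--live` on the PVE node it reads the real /proc/modules and dmesg. Note that `xt_connlimit` depends on `nf_conncount`, which is why the thread's first dmesg excerpt names that module rather than `xt_connlimit` itself.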