LXC CSF and IPtables errors

yswery

Well-Known Member
May 6, 2018
We have a simple LXC machine with CSF installed on it (PVE 7.X)

We are getting the following errors inside the LXC CT:

Code:
[root@box ~]# /etc/csf/csftest.pl

Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...FAILED [Error: iptables: No chain/target/match by that name.] - Required for PORTFLOOD and PORTKNOCKING features
Testing xt_connlimit...FAILED [Error: iptables: No chain/target/match by that name.] - Required for CONNLIMIT feature
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK

For the life of me I can't seem to find what needs to happen on the PVE node to make xt_connlimit and ipt_recent not show these errors.

Does anyone know?
 
On a hunch: make sure the modules are loaded on the PVE node before starting the container (LXC shares the kernel with the host, so in order to use a particular module it needs to be loaded on the host).

If this is not the issue, I would suggest considering running CSF in a VM (sadly I don't have any experience with CSF / do not know what it is).

I hope this helps!
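The host-side check suggested in the reply above, as an added example that is not part of the thread and not code from CSF or Proxmox. It reads an lsmod-style listing, reports which of the modules CSF needs are not loaded on the host, loads them, and can run as a PVE hookscript in the pre-start phase so the CT never starts without them. Assumptions not stated on the page: the real module names are xt_recent and xt_connlimit (modprobe resolves the alias ipt_recent itself, as the modinfo output later in the thread shows, but lsmod lists the real name), and the modules-load.d file name is our own choice.

```shell
#!/bin/sh
# Added example, not code from the thread, CSF or Proxmox: a pre-flight check
# for the PVE host. LXC containers share the host kernel, so an iptables match
# only works inside the CT once the host has the module loaded.
#
# Assumption: these are the real module names; modprobe accepts the alias
# ipt_recent, but lsmod shows xt_recent.
CSF_MODULES="xt_recent xt_connlimit"

# Read an lsmod-style listing ("name size used_by" per line, optional header)
# on stdin and print each name from "$@" that is not in it, one per line.
missing_modules() {
    listing=$(cat)
    for mod in "$@"; do
        if ! printf '%s\n' "$listing" | awk -v m="$mod" '$1 == m { found = 1 } END { exit !found }'; then
            printf '%s\n' "$mod"
        fi
    done
}

# Load whatever is missing; a modprobe failure here is the host-side cause of
# "No chain/target/match by that name" inside the CT.
ensure_modules() {
    for mod in $(lsmod | missing_modules "$@"); do
        modprobe "$mod" || { echo "modprobe $mod failed, check dmesg" >&2; return 1; }
        echo "loaded $mod"
    done
}

# Persist the list so the modules are loaded at boot, before pct starts CTs.
# The file name is our own choice (assumption).
persist_modules() {
    conf=$1
    shift
    printf '%s\n' "$@" > "$conf"
}

# Usable as a PVE hookscript: PVE calls it as "<script> <vmid> <phase>", and
# running the check in the pre-start phase keeps the CT from starting without
# the modules. Nothing runs when the file is only sourced.
if [ "${2:-}" = "pre-start" ]; then
    ensure_modules $CSF_MODULES || exit 1
fi
```

To use it as a hookscript, place the executable file in a storage with the snippets content type enabled (for example /var/lib/vz/snippets on local storage) and attach it with `pct set <vmid> --hookscript local:snippets/csf-modules.sh`; for a one-off check on the host, source the file and call `ensure_modules $CSF_MODULES`, then rerun /etc/csf/csftest.pl inside the CT.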
 
If this is not the issue, I would suggest considering running CSF in a VM (sadly I don't have any experience with CSF / do not know what it is).

Sorry, CSF is simply a wrapper for iptables; I'll try to simplify this.

On the PVE host we have the following, for example:

Code:
modinfo ipt_recent
filename:       /lib/modules/5.11.22-4-pve/kernel/net/netfilter/xt_recent.ko
alias:          ip6t_recent
alias:          ipt_recent
license:        GPL
description:    Xtables: "recently-seen" host matching
author:         Jan Engelhardt <jengelh@medozas.de>
author:         Patrick McHardy <kaber@trash.net>
srcversion:     695F95E6A7EC108FDCC365A
depends:        x_tables
retpoline:      Y
intree:         Y
name:           xt_recent
vermagic:       5.11.22-4-pve SMP mod_unload modversions
parm:           ip_list_tot:number of IPs to remember per list (uint)
parm:           ip_list_hash_size:size of hash table used to look up IPs (uint)
parm:           ip_list_perms:permissions on /proc/net/xt_recent/* files (uint)
parm:           ip_list_uid:default owner of /proc/net/xt_recent/* files (uint)
parm:           ip_list_gid:default owning group of /proc/net/xt_recent/* files (uint)
parm:           ip_pkt_list_tot:number of packets per IP address to remember (max. 255) (uint)

But inside the CT we seem not to have access to the "recent" module in iptables?

Code:
[root@Testing-CSF csf]# /sbin/iptables -I OUTPUT -p tcp --dport 9999 -m recent --set
iptables: No chain/target/match by that name.

Do you know how we can enable the use of "ipt_recent" (and xt_connlimit)?
 
Do you know how we can enable the use of "ipt_recent" (and xt_connlimit)?
The modules are not loaded by default.

Does everything work if you load them on the PVE node before starting the container?
Code:
modprobe ipt_recent
modprobe xt_connlimit
 
modprobe ipt_recent
modprobe xt_connlimit
I can't seem to load them without an error.

Code:
root @ pve-node ➜  ~  modprobe ipt_recent
modprobe: ERROR: could not insert 'xt_recent': Invalid argument

root @ pve-node ➜  ~  modprobe xt_connlimit
modprobe: ERROR: could not insert 'xt_connlimit': Invalid argument

I tried reading online and some suggested it's because the kernel wasn't built with them? But I could be getting even more confused.

How do you think I can enable those two modules?
 
The commands work here without issue.

What's the output of `dmesg` after you try to load them?
Otherwise, please also post `pveversion -v` and `uname -a`.
 
The commands work here without issue.

What's the output of `dmesg` after you try to load them?
Otherwise, please also post `pveversion -v` and `uname -a`.

From the dmesg, when running modprobe xt_connlimit I get:

Code:
[8898704.682293] BPF:     type_id=77 bits_offset=1216
[8898704.683686] BPF:
[8898704.684906] BPF:Invalid name
[8898704.686122] BPF:

[8898704.688775] failed to validate module [nf_conncount] BTF: -22

When running modprobe ipt_recent I get:

Code:
[  +7.679492] BPF:    0_gpio_config type_id=10 bits_offset=72
[  +0.001692] BPF:
[  +0.001419] BPF:Invalid name
[  +0.001640] BPF:

[  +0.002650] failed to validate module [xt_recent] BTF: -22

The PVE node is as follows:


Code:
root @ pvenode ➜  ~  pveversion -v
proxmox-ve: 7.1-1 (running kernel: 5.11.22-4-pve)
pve-manager: 7.1-8 (running version: 7.1-8/5b267f33)
pve-kernel-helper: 7.1-6
pve-kernel-5.13: 7.1-5
pve-kernel-5.11: 7.0-10
pve-kernel-5.4: 6.4-5
pve-kernel-5.13.19-2-pve: 5.13.19-4
pve-kernel-5.13.19-1-pve: 5.13.19-3
pve-kernel-5.11.22-7-pve: 5.11.22-12
pve-kernel-5.11.22-4-pve: 5.11.22-9
pve-kernel-5.4.128-1-pve: 5.4.128-1
pve-kernel-5.4.60-1-pve: 5.4.60-2
pve-kernel-5.4.55-1-pve: 5.4.55-1
pve-kernel-5.4.44-2-pve: 5.4.44-2
pve-kernel-5.4.34-1-pve: 5.4.34-2
ceph-fuse: 14.2.21-1
corosync: 3.1.5-pve2
criu: 3.15-1+pve-1
glusterfs-client: 9.2-1
ifupdown: residual config
ifupdown2: 3.1.0-1+pmx3
ksm-control-daemon: 1.4-1
libjs-extjs: 7.0.0-1
libknet1: 1.22-pve2
libproxmox-acme-perl: 1.4.0
libproxmox-backup-qemu0: 1.2.0-1
libpve-access-control: 7.1-5
libpve-apiclient-perl: 3.2-1
libpve-common-perl: 7.0-14
libpve-guest-common-perl: 4.0-3
libpve-http-server-perl: 4.0-4
libpve-storage-perl: 7.0-15
libqb0: 1.0.5-1
libspice-server1: 0.14.3-2.1
lvm2: 2.03.11-2.1
lxc-pve: 4.0.11-1
lxcfs: 4.0.11-pve1
novnc-pve: 1.3.0-1
proxmox-backup-client: 2.1.2-1
proxmox-backup-file-restore: 2.1.2-1
proxmox-mini-journalreader: 1.3-1
proxmox-widget-toolkit: 3.4-4
pve-cluster: 7.1-3
pve-container: 4.1-3
pve-docs: 7.1-2
pve-edk2-firmware: 3.20210831-2
pve-firewall: 4.2-5
pve-firmware: 3.3-4
pve-ha-manager: 3.3-1
pve-i18n: 2.6-2
pve-qemu-kvm: 6.1.0-3
pve-xtermjs: 4.12.0-1
qemu-server: 7.1-4
smartmontools: 7.2-pve2
spiceterm: 3.2-2
swtpm: 0.7.0~rc1+2
vncterm: 1.7-1
zfsutils-linux: 2.1.1-pve3

and kernel:

Code:
root @ pvenode ➜  ~  uname -a
Linux fuji 5.11.22-4-pve #1 SMP PVE 5.11.22-8 (Fri, 27 Aug 2021 11:51:34 +0200) x86_64 GNU/Linux

And also, if it makes any difference (I don't think it does), here are entries from a few months ago when doing the upgrade PVE 6.X -> 7.X:

Code:
root @ pvenode ➜  ~  cat /etc/kernel/cmdline
systemd.unified_cgroup_hierarchy=0

Code:
root @ pvenode ➜  ~  cat /etc/default/grub
# If you change this file, run 'update-grub' afterwards to update
# /boot/grub/grub.cfg.
# For full documentation of the options in this file, see:
#   info -f grub -n 'Simple configuration'

GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="Proxmox Virtual Environment"
#GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX_DEFAULT="systemd.unified_cgroup_hierarchy=0 quiet"
GRUB_CMDLINE_LINUX=""

# Disable os-prober, it might add menu entries for each guest
GRUB_DISABLE_OS_PROBER=true
 
[  +7.679492] BPF:    0_gpio_config type_id=10 bits_offset=72
[  +0.001692] BPF:
[  +0.001419] BPF:Invalid name
[  +0.001640] BPF:
This is an issue that was recently fixed; try running `update-initramfs -k all -u` and rebooting.
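As an added example (not the thread's, CSF's or Proxmox's code) of turning the dmesg lines quoted in this thread into a check: it extracts the modules whose BTF the kernel rejected, and compares the kernel build embedded in `uname -v` with the installed kernel package version, since the page's own output shows the running kernel as build "PVE 5.11.22-8" while the installed pve-kernel-5.11.22-4-pve package is 5.11.22-9, so the module files on disk came from a different build than the kernel validating their BTF. Assumptions: the message format is the one quoted above ("failed to validate module [NAME] BTF: -22", where -22 is EINVAL, which modprobe reports as "Invalid argument"), and the dpkg package name is `pve-kernel-$(uname -r)` as listed in the pveversion output; the sample dmesg text in the test is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread, CSF or Proxmox: find out from dmesg
# which modules the kernel refused on BTF grounds, and check whether the
# running kernel build matches the installed kernel package.
#
# Message format taken from the dmesg lines in the thread:
#   failed to validate module [xt_recent] BTF: -22
# -22 is EINVAL, which modprobe reports as "Invalid argument".

# Read dmesg text on stdin; print each module name that failed BTF validation,
# once, one per line.
btf_failed_modules() {
    sed -n 's/.*failed to validate module \[\([^]]*\)\] BTF: -[0-9]*.*/\1/p' | sort -u
}

# Read `uname -v` text on stdin, e.g.
#   #1 SMP PVE 5.11.22-8 (Fri, 27 Aug 2021 11:51:34 +0200)
# and print the package build the running kernel was built from (5.11.22-8).
running_kernel_build() {
    sed -n 's/.*PVE \([0-9][0-9.]*-[0-9]*\).*/\1/p'
}

# Report for a live host. Returns 1 when modules were rejected, so it can gate
# a maintenance script. Assumption: the package name is pve-kernel-$(uname -r).
report() {
    mods=$(dmesg | btf_failed_modules)
    if [ -z "$mods" ]; then
        echo "no BTF validation failures in dmesg"
        return 0
    fi
    echo "modules rejected by BTF validation:"
    printf '  %s\n' $mods
    running=$(uname -v | running_kernel_build)
    installed=$(dpkg-query -W -f='${Version}' "pve-kernel-$(uname -r)")
    if [ -n "$running" ] && [ "$running" != "$installed" ]; then
        echo "running kernel build $running differs from installed package $installed"
    fi
    echo "fix from the thread: update-initramfs -k all -u && reboot"
    return 1
}

# Only touch the live system when explicitly asked, so the functions above can
# be sourced and exercised on captured text.
if [ "${1:-}" = "--report" ]; then
    report
fi
```

Run it as `sh btf-check.sh --report` on the PVE node after a failed modprobe; the nf_conncount entry in the thread's output is the dependency xt_connlimit pulls in, which is why it appears when xt_connlimit itself was requested.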
 