Netclient defaults to nfttables for FW, causes iptables machine to break

[LucaOonk]

What happened?

When adding a new Node it defaults to use the nfttables in firewallinuse, even though the active firewall is iptables. When this node is made an ingress-node this machine becomes unresponsive, and can not be reached. Requiring the following to make the machine work again:

• Reboot the machine
• Netclient remove the network as soon as the machine responds again, hoping it wont break again.
• Reboot the machine again

The workaround I found was make an api call to change the firewallinuse and then make the node an ingress:

curl 'https://api.<DOMAIN>/api/nodes/<NETWORK>/<NODEID>' \
  -X 'PUT' \
  -H 'accept: application/json, text/plain, */*' \
  -H 'accept-language: nl-NL,nl;q=0.9,en-US;q=0.8,en;q=0.7' \
  -H 'authorization: Bearer <TOKEN>' \
  -H 'content-type: application/json' \
  -H 'sec-fetch-mode: cors' \
  -H 'user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36' \
  --data-raw '{"firewallinuse":"iptables"}' \
  --compressed

My guess is that this is not intended and could be prevented. For example, check the current firewall when the node is added. Maybe this kind of advanced info could be shown in a special tab for each node? This would greatly help troubleshoot stuff like this!

Version v0.16.0 server v0.16.0 netclient

What OS are you using? Linux

Relevant log output No response

Contributing guidelines Yes, I did.

[mattkasun]

netclient defaults to iptables unless nftables is present on the host, assumption being that latest firewall tool installed is to be used. This assumption may need to be revisited.

[LucaOonk]

If I understand correctly, when nfttables is deleted before enrolling the node it will use iptables, correct? Update: I tested this and it seems to work: removing nftables and then enrolling the node indeed defaults to iptables

I had some idea's how to "fix" this:

• Maybe this could be "fixed" by adding a promt when a new node is added? Then the admin, who has this info, could correctly configure it without breaking the server+ssh (and other services).
• Or being able to set/change this as a network/node setting using the Netmaker UI

[LucaOonk]

Hi @mattkasun,

I have made a fix for this issue, and made a pull request. https://github.com/gravitl/netmaker/pull/1696

I hope this will be merged in the next version of netclient.

[LucaOonk]

As the pull request is approved this issue can be closed.