Open DennisGaida opened 1 year ago
Same
root@udm0-office:/data/on_boot.d# ubnt-device-info summary; echo
Device information summary:
Subsystem ID: ea11
Family: UniFi Dream Machine (UDM)
Model: UniFi Dream Machine (UDM)
Default MAC address: (removed)
Default IPv4 address: 127.0.0.1
Firmware: 2.4.23 (2.4.23)
This rule is created by the firewall CNI plugin. Make sure your CNI plugins are up to date and that you're not using firewall
I'm not quite sure I understand what you are saying @boostchicken. Are you saying this isn't an issue of unifi-utilities but of https://github.com/containernetworking?
I installed the latest version of the CNI-plugins, i.e. v1.2.0, and I still receive this message in /var/log/messages. I'm not sure about "not using firewall" - UniFi always has the firewall up or are you talking about anything in particular?
-A FORWARD -m comment --comment "CNI firewall plugin rules" -j CNI-FORWARD
-A CNI-FORWARD -m comment --comment "CNI firewall plugin admin overrides" -j CNI-ADMIN
Those rules are absolutely made by the CNI plugins, when and where I am not sure.
To me it appears like unifi is checking iptables rules and those not coming from Unifi are marked as "unexpected". Checking the rules, I see that unifi rules have some kind of ID, e.g. (00000001095216660285):
-A UBIOS_POSTROUTING_USER_HOOK -o ppp0 -m comment --comment 00000001095216660285 -j MASQUERADE
the iptables rules generated by CNI(?) don't have these IDs and have comments such as the following:
-A CNI-<id> -d 10.88.0.0/16 -m comment --comment "name: \"podman\" id: \"<very-long-id>\"" -j ACCEPT
Currently I get the following warnings in /var/log/messages every minute (!):
2023-01-18T09:41:33+01:00 Dream-Router ubios-udapi-server[4601]: firewall: Found unexpected rule --comment '"CNI'
2023-01-18T09:41:33+01:00 Dream-Router ubios-udapi-server[4601]: firewall: Found unexpected rule --comment '"name:'
2023-01-18T09:41:33+01:00 Dream-Router ubios-udapi-server[4601]: firewall: Found unexpected rule --comment '"name:'
2023-01-18T09:41:33+01:00 Dream-Router ubios-udapi-server[4601]: firewall: Found unexpected rule --comment '"name:'
2023-01-18T09:41:33+01:00 Dream-Router ubios-udapi-server[4601]: firewall: Found unexpected rule --comment '"dnat'
2023-01-18T09:41:33+01:00 Dream-Router ubios-udapi-server[4601]: firewall: Found unexpected rule --comment '"CNI'
2023-01-18T09:41:33+01:00 Dream-Router ubios-udapi-server[4601]: firewall: Found unexpected rule --comment '"CNI'
2023-01-18T09:41:33+01:00 Dream-Router ubios-udapi-server[4601]: firewall: Found unexpected rule --comment '"CNI'
And since more containers mean more iptables rules, there will be more warnings. I believe these warnings will be generated by anyone using current unifi software. Maybe we will need some documentation on this in the installation documentation such as here: https://github.com/unifi-utilities/unifios-utilities/tree/main/container-common
Currently these warnings don't do anything besides spamming the logs. Similar warnings were already noted in another issue: https://github.com/unifi-utilities/unifios-utilities/issues/49
I found a German blogpost detailing the same warnings (https://nerdig.es/udm-pro-netzwerktrennung-2/) and it states that the solution is to create iptables rules without comments. I don't think you can change the way CNI-plugins work, but you may be able to remove the comments from the existing rules.
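As an added triage example (not code from this thread or from unifios-utilities): parse iptables -S output, separate rules carrying UniFi's all-digit comment IDs from foreign (CNI) rules, and compute the whitespace-split token that shows up in the udapi-server warnings. The sample rules are constructed from the ones quoted above (the chain suffix and container id are made-up placeholders), and the assumption that UniFi recognises its own rules by a 20-digit numeric comment and logs only the first whitespace-separated token of other comments is inferred from the log lines in this thread, not documented by Ubiquiti.

```python
import re
import shlex

# Constructed sample of `iptables -S` output, modelled on the rules quoted in
# this thread. "CNI-0123456789ab" and the id are placeholders, not real values.
SAMPLE_RULES = """\
-A FORWARD -m comment --comment "CNI firewall plugin rules" -j CNI-FORWARD
-A CNI-FORWARD -m comment --comment "CNI firewall plugin admin overrides" -j CNI-ADMIN
-A UBIOS_POSTROUTING_USER_HOOK -o ppp0 -m comment --comment 00000001095216660285 -j MASQUERADE
-A CNI-0123456789ab -d 10.88.0.0/16 -m comment --comment "name: \\"podman\\" id: \\"0123456789ab\\"" -j ACCEPT
-A INPUT -i lo -j ACCEPT
"""

# Assumption: UniFi-owned rules carry a 20-digit numeric comment (as in the
# UBIOS_POSTROUTING_USER_HOOK rule above); anything else is "unexpected".
UNIFI_ID = re.compile(r"^\d{20}$")


def extract_comment(rule):
    """Return (full_comment, raw_token) or (None, None) if the rule has none.

    full_comment is the unescaped comment (shlex handles the \\" escapes iptables
    emits); raw_token is the naive whitespace-split token after --comment, which
    is what the udapi-server warnings appear to print (e.g. '"CNI' or '"name:').
    """
    tokens = shlex.split(rule)
    raw = rule.split()
    if "--comment" not in tokens or tokens.index("--comment") + 1 >= len(tokens):
        return None, None
    return tokens[tokens.index("--comment") + 1], raw[raw.index("--comment") + 1]


def audit(output):
    """Bucket -A rules into unifi / foreign / no-comment for review.

    Each entry is (chain, full_comment, raw_token); foreign entries are the ones
    to expect in the 'Found unexpected rule' warnings.
    """
    report = {"unifi": [], "foreign": [], "no-comment": []}
    for line in output.splitlines():
        if not line.startswith("-A "):
            continue
        chain = line.split()[1]
        comment, raw_token = extract_comment(line)
        if comment is None:
            report["no-comment"].append((chain, None, None))
        elif UNIFI_ID.match(comment):
            report["unifi"].append((chain, comment, raw_token))
        else:
            report["foreign"].append((chain, comment, raw_token))
    return report


if __name__ == "__main__":
    for kind, entries in audit(SAMPLE_RULES).items():
        for chain, comment, raw_token in entries:
            print(f"{kind:10} {chain:30} logged-as={raw_token!r} comment={comment!r}")
```

Feeding it real output (iptables -S | python3 audit.py with a small change to read stdin) lets you map each '"CNI' / '"name:' warning back to the full rule and chain it belongs to.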
You could open an issue in the CNI repo and send them a PR to fix it
I sure could, if I was an expert in creating iptables rules. Since this is a warning that Unifi creates, I don't think CNI will care about it. Maybe there could be a switch like "create rules without comments" when using CNI, but I don't see that happening soon.
I still believe we need a note in unifios-utilities that the warnings created by unifi don't mean anything - just that unifi doesn't know the rules. When searching for the CNI installation, it is referenced many times throughout this repo: https://github.com/search?q=repo%3Aunifi-utilities%2Funifios-utilities%20install-cni-plugins.sh&type=code and once people install newer versions of Unifi, they will all receive this warning.
Maybe the best way would be to have a README in https://github.com/unifi-utilities/unifios-utilities/tree/main/cni-plugins and update all references that call directly for running 05-install-cni-plugins.sh to link to that README instead.
Describe the bug
Checked /var/log/messages and every couple of seconds I get the error message Dream-Router ubios-udapi-server[3290]: firewall: Found unexpected rule --comment '"CNI'. Checking iptables -S | grep CNI I see the following rules:

To Reproduce
Steps to reproduce the behavior:
/var/log/messages

Expected behavior
I suppose there shouldn't be any error messages / unexpected rules? Or maybe this is related to Unifi not knowing about these rules?

UDM Information