
Found unexpected rule --comment '"CNI'

Open DennisGaida opened this issue 2 years ago • 7 comments

Describe the bug

Checked /var/log/messages and every couple of seconds I get the error message Dream-Router ubios-udapi-server[3290]: firewall: Found unexpected rule --comment '"CNI'.

Checking iptables -S | grep CNI I see the following rules:

-N CNI-ADMIN
-N CNI-FORWARD
-A FORWARD -m comment --comment "CNI firewall plugin rules" -j CNI-FORWARD
-A CNI-FORWARD -m comment --comment "CNI firewall plugin admin overrides" -j CNI-ADMIN

To Reproduce

Steps to reproduce the behavior:

  1. Install CNI tools / plugins: https://github.com/unifi-utilities/unifios-utilities/blob/main/cni-plugins/05-install-cni-plugins.sh
  2. Observe /var/log/messages

Expected behavior

I suppose there shouldn't be any error messages / unexpected rules? Or maybe this is related to Unifi not knowing about these rules?

UDM Information

  • UDR
  • Firmware Version: v3.0.13
  • Controller Version 7.3.76

DennisGaida, Dec 14 '22 15:12

Same

  • UDM
  • Firmware version: 2.4.23
  • Controller version: 7.3.76

root@udm0-office:/data/on_boot.d# ubnt-device-info summary; echo
Device information summary:
        Subsystem ID: ea11
              Family: UniFi Dream Machine (UDM)
               Model: UniFi Dream Machine (UDM)
 Default MAC address: (removed)
Default IPv4 address: 127.0.0.1
            Firmware: 2.4.23 (2.4.23)

bennettp123, Dec 16 '22 16:12

This rule is created by the firewall CNI plugin. Make sure your CNI plugins are up to date and that you're not using firewall

boostchicken, Jan 17 '23 12:01

I'm not quite sure I understand what you are saying @boostchicken. Are you saying this isn't an issue of unifi-utilities but of https://github.com/containernetworking?

I installed the latest version of the CNI-plugins, i.e. v1.2.0, and I still receive this message in /var/log/messages. I'm not sure about "not using firewall" - UniFi always has the firewall up or are you talking about anything in particular?

DennisGaida, Jan 17 '23 12:01

-A FORWARD -m comment --comment "CNI firewall plugin rules" -j CNI-FORWARD
-A CNI-FORWARD -m comment --comment "CNI firewall plugin admin overrides" -j CNI-ADMIN

Those rules are absolutely made by the CNI plugins, when and where I am not sure.

boostchicken, Jan 17 '23 17:01

To me it appears like unifi is checking iptables rules and those coming not from Unifi are marked as "unexpected". Checking the rules, I see that unifi rules have some kind of ID, e.g. (00000001095216660285):

-A UBIOS_POSTROUTING_USER_HOOK -o ppp0 -m comment --comment 00000001095216660285 -j MASQUERADE

The iptables rules generated by CNI(?) don't have these IDs and have comments such as the following:

-A CNI-<id> -d 10.88.0.0/16 -m comment --comment "name: \"podman\" id: \"<very-long-id>\"" -j ACCEPT

Currently I get the following warnings in /var/log/messages every minute (!):

2023-01-18T09:41:33+01:00 Dream-Router ubios-udapi-server[4601]: firewall: Found unexpected rule --comment '"CNI'
2023-01-18T09:41:33+01:00 Dream-Router ubios-udapi-server[4601]: firewall: Found unexpected rule --comment '"name:'
2023-01-18T09:41:33+01:00 Dream-Router ubios-udapi-server[4601]: firewall: Found unexpected rule --comment '"name:'
2023-01-18T09:41:33+01:00 Dream-Router ubios-udapi-server[4601]: firewall: Found unexpected rule --comment '"name:'
2023-01-18T09:41:33+01:00 Dream-Router ubios-udapi-server[4601]: firewall: Found unexpected rule --comment '"dnat'
2023-01-18T09:41:33+01:00 Dream-Router ubios-udapi-server[4601]: firewall: Found unexpected rule --comment '"CNI'
2023-01-18T09:41:33+01:00 Dream-Router ubios-udapi-server[4601]: firewall: Found unexpected rule --comment '"CNI'
2023-01-18T09:41:33+01:00 Dream-Router ubios-udapi-server[4601]: firewall: Found unexpected rule --comment '"CNI'

And since more containers mean more iptables rules, there will be more warnings. I believe these warnings will be generated by anyone using current unifi software. Maybe we will need some documentation on this in the installation documentation such as here: https://github.com/unifi-utilities/unifios-utilities/tree/main/container-common

Currently these warnings don't do anything besides spamming the logs. Similar warnings were already noted in another issue: https://github.com/unifi-utilities/unifios-utilities/issues/49

I found a German blogpost detailing the same warnings (https://nerdig.es/udm-pro-netzwerktrennung-2/) and it states that the solution is to create iptables rules without comments. I don't think you can change the way CNI-plugins work, but you may be able to remove the comments from the existing rules.

DennisGaida, Jan 18 '23 08:01
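As an added example (not code from this thread or from the unifios-utilities project), the Python script below triages an `iptables -S` dump along the lines DennisGaida describes in the two comments above: rules whose comment is a 20-digit UniFi ID are treated as UniFi-managed, any other comment is flagged together with the fragment the daemon would log for it, and a comment-free equivalent of each rule is built, which is the workaround the linked blog post suggests. The sample dump, the 20-digit-ID rule and the log-fragment logic are assumptions modelled on the rules and log lines quoted in the thread.

```python
"""Triage an `iptables -S` dump: UniFi-style 20-digit comment IDs count as managed,
any other comment is flagged, and a comment-free equivalent of the rule is produced."""
import re
import shlex

UNIFI_ID = re.compile(r"^\d{20}$")  # assumption: the 20-digit IDs quoted in the thread

# Constructed sample modelled on the rules quoted in the thread (not a real dump).
SAMPLE_DUMP = r'''
-N CNI-ADMIN
-A FORWARD -m comment --comment "CNI firewall plugin rules" -j CNI-FORWARD
-A UBIOS_POSTROUTING_USER_HOOK -o ppp0 -m comment --comment 00000001095216660285 -j MASQUERADE
-A CNI-abc123 -d 10.88.0.0/16 -m comment --comment "name: \"podman\" id: \"abc123\"" -j ACCEPT
-A INPUT -i br0 -j ACCEPT
'''

def strip_comment(tokens):
    """Drop one `-m comment --comment <text>` group; every other token is kept in order."""
    out, i = [], 0
    while i < len(tokens):
        if tokens[i:i + 3] == ["-m", "comment", "--comment"] and i + 3 < len(tokens):
            i += 4
            continue
        out.append(tokens[i])
        i += 1
    return out

def logged_fragment(line):
    """First whitespace-delimited token after --comment, which is what the thread's
    log lines ('"CNI', '"name:', '"dnat') suggest the daemon prints (an inference)."""
    parts = line.split()
    return "'" + parts[parts.index("--comment") + 1] + "'"

def triage(dump):
    """Return (status, original, rewritten) for every -A rule in the dump."""
    report = []
    for line in dump.strip().splitlines():
        tokens = shlex.split(line)  # honours quotes and the \" escapes in CNI comments
        if not tokens or tokens[0] != "-A":
            continue  # -N chain definitions and -P policies carry no comment
        comment = tokens[tokens.index("--comment") + 1] if "--comment" in tokens else None
        if comment is None:
            status = "no-comment"
        elif UNIFI_ID.match(comment):
            status = "unifi-managed"
        else:
            status = "unexpected: " + logged_fragment(line)
        report.append((status, line, shlex.join(strip_comment(tokens))))
    return report
```

Feed `triage()` the real output of `iptables -S` (or `iptables -t nat -S`) to see which rules will keep producing the warning; the rewritten form is what a rule looks like once its comment is removed, so it can be compared before any chain is touched.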

You could open an issue in the CNI repo and send them a PR to fix it

boostchicken, Jan 24 '23 10:01

I sure could, if I was an expert in creating iptables rules. Since this is a warning that Unifi creates, I don't think CNI will care about it. Maybe there could be a switch like "create rules without comments" when using CNI, but I don't see that happening soon.

I still believe we need a note in unifios-utilities that the warnings created by unifi don't mean anything - just that UniFi doesn't know the rules. When searching for the CNI installation, it is referenced many times throughout this repo: https://github.com/search?q=repo%3Aunifi-utilities%2Funifios-utilities%20install-cni-plugins.sh&type=code and once people install newer versions of Unifi, they will all receive this warning.

Maybe the best way would be to have a README in https://github.com/unifi-utilities/unifios-utilities/tree/main/cni-plugins and update all references that call directly for running 05-install-cni-plugins.sh to link to that README instead.

DennisGaida, Jan 24 '23 13:01