Duplicate iptables rules being created
Bug Report
System Information
root@AMP:~# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 12 (bookworm)
Release: 12
Codename: bookworm
root@AMP:~# uname -a
Linux AMP 6.2.16-10-pve #1 SMP PREEMPT_DYNAMIC PMX 6.2.16-10 (2023-08-18T11:42Z) x86_64 GNU/Linux
AMP version (Mainline):
AMP Release "Decadeus"
v2.4.6.4, built 07/09/2023 18:02
I confirm:
- [x] that I have searched for an existing bug report for this issue. (Possible duplicate, but marked resolved at the time: #368)
- [x] that I am using the latest available version of AMP.
- [x] that my operating system is up-to-date.
Symptoms
- AMP is creating numerous duplicate iptables rules (40 per hour for 1 server instance)
- Expecting 1 set of rules to be created
Output of iptables -L INPUT --line-numbers:
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT tcp -- anywhere anywhere tcp dpt:2223 /* AMP:ADS01:FileManagerPlugin.SFTP.SFTPPortNumber */
2 ACCEPT tcp -- anywhere anywhere tcp dpt:10100 /* AMP:Valheim01:FileManagerPlugin.SFTP.SFTPPortNumber */
3 ACCEPT udp -- anywhere anywhere udp dpt:10101 /* AMP:Valheim01:GenericModule.App.Ports.$ApplicationPort1 */
4 ACCEPT udp -- anywhere anywhere udp dpt:10102 /* AMP:Valheim01:GenericModule.App.Ports.$ApplicationPort2 */
5 ACCEPT tcp -- anywhere anywhere tcp dpt:2223 /* AMP:ADS01:FileManagerPlugin.SFTP.SFTPPortNumber */
6 ACCEPT tcp -- anywhere anywhere tcp dpt:10100 /* AMP:Valheim01:FileManagerPlugin.SFTP.SFTPPortNumber */
7 ACCEPT udp -- anywhere anywhere udp dpt:10101 /* AMP:Valheim01:GenericModule.App.Ports.$ApplicationPort1 */
8 ACCEPT udp -- anywhere anywhere udp dpt:10102 /* AMP:Valheim01:GenericModule.App.Ports.$ApplicationPort2 */
9 ACCEPT tcp -- anywhere anywhere tcp dpt:2223 /* AMP:ADS01:FileManagerPlugin.SFTP.SFTPPortNumber */
10 ACCEPT tcp -- anywhere anywhere tcp dpt:10100 /* AMP:Valheim01:FileManagerPlugin.SFTP.SFTPPortNumber */
11 ACCEPT udp -- anywhere anywhere udp dpt:10101 /* AMP:Valheim01:GenericModule.App.Ports.$ApplicationPort1 */
12 ACCEPT udp -- anywhere anywhere udp dpt:10102 /* AMP:Valheim01:GenericModule.App.Ports.$ApplicationPort2 */
(repeated for over 940 lines after ~24 hours of uptime)
No manual administrative actions were taken during this time.
journalctl -eu ampfirewall.service --no-pager:
Sep 09 15:22:42 AMP systemd[1]: Starting ampfirewall.service - AMP Instance Manager Firewall...
Sep 09 15:22:48 AMP ampinstmgr[31144]: Can't find custom attr constructor image: /opt/cubecoders/amp/plugins/ADSModule.dll mtoken: 0x0a00001e due to: Could not load file or assembly 'SQLite-net, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null' or one of its dependencies.
Sep 09 15:22:48 AMP systemd[1]: ampfirewall.service: Deactivated successfully.
Sep 09 15:22:48 AMP systemd[1]: Finished ampfirewall.service - AMP Instance Manager Firewall.
Sep 09 15:23:20 AMP systemd[1]: Starting ampfirewall.service - AMP Instance Manager Firewall...
Sep 09 15:23:26 AMP ampinstmgr[31260]: Can't find custom attr constructor image: /opt/cubecoders/amp/plugins/ADSModule.dll mtoken: 0x0a00001e due to: Could not load file or assembly 'SQLite-net, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null' or one of its dependencies.
Sep 09 15:23:26 AMP systemd[1]: ampfirewall.service: Deactivated successfully.
Sep 09 15:23:26 AMP systemd[1]: Finished ampfirewall.service - AMP Instance Manager Firewall.
Sep 09 15:28:42 AMP systemd[1]: Starting ampfirewall.service - AMP Instance Manager Firewall...
Sep 09 15:28:48 AMP ampinstmgr[32146]: Can't find custom attr constructor image: /opt/cubecoders/amp/plugins/ADSModule.dll mtoken: 0x0a00001e due to: Could not load file or assembly 'SQLite-net, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null' or one of its dependencies.
Sep 09 15:28:48 AMP systemd[1]: ampfirewall.service: Deactivated successfully.
Sep 09 15:28:48 AMP systemd[1]: Finished ampfirewall.service - AMP Instance Manager Firewall.
Sep 09 15:34:42 AMP systemd[1]: Starting ampfirewall.service - AMP Instance Manager Firewall...
Sep 09 15:34:48 AMP ampinstmgr[32278]: Can't find custom attr constructor image: /opt/cubecoders/amp/plugins/ADSModule.dll mtoken: 0x0a00001e due to: Could not load file or assembly 'SQLite-net, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null' or one of its dependencies.
Sep 09 15:34:48 AMP systemd[1]: ampfirewall.service: Deactivated successfully.
Sep 09 15:34:48 AMP systemd[1]: Finished ampfirewall.service - AMP Instance Manager Firewall.
journalctl -eu ampinstmgr.service --no-pager:
Sep 08 16:55:53 AMP systemd[1]: Starting ampinstmgr.service - AMP Instance Manager...
Sep 08 16:55:55 AMP ampinstmgr[133]: [Info] AMP Instance Manager v2.4.6.4 built 06/09/2023 12:13
Sep 08 16:55:55 AMP ampinstmgr[133]: [Info] Stream: Mainline / Release - built by CUBECODERS/buildbot on CCL-DEV
Sep 08 16:55:56 AMP ampinstmgr[133]: Can't find custom attr constructor image: /opt/cubecoders/amp/plugins/ADSModule.dll mtoken: 0x0a00001e due to: Could not load file or assembly 'SQLite-net, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null' or one of its dependencies.
Sep 08 16:55:57 AMP ampinstmgr[133]: [Info] Waiting for AMP instance to start...
Sep 08 16:55:58 AMP ampinstmgr[133]: [Notice] AMP instance ADS01 is now running.
Sep 08 16:56:02 AMP ampinstmgr[133]: [Info] **long hex string, possibly sensitive?**
Sep 08 16:56:03 AMP systemd[1]: Finished ampinstmgr.service - AMP Instance Manager.
Reproduction
- Set up Debian 12 LXC container in Proxmox, installed AMP using the "getamp.sh" script
- Changed Networking settings:
- Created a Valheim instance (Docker), enabled BepInEx
- Set up the following Schedule
- Observe duplicate rules being created
Repeating some of the same diagnostic steps mentioned in #368:
root@AMP:~# ampinstmgr updatefirewall amp
[Info] AMP Instance Manager v2.4.6.4 built 06/09/2023 12:13
[Info] Stream: Mainline / Release - built by CUBECODERS/buildbot on CCL-DEV
[Info] Using iptables firewall.
Can't find custom attr constructor image: /opt/cubecoders/amp/plugins/ADSModule.dll mtoken: 0x0a00001e due to: Could not load file or assembly 'SQLite-net, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null' or one of its dependencies.
[Info] Adding 4 new firewall rules
[Info] Firewall rule to add: TCP/2223 (AMP:ADS01:FileManagerPlugin.SFTP.SFTPPortNumber)
[Info] Firewall rule to add: TCP/10100 (AMP:Valheim01:FileManagerPlugin.SFTP.SFTPPortNumber)
[Info] Firewall rule to add: UDP/10101 (AMP:Valheim01:GenericModule.App.Ports.$ApplicationPort1)
[Info] Firewall rule to add: UDP/10102 (AMP:Valheim01:GenericModule.App.Ports.$ApplicationPort2)
[Info] No existing firewall rules to remove
root@AMP:~# iptables -L INPUT --line-numbers | wc -l
1170
root@AMP:~# ampinstmgr updatefirewall amp
[Info] AMP Instance Manager v2.4.6.4 built 06/09/2023 12:13
[Info] Stream: Mainline / Release - built by CUBECODERS/buildbot on CCL-DEV
[Info] Using iptables firewall.
Can't find custom attr constructor image: /opt/cubecoders/amp/plugins/ADSModule.dll mtoken: 0x0a00001e due to: Could not load file or assembly 'SQLite-net, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null' or one of its dependencies.
[Info] Adding 4 new firewall rules
[Info] Firewall rule to add: TCP/2223 (AMP:ADS01:FileManagerPlugin.SFTP.SFTPPortNumber)
[Info] Firewall rule to add: TCP/10100 (AMP:Valheim01:FileManagerPlugin.SFTP.SFTPPortNumber)
[Info] Firewall rule to add: UDP/10101 (AMP:Valheim01:GenericModule.App.Ports.$ApplicationPort1)
[Info] Firewall rule to add: UDP/10102 (AMP:Valheim01:GenericModule.App.Ports.$ApplicationPort2)
[Info] No existing firewall rules to remove
root@AMP:~# iptables -L INPUT --line-numbers | wc -l
1174
root@AMP:~# ampinstmgr updatefirewall amp
[Info] AMP Instance Manager v2.4.6.4 built 06/09/2023 12:13
[Info] Stream: Mainline / Release - built by CUBECODERS/buildbot on CCL-DEV
[Info] Using iptables firewall.
Can't find custom attr constructor image: /opt/cubecoders/amp/plugins/ADSModule.dll mtoken: 0x0a00001e due to: Could not load file or assembly 'SQLite-net, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null' or one of its dependencies.
[Info] Adding 4 new firewall rules
[Info] Firewall rule to add: TCP/2223 (AMP:ADS01:FileManagerPlugin.SFTP.SFTPPortNumber)
[Info] Firewall rule to add: TCP/10100 (AMP:Valheim01:FileManagerPlugin.SFTP.SFTPPortNumber)
[Info] Firewall rule to add: UDP/10101 (AMP:Valheim01:GenericModule.App.Ports.$ApplicationPort1)
[Info] Firewall rule to add: UDP/10102 (AMP:Valheim01:GenericModule.App.Ports.$ApplicationPort2)
[Info] No existing firewall rules to remove
root@AMP:~# iptables -L INPUT --line-numbers | wc -l
1178
root@AMP:~# ampinstmgr dumpfirewall
[Info] AMP Instance Manager v2.4.6.4 built 06/09/2023 12:13
[Info] Stream: Mainline / Release - built by CUBECODERS/buildbot on CCL-DEV
[Info] Using iptables firewall.
[Info] No firewall rules to display.
root@AMP:~# iptables -L INPUT --line-numbers | wc -l
1178
Curiously the build date mentioned by ampinstmgr is different from the one displayed on the web dashboard.
Possibly the issue is that Debian 12 uses nftables by default, and iptables rules are translated to nftables via iptables-nft. So AMP is probably not parsing the existing rules correctly. I suspect if you enable ufw and let AMP use that instead the issue will likely be resolved.
I'm not so sure. According to the Debian wiki, nftables have been the default since Debian 10. Furthermore, Proxmox sets update-alternatives of iptables to iptables-legacy, so I don't believe nftables are in use at all.
# ls -l /etc/alternatives/ | grep iptables
lrwxrwxrwx 1 root root 25 Sep 10 20:50 iptables -> /usr/sbin/iptables-legacy
lrwxrwxrwx 1 root root 33 Sep 10 20:50 iptables-restore -> /usr/sbin/iptables-legacy-restore
lrwxrwxrwx 1 root root 30 Sep 10 20:50 iptables-save -> /usr/sbin/iptables-legacy-save
I don't want to use ufw, but as a temporary measure I could turn off the firewall on the container which is already behind NAT & FW.
What's the output of iptables -n -L INPUT specifically? That's the command the firewall manager uses with iptables to read the rules.
A difference of build date is normal, AMP itself gets updated more frequently than the command line tools.
The other thing you can do is ampinstmgr --debug dumpfirewall to get more information about what it's doing.
root@AMP:~# iptables -n -L INPUT
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:2223 /* AMP:ADS01:FileManagerPlugin.SFTP.SFTPPortNumber */
ACCEPT tcp -- anywhere anywhere tcp dpt:2224 /* AMP:BeamMP01:FileManagerPlugin.SFTP.SFTPPortNumber */
ACCEPT tcp -- anywhere anywhere tcp dpt:10111 /* AMP:BeamMP01:GenericModule.App.Ports.$HTTPServerPort */
ACCEPT tcp -- anywhere anywhere tcp dpt:10110 /* AMP:BeamMP01:GenericModule.App.Ports.$MainGamePort */
ACCEPT udp -- anywhere anywhere udp dpt:10110 /* AMP:BeamMP01:GenericModule.App.Ports.$MainGamePort */
ACCEPT tcp -- anywhere anywhere tcp dpt:2223 /* AMP:ADS01:FileManagerPlugin.SFTP.SFTPPortNumber */
ACCEPT tcp -- anywhere anywhere tcp dpt:2224 /* AMP:BeamMP01:FileManagerPlugin.SFTP.SFTPPortNumber */
ACCEPT tcp -- anywhere anywhere tcp dpt:10111 /* AMP:BeamMP01:GenericModule.App.Ports.$HTTPServerPort */
ACCEPT tcp -- anywhere anywhere tcp dpt:10110 /* AMP:BeamMP01:GenericModule.App.Ports.$MainGamePort */
ACCEPT udp -- anywhere anywhere udp dpt:10110 /* AMP:BeamMP01:GenericModule.App.Ports.$MainGamePort */
ACCEPT tcp -- anywhere anywhere tcp dpt:2223 /* AMP:ADS01:FileManagerPlugin.SFTP.SFTPPortNumber */
ACCEPT tcp -- anywhere anywhere tcp dpt:2224 /* AMP:BeamMP01:FileManagerPlugin.SFTP.SFTPPortNumber */
ACCEPT tcp -- anywhere anywhere tcp dpt:10111 /* AMP:BeamMP01:GenericModule.App.Ports.$HTTPServerPort */
ACCEPT tcp -- anywhere anywhere tcp dpt:10110 /* AMP:BeamMP01:GenericModule.App.Ports.$MainGamePort */
ACCEPT udp -- anywhere anywhere udp dpt:10110 /* AMP:BeamMP01:GenericModule.App.Ports.$MainGamePort */
ACCEPT tcp -- anywhere anywhere tcp dpt:2223 /* AMP:ADS01:FileManagerPlugin.SFTP.SFTPPortNumber */
ACCEPT tcp -- anywhere anywhere tcp dpt:2220 /* AMP:Valheim01:FileManagerPlugin.SFTP.SFTPPortNumber */
ACCEPT udp -- anywhere anywhere udp dpt:10101 /* AMP:Valheim01:GenericModule.App.Ports.$ApplicationPort1 */
ACCEPT udp -- anywhere anywhere udp dpt:10102 /* AMP:Valheim01:GenericModule.App.Ports.$ApplicationPort2 */
ACCEPT tcp -- anywhere anywhere tcp dpt:2222 /* AMP:Vanilla01:FileManagerPlugin.SFTP.SFTPPortNumber */
ACCEPT udp -- anywhere anywhere udp dpt:10108 /* AMP:Vanilla01:GenericModule.App.Ports.$ApplicationPort1 */
ACCEPT udp -- anywhere anywhere udp dpt:10109 /* AMP:Vanilla01:GenericModule.App.Ports.$ApplicationPort2 */
ACCEPT tcp -- anywhere anywhere tcp dpt:10210 /* AMP:Vanilla01:GenericModule.App.Ports.$RemoteAdminPort */
ACCEPT tcp -- anywhere anywhere tcp dpt:2224 /* AMP:BeamMP01:FileManagerPlugin.SFTP.SFTPPortNumber */
ACCEPT tcp -- anywhere anywhere tcp dpt:10111 /* AMP:BeamMP01:GenericModule.App.Ports.$HTTPServerPort */
ACCEPT tcp -- anywhere anywhere tcp dpt:10110 /* AMP:BeamMP01:GenericModule.App.Ports.$MainGamePort */
ACCEPT udp -- anywhere anywhere udp dpt:10110 /* AMP:BeamMP01:GenericModule.App.Ports.$MainGamePort */
ACCEPT tcp -- anywhere anywhere tcp dpt:2223 /* AMP:ADS01:FileManagerPlugin.SFTP.SFTPPortNumber */
ACCEPT tcp -- anywhere anywhere tcp dpt:2220 /* AMP:Valheim01:FileManagerPlugin.SFTP.SFTPPortNumber */
ACCEPT udp -- anywhere anywhere udp dpt:10101 /* AMP:Valheim01:GenericModule.App.Ports.$ApplicationPort1 */
ACCEPT udp -- anywhere anywhere udp dpt:10102 /* AMP:Valheim01:GenericModule.App.Ports.$ApplicationPort2 */
ACCEPT tcp -- anywhere anywhere tcp dpt:2222 /* AMP:Vanilla01:FileManagerPlugin.SFTP.SFTPPortNumber */
ACCEPT udp -- anywhere anywhere udp dpt:10108 /* AMP:Vanilla01:GenericModule.App.Ports.$ApplicationPort1 */
ACCEPT udp -- anywhere anywhere udp dpt:10109 /* AMP:Vanilla01:GenericModule.App.Ports.$ApplicationPort2 */
ACCEPT tcp -- anywhere anywhere tcp dpt:10210 /* AMP:Vanilla01:GenericModule.App.Ports.$RemoteAdminPort */
ACCEPT tcp -- anywhere anywhere tcp dpt:2224 /* AMP:BeamMP01:FileManagerPlugin.SFTP.SFTPPortNumber */
ACCEPT tcp -- anywhere anywhere tcp dpt:10111 /* AMP:BeamMP01:GenericModule.App.Ports.$HTTPServerPort */
ACCEPT tcp -- anywhere anywhere tcp dpt:10110 /* AMP:BeamMP01:GenericModule.App.Ports.$MainGamePort */
ACCEPT udp -- anywhere anywhere udp dpt:10110 /* AMP:BeamMP01:GenericModule.App.Ports.$MainGamePort */
ACCEPT tcp -- anywhere anywhere tcp dpt:2223 /* AMP:ADS01:FileManagerPlugin.SFTP.SFTPPortNumber */
ACCEPT tcp -- anywhere anywhere tcp dpt:2220 /* AMP:Valheim01:FileManagerPlugin.SFTP.SFTPPortNumber */
ACCEPT udp -- anywhere anywhere udp dpt:10101 /* AMP:Valheim01:GenericModule.App.Ports.$ApplicationPort1 */
ACCEPT udp -- anywhere anywhere udp dpt:10102 /* AMP:Valheim01:GenericModule.App.Ports.$ApplicationPort2 */
ACCEPT tcp -- anywhere anywhere tcp dpt:2222 /* AMP:Vanilla01:FileManagerPlugin.SFTP.SFTPPortNumber */
ACCEPT udp -- anywhere anywhere udp dpt:10108 /* AMP:Vanilla01:GenericModule.App.Ports.$ApplicationPort1 */
ACCEPT udp -- anywhere anywhere udp dpt:10109 /* AMP:Vanilla01:GenericModule.App.Ports.$ApplicationPort2 */
ACCEPT tcp -- anywhere anywhere tcp dpt:10210 /* AMP:Vanilla01:GenericModule.App.Ports.$RemoteAdminPort */
ACCEPT tcp -- anywhere anywhere tcp dpt:2224 /* AMP:BeamMP01:FileManagerPlugin.SFTP.SFTPPortNumber */
ACCEPT tcp -- anywhere anywhere tcp dpt:10111 /* AMP:BeamMP01:GenericModule.App.Ports.$HTTPServerPort */
ACCEPT tcp -- anywhere anywhere tcp dpt:10110 /* AMP:BeamMP01:GenericModule.App.Ports.$MainGamePort */
ACCEPT udp -- anywhere anywhere udp dpt:10110 /* AMP:BeamMP01:GenericModule.App.Ports.$MainGamePort */
ACCEPT tcp -- anywhere anywhere tcp dpt:2223 /* AMP:ADS01:FileManagerPlugin.SFTP.SFTPPortNumber */
ACCEPT tcp -- anywhere anywhere tcp dpt:2220 /* AMP:Valheim01:FileManagerPlugin.SFTP.SFTPPortNumber */
ACCEPT udp -- anywhere anywhere udp dpt:10101 /* AMP:Valheim01:GenericModule.App.Ports.$ApplicationPort1 */
ACCEPT udp -- anywhere anywhere udp dpt:10102 /* AMP:Valheim01:GenericModule.App.Ports.$ApplicationPort2 */
ACCEPT tcp -- anywhere anywhere tcp dpt:2222 /* AMP:Vanilla01:FileManagerPlugin.SFTP.SFTPPortNumber */
ACCEPT udp -- anywhere anywhere udp dpt:10108 /* AMP:Vanilla01:GenericModule.App.Ports.$ApplicationPort1 */
ACCEPT udp -- anywhere anywhere udp dpt:10109 /* AMP:Vanilla01:GenericModule.App.Ports.$ApplicationPort2 */
ACCEPT tcp -- anywhere anywhere tcp dpt:10210 /* AMP:Vanilla01:GenericModule.App.Ports.$RemoteAdminPort */
ACCEPT tcp -- anywhere anywhere tcp dpt:2224 /* AMP:BeamMP01:FileManagerPlugin.SFTP.SFTPPortNumber */
ACCEPT tcp -- anywhere anywhere tcp dpt:10111 /* AMP:BeamMP01:GenericModule.App.Ports.$HTTPServerPort */
ACCEPT tcp -- anywhere anywhere tcp dpt:10110 /* AMP:BeamMP01:GenericModule.App.Ports.$MainGamePort */
ACCEPT udp -- anywhere anywhere udp dpt:10110 /* AMP:BeamMP01:GenericModule.App.Ports.$MainGamePort */
ACCEPT tcp -- anywhere anywhere tcp dpt:2223 /* AMP:ADS01:FileManagerPlugin.SFTP.SFTPPortNumber */
ACCEPT tcp -- anywhere anywhere tcp dpt:2220 /* AMP:Valheim01:FileManagerPlugin.SFTP.SFTPPortNumber */
ACCEPT udp -- anywhere anywhere udp dpt:10101 /* AMP:Valheim01:GenericModule.App.Ports.$ApplicationPort1 */
ACCEPT udp -- anywhere anywhere udp dpt:10102 /* AMP:Valheim01:GenericModule.App.Ports.$ApplicationPort2 */
ACCEPT tcp -- anywhere anywhere tcp dpt:2222 /* AMP:Vanilla01:FileManagerPlugin.SFTP.SFTPPortNumber */
ACCEPT udp -- anywhere anywhere udp dpt:10108 /* AMP:Vanilla01:GenericModule.App.Ports.$ApplicationPort1 */
ACCEPT udp -- anywhere anywhere udp dpt:10109 /* AMP:Vanilla01:GenericModule.App.Ports.$ApplicationPort2 */
ACCEPT tcp -- anywhere anywhere tcp dpt:10210 /* AMP:Vanilla01:GenericModule.App.Ports.$RemoteAdminPort */
ACCEPT tcp -- anywhere anywhere tcp dpt:2224 /* AMP:BeamMP01:FileManagerPlugin.SFTP.SFTPPortNumber */
ACCEPT tcp -- anywhere anywhere tcp dpt:10111 /* AMP:BeamMP01:GenericModule.App.Ports.$HTTPServerPort */
ACCEPT tcp -- anywhere anywhere tcp dpt:10110 /* AMP:BeamMP01:GenericModule.App.Ports.$MainGamePort */
ACCEPT udp -- anywhere anywhere udp dpt:10110 /* AMP:BeamMP01:GenericModule.App.Ports.$MainGamePort */
root@AMP:~# ampinstmgr --debug dumpfirewall
[Info] AMP Instance Manager v2.4.6.4 built 06/09/2023 12:13
[Info] Stream: Mainline / Release - built by CUBECODERS/buildbot on CCL-DEV
[Debug] Syncing certificate store using /etc/ssl/certs/ca-certificates.crt
[Debug] Current certificate store contains 136 items, system store contains 137
[Debug] Imported 1 certificates.
[Debug] Removed 0 certificates.
[Debug] Sync process completed.
[Debug] Loading instances from /root/.ampdata/instances.json...
[Debug] /root/.ampdata/instances.json does not exist, using empty dataset.
[Info] Using iptables firewall.
[Debug] Starting process /usr/sbin/iptables
[Debug] Started process with ID 323805
[Info] No firewall rules to display.
[Debug] Starting process /usr/sbin/iptables
[Debug] Started process with ID 323806
This is a little odd - I can't currently reproduce this on Debian.
The only thing that I am noticing is that your iptables output looks wrong - when using the -n flag it should be showing 0.0.0.0 rather than anywhere, but AMP is more than able to cope with that.
What's the output of whereis iptables?
Hmm, odd. This was a brand new AMP install in a clean Debian 12 container created using Proxmox 8 debian-12-standard_12.0-1_amd64.tar.zst template.
root@AMP:~# whereis iptables
iptables: /usr/sbin/iptables /usr/share/iptables /usr/share/man/man8/iptables.8.gz
root@AMP:~# iptables --version
iptables v1.8.9 (legacy)
I suspect this is some artefact of being in a container - because on a Debian VM you get nf_tables as the backend rather than legacy. That said it shouldn't matter that much, AMP just reads the output to know what rules are there and it's capable of tolerating the output not being in the numeric format.
I'm also having this issue. Network traffic / throughput is heavily affected, like can't use more than ~25Mb/s on a 1Gb/s link before CPU cores get maxed out. Hosted games on Target starting to stutter / lag / rubber band.
Is there a recommended solution to this?
sudo iptables -S | wc -l
100034
lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 12 (bookworm)
Release: 12
Codename: bookworm
cat /etc/debian_version
12.2
uname -a
Linux erosion 6.1.0-13-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.55-1 (2023-09-29) x86_64 GNU/Linux
ampinstmgr --version
[Info] AMP Instance Manager v2.4.6.6 built 05/10/2023 11:57
[Info] Stream: Mainline / Release - built by CUBECODERS/buildbot on CCL-DEV
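For a chain that has already accumulated copies like the ones reported above, the following added example (not from this thread and not AMP's own code) counts the surplus copies of each rule in `iptables -S` output and prints the `iptables -D` commands that would leave exactly one of each. The sample rules are constructed in `-S` format from the ports and comments shown in the report, and the function names are hypothetical; the `$` in comments such as `$ApplicationPort1` is escaped so the printed commands survive being pasted into a shell.

```shell
#!/bin/sh
# Added example (not AMP code): audit `iptables -S` output for duplicated rules.

# Constructed sample in `iptables -S` format, modelled on the rules in the report.
sample_rules() {
    cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 2223 -m comment --comment "AMP:ADS01:FileManagerPlugin.SFTP.SFTPPortNumber" -j ACCEPT
-A INPUT -p udp -m udp --dport 10101 -m comment --comment "AMP:Valheim01:GenericModule.App.Ports.$ApplicationPort1" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2223 -m comment --comment "AMP:ADS01:FileManagerPlugin.SFTP.SFTPPortNumber" -j ACCEPT
-A INPUT -p udp -m udp --dport 10101 -m comment --comment "AMP:Valheim01:GenericModule.App.Ports.$ApplicationPort1" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2223 -m comment --comment "AMP:ADS01:FileManagerPlugin.SFTP.SFTPPortNumber" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
EOF
}

# dup_report: read `iptables -S` text on stdin and print "<surplus copies><TAB><rule>"
# for every rule that appears more than once, in first-seen order.
dup_report() {
    awk '
        /^-A / {
            if (!($0 in seen)) order[++n] = $0
            seen[$0]++
        }
        END {
            for (i = 1; i <= n; i++)
                if (seen[order[i]] > 1)
                    printf "%d\t%s\n", seen[order[i]] - 1, order[i]
        }'
}

# dedup_commands: turn the report into one `iptables -D` per surplus copy.
# Nothing is executed; the commands are only printed for review.
dedup_commands() {
    dup_report | awk '{
        t = index($0, "\t")
        copies = substr($0, 1, t - 1) + 0
        spec = substr($0, t + 1)
        sub(/^-A /, "-D ", spec)
        for (i = 0; i < copies; i++) print "iptables " spec
    }' | sed 's/[$`]/\\&/g'   # keep $ and backticks in comments literal
}

# Demo on the constructed sample; on a live host: iptables -S INPUT | dedup_commands
sample_rules | dedup_commands
```

`iptables -D` with a rule specification removes the earliest matching copy, so the copy that survives is the last one in the chain; review the printed commands first if other rules sit between the duplicates.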
@mar3ld is this on bare metal or some kind of container?
This is solved in the latest development release.
Thanks. I've re-enabled firewall rules for my instances so I'll keep an eye on things.
That said, I've found another edge case where duplicate rules are created. After updating my instances, the licenses somehow ended up becoming invalid and so none of the instances would start (by the way, a user-friendly error message would be nice when an instance doesn't start, I had to search through logs to find the license issue).
As I was restarting my instances trying to figure out what was going on, I ended up with many duplicate rules and this seems to have stopped once I reactivated my licenses.