Error in crowdsec-firewall-bouncer log

Hello all,

I am seeing the below errors in crowdsec-firewall-bouncer -

time="12-03-2024 07:34:31" level=error msg="set destroy error : exit status 1 - ipset v7.17: Set cannot be destroyed: it is in use by a kernel component\n"
time="12-03-2024 07:34:31" level=fatal msg="process terminated with error: received SIGTERM"
time="12-03-2024 07:34:31" level=error msg="error while removing set entry in iptables : exit status 1 --> iptables: Bad rule (does a matching rule exist in that chain?).\n"
time="12-03-2024 07:34:31" level=error msg="error while removing set entry in iptables : exit status 1 --> iptables: Bad rule (does a matching rule exist in that chain?).\n"
time="12-03-2024 07:34:32" level=error msg="error while removing set entry in iptables : exit status 1 --> iptables: Bad rule (does a matching rule exist in that chain?).\n"
time="12-03-2024 07:34:33" level=error msg="error while removing set entry in iptables : exit status 1 --> ip6tables: Bad rule (does a matching rule exist in that chain?).\n"
time="12-03-2024 07:34:33" level=error msg="error while removing set entry in iptables : exit status 1 --> ip6tables: Bad rule (does a matching rule exist in that chain?).\n"
time="12-03-2024 07:34:33" level=error msg="error while removing set entry in iptables : exit status 1 --> ip6tables: Bad rule (does a matching rule exist in that chain?).\n"
time="12-03-2024 07:34:34" level=error msg="set destroy error : exit status 1 - ipset v7.17: Set cannot be destroyed: it is in use by a kernel component\n"
time="12-03-2024 07:34:34" level=error msg="set destroy error : exit status 1 - ipset v7.17: Set cannot be destroyed: it is in use by a kernel component\n"
time="12-03-2024 07:34:34" level=error msg="error while removing set entry in iptables : exit status 1 --> iptables: Bad rule (does a matching rule exist in that chain?).\n"
time="12-03-2024 07:34:34" level=error msg="error while removing set entry in iptables : exit status 1 --> iptables: Bad rule (does a matching rule exist in that chain?).\n"
time="12-03-2024 07:34:34" level=error msg="error while removing set entry in iptables : exit status 1 --> iptables: Bad rule (does a matching rule exist in that chain?).\n"
time="12-03-2024 07:34:35" level=error msg="error while removing set entry in iptables : exit status 1 --> ip6tables: Bad rule (does a matching rule exist in that chain?).\n"
time="12-03-2024 07:34:35" level=error msg="error while removing set entry in iptables : exit status 1 --> ip6tables: Bad rule (does a matching rule exist in that chain?).\n"
time="12-03-2024 07:34:35" level=error msg="error while removing set entry in iptables : exit status 1 --> ip6tables: Bad rule (does a matching rule exist in that chain?).\n"

Please advise.

Thanks.

help me help me help me
please 🙂

It seems it cannot find the iptables rules. Do you have any external automations like UFW?

No, just iptables, no ufw or nft.

Okay, can you stop the firewall bouncer then flush the tables? If you have any pre-saved rules using iptables-save, these will be lost until you re-run the command. However, iptables-save may be causing the issue.

I did per your instructions and now I see -

pkts bytes target     prot opt in     out     source               destination         
 0     0    DROP       all  --  any    any     anywhere             anywhere             match-set crowdsec-blacklists src

in these chains viz. INPUT, FORWARD and DOCKER-USER.

But the earlier posted errors in the firewall-bouncers remain.

Edit -
Posting the output of iptables -L -v for reference

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
3002K 7217M MAILCOW    all  --  any    any     anywhere             anywhere             /* mailcow */
   37  2220 DROP       all  --  any    any     anywhere             anywhere             match-set crowdsec-blacklists src

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  28M 6269M MAILCOW    all  --  any    any     anywhere             anywhere             /* mailcow */
  289 16020 DROP       all  --  any    any     anywhere             anywhere             match-set crowdsec-blacklists src
  47M   11G DOCKER-USER  all  --  any    any     anywhere             anywhere            
  47M   11G DOCKER-ISOLATION-STAGE-1  all  --  any    any     anywhere             anywhere            
68507   84M ACCEPT     all  --  any    br-d367e697ec9d  anywhere             anywhere             ctstate RELATED,ESTABLISHED
 2167  128K DOCKER     all  --  any    br-d367e697ec9d  anywhere             anywhere            
42122   34M ACCEPT     all  --  br-d367e697ec9d !br-d367e697ec9d  anywhere             anywhere            
 1643 98580 ACCEPT     all  --  br-d367e697ec9d br-d367e697ec9d  anywhere             anywhere            
 137K  207M ACCEPT     all  --  any    br-6c8a8a8cb928  anywhere             anywhere             ctstate RELATED,ESTABLISHED
 1121 67260 DOCKER     all  --  any    br-6c8a8a8cb928  anywhere             anywhere            
 8087 1072K ACCEPT     all  --  br-6c8a8a8cb928 !br-6c8a8a8cb928  anywhere             anywhere            
 1121 67260 ACCEPT     all  --  br-6c8a8a8cb928 br-6c8a8a8cb928  anywhere             anywhere            
    0     0 ACCEPT     all  --  any    docker0  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  any    docker0  anywhere             anywhere            
    0     0 ACCEPT     all  --  docker0 !docker0  anywhere             anywhere            
    0     0 ACCEPT     all  --  docker0 docker0  anywhere             anywhere            
  11M 4399M ACCEPT     all  --  any    br-c728babc3830  anywhere             anywhere             ctstate RELATED,ESTABLISHED
  841 50460 DOCKER     all  --  any    br-c728babc3830  anywhere             anywhere            
   45  4054 ACCEPT     all  --  br-c728babc3830 !br-c728babc3830  anywhere             anywhere            
  841 50460 ACCEPT     all  --  br-c728babc3830 br-c728babc3830  anywhere             anywhere            
  53M 9896M ACCEPT     all  --  any    br-94af337920c8  anywhere             anywhere             ctstate RELATED,ESTABLISHED
 1562 93720 DOCKER     all  --  any    br-94af337920c8  anywhere             anywhere            
 7784  437K ACCEPT     all  --  br-94af337920c8 !br-94af337920c8  anywhere             anywhere            
 1562 93720 ACCEPT     all  --  br-94af337920c8 br-94af337920c8  anywhere             anywhere            
    0     0 ACCEPT     all  --  any    br-91eedf386e54  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  any    br-91eedf386e54  anywhere             anywhere            
    0     0 ACCEPT     all  --  br-91eedf386e54 !br-91eedf386e54  anywhere             anywhere            
    0     0 ACCEPT     all  --  br-91eedf386e54 br-91eedf386e54  anywhere             anywhere            
8880K 2065M ACCEPT     all  --  any    br-82838f93c317  anywhere             anywhere             ctstate RELATED,ESTABLISHED
77608 4656K DOCKER     all  --  any    br-82838f93c317  anywhere             anywhere            
 468K   38M ACCEPT     all  --  br-82838f93c317 !br-82838f93c317  anywhere             anywhere            
77608 4656K ACCEPT     all  --  br-82838f93c317 br-82838f93c317  anywhere             anywhere            
3817K  540M ACCEPT     all  --  any    br-mailcow  anywhere             anywhere             ctstate RELATED,ESTABLISHED
 417K   26M DOCKER     all  --  any    br-mailcow  anywhere             anywhere            
 327K   42M ACCEPT     all  --  br-mailcow !br-mailcow  anywhere             anywhere            
 416K   26M ACCEPT     all  --  br-mailcow br-mailcow  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER (8 references)
 pkts bytes target     prot opt in     out     source               destination         
  738 39520 ACCEPT     tcp  --  !br-mailcow br-mailcow  anywhere             172.22.1.2           tcp dpt:8443
  455 24495 ACCEPT     tcp  --  !br-mailcow br-mailcow  anywhere             172.22.1.2           tcp dpt:http
    0     0 ACCEPT     tcp  --  !br-c728babc3830 br-c728babc3830  anywhere             172.19.0.2           tcp dpt:2342
    0     0 ACCEPT     tcp  --  !br-94af337920c8 br-94af337920c8  anywhere             172.23.0.4           tcp dpt:http
    0     0 ACCEPT     tcp  --  !br-82838f93c317 br-82838f93c317  anywhere             172.25.0.6           tcp dpt:http
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  anywhere             172.22.1.6           tcp dpt:8983
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  anywhere             172.22.1.249         tcp dpt:redis
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  anywhere             172.22.1.10          tcp dpt:mysql
  524 29884 ACCEPT     tcp  --  !br-d367e697ec9d br-d367e697ec9d  anywhere             192.168.32.2         tcp dpt:https
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  anywhere             172.22.1.250         tcp dpt:12345
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  anywhere             172.22.1.250         tcp dpt:sieve
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  anywhere             172.22.1.250         tcp dpt:pop3s
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  anywhere             172.22.1.250         tcp dpt:imaps
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  anywhere             172.22.1.250         tcp dpt:imap2
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  anywhere             172.22.1.250         tcp dpt:pop3
    7   356 ACCEPT     tcp  --  !br-mailcow br-mailcow  anywhere             172.22.1.253         tcp dpt:submission
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  anywhere             172.22.1.253         tcp dpt:submissions
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  anywhere             172.22.1.253         tcp dpt:smtp

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
42122   34M DOCKER-ISOLATION-STAGE-2  all  --  br-d367e697ec9d !br-d367e697ec9d  anywhere             anywhere            
 8087 1072K DOCKER-ISOLATION-STAGE-2  all  --  br-6c8a8a8cb928 !br-6c8a8a8cb928  anywhere             anywhere            
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  anywhere             anywhere            
   45  4054 DOCKER-ISOLATION-STAGE-2  all  --  br-c728babc3830 !br-c728babc3830  anywhere             anywhere            
 7784  437K DOCKER-ISOLATION-STAGE-2  all  --  br-94af337920c8 !br-94af337920c8  anywhere             anywhere            
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  br-91eedf386e54 !br-91eedf386e54  anywhere             anywhere            
 468K   38M DOCKER-ISOLATION-STAGE-2  all  --  br-82838f93c317 !br-82838f93c317  anywhere             anywhere            
 327K   42M DOCKER-ISOLATION-STAGE-2  all  --  br-mailcow !br-mailcow  anywhere             anywhere            
  79M   18G RETURN     all  --  any    any     anywhere             anywhere            

Chain DOCKER-ISOLATION-STAGE-2 (8 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  any    br-d367e697ec9d  anywhere             anywhere            
    0     0 DROP       all  --  any    br-6c8a8a8cb928  anywhere             anywhere            
    0     0 DROP       all  --  any    docker0  anywhere             anywhere            
    0     0 DROP       all  --  any    br-c728babc3830  anywhere             anywhere            
    0     0 DROP       all  --  any    br-94af337920c8  anywhere             anywhere            
    0     0 DROP       all  --  any    br-91eedf386e54  anywhere             anywhere            
    0     0 DROP       all  --  any    br-82838f93c317  anywhere             anywhere            
    0     0 DROP       all  --  any    br-mailcow  anywhere             anywhere            
1002K  145M RETURN     all  --  any    any     anywhere             anywhere            

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  any    any     anywhere             anywhere             match-set crowdsec-blacklists src
  79M   18G RETURN     all  --  any    any     anywhere             anywhere            

Chain MAILCOW (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       tcp  --  !br-mailcow br-mailcow  anywhere             anywhere             /* mailcow isolation */
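
Added example, not part of the thread: ipset refuses to destroy a set while any iptables rule still references it, which is what "in use by a kernel component" in the log reports, so this helper lists every chain and rule position in `iptables -L -v` output that still matches on a given set. The function name `set_refs` and the embedded sample (a trimmed copy of the listing posted above) are constructed for illustration.

```shell
#!/bin/sh
# set_refs SETNAME: read `iptables -L -v` output on stdin and print
# "<chain> <position> <target>" for every rule that matches on SETNAME.
# No output means nothing in that listing references the set any more.
# Assumes every rule has a target (-j), so field 3 is the target column.
set_refs() {
    awk -v set="$1" '
        $1 == "Chain" { chain = $2; pos = 0; next }   # "Chain INPUT (policy ...)"
        $1 == "pkts" || NF == 0 { next }              # column header or blank line
        {
            pos++                                     # 1-based position in the chain
            for (i = 1; i < NF; i++)
                if ($i == "match-set" && $(i + 1) == set) {
                    print chain, pos, $3
                    break
                }
        }
    '
}

# Constructed sample: a shortened version of the listing posted in the thread.
SAMPLE=$(cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
3002K 7217M MAILCOW    all  --  any    any     anywhere             anywhere             /* mailcow */
   37  2220 DROP       all  --  any    any     anywhere             anywhere             match-set crowdsec-blacklists src

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  28M 6269M MAILCOW    all  --  any    any     anywhere             anywhere             /* mailcow */
  289 16020 DROP       all  --  any    any     anywhere             anywhere             match-set crowdsec-blacklists src
  47M   11G DOCKER-USER  all  --  any    any     anywhere             anywhere

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  any    any     anywhere             anywhere             match-set crowdsec-blacklists src
  79M   18G RETURN     all  --  any    any     anywhere             anywhere
EOF
)

# On a live host: iptables -L -v | set_refs crowdsec-blacklists
printf '%s\n' "$SAMPLE" | set_refs crowdsec-blacklists
```

The same function works on `ip6tables -L -v` output with the name of the IPv6 set; the set can only be destroyed once neither listing references it.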