Hello all,
I am seeing the below errors in crowdsec-firewall-bouncer -
time="12-03-2024 07:34:31" level=error msg="set destroy error : exit status 1 - ipset v7.17: Set cannot be destroyed: it is in use by a kernel component\n"
time="12-03-2024 07:34:31" level=fatal msg="process terminated with error: received SIGTERM"
time="12-03-2024 07:34:31" level=error msg="error while removing set entry in iptables : exit status 1 --> iptables: Bad rule (does a matching rule exist in that chain?).\n"
time="12-03-2024 07:34:31" level=error msg="error while removing set entry in iptables : exit status 1 --> iptables: Bad rule (does a matching rule exist in that chain?).\n"
time="12-03-2024 07:34:32" level=error msg="error while removing set entry in iptables : exit status 1 --> iptables: Bad rule (does a matching rule exist in that chain?).\n"
time="12-03-2024 07:34:33" level=error msg="error while removing set entry in iptables : exit status 1 --> ip6tables: Bad rule (does a matching rule exist in that chain?).\n"
time="12-03-2024 07:34:33" level=error msg="error while removing set entry in iptables : exit status 1 --> ip6tables: Bad rule (does a matching rule exist in that chain?).\n"
time="12-03-2024 07:34:33" level=error msg="error while removing set entry in iptables : exit status 1 --> ip6tables: Bad rule (does a matching rule exist in that chain?).\n"
time="12-03-2024 07:34:34" level=error msg="set destroy error : exit status 1 - ipset v7.17: Set cannot be destroyed: it is in use by a kernel component\n"
time="12-03-2024 07:34:34" level=error msg="set destroy error : exit status 1 - ipset v7.17: Set cannot be destroyed: it is in use by a kernel component\n"
time="12-03-2024 07:34:34" level=error msg="error while removing set entry in iptables : exit status 1 --> iptables: Bad rule (does a matching rule exist in that chain?).\n"
time="12-03-2024 07:34:34" level=error msg="error while removing set entry in iptables : exit status 1 --> iptables: Bad rule (does a matching rule exist in that chain?).\n"
time="12-03-2024 07:34:34" level=error msg="error while removing set entry in iptables : exit status 1 --> iptables: Bad rule (does a matching rule exist in that chain?).\n"
time="12-03-2024 07:34:35" level=error msg="error while removing set entry in iptables : exit status 1 --> ip6tables: Bad rule (does a matching rule exist in that chain?).\n"
time="12-03-2024 07:34:35" level=error msg="error while removing set entry in iptables : exit status 1 --> ip6tables: Bad rule (does a matching rule exist in that chain?).\n"
time="12-03-2024 07:34:35" level=error msg="error while removing set entry in iptables : exit status 1 --> ip6tables: Bad rule (does a matching rule exist in that chain?).\n"
Please advise.
Thanks.
help me help me help me
please
It seems it cannot find the iptables rules. Do you have any external automations like UFW?
No, just iptables, no ufw or nft.
Okay, can you stop the firewall bouncer, then flush the tables? If you have any pre-saved rules using iptables-save, these will be lost until you re-run the command. However, iptables-save may be causing the issue.
I did per your instructions and now I see -
pkts bytes target prot opt in out source destination
0 0 DROP all -- any any anywhere anywhere match-set crowdsec-blacklists src
in these chains viz. INPUT, FORWARD and DOCKER-USER.
But the earlier posted errors in the firewall-bouncer remain.
Edit - posting the output of iptables -L -v for reference:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
3002K 7217M MAILCOW all -- any any anywhere anywhere /* mailcow */
37 2220 DROP all -- any any anywhere anywhere match-set crowdsec-blacklists src
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
28M 6269M MAILCOW all -- any any anywhere anywhere /* mailcow */
289 16020 DROP all -- any any anywhere anywhere match-set crowdsec-blacklists src
47M 11G DOCKER-USER all -- any any anywhere anywhere
47M 11G DOCKER-ISOLATION-STAGE-1 all -- any any anywhere anywhere
68507 84M ACCEPT all -- any br-d367e697ec9d anywhere anywhere ctstate RELATED,ESTABLISHED
2167 128K DOCKER all -- any br-d367e697ec9d anywhere anywhere
42122 34M ACCEPT all -- br-d367e697ec9d !br-d367e697ec9d anywhere anywhere
1643 98580 ACCEPT all -- br-d367e697ec9d br-d367e697ec9d anywhere anywhere
137K 207M ACCEPT all -- any br-6c8a8a8cb928 anywhere anywhere ctstate RELATED,ESTABLISHED
1121 67260 DOCKER all -- any br-6c8a8a8cb928 anywhere anywhere
8087 1072K ACCEPT all -- br-6c8a8a8cb928 !br-6c8a8a8cb928 anywhere anywhere
1121 67260 ACCEPT all -- br-6c8a8a8cb928 br-6c8a8a8cb928 anywhere anywhere
0 0 ACCEPT all -- any docker0 anywhere anywhere ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- any docker0 anywhere anywhere
0 0 ACCEPT all -- docker0 !docker0 anywhere anywhere
0 0 ACCEPT all -- docker0 docker0 anywhere anywhere
11M 4399M ACCEPT all -- any br-c728babc3830 anywhere anywhere ctstate RELATED,ESTABLISHED
841 50460 DOCKER all -- any br-c728babc3830 anywhere anywhere
45 4054 ACCEPT all -- br-c728babc3830 !br-c728babc3830 anywhere anywhere
841 50460 ACCEPT all -- br-c728babc3830 br-c728babc3830 anywhere anywhere
53M 9896M ACCEPT all -- any br-94af337920c8 anywhere anywhere ctstate RELATED,ESTABLISHED
1562 93720 DOCKER all -- any br-94af337920c8 anywhere anywhere
7784 437K ACCEPT all -- br-94af337920c8 !br-94af337920c8 anywhere anywhere
1562 93720 ACCEPT all -- br-94af337920c8 br-94af337920c8 anywhere anywhere
0 0 ACCEPT all -- any br-91eedf386e54 anywhere anywhere ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- any br-91eedf386e54 anywhere anywhere
0 0 ACCEPT all -- br-91eedf386e54 !br-91eedf386e54 anywhere anywhere
0 0 ACCEPT all -- br-91eedf386e54 br-91eedf386e54 anywhere anywhere
8880K 2065M ACCEPT all -- any br-82838f93c317 anywhere anywhere ctstate RELATED,ESTABLISHED
77608 4656K DOCKER all -- any br-82838f93c317 anywhere anywhere
468K 38M ACCEPT all -- br-82838f93c317 !br-82838f93c317 anywhere anywhere
77608 4656K ACCEPT all -- br-82838f93c317 br-82838f93c317 anywhere anywhere
3817K 540M ACCEPT all -- any br-mailcow anywhere anywhere ctstate RELATED,ESTABLISHED
417K 26M DOCKER all -- any br-mailcow anywhere anywhere
327K 42M ACCEPT all -- br-mailcow !br-mailcow anywhere anywhere
416K 26M ACCEPT all -- br-mailcow br-mailcow anywhere anywhere
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain DOCKER (8 references)
pkts bytes target prot opt in out source destination
738 39520 ACCEPT tcp -- !br-mailcow br-mailcow anywhere 172.22.1.2 tcp dpt:8443
455 24495 ACCEPT tcp -- !br-mailcow br-mailcow anywhere 172.22.1.2 tcp dpt:http
0 0 ACCEPT tcp -- !br-c728babc3830 br-c728babc3830 anywhere 172.19.0.2 tcp dpt:2342
0 0 ACCEPT tcp -- !br-94af337920c8 br-94af337920c8 anywhere 172.23.0.4 tcp dpt:http
0 0 ACCEPT tcp -- !br-82838f93c317 br-82838f93c317 anywhere 172.25.0.6 tcp dpt:http
0 0 ACCEPT tcp -- !br-mailcow br-mailcow anywhere 172.22.1.6 tcp dpt:8983
0 0 ACCEPT tcp -- !br-mailcow br-mailcow anywhere 172.22.1.249 tcp dpt:redis
0 0 ACCEPT tcp -- !br-mailcow br-mailcow anywhere 172.22.1.10 tcp dpt:mysql
524 29884 ACCEPT tcp -- !br-d367e697ec9d br-d367e697ec9d anywhere 192.168.32.2 tcp dpt:https
0 0 ACCEPT tcp -- !br-mailcow br-mailcow anywhere 172.22.1.250 tcp dpt:12345
0 0 ACCEPT tcp -- !br-mailcow br-mailcow anywhere 172.22.1.250 tcp dpt:sieve
0 0 ACCEPT tcp -- !br-mailcow br-mailcow anywhere 172.22.1.250 tcp dpt:pop3s
0 0 ACCEPT tcp -- !br-mailcow br-mailcow anywhere 172.22.1.250 tcp dpt:imaps
0 0 ACCEPT tcp -- !br-mailcow br-mailcow anywhere 172.22.1.250 tcp dpt:imap2
0 0 ACCEPT tcp -- !br-mailcow br-mailcow anywhere 172.22.1.250 tcp dpt:pop3
7 356 ACCEPT tcp -- !br-mailcow br-mailcow anywhere 172.22.1.253 tcp dpt:submission
0 0 ACCEPT tcp -- !br-mailcow br-mailcow anywhere 172.22.1.253 tcp dpt:submissions
0 0 ACCEPT tcp -- !br-mailcow br-mailcow anywhere 172.22.1.253 tcp dpt:smtp
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
42122 34M DOCKER-ISOLATION-STAGE-2 all -- br-d367e697ec9d !br-d367e697ec9d anywhere anywhere
8087 1072K DOCKER-ISOLATION-STAGE-2 all -- br-6c8a8a8cb928 !br-6c8a8a8cb928 anywhere anywhere
0 0 DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 anywhere anywhere
45 4054 DOCKER-ISOLATION-STAGE-2 all -- br-c728babc3830 !br-c728babc3830 anywhere anywhere
7784 437K DOCKER-ISOLATION-STAGE-2 all -- br-94af337920c8 !br-94af337920c8 anywhere anywhere
0 0 DOCKER-ISOLATION-STAGE-2 all -- br-91eedf386e54 !br-91eedf386e54 anywhere anywhere
468K 38M DOCKER-ISOLATION-STAGE-2 all -- br-82838f93c317 !br-82838f93c317 anywhere anywhere
327K 42M DOCKER-ISOLATION-STAGE-2 all -- br-mailcow !br-mailcow anywhere anywhere
79M 18G RETURN all -- any any anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (8 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- any br-d367e697ec9d anywhere anywhere
0 0 DROP all -- any br-6c8a8a8cb928 anywhere anywhere
0 0 DROP all -- any docker0 anywhere anywhere
0 0 DROP all -- any br-c728babc3830 anywhere anywhere
0 0 DROP all -- any br-94af337920c8 anywhere anywhere
0 0 DROP all -- any br-91eedf386e54 anywhere anywhere
0 0 DROP all -- any br-82838f93c317 anywhere anywhere
0 0 DROP all -- any br-mailcow anywhere anywhere
1002K 145M RETURN all -- any any anywhere anywhere
Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- any any anywhere anywhere match-set crowdsec-blacklists src
79M 18G RETURN all -- any any anywhere anywhere
Chain MAILCOW (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- !br-mailcow br-mailcow anywhere anywhere /* mailcow isolation */
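A small diagnostic added here to illustrate the two errors in the thread; it is not from the thread or from the bouncer's own code. Given `iptables -S` style output, it lists the chains that still hold a rule matching on the ipset (while any such rule exists, `ipset destroy` fails with "in use by a kernel component") and prints the exact `iptables -D` command each rule needs, since a `-D` that does not match the rule as loaded is what produces "Bad rule". The sample rules are constructed to mirror the INPUT, FORWARD and DOCKER-USER chains posted above; the set name defaults to crowdsec-blacklists.

```shell
#!/bin/sh
# Constructed sample of `iptables -S` output, modelled on the chains shown in the thread.
SAMPLE_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N DOCKER-USER
-N MAILCOW
-A INPUT -m comment --comment mailcow -j MAILCOW
-A INPUT -m set --match-set crowdsec-blacklists src -j DROP
-A FORWARD -m comment --comment mailcow -j MAILCOW
-A FORWARD -m set --match-set crowdsec-blacklists src -j DROP
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -m set --match-set crowdsec-blacklists src -j DROP
-A DOCKER-USER -j RETURN'

# chains_referencing SETNAME : chains (one per line, deduplicated) whose rules
# match on SETNAME. Reads rules from stdin. Only "-A" lines are rules.
chains_referencing() {
    awk -v set="$1" '
        $1 == "-A" {
            for (i = 2; i < NF; i++)
                if ($i == "--match-set" && $(i + 1) == set) { print $2; break }
        }' | LC_ALL=C sort -u
}

# count_references SETNAME : number of rules referencing SETNAME.
# Zero is the precondition for `ipset destroy SETNAME` to succeed.
count_references() {
    awk -v set="$1" '
        $1 == "-A" && index($0, "--match-set " set " ") { n++ }
        END { print n + 0 }'
}

# delete_commands SETNAME : the iptables -D command for each referencing rule,
# built from the rule text itself so it matches exactly as loaded.
delete_commands() {
    awk -v set="$1" '
        $1 == "-A" && index($0, "--match-set " set " ") {
            sub(/^-A/, "iptables -D"); print
        }'
}

main() {
    set_name="${1:-crowdsec-blacklists}"
    echo "chains still referencing $set_name:"
    printf '%s\n' "$SAMPLE_RULES" | chains_referencing "$set_name"
    echo "rules to delete before 'ipset destroy $set_name' can succeed:"
    printf '%s\n' "$SAMPLE_RULES" | delete_commands "$set_name"
}

main "$@"
```

On a live host the same functions take the real ruleset, e.g. `iptables -S | chains_referencing crowdsec-blacklists` (root required); for the ip6tables errors feed `ip6tables -S` and the IPv6 set name from the bouncer config instead.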