Nftables mode of firewall bouncer

crowdsec
1

Hye,

How can I see the blacklisted list IP in nftables mode ?
in iptables/ipset mode I was using ipset list, and can see a list of IP blacklisted…

But in nftables mode, I cannot get IP elements !?

root@LPM:~# nft list tables
table ip crowdsec
table ip6 crowdsec6
root@LPM:~# nft list table crowdsec
table ip crowdsec {
	set crowdsec_blocklist {
		type ipv4_addr
	}

	chain crowdsec_chain {
		type filter hook input priority filter; policy accept;
		ip saddr @crowdsec_blocklist drop
	}
}
root@LPM:~# nft list chains
table ip crowdsec {
	chain crowdsec_chain {
		type filter hook input priority filter; policy accept;
	}
}
table ip6 crowdsec6 {
	chain crowdsec6_chain {
		type filter hook input priority filter; policy accept;
	}
}
root@LPM:~# nft list ruleset
table ip crowdsec {
	set crowdsec_blocklist {
		type ipv4_addr
	}

	chain crowdsec_chain {
		type filter hook input priority filter; policy accept;
		ip saddr @crowdsec_blocklist drop
	}
}
table ip6 crowdsec6 {
	set crowdsec6_blocklist {
		type ipv6_addr
	}

	chain crowdsec6_chain {
		type filter hook input priority filter; policy accept;
		ip6 saddr @crowdsec6_blocklist drop
	}
}
root@LPM:~# 

root@LPM:~# nft list set ip crowdsec crowdsec_blocklist
table ip crowdsec {
	set crowdsec_blocklist {
		type ipv4_addr
	}
}

root@LPM:~# tail /var/log/crowdsec-firewall-bouncer.log 
time="31-08-2021 15:29:44" level=info msg="backend type : nftables"
time="31-08-2021 15:29:44" level=info msg="nftables initiated"
time="31-08-2021 15:29:44" level=info msg="Processing new and deleted decisions . . ."
time="31-08-2021 15:29:46" level=info msg="deleting '5187' decisions"
time="31-08-2021 15:33:12" level=info msg="adding '1224' decisions"
time="31-08-2021 15:34:47" level=info msg="adding '72' decisions"
time="31-08-2021 15:36:14" level=info msg="deleting '39' decisions"
time="31-08-2021 15:36:24" level=info msg="deleting '72' decisions"
2

Hello,

I am able to list the content of the set with sudo nft list set ip crowdsec crowdsec_blocklist.

One explanation for your issue could be that you are running the command too soon after starting the bouncer.
Removing all the IPs from the set takes a bit of time, during which it will appear empty, this might be the reason.

3

Yes, tried the command today, and I get IP results :
nft list set ip crowdsec crowdsec_blocklist

Thanks…