OpenWrt 22.03.0: crowdsec-firewall-bouncer problem

I updated my OpenWrt router today to new version 22.03.0 of OpenWrt.

The crowdsec-firewall-bouncer package is missing.

After installing the package from the 21.02.3 branch, the bouncer is available, but it seems to be broken / not working with the OpenWrt implementation.

As OpenWrt 22.03.0 is now based on nftables, I tried to set up the CrowdSec bouncer accordingly.

  • Regardless of whether the configuration setting set-only is true or false, the CrowdSec bouncer always creates a new table and chain.
  • The chain is always hooked into the input chain. I need it to be in the forward chain (running on a router, not a server).
  • Even when I define the table and chain manually as described in the documentation, the CrowdSec bouncer always overwrites this and defines the table and chain hooked into the input chain.

This is my crowdsec-firewall-bouncer.yaml:

root@OpenWrt:/tmp/etc/crowdsec/bouncers# cat crowdsec-firewall-bouncer.yaml 
mode: nftables
pid_dir: /var/run/
update_frequency: 10s
daemonize: true
log_mode: file
log_dir: /var/log/
log_level: info
api_url: http://cs-lapi:8014/
api_key: xxxxxxxxxxxxxxxxxxxxx
disable_ipv6: false
deny_action: DROP
deny_log: true
supported_decisions_types:
  - ban
#to change log prefix
#deny_log_prefix: "crowdsec: "
#to change the blacklists name
#blacklists_ipv4: crowdsec-blacklists
#blacklists_ipv6: crowdsec6-blacklists
#if present, insert rule in those chains
#iptables_chains:
#  - INPUT
#  - FORWARD
#  - DOCKER-USER
## nftables
nftables:
  ipv4:
    enabled: true
    set-only: true
    table: crowdsec
    chain: crowdsec-chain
  ipv6:
    enabled: true
    set-only: true
    table: crowdsec6
    chain: crowdsec6-chain

What’s the problem?

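Added example (not part of the original post, and not CrowdSec's own code): a POSIX sh script that emits the nft commands to pre-create the table, set and chain that a set-only bouncer is expected to fill, with the chain hooked into forward instead of input, plus a small check that reads `nft list ruleset` output and reports which hook a chain is actually attached to. Table and chain names are the ones from the posted config; the set names are the `blacklists_ipv4` / `blacklists_ipv6` defaults shown commented out in the posted config. That the bouncer only manages the set in set-only mode, the `forward` hook, and `priority 0` are assumptions of this example, and the ruleset text at the end is a constructed sample showing the symptom described above (chain hooked into input), not output captured from the router.

```shell
#!/bin/sh
# Added example, not from the original post or the CrowdSec project.
# Generates nftables objects for a set-only CrowdSec bouncer on a router and
# checks which hook a chain ended up on.

# Emit nft commands for one address family.
# $1 = family (ip|ip6)  $2 = table  $3 = set  $4 = chain  $5 = hook (input|forward)
# Assumption: in set-only mode the bouncer fills an existing set and leaves
# the table/chain alone, so the chain can be hooked wherever the router needs it.
crowdsec_nft_rules() {
    family=$1; table=$2; set=$3; chain=$4; hook=$5
    case "$family" in
        ip)  addr=ipv4_addr ;;
        ip6) addr=ipv6_addr ;;
        *)   return 1 ;;
    esac
    printf 'add table %s %s\n' "$family" "$table"
    # "flags timeout" lets the bouncer add elements with a TTL matching the decision duration.
    printf 'add set %s %s %s { type %s; flags timeout; }\n' "$family" "$table" "$set" "$addr"
    # priority 0 is an assumption; a lower value runs the chain before the default filter chains.
    printf 'add chain %s %s %s { type filter hook %s priority 0; policy accept; }\n' \
        "$family" "$table" "$chain" "$hook"
    # "$family saddr" expands to "ip saddr" or "ip6 saddr".
    printf 'add rule %s %s %s %s saddr @%s counter drop\n' \
        "$family" "$table" "$chain" "$family" "$set"
}

# Print the hook a chain is attached to, parsing `nft list ruleset` text on stdin.
# $1 = table name  $2 = chain name. Prints nothing if the chain is not found.
chain_hook() {
    awk -v tbl="$1" -v ch="$2" '
        # enter the wanted table; depth tracks nested { } blocks (sets, chains)
        $1 == "table" && $3 == tbl && $NF == "{" { in_t = 1; depth = 1; next }
        in_t && $1 == "}" { depth--; if (depth == 0) in_t = 0; if (depth == 1) in_c = 0; next }
        in_t && $NF == "{" { depth++; if ($1 == "chain" && $2 == ch) in_c = 1; next }
        # inside the wanted chain: the word after "hook" is the hook name
        in_c { for (i = 1; i < NF; i++) if ($i == "hook") { print $(i + 1); exit } }
    '
}

# Constructed sample of `nft list ruleset` output reproducing the reported
# symptom: the bouncer's chain hooked into input rather than forward.
SAMPLE_RULESET=$(cat <<'EOF'
table ip crowdsec {
    set crowdsec-blacklists {
        type ipv4_addr
        flags timeout
    }

    chain crowdsec-chain {
        type filter hook input priority filter; policy accept;
        ip saddr @crowdsec-blacklists counter packets 0 bytes 0 drop
    }
}
EOF
)

# Demo: the rules a router would load, then the hook found in the sample.
crowdsec_nft_rules ip  crowdsec  crowdsec-blacklists  crowdsec-chain  forward
crowdsec_nft_rules ip6 crowdsec6 crowdsec6-blacklists crowdsec6-chain forward
printf 'crowdsec-chain in sample is hooked into: %s\n' \
    "$(printf '%s\n' "$SAMPLE_RULESET" | chain_hook crowdsec crowdsec-chain)"
```

On the router itself the generated lines can be fed to `nft -f -` before the bouncer starts; afterwards `nft list ruleset | sh this-script.sh`-style checks (calling `chain_hook crowdsec crowdsec-chain`) tell you whether the bouncer replaced the chain with an input-hooked one, which is the behaviour the post describes. Note that a forward-hooked chain only sees transit traffic; if the router also exposes services of its own, a second chain on the input hook referencing the same set is needed.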