OpenWrt 22.03.0: crowdsec-firewall-bouncer problem

I updated my OpenWrt router today to new version 22.03.0 of OpenWrt.

The crowdsec-firewall-bouncer package is missing.

After installing the package from 21.02.3 branch, the bouncer is available, but seems to be broken / not working with the OpenWrt implementation.

As OpenWrt 23.03.0 is now based on nftables I tried to set up the CrowdSec bouncer accordingly.

  • Regardless of using configuration setting set-only true or false, the CrowdSec bouncer always creates new table and chain.
  • The chain is always hooked into input chain. I need it to be in forward chain (running on a router, not a server).
  • Even when I define the table and chain manually as described on documentation, the CrowdSec bouncer always overwrites this and defines the table and chain hooking into input chain.

This is my crowdsec-firewall-bouncer.yaml:

root@OpenWrt:/tmp/etc/crowdsec/bouncers# cat crowdsec-firewall-bouncer.yaml 
mode: nftables
pid_dir: /var/run/
update_frequency: 10s
daemonize: true
log_mode: file
log_dir: /var/log/
log_level: info
api_url: http://cs-lapi:8014/
api_key: xxxxxxxxxxxxxxxxxxxxx
disable_ipv6: false
deny_action: DROP
deny_log: true
  - ban
#to change log prefix
#deny_log_prefix: "crowdsec: "
#to change the blacklists name
#blacklists_ipv4: crowdsec-blacklists
#blacklists_ipv6: crowdsec6-blacklists
#if present, insert rule in those chains
#  - INPUT
## nftables
    enabled: true
    set-only: true
    table: crowdsec
    chain: crowdsec-chain
    enabled: true
    set-only: true
    table: crowdsec6
    chain: crowdsec6-chain

What’s the problem?

1 Like