nft INPUT chain does not filter through cPanel-HostAccessControl chain
I was hoping there might be a way to inspect the details behind CPANEL-49983, which was fixed in a recent release. I'm trying to track down an issue on my server that may or may not be related to that fix. I can't find any place to inspect such records.
-
Hey there! Unless we create an article to go with the case, these are generally not accessible. If you let me know what specific info you're looking for related to that case I can likely find out.
0 -
I was having an issue where no matter what you put into Host Access Control, it had no effect. I was wondering if it was related to CPANEL-49983, but the problem my hosting provider found looks suspiciously identical to CPANEL-47070 instead. Originally I was interested to find out what the actual cause of CPANEL-49983 was so I could figure out if anything I did had triggered it; now the same curiosity has moved to CPANEL-47070 since I've never done any playing with the input chain, but maybe something I do play with had a side effect.
0 -
No, I wouldn't expect that to be related to CPANEL-49983.
The best information for CPANEL-47070 is likely here: https://support.cpanel.net/hc/en-us/community/posts/32788800309655
0 -
On my server, the line in the input chain that jumped into (through?) the cpHulk and Host Access Control chains just flat wasn't there one day. I was curious if some bug in cPanel was causing that, and what triggered it.
0 -
That one I'm not sure about as I haven't heard of them just going missing after they've been working for some time.
0 -
OK, the problem persists and I know more about it now.
As a result of the issue described here, I'm storing the nft chain for Host Access Control permanently at /etc/sysconfig/nftables.conf, a file that didn't exist previously so I wasn't overwriting anything. It's worked perfectly for maintaining the persistence of the rules across reboots, but it's uncovered another problem that looks an AWFUL lot like how CPANEL-47070 is described.
Every time I reboot the system for any reason, the "jump cPanel-HostAccessControl" line disappears from the input chain.
Today, I rebooted the system, logged in immediately with ssh, and did "nft list ruleset" over and over. Initially, I see only the cPanel-HostAccessControl chain as loaded from /etc/sysconfig/nftables.conf. After 20 seconds or so, I see other chains being added, presumably from wherever cPanel keeps its persistent copies: cphulk-TempBan, cphulk, and INPUT. But the INPUT chain always consists of
    chain INPUT {
        type filter hook input priority filter; policy accept;
        counter packets 15 bytes 852 jump cphulk
    }

where there should be a "jump cPanel-HostAccessControl" between those two rules.
I've jerried up a (somewhat unwieldy) manual procedure to stuff it back in there (if I forget, I am reminded by the dozens of "IP address X has been blocked for too many bad ssh passwords" messages I begin accumulating), but I have to do it every reboot.
Does this fit the profile of the original symptom of CPANEL-47070? I'm running 13.0.23, so that bug is supposed to be fixed in it.
(I'm wondering if maybe cPanel gens up the INPUT chain on the fly, and leaves that line out on the basis of, "*I* didn't create such a chain, so there mustn't be one"?)
0 -
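The manual "stuff it back in after every reboot" procedure described in the post above can be reduced to a small check-and-repair script. This is an added example, not code from the poster or from cPanel: it reads only the INPUT chain, confirms that a "jump cPanel-HostAccessControl" rule is present and sits before the "jump cphulk" rule, and re-inserts it at the top of the chain if it is missing. The table family and name ("ip filter") are an assumption; the chain and rule names come from the post. A constructed copy of the post-reboot chain listing is embedded so the checks can be exercised without a live nft.

```shell
#!/bin/sh
# Check that the INPUT chain still jumps into cPanel-HostAccessControl, and
# restore the jump if a reboot dropped it. Not cPanel's code; an added example.

TABLE_FAMILY="ip"       # assumption: adjust to the family/table seen in `nft list ruleset`
TABLE_NAME="filter"     # assumption
HAC_CHAIN="cPanel-HostAccessControl"   # chain name from the post
CPHULK_CHAIN="cphulk"                  # chain name from the post

# Constructed sample: the INPUT chain exactly as the post shows it after a reboot
# (the jump to cPanel-HostAccessControl is missing).
SAMPLE_RULESET='table ip filter {
	chain INPUT {
		type filter hook input priority filter; policy accept;
		counter packets 15 bytes 852 jump cphulk
	}
}'

# Constructed sample: the state the post says the chain should be in.
SAMPLE_RULESET_FIXED='table ip filter {
	chain INPUT {
		type filter hook input priority filter; policy accept;
		jump cPanel-HostAccessControl
		counter packets 15 bytes 852 jump cphulk
	}
}'

# Exit 0 if the chain listing passed as $1 contains a jump to the HAC chain.
hac_jump_present() {
    printf '%s\n' "$1" | grep -q "jump $HAC_CHAIN"
}

# Exit 0 if no "jump cphulk" line appears before the "jump cPanel-HostAccessControl"
# line (i.e. Host Access Control is consulted before cPHulk, as the post expects).
hac_jump_ordered() {
    printf '%s\n' "$1" | awk -v hac="jump $HAC_CHAIN" -v hulk="jump $CPHULK_CHAIN" '
        index($0, hac)  { seen_hac = 1 }
        index($0, hulk) && !seen_hac { bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# The nft command that puts the jump back at the top of INPUT. `nft insert rule`
# places the rule before the existing rules, so it lands ahead of "jump cphulk".
hac_fix_command() {
    printf 'nft insert rule %s %s INPUT jump %s' "$TABLE_FAMILY" "$TABLE_NAME" "$HAC_CHAIN"
}

# Live check against the running kernel ruleset; repairs only if needed.
ensure_hac_jump() {
    chain=$(nft list chain "$TABLE_FAMILY" "$TABLE_NAME" INPUT 2>/dev/null) || {
        echo "could not list $TABLE_FAMILY $TABLE_NAME INPUT (is nft installed / are you root?)" >&2
        return 2
    }
    if hac_jump_present "$chain" && hac_jump_ordered "$chain"; then
        echo "INPUT already jumps to $HAC_CHAIN before $CPHULK_CHAIN"
        return 0
    fi
    echo "INPUT is missing (or mis-orders) the jump to $HAC_CHAIN; reinserting"
    nft insert rule "$TABLE_FAMILY" "$TABLE_NAME" INPUT jump "$HAC_CHAIN"
}

case "${1:-}" in
    --apply) ensure_hac_jump ;;
    *)  # dry run on the constructed samples
        if hac_jump_present "$SAMPLE_RULESET"; then echo "sample: jump present"; else echo "sample: jump MISSING"; fi
        echo "would run: $(hac_fix_command)"
        ;;
esac
```

Run it with `--apply` as root after boot (for example from a cron `@reboot` entry or a systemd oneshot). Because the post observes cPanel recreating the INPUT chain some 20 seconds after login, the script has to run after that rebuild, or be retried a few times, otherwise the rule it inserts will be replaced along with the chain.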
This does sound like 47070 but that hasn't been resolved yet.
0 -
My mistake -- I was remembering CPANEL-49983, which did get fixed. It actually makes me feel better knowing that it's still an open bug.
0
8 comments