LAPI stream mode doesn't return active decision when filtering origin "crowdsec"
https://github.com/crowdsecurity/crowdsec/issues/3373
I just made this bug report since it clearly looks like a bug to me, but does anyone have any idea how to fix it ?
GitHub
LAPI stream mode doesn't return active decision when filtering orig...
What happened? LAPI stram mode doesn't return active decision when filtering origin "crowdsec" but will when using querry mode What did you expect to happen? The active decision shoul...
26 Replies
Important Information
This post has been marked as resolved. If this is a mistake please press the red button below or type
/unresolve© Created By WhyAydan for CrowdSec ❤️
Hello,
Can you provide the output of
cscli decisions list ?
crowdsec origin means a local automated decision, so you won't get anything from CAPI in this case (origin can be CAPI , lists), from cscli (origin can be cscli or cscli-import or from the console for the paid plans (console origin)
Seems to work fine for me:
I do want only the local automated decision. I don't want to fill my firewall with the CAPI IPs
In my issue I decribed using
curl --header "X-Api-Key: <REDACTED>" "http://127.0.0.1:8080/v1/decisions?origins=crowdsec&scenarios_containing=ssh&scopes=Ip&startup=true" -s and having a valid result (duplicated decisions since the bouncer didn't work)
However the stream api with the startup argument did not return anything (exact same parameters) curl --header "X-Api-Key: <REDACTED>" "http://127.0.0.1:8080/v1/decisions/stream?origins=crowdsec&scenarios_containing=ssh&scopes=Ip&startup=true" -swhen you did the request for
/stream, are you 100% sure you had specified startup=true ? (assuming you did the request after the non-stream one)
that's really weird, as you can see from my example, it seems to work just fine (i'm filtering on http- instead of ssh, but this has no practical impact)Copy pasted the cmd from the terminal
i may have an idea
can you run
cscli decisions list --all | grep 103.216.116.126 ?
this IP is part of the community blocklist so you may already have a decision for it coming from CAPI, and crowdsec might be a bit confused when it comes to choosing which decisions to takeI think that's the issue. But I really don't want to fill my firewall
I've seen it in the CAPI list when testing
But that shouldn't prevent a local decision from being returned. They are 2 different ones, not one with multiples origin (wich is not possible)
We only take the longest available decision if you have multiple decisions on the same IP.
I need to check the code, but I guess the condition for the duration takes priority and we do not even consider the local one
and what's the reason for not wanting to have every decisions in your firewall ?
What kind of firewall is it ? I only know about very few firewalls that cannot deal with a few 10s of thousands of IPs in a blocklist
but yes, that's indeed a bug, I'll answer to the issue with the details about the duplicated decision with CAPI
It's a ASUSTOR Nas, with a old firewall that does not support ipset
or nft
I had to make a custom bouncer to work with it.
https://gitea.ar2000.me/AR2000/crowdsec-legacy-firewall-bouncer
Gitea
crowdsec-legacy-firewall-bouncer
Crowdsec firewall bouncer for systems that does not support ipset. Base on crowdsec-custom-bouncer
I see
The official firewall bouncer doesn't know how to handle such old firewall
yeah, we require ipset
I don't think I ever remember seeing a machine where ipset was not supported 😄
something that could be important (although if you are ignoring decisions from CAPI, probably not): the custom bouncer supports feeding the decisions to your script standard input, it's much faster than the default behaviour of calling your script for each decision
https://www.ldlc.com/fiche/PB00561760.html?offerId=AR202307060013
OS : ADM 4.3.3.RC92
uname -a : Linux jacinthe 5.13.x #1 SMP Mon Dec 9 00:11:50 CST 2024 x86_64 GNU/LinuxASUSTOR Nimbustor 4 Gen 2 AS5404T - Serveur NAS - LDLC
Achat Serveur NAS ASUSTOR Nimbustor 4 Gen 2 AS5404T (AS5404T) sur LDLC, n°1 du high-tech. Barebone Serveur NAS 4 baies - Intel Celeron N5105 4 Go Dual LAN 2.5 GbE.
Maybe I'll update it someday. But for now it work perfectly (in theory)
is it running a custom linux version or something (or custom kernbel that cannot load modules) ?
as it seems to support docker, the kernel cannot be that old
idk. I just know that ipset is not a thing, and iptable-nft will return a error
https://github.com/crowdsecurity/crowdsec/issues/3373#issuecomment-2554198963
A easy fix would be to apply the origin filters first when looking for the decision
GitHub
LAPI stream mode doesn't return active decision when filtering orig...
What happened? LAPI stram mode doesn't return active decision when filtering origin "crowdsec" but will when using querry mode What did you expect to happen? The active decision shoul...
can you try to add
dedup=false to your curl query ? (although I don't think it's supported in the custom bouncer 😦 )
yes that would be the idea, but it could be a little bit trickier than that: we had some performance issues with this exact query in the past when running on mysqlIt work
fair reason to not do it like that
at least, that confirms the issue, when setting this parameter, we don't do the check for the duration
I just checked, we don't even expose the parameter in our API client
so you'd have to basically reimplement an entire bouncer to work around this (it would be very barebones, but still)
and the custom bouncer doesn't support the querry api, only the stream one. It would have been a valid workaround since the querry api return the correct result
Thx a lot for the info. It didn't help, but at least I know what is happening, and that it is taken seriously by the team
btw ^^ :
I don't know if I'll ever do it, but it's in the issue list
Gitea
Support reading input from stdin for performance increase
something that could be important (although if you are ignoring decisions from CAPI, probably not): the custom bouncer supports feeding the decisions to your script standard input, it's much faster than the default behaviour of calling your script for each decisionFrom crowdsec team discord...
Resolving LAPI stream mode doesn't return active decision when filtering origin "crowdsec"
This has now been resolved. If you think this is a mistake please run
/unresolve