Found unexpected rule --comment '"CNI' #449

Open
DennisGaida opened this issue Dec 14, 2022 · 7 comments

Comments

@DennisGaida
Contributor

Describe the bug
Checked /var/log/messages and every couple of seconds I get the error message Dream-Router ubios-udapi-server[3290]: firewall: Found unexpected rule --comment '"CNI'.

Checking iptables -S | grep CNI I see the following rules:

-N CNI-ADMIN
-N CNI-FORWARD
-A FORWARD -m comment --comment "CNI firewall plugin rules" -j CNI-FORWARD
-A CNI-FORWARD -m comment --comment "CNI firewall plugin admin overrides" -j CNI-ADMIN

To Reproduce
Steps to reproduce the behavior:

  1. Install CNI tools / plugins: https://github.com/unifi-utilities/unifios-utilities/blob/main/cni-plugins/05-install-cni-plugins.sh
  2. Observe /var/log/messages

Expected behavior
I suppose there shouldn't be any error messages / unexpected rules? Or maybe this is related to Unifi not knowing about these rules?

UDM Information

  • UDR
  • Firmware Version: v3.0.13
  • Controller Version 7.3.76
@bennettp123
Contributor

Same

  • UDM
  • Firmware version: 2.4.23
  • Controller version: 7.3.76
root@udm0-office:/data/on_boot.d# ubnt-device-info summary; echo
Device information summary:
        Subsystem ID: ea11
              Family: UniFi Dream Machine (UDM)
               Model: UniFi Dream Machine (UDM)
 Default MAC address: (removed)
Default IPv4 address: 127.0.0.1
            Firmware: 2.4.23 (2.4.23)

@boostchicken
Member

This rule is created by the firewall CNI plugin. Make sure your CNI plugins are up to date and that you're not using firewall.

@DennisGaida
Contributor Author

I'm not quite sure I understand what you are saying @boostchicken. Are you saying this isn't an issue of unifi-utilities but of https://github.com/containernetworking?

I installed the latest version of the CNI-plugins, i.e. v1.2.0, and I still receive this message in /var/log/messages. I'm not sure about "not using firewall" - UniFi always has the firewall up or are you talking about anything in particular?

@boostchicken
Member

-A FORWARD -m comment --comment "CNI firewall plugin rules" -j CNI-FORWARD
-A CNI-FORWARD -m comment --comment "CNI firewall plugin admin overrides" -j CNI-ADMIN

Those rules are absolutely made by the CNI plugins, when and where I am not sure.

@DennisGaida
Contributor Author

DennisGaida commented Jan 18, 2023

To me it appears like Unifi is checking iptables rules and those not coming from Unifi are marked as "unexpected". Checking the rules, I see that Unifi rules have some kind of ID, e.g. (00000001095216660285):

-A UBIOS_POSTROUTING_USER_HOOK -o ppp0 -m comment --comment 00000001095216660285 -j MASQUERADE

the iptables rules generated by CNI(?) don't have these IDs and have comments such as the following:

-A CNI-<id> -d 10.88.0.0/16 -m comment --comment "name: \"podman\" id: \"<very-long-id>\"" -j ACCEPT

Currently I get the following warnings in /var/log/messages every minute (!):

2023-01-18T09:41:33+01:00 Dream-Router ubios-udapi-server[4601]: firewall: Found unexpected rule --comment '"CNI'
2023-01-18T09:41:33+01:00 Dream-Router ubios-udapi-server[4601]: firewall: Found unexpected rule --comment '"name:'
2023-01-18T09:41:33+01:00 Dream-Router ubios-udapi-server[4601]: firewall: Found unexpected rule --comment '"name:'
2023-01-18T09:41:33+01:00 Dream-Router ubios-udapi-server[4601]: firewall: Found unexpected rule --comment '"name:'
2023-01-18T09:41:33+01:00 Dream-Router ubios-udapi-server[4601]: firewall: Found unexpected rule --comment '"dnat'
2023-01-18T09:41:33+01:00 Dream-Router ubios-udapi-server[4601]: firewall: Found unexpected rule --comment '"CNI'
2023-01-18T09:41:33+01:00 Dream-Router ubios-udapi-server[4601]: firewall: Found unexpected rule --comment '"CNI'
2023-01-18T09:41:33+01:00 Dream-Router ubios-udapi-server[4601]: firewall: Found unexpected rule --comment '"CNI'

And since more containers mean more iptables rules, there will be more warnings. I believe these warnings will be generated by anyone using current unifi software. Maybe we will need some documentation on this in the installation documentation such as here: https://github.com/unifi-utilities/unifios-utilities/tree/main/container-common

Currently these warnings don't do anything besides spamming the logs. Similar warnings were already noted in another issue: #49

I found a German blogpost detailing the same warnings (https://nerdig.es/udm-pro-netzwerktrennung-2/) and it states that the solution is to create iptables rules without comments. I don't think you can change the way CNI-plugins work, but you may be able to remove the comments from the existing rules.
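The comment above describes how the rules can be told apart: UniFi-owned rules carry a 20-digit numeric comment, while the CNI rules carry free-text comments that show up truncated in the warning. The script below is an added example (not code from this repo or from UniFi) that audits `iptables -S` output on that basis and predicts which rules will be reported; the sample rules are constructed from the ones quoted in this issue, the 20-digit-ID rule is an assumption drawn from the single example here, and the truncation behaviour is inferred from the log lines above.

```python
import re
import shlex

# Constructed sample of `iptables -S` output, modelled on the rules quoted in this issue.
SAMPLE_RULES = r"""
-N CNI-ADMIN
-N CNI-FORWARD
-A FORWARD -m comment --comment "CNI firewall plugin rules" -j CNI-FORWARD
-A CNI-FORWARD -m comment --comment "CNI firewall plugin admin overrides" -j CNI-ADMIN
-A CNI-abc123 -d 10.88.0.0/16 -m comment --comment "name: \"podman\" id: \"abc123\"" -j ACCEPT
-A UBIOS_POSTROUTING_USER_HOOK -o ppp0 -m comment --comment 00000001095216660285 -j MASQUERADE
"""

# Assumption: UniFi recognises its own rules by a 20-digit numeric comment, as in the issue.
UNIFI_ID = re.compile(r"^\d{20}$")
RAW_COMMENT = re.compile(r"--comment\s+(\S+)")


def parse_comment(rule: str):
    """Return the full --comment string of one `iptables -S` line, or None if it has none."""
    tokens = shlex.split(rule)  # handles "..." quoting and the \" escapes CNI emits
    for i, tok in enumerate(tokens):
        if tok == "--comment" and i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def warning_token(rule: str):
    """Comment as it appears in the warning: the raw token cut at the first space.

    Inferred from the log lines in this issue, which show the opening quote and
    the first word only ('"CNI', '"name:', '"dnat').
    """
    m = RAW_COMMENT.search(rule)
    return m.group(1) if m else None


def audit_rules(rules_text: str):
    """Return the commented rules that UniFi would log as unexpected."""
    unexpected = []
    for line in rules_text.strip().splitlines():
        comment = parse_comment(line)
        if comment is None:
            continue  # chain definitions and uncommented rules carry nothing to flag
        if UNIFI_ID.match(comment):
            continue  # UniFi-managed rule
        unexpected.append({"rule": line, "comment": comment, "warning": warning_token(line)})
    return unexpected


if __name__ == "__main__":
    for item in audit_rules(SAMPLE_RULES):
        print(f"firewall: Found unexpected rule --comment '{item['warning']}'  <- {item['comment']}")
```

On a device, feed it the real output with `iptables -S` to see which rules account for the repeated warnings and how many to expect per container.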

@boostchicken
Member

You could open an issue in the CNI repo and send them a PR to fix it

@DennisGaida
Contributor Author

I sure could, if I was an expert in creating iptables rules. Since this is a warning that Unifi creates, I don't think CNI will care about it. Maybe there could be a switch like "create rules without comments" when using CNI, but I don't see that happening soon.

I still believe we need a note in unifios-utilities that the warnings created by Unifi don't mean anything - just that Unifi doesn't know the rules. When searching for the CNI installation, it is referenced many times throughout this repo: https://github.com/search?q=repo%3Aunifi-utilities%2Funifios-utilities%20install-cni-plugins.sh&type=code and once people install newer versions of Unifi, they will all receive this warning.

Maybe the best way would be to have a README in https://github.com/unifi-utilities/unifios-utilities/tree/main/cni-plugins and update all references that call directly for running 05-install-cni-plugins.sh to link to that README instead.
