CC_DENY match-set is not created anymore (Sets cannot be swapped)

Posted: 11 Jul 2017, 16:21
by Smjork
Hello

I have a very weird problem on a server which has CSF/LFD installed. For a long time CSF/LFD worked just fine. But today, while watching some logs, I noticed that countries which are in CC_DENY were not blocked anymore.
Trying to understand this problem, I first blamed GeoIP, but no, GeoIP data is updated and my geoiplookup <ip> responses are correct.
Then, to my surprise, I think I found out why those countries are not blocked anymore: the CC_DENY ipset is no longer created.
My /var/log/lfd.log is full of entries like (see a fragment below):

[...] CC: Extracting zone from GeoLite Country IPv6 database for [IQ]
[...] CC: Repopulating ipset cc_6_cn with IP addresses from [CN]
[...] IPSET: loading set new_6_cn with 1301 entries
[...] IPSET: switching set new_6_cn to cc_6_cn
[...] *Error* IPSET: [ipset v6.11: Sets cannot be swapped: the second set does not exist]

... while other ipsets are re-created and loaded as usual

[...] Retrieved and blocking blocklist SPAMDROP IP address ranges
[...] IPSET: loading set new_SPAMDROP with 53 entries
[...] IPSET: switching set new_SPAMDROP to bl_SPAMDROP

I read somewhere that we need to restart both csf and lfd services. I did it multiple times. Same result.
I tried "csf -ra", "service csf stop, service lfd stop" (and then start) ... no difference.

My "csf -l" listing shows no cc_deny set (see below):
[...]
Chain CC_DENY (0 references)
num pkts bytes target prot opt in out source destination
[...]
Chain SPAMDROP (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set bl_SPAMDROP src
[...]

Any idea on how to solve this? Do I need to delete something to force a "clean" re-create of those ipsets?

Re: CC_DENY match-set is not created anymore (Sets cannot be swapped)

Posted: 29 May 2018, 02:56
by PrescientInfo
Same problem here.

IPSET: [ipset v6.11: Sets cannot be swapped: the second set does not exist]
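
An added example, not part of either post and not CSF/LFD code: a small Python check that scans lfd.log text in the shape quoted in this thread and reports every ipset whose most recent swap attempt logged an error, so a rule set that has silently stopped being populated is noticed. The sample lines are constructed, and it assumes the error line directly follows the "switching set" line it belongs to, as in the quoted fragment.

```python
import re

# Constructed sample in the shape of the lfd.log fragments quoted in the thread
# ("[...]" stands in for the timestamp/host prefix that is elided there).
SAMPLE_LOG = """\
[...] CC: Repopulating ipset cc_6_cn with IP addresses from [CN]
[...] IPSET: loading set new_6_cn with 1301 entries
[...] IPSET: switching set new_6_cn to cc_6_cn
[...] *Error* IPSET: [ipset v6.11: Sets cannot be swapped: the second set does not exist]
[...] Retrieved and blocking blocklist SPAMDROP IP address ranges
[...] IPSET: loading set new_SPAMDROP with 53 entries
[...] IPSET: switching set new_SPAMDROP to bl_SPAMDROP
"""

SWITCH = re.compile(r"IPSET: switching set (\S+) to (\S+)")
ERROR = re.compile(r"\*Error\* IPSET: \[(.*)\]")


def failed_swaps(log_text):
    """Map each target ipset to the error from its most recent swap attempt.

    Sets whose latest swap logged no error are left out of the result.
    Assumption: the error is written on the line directly after the
    'switching set' line it belongs to, as in the quoted fragment.
    """
    last_result = {}  # target set -> error text, or None if no error followed
    pending = None    # target of the 'switching' line seen on the previous line
    for line in log_text.splitlines():
        switch = SWITCH.search(line)
        if switch:
            pending = switch.group(2)
            last_result[pending] = None
            continue
        error = ERROR.search(line)
        if error and pending:
            last_result[pending] = error.group(1)
        pending = None
    return {name: err for name, err in last_result.items() if err}


if __name__ == "__main__":
    for name, err in failed_swaps(SAMPLE_LOG).items():
        print(f"{name}: swap failed ({err})")
```

Run against the real log by passing the contents of /var/log/lfd.log to `failed_swaps`; a set that keeps appearing in the result is one whose matching chain should be checked in the "csf -l" listing.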