tammo

Exception: nft issue: exit:1; out:; err:Error: syntax e...le ip filter OUTPUT ip daddr xxx.xxx.xxx.xx counter accept ^^^^

Hello,

I am using Eddie 2.20.0-1 on Linux Manjaro KDE (installed from the AUR).
However, I only use the network lock, the actual openVPN connection runs via the network manager.
Unfortunately I had to arrange it this way, because otherwise Eddie always crashed at the latest after a few wakeups (of the operating system) from standby, respectively hung up (didn't react anymore).

The settings of Eddie/Network Lock are as follows:

Mode: Automatic
Incoming: Block
Outgoing: Block
Allow lan/private: Check
Allow DHCP: Check
Allow Ping: Check
Allow detected DNS: No Check
IPs allowed for incoming: No entry
IPs allowed for outgoing: No entry

So for the first few months, since I've been using Eddie only as a "killswitch" (network lock), it worked fine.
But lately from time to time a small window pops up from Eddie (minimized in tray), saying the following:
 

Exception: nft issue: exit:1; out:; err:Error: syntax e...le ip filter OUTPUT ip daddr xxx.xxx.xxx.xx counter accept ^^^^

(I made the IP address unrecognizable).

I have copied everything else including the punctuation.

I honestly can't do anything with it. What does this mean?

Translated with www.DeepL.com/Translator (free version).

9 minutes ago, tammo said:
Exception: nft issue: exit:1; out:; err:Error: syntax e...le ip filter OUTPUT ip daddr xxx.xxx.xxx.xx counter accept ^^^^

This doesn't look like the complete error message. There's a syntax e(rror) somewhere.
When it happens, please go to the Logs tab of Eddie and click the lifebelt icon on the right, then paste/upload the output here. Don't worry about the logs, they'll be part of the output, and so will the complete error. Thanks.

NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.

1 hour ago, OpenSourcerer said:

This doesn't look like the complete error message. ...
Maybe. That was what was displayed in the little popup. And then when I clicked on the Eddie icon in the tray to display the main Eddie window, that message was in the title bar of Eddie.
What I did not know is that I could have viewed the message again under Logs ...

Enclosed as a text file the log (lifebelt).

Eddie-protocoll.txt

PS: I had a closer look at the list under Logs (where the error messages are all stored) ... It shows that when the PC is on, this error message is generated every half hour.

@tammo

Hello!

The required syntax in some nft versions was different and the command issued by Eddie is incorrect for your version, hence the syntax error. A fix under this respect has been implemented in Eddie 2.21 beta, can you please test Eddie latest 2.21.3 beta version?

Please see here to download it:
https://airvpn.org/forums/topic/49638-eddie-desktop-221-beta-released/

We are looking forward to hearing from you.

Kind regards
 


Again to the version 2.20:
I noticed that when I restart Eddie, the error does not appear for a while. This can go on for hours or even days. But at some point the error message comes and from then on, always every 30 minutes (as long as the PC is on).
If I quit Eddie and restart, the error is gone again ...


Now I have installed the version 2.21.3, but unfortunately it does not work together with the Network Manager!
Means: OpenVPN is realized via the Network Manager and with Eddie only the Network Lock is activated.

Now nothing works with activated Network Lock (and established openVPN connection via Network Manager).
Then no internet connection is possible anymore! :(

I have not changed anything in the Eddie settings, I have only uninstalled the program and installed the new program version. The settings were still there afterwards (these are stored as far as I know under ~/.config/eddie).


I have now also tried again with version 2.21.3 to establish an openVPN connection (and to use the network lock).
But that only worked exactly once!
After waking up from standby for the first time, I got a lot of error messages and even after a reboot I can't get a connection with Eddie anymore.
I have attached the two logs, the first after waking up from standby, the second after a system reboot.

Translated with www.DeepL.com/Translator (free version)

Eddie-Systemreport.txt Eddie-Systemreport-2.txt


Can someone tell me then how to assess this error message from my first post? I mean, is this an IP leak or something?
Because, as it looks, I have to continue using Eddie version 2.20.0-1, since the newer beta 2.21.3 doesn't work for me at all.

The complete error message (concerning version 2.20) is attached as TXT file in the following post:
https://airvpn.org/forums/topic/50236-exception-nft-issue-exit1-out-errerror-syntax-ele-ip-filter-output-ip-daddr-xxxxxxxxxxx-counter-accept/?do=findComment&comment=173490

Since I went back to version 2.20 two days ago, however, the error message has not reappeared either. I have a suspicion that this is triggered by some program (maybe qBittorrent?).

6 hours ago, tammo said:

Can someone tell me then how to assess this error message from my first post? I mean, is this an IP leak or something?


No, a simple syntax error when calling the program nft. Between 2.20.0 and 2.21.3 there are many code changes, some of which may have changed how nft is called. We don't know as development versions are de-facto closed source.


OP,

I wanted to chime in here and let you know that I was having this exact issue on 6 of my systems.  I use NFT with bullseye as my firewall to prevent any connection before mounting Eddie.

When I switched to the Eddie 2.21.3 beta as Staff suggested above it fixed this issue completely.  This release feels very stable to me (not technically being called stable yet).   Once I installed it and verified it works slick and sure I set my source files list so that I have to manually approve any further experimental version updates.  This way even though I am using the beta version my systems will not update without my intervention.  When I notice a new release I can observe the forum for a few weeks to see if there are any glitches being noticed.  This method is safe and works well for me anyway!


This is all very strange!
While beta 2.21.3 seems to work fine for you, it is unusable for me.
(See my post https://airvpn.org/forums/topic/50236-exception-nft-issue-exit1-out-errerror-syntax-ele-ip-filter-output-ip-daddr-xxxxxxxxxxx-counter-accept/?do=findComment&comment=173498)

What Linux are you using, also Manjaro KDE?
Did you delete or leave the configuration under ~/.config/eddie when you switched?
 

On 2/9/2022 at 4:32 PM, iwih2gk said:

... I use NFT with bullseye as my firewall to prevent any connection before mounting Eddie.
 


You seem to be using Eddie the opposite way I do though. I only use the networklock, the openVPN connection I run via the networkmanager. Why? Because Eddie unfortunately always stops working after a few standbys (see post 1). It should actually then automatically reconnect after standby, but instead the program freezes and becomes unusable.

Since I installed the "stable" version 2.20 again after the beta did not work, however, the error has not occurred for me either! As I said, all very strange!

If it would go on like this, it would be good. But it leaves an uneasy feeling, especially since it was already written here that 2.20 is actually no longer properly compatible with my system.

@iwih2gk
If this is not too cumbersome ... can you explain the "I use NFT with bullseye as my firewall" a bit more?
I'm not really familiar with this stuff unfortunately! I only played around with IP tables in the past (which even worked!). But my current Linux seems to be based on NFT.
Because if Eddie (Networklock) doesn't work properly one day (again) (and the new version doesn't work at all for me at the moment) I would have no other choice than to try to realize a killswitch via NF-Tables.

Quote

@iwih2gk


If this is not too cumbersome ... can you explain the "I use NFT with bullseye as my firewall" a bit more?
I'm not really familiar with this stuff unfortunately! I only played around with IP tables in the past (which even worked!). But my current Linux seems to be based on NFT.
Because if Eddie (Networklock) doesn't work properly one day (again) (and the new version doesn't work at all for me at the moment) I would have no other choice than to try to realize a killswitch via NF-Tables.


My use is very unique as I will explain briefly. On my machines (the family use computers) I wanted to make SURE that no user goes online without being connected to an Airvpn tunnel. I accomplish this by writing a very simple NFT ruleset during system mount, which blocks any of my machines from going online ---- period! I pasted this elsewhere in the forum quite a while ago so I'll paste it here for any others that might like to use it. It's simple and works flawlessly.

#Paste ruleset:

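flush ruleset
table inet filter {
    chain input {
        # Drop all inbound traffic except loopback and replies to existing connections
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
    }

    chain forward {
        # This machine does not route traffic for others
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        # Drop all outbound traffic except loopback and LAN-to-LAN
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        ip saddr 192.168.0.0/16 ip daddr 192.168.0.0/16 accept
    }
}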

#End paste:

If you visualize this you will see that the internet is blocked at system mount.  Sure I could write a much more complicated script but it isn't needed since this simple one accomplishes the task without error.  Eddie is on all my family machine desktops and when Eddie is mounted the Airvpn client (Eddie) replaces my ruleset with the network locked on the client itself.  When Eddie is exited it writes back the NFT ruleset created at mount rendering the computer locked again.  So, in this simple fashion I am CERTAIN my  machines never go online without being connected to AirVpn and while still using the simplicity of Eddie to switch servers, connection modes, etc.... anytime I wish.

As the Admin of my machines I can easily temporarily suspend the ruleset by opening a terminal and using the simple command: sudo nft flush ruleset .  I use this command when I need access to LAN with only my raw ISP, but I don't allow my users to know this method at all.


I hope this helps.


Ah, I think I understand more or less! So you rely mainly on Eddie and want to protect yourself only for the moment additionally, as long as Eddie is not yet active (or is no longer active).

I would also like to do that, but unfortunately that is not an option for me. I would rather go the opposite way and do without Eddie completely.

Because as I have already written, Eddie does not work after a few times from standby awakening, he then no longer establishes a connection and freezes. The network lock still exists at this time.

But after I had this error message regarding the networklock (now strangely no longer, since I have reinstalled version 2.20 - hope of course, that remains as long as possible!) and the beta version 2.21.3 was not the solution for me, I will probably have no other option in the long term, as a self-built networklock / killswitch via NF-Tables to use and also openVPN via the network manager (which I currently already use, and that works very well).

So I would need NF tables that block everything except the openVPN connection via networkmanager and my internal network traffic running via LAN.

Really bummer that Eddie is running so poorly for me - now I had just recently renewed for three years!
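
A ruleset of the kind asked for in this post, as an added example that is not from any participant in the thread and not what Eddie itself generates: it extends the drop-by-default ruleset posted above so that only the tunnel, the encrypted OpenVPN transport to one server, and LAN traffic are allowed. The interface name tun0, the server address 203.0.113.10 (a documentation-range placeholder) and UDP port 1194 are assumptions to be replaced with the values from your own OpenVPN profile.

```nft
#!/usr/sbin/nft -f
# Added example. Assumed values (replace with your own):
#   tun0            tunnel interface created by OpenVPN / NetworkManager
#   203.0.113.10    VPN server entry IP (placeholder)
#   udp 1194        OpenVPN transport protocol and port
#   192.168.0.0/16  LAN range, as in the ruleset posted above

define VPN_IF     = "tun0"
define VPN_SERVER = 203.0.113.10
define VPN_PORT   = 1194
define LAN        = 192.168.0.0/16

flush ruleset

table inet killswitch {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ip saddr $LAN ip daddr $LAN accept
        # DHCP replies from the local router
        udp sport 67 udp dport 68 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        # Everything may leave through the tunnel
        oifname $VPN_IF accept
        # Outside the tunnel: only the encrypted OpenVPN transport to the server
        ip daddr $VPN_SERVER udp dport $VPN_PORT accept
        # LAN traffic and DHCP requests
        ip saddr $LAN ip daddr $LAN accept
        udp sport 68 udp dport 67 accept
        # Count packets that fall through to the drop policy (includes all IPv6)
        counter
    }
}
```

Running `nft -c -f` on the file checks the syntax against the installed nft version without loading anything, which catches the kind of syntax error discussed in this thread before the rules are applied. Because DNS is blocked outside the tunnel, the OpenVPN profile has to name the server by IP address rather than by hostname.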


I am pretty sure we could code your problems away on Linux Manjaro KDE but I don't know how much time you want to invest in the learning curve? I hope you don't take this wrong but is there a reason you are married to "Linux Manjaro KDE"? Would it be acceptable to simply swap distros to Debian Bullseye, etc..... That distro works perfectly out of the box with Eddie. Just a thought. We all have our favorites and I get that. It took me a long time to get really comfortable "under the hood" using Bullseye and NFT specifically. NFT completely out-classes the capabilities of IP tables so it's time to move on to NFT, although the learning curve was really sharp for me.

On 2/23/2022 at 11:58 PM, iwih2gk said:

... is there a reason you are married to "Linux Manjaro KDE"?  ...

How much time do you have for reading? :)

Well, first of all I wanted to get away from Windows (increasing restrictions, advertising, MS-Windows is going a way I don't want to go). After looking at the different Linux desktops it was clear: it should be KDE. Then I compared (at first mainly in the virtual machine) different systems that were as beginner-friendly as possible. (It should be noted: I have tried the switch for years, each time for a few months, but always failed, because sooner or later I got into an unsolvable dependency spiral and the systems then at some point no longer worked! Whereupon I always gave up for a while.)
Among the distributions were Linux Mint (when it was still available with KDE), OpenSuse (Leap and Tumbleweed), MX Linux (should have access to the same sources as Debian + some special MX Linux tools) and a few Arch based systems, e.g. ArcoLinux and Manjaro. I probably looked at some other stuff too, like KDE-Neon or Kubuntu, but I honestly can't even remember those!

The point is: my learning curve is rather flat, unfortunately!
But finally, on the third or fourth try, I did manage to get closer to one system, and that was Manjaro KDE. There may be many reasons for this, but now, months later, it is difficult to list them in detail. With Manjaro I simply got along best overall, it somehow ran the smoothest. There was some software that I only found there. By the way, I really like Pamac as a "software center" where you can manage software from the Manjaro repos, AUR, Flatpak and Snap together. By the way, I also thought it might not be bad to have a rolling release, because theoretically (!) you can always keep that and you have more up to date software (drivers, kernel and so on, but at the moment it's also more of a theoretical advantage than I really need that, but could change if I ever buy new hardware for example).
The software I needed also ran best under Manjaro. Of course this is not true for every single software, this is just an average, a view on the whole.
Also Eddie ran better under Manjaro than under MX Linux (Debian based). E.g. the setting "Don't ask elevation every run" just didn't work under MX Linux. And then I think Eddie could not be terminated more often, but maybe I'm confusing this with e.g. OpenSuse. Also to what extent Eddie froze after a once awakening from standby with MX Linux I don't know anymore.
Last but not least Manjaro has one or the other forum in my language.

In short, after a few months of more or less successfully switching to Linux, I'm glad that I got my system set up with (for my circumstances and my possibilities) a lot of effort.
But I did not become a real Linuxer. And that's why I can't imagine switching to Debian at the moment ... that would be very tedious for me.

And to "learn" and understand the topic of NF-Tables, so that I could really build something myself, I don't think will happen anymore (due to lack of time and also, honestly, mental capacities!).

With iptables, for example, I stole some stuff from a forum in my language. There was discussed by chance pretty much exactly what I needed (at another VPN provider). But to learn it myself, I would not have managed.

Now I finally know what was meant by the "bullseye": That's the code name of Debian 11!

Staff has given me a lot of homework with the AirVPN suite! :) I would have to look now first, what that is ... but I will honestly also postpone that again, probably until it is no longer otherwise. As long as the network lock of Eddie now works properly again with me, I use it.
The AirVPN suite seems to be without a GUI and is aimed more at advanced users. The documentation alone is very extensive (and I understand hardly anything there).
I would have to learn a longer time, if I would succeed at all.
