Failed to import the iplist

[AlexNBY]

Hi,

after running the "geoip-shell-install.sh" and answering the questions i got this error message:

Parsing ip list for 'DE_ipv4'... Ok.
Validating 'DE_ipv4'... Ok.
Validated subnets for 'DE_ipv4': 10649.

Parsing ip list for 'DE_ipv6'... Ok.
Validating 'DE_ipv6'... Ok.
Validated subnets for 'DE_ipv6': 3025.

Adding ip set 'DE_4_2024-10-31'... netlink: Error: Could not process rule: Message too long
Destroying temporary ipsets...
apply: Error: Failed to import the iplist from '/tmp/geoip-shell/DE_ipv4.iplist' into ip set 'DE_4_2024-10-31'.
manage: Warning: Discrepancy detected between the firewall state and the config file.
manage: Warning: missing ip lists in the firewall: 'DE_ipv4 DE_ipv6'
manage: Error: Failed to apply geoip-shell config.
install: Error: geoip-shell-manage.sh exited with error code 1.
root@nginx:~/geoip-shell-0.5.10# sh geoip-shell-install.sh 

i hope someone can help me

[friendly-bits]

Hi, what's the output of sudo sysctl -a | grep wmem

[AlexNBY]

sysctl: Zugriff verweigert auf Schlüssel »kernel.apparmor_display_secid_mode«
sysctl: Zugriff verweigert auf Schlüssel »kernel.apparmor_restrict_unprivileged_io_uring«
sysctl: Zugriff verweigert auf Schlüssel »kernel.apparmor_restrict_unprivileged_userns_complain«
sysctl: Zugriff verweigert auf Schlüssel »kernel.apparmor_restrict_unprivileged_userns_force«
sysctl: Zugriff verweigert auf Schlüssel »kernel.cad_pid«
sysctl: Zugriff verweigert auf Schlüssel »kernel.unprivileged_userns_apparmor_policy«
sysctl: Zugriff verweigert auf Schlüssel »kernel.usermodehelper.bset«
sysctl: Zugriff verweigert auf Schlüssel »kernel.usermodehelper.inheritable«
net.ipv4.tcp_wmem = 4096        16384   4194304
net.ipv4.udp_wmem_min = 4096
vm.lowmem_reserve_ratio = 256   256     32      0       0
sysctl: Zugriff verweigert auf Schlüssel »vm.mmap_rnd_bits«
sysctl: Zugriff verweigert auf Schlüssel »vm.mmap_rnd_compat_bits«
sysctl: Zugriff verweigert auf Schlüssel »vm.stat_refresh«

Zugriff verweigert auf Schlüssel = permission denied
maybe the problem is, that its a unprivileged lxc container?

[friendly-bits]

This definitely has something to do with running inside a container, but I'm not entirely sure what's causing this. References to this error message I can find are all related to using large sets inside a container. The suggested workarounds are to increase the value of wmem.max on the host. I think it's safe to try this (on the host):
sudo sysctl -w net.core.wmem_max=16777216
If that works, add this line to /etc/sysctl.conf on the host:

net.core.wmem_max = 16777216

to make this permanent.

References:
https://www.reddit.com/r/Proxmox/comments/scnoav/lxc_container_debian_11_nftables_geoblocking/
http://git.netfilter.org/nftables/commit/?id=375505a4a8068bf7cb623e18c3aedb831c17fd0e

If this doesn't work, you could try with a newer kernel...

[AlexNBY]

unfortunately increasing the value did not worked and i already have the newest kernel.
i will try it again with a privileged container and will let you know

[friendly-bits]

I'm not sure if updating the wmem_max value takes immediate effect inside the container. One thing you could try would be restarting the container after issuing the command sudo sysctl -w net.core.wmem_max=16777216 on the host.

Also, what's the output of sudo nft --version?

[AlexNBY]

It works now! First I changed the value on the host and restarted the container. Unfortunately, that didn't help. Then I started the container as privileged, which didn't help either.
Then I noticed that the checkbox for "nesting" was checked (I don't know why it was activated). I unchecked it and then it worked. It seems to be a wild combination of everything.

I would like to thank you for your help and your great project.
Is there a way I can buy you a coffee?

[friendly-bits]

Glad you got it working! No need to buy a coffee. Your research may help other people and that's a welcome contribution. I'll link to this issue somewhere in the readme.