failed to intialize firewall: firewall support not found

[glanc]

testing netmaker 0.18.4. netclient ver 0.18.4, on all ubuntu hosts most on 22.04.2 lts with nftables active (iptables-nft), I've all these errors in the netclient docker version: "[netclient] 2023-03-30 10:16:30 Starting firewall...
[netclient] 2023-03-30 10:16:30 iptables is not supported, using nftables
[netclient] 2023-03-30 10:16:30 failed to intialize firewall: firewall support not found" and also this error:"[netclient] 2023-03-30 10:21:29 error adding route no such device". The netclient version is 0.18.4, Ubuntu 22.04.2 LTS and iptables v1.8.7 (nf_tables), nftables v1.0.2 (Lester Gooch). The errors shows up only if I configure egress option on the hosts to reach internal subnets. The routes seems to be correctly added to the rest of the allowed nodes but I can ping only the ip of the node exposing the internal subnet. If I manually add an nft rule to masquerade the outgoing interface (like ens18) I can then ping all the internal hosts. If you need further info just le me know.

[glanc]

testing 0.18.5 and same problem: [netclient] 2023-03-31 13:49:50 Starting firewall...
[netclient] 2023-03-31 13:49:50 iptables is not supported, using nftables
[netclient] 2023-03-31 13:49:50 failed to intialize firewall: firewall support not found

[jalbstmeijer]

Had the same issue, using netclient 0.18.x in Docker.

investigating the logs further I found;

netclient  | ./netclient.sh: line 5: wg: command not found
netclient  | [netclient] joining network

The netclient Docker image seems to be missing the wireguard-tools pakage.

For now fixed it by overriding the entrypoint in docker-compose.

entrypoint: bash -c "apk add wireguard-tools; /bin/bash netclient.sh"

I don't get the firewall error after this anymore.

[FADEC44]

For now fixed it by overriding the entrypoint in docker-compose.

entrypoint: bash -c "apk add wireguard-tools; /bin/bash netclient.sh"

I don't get the firewall error after this anymore.

Have you upgraded to v0.20.0? This workaround no longer works for me after upgrading. Getting "firewall support not found" again.

Update: Appears to be working with this entrypoint override

bash -c "apk add ip6tables ;/bin/bash netclient.sh"

[jalbstmeijer]

@FADEC44

Can confirm the first workaround does not help anymore on docker image v0.20.0

it now reports:

netclient  | [netclient] 2023-05-20 08:56:32 [firewall_linux.go-31] newFirewall(): iptables is not supported, using nftables 
netclient  | [netclient] 2023-05-20 08:56:32 [daemon.go-63] Daemon(): unable to set IPForwarding firewall support not found 

Thank you for finding the next workaround!

But still it should be for now;

entrypoint: bash -c "apk add wireguard-tools ip6tables; /bin/bash netclient.sh"

As the "wg" binary is still missing in the docker image and it is used for the cleanup function when netclient is terminated.

I will open a new issue now to point the docker image maintainers to these missing dependencies.
But maybe also useful for the main developers, as netclient is not very clear on the reason it concludes iptables is not supported.

[mattkasun]

iptables and iptables6 installed in netclient docker image