Bug: iptables-nft on host without nftables

[Fabricio20]

Is this urgent?

No

Host OS

Ubuntu 16.04

CPU arch

x86_64

VPN service provider

Private Internet Access

What are you using to run the container

docker-compose

What is the version of Gluetun

Running version latest built on 2022-03-15T08:20:32.863Z (commit 984e143)

What's the problem 🤔

Running on a host with IPv6 enabled, looks like gluetun is now attempting to use nftables to drop incoming ipv6 traffic, however it seems that nftables is unable to locate the default chain (the host is running iptables not nftables).

ERROR cannot enable firewall: command failed: "ip6tables-nft --policy INPUT DROP": ip6tables v1.8.7 (nf_tables):  CHAIN_UPDATE failed (No such file or directory): chain INPUT: exit status 4

This issue does not happen on gluetun v3.28.0.

Share your logs

gluetun     | ========================================
gluetun     | ========================================
gluetun     | =============== gluetun ================
gluetun     | ========================================
gluetun     | =========== Made with ❤️ by ============
gluetun     | ======= https://github.com/qdm12 =======
gluetun     | ========================================
gluetun     | ========================================
gluetun     | 
gluetun     | Running version latest built on 2022-03-15T08:20:32.863Z (commit 984e143)
gluetun     | 
gluetun     | 🔧 Need help? https://github.com/qdm12/gluetun/discussions/new
gluetun     | 🐛 Bug? https://github.com/qdm12/gluetun/issues/new
gluetun     | ✨ New feature? https://github.com/qdm12/gluetun/issues/new
gluetun     | ☕ Discussion? https://github.com/qdm12/gluetun/discussions/new
gluetun     | 💻 Email? quentin.mcgaw@gmail.com
gluetun     | 💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
gluetun     | 2022/03/15 12:51:51 WARN You are using the old environment variable VPNSP, please consider changing it to VPN_SERVICE_PROVIDER
gluetun     | 2022/03/15 12:51:51 WARN You are using the old environment variable REGION, please consider changing it to SERVER_REGIONS
gluetun     | 2022/03/15 12:51:51 WARN You are using the old environment variable PROTOCOL, please consider changing it to OPENVPN_PROTOCOL
gluetun     | 2022/03/15 12:51:51 WARN You are using the old environment variable PIA_ENCRYPTION, please consider changing it to PRIVATE_INTERNET_ACCESS_OPENVPN_ENCRYPTION_PRESET
gluetun     | 2022/03/15 12:51:51 WARN You are using the old environment variable PORT_FORWARDING, please consider changing it to PRIVATE_INTERNET_ACCESS_VPN_PORT_FORWARDING
gluetun     | 2022/03/15 12:51:51 WARN You are using the old environment variable PIA_ENCRYPTION, please consider changing it to PRIVATE_INTERNET_ACCESS_OPENVPN_ENCRYPTION_PRESET
gluetun     | 2022/03/15 12:51:51 INFO routing: default route found: interface eth0, gateway 172.29.0.1 and assigned IP 172.29.0.2
gluetun     | 2022/03/15 12:51:51 INFO routing: local ethernet link found: eth0
gluetun     | 2022/03/15 12:51:51 INFO routing: local ipnet found: 172.29.0.0/16
gluetun     | 2022/03/15 12:51:51 INFO firewall: enabling...
gluetun     | 2022/03/15 12:51:51 ERROR cannot enable firewall: command failed: "ip6tables-nft --policy INPUT DROP": ip6tables v1.8.7 (nf_tables):  CHAIN_UPDATE failed (No such file or directory): chain INPUT: exit status 4
gluetun     | 2022/03/15 12:51:51 INFO Shutdown successful

Share your configuration

version: '3.7'
services:
  gluetun:
    container_name: gluetun
    image: qmcgaw/gluetun:v3.28
    cap_add:
      - NET_ADMIN
    volumes:
      - ./gluetun:/gluetun
    devices:
      - /dev/net/tun:/dev/net/tun
    environment:
      - VPNSP=private internet access
      - REGION=
      - OPENVPN_USER=
      - OPENVPN_PASSWORD=
      - PIA_ENCRYPTION=strong
      - PROTOCOL=udp
      - PORT_FORWARDING=on
      - DOT=on
      - DOT_PROVIDERS=cloudflare
      - DOT_IPV6=off
      - BLOCK_MALICIOUS=on
      - BLOCK_SURVEILLANCE=on
      - BLOCK_ADS=off
      - SHADOWSOCKS=off
      - HTTPPROXY=off
      - TZ=UTC

[qdm12]

Interesting, can you try:

docker run -it --rm --cap-add=NET_ADMIN alpine:3.15
apk add ip6tables
ip6tables -L
echo $?
ip6tables-nft -L
echo $?

What do you get?

Gluetun tries ip6tables -L, if it doesn't work it tries ip6tables-nft -L and if it works it uses that one. I guess in your case it shouldn't use any ip6tables firewall 🤔

[Fabricio20]

Interesting, on the alpine container as you provided it seems that ip6tables-nft is the one that works? haha.

packages installed:

/ # apk add ip6tables
fetch https://dl-cdn.alpinelinux.org/alpine/v3.15/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.15/community/x86_64/APKINDEX.tar.gz
(1/4) Installing libmnl (1.0.4-r2)
(2/4) Installing libnftnl (1.2.1-r0)
(3/4) Installing iptables (1.8.7-r1)
(4/4) Installing ip6tables (1.8.7-r1)

ip6tables:

/ # ip6tables -L
modprobe: can't change directory to '/lib/modules': No such file or directory
ip6tables v1.8.7 (legacy): can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.
/ # echo $?
3

ip6tables-nft:

/ # ip6tables-nft -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
/ # echo $?
0

Host kernel is 4.4.0-210-generic.

However! Even if -L works on ip6tables-nft, the policy command does not!

/ # ip6tables-nft --policy INPUT DROP
ip6tables v1.8.7 (nf_tables):  CHAIN_UPDATE failed (No such file or directory): chain INPUT
/ # echo $?
4

[qdm12]

How about ip6tables -L INPUT && echo $? (after the Docker commands above)? Does that work?

If it still works, what do you get with:

ip6tables -A INPUT -i lo -j ACCEPT
echo $?

Anyway, it looks like some iptables bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=915187
Maybe upgrading Ubuntu / your kernel would fix it... ⚠️ but please don't upgrade yet, so I can test a fix since some other users might be in the same situation as yours.

I also created #898 which should offer a better handling of the firewall for nftables compatible systems.

[Fabricio20]

It seems that neither command works.

/ # ip6tables -L INPUT && echo $?
modprobe: can't change directory to '/lib/modules': No such file or directory
ip6tables v1.8.7 (legacy): can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.

/ # ip6tables -A INPUT -i lo -j ACCEPT
modprobe: can't change directory to '/lib/modules': No such file or directory
ip6tables v1.8.7 (legacy): can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.
/ # echo $?
3

However running ip6tables-nft it seems to work:

/ # ip6tables-nft -L INPUT && echo $?
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
0

/ # ip6tables-nft -A INPUT -i lo -j ACCEPT
/ # echo $?
0

/ # ip6tables-nft -L INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all      anywhere             anywhere

[qdm12]

So I guess only a policy change will fail? That's rather odd, but I can twist the code to react on this, although it's not totally ideal.

Can you try:

docker run -it --rm --cap-add=NET_ADMIN alpine:3.15
apk add ip6tables
ip6tables-nft --policy INPUT DROP
echo $?

[arsenicks]

Can you try:

docker run -it --rm --cap-add=NET_ADMIN alpine:3.15
apk add ip6tables
ip6tables-nft --policy INPUT DROP
echo $?

Just wanted to follow as I have the exact same problem, using qmcgaw/gluetun:v3.28.0 as a workaround untill a fix is released.

Here's the output on a fresh install of ubuntu server 20.04:

$ docker run -it --rm --cap-add=NET_ADMIN alpine:3.15
Unable to find image 'alpine:3.15' locally
3.15: Pulling from library/alpine
3aa4d0bbde19: Pull complete 
Digest: sha256:ceeae2849a425ef1a7e591d8288f1a58cdf1f4e8d9da7510e29ea829e61cf512
Status: Downloaded newer image for alpine:3.15
/ # apk add ip6tables
fetch https://dl-cdn.alpinelinux.org/alpine/v3.15/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.15/community/x86_64/APKINDEX.tar.gz
(1/4) Installing libmnl (1.0.4-r2)
(2/4) Installing libnftnl (1.2.1-r0)
(3/4) Installing iptables (1.8.7-r1)
(4/4) Installing ip6tables (1.8.7-r1)
Executing busybox-1.34.1-r4.trigger
OK: 8 MiB in 18 packages
/ # ip6tables-nft --policy INPUT DROP
/ # echo $?
0

And some more info

• fresh ubuntu server 20.04 install

$ lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 20.04.4 LTS
Release:	20.04
Codename:	focal

$ uname -a
Linux newmediaserver 5.4.0-105-generic #119-Ubuntu SMP Mon Mar 7 18:49:24 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

---

And here's the output on my old server that never had problem with gluetun and it's working with v3.28.0

$ docker run -it --rm --cap-add=NET_ADMIN alpine:3.15
Unable to find image 'alpine:3.15' locally
3.15: Pulling from library/alpine
3aa4d0bbde19: Pull complete 
Digest: sha256:ceeae2849a425ef1a7e591d8288f1a58cdf1f4e8d9da7510e29ea829e61cf512
Status: Downloaded newer image for alpine:3.15
/ # apk add ip6tables
fetch https://dl-cdn.alpinelinux.org/alpine/v3.15/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.15/community/x86_64/APKINDEX.tar.gz
(1/4) Installing libmnl (1.0.4-r2)
(2/4) Installing libnftnl (1.2.1-r0)
(3/4) Installing iptables (1.8.7-r1)
(4/4) Installing ip6tables (1.8.7-r1)
Executing busybox-1.34.1-r4.trigger
OK: 8 MiB in 18 packages
/ # ip6tables-nft --policy INPUT DROP
ip6tables v1.8.7 (nf_tables):  CHAIN_UPDATE failed (No such file or directory): chain INPUT
/ # echo $?
4

$ lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 16.04.7 LTS
Release:	16.04
Codename:	xenial

---

I've found this issue with openvpn image that look similar if this can help.

kylemanna/docker-openvpn#564

[Fabricio20]

Oops, I forgot about this issue, I can confirm the output by arsenicks also happens to me as well, ip6tables-nft --policy INPUT DROP works just fine.

I also ran this same test on an archlinux-based machine, updated today, and I'm able to reproduce the original issue, so it seems to be an issue with the alpine base container.

[qdm12]

I pushed 20f20f0 on the latest image, it now tries to do ip6tables-nft -A INPUT -i <randomname> -j REJECT to detect support for it, which should work. It then cleans up the rule after the test. Let me know if this resolved it for you.

[Fabricio20]

I've just tested the latest image from docker hub and it seems to have resolved the issue, thanks!

[arsenicks]

Using the latest image, as far as I can tell I still get the error and the vpn doesn't start.

[qdm12]

@arsenicks can you share the logs you got (essentially the error you get and the version logged a the top).

[arsenicks]

Sure, here it is.

Recreating gluetun ... done
Attaching to gluetun
gluetun             | ========================================
gluetun             | ========================================
gluetun             | =============== gluetun ================
gluetun             | ========================================
gluetun             | =========== Made with ❤️ by ============
gluetun             | ======= https://github.com/qdm12 =======
gluetun             | ========================================
gluetun             | ========================================
gluetun             | 
gluetun             | Running version latest built on 2022-04-02T17:35:24.679Z (commit be386a8)
gluetun             | 
gluetun             | 🔧 Need help? https://github.com/qdm12/gluetun/discussions/new
gluetun             | 🐛 Bug? https://github.com/qdm12/gluetun/issues/new
gluetun             | ✨ New feature? https://github.com/qdm12/gluetun/issues/new
gluetun             | ☕ Discussion? https://github.com/qdm12/gluetun/discussions/new
gluetun             | 💻 Email? quentin.mcgaw@gmail.com
gluetun             | 💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
gluetun             | 2022-04-07T00:53:59Z INFO [routing] default route found: interface eth0, gateway 172.17.0.1 and assigned IP 172.17.0.2
gluetun             | 2022-04-07T00:53:59Z INFO [routing] local ethernet link found: eth0
gluetun             | 2022-04-07T00:53:59Z INFO [routing] local ipnet found: 172.17.0.0/16
gluetun             | 2022-04-07T00:53:59Z INFO [firewall] enabling...
gluetun             | 2022-04-07T00:53:59Z ERROR cannot enable firewall: command failed: "ip6tables-nft --policy OUTPUT DROP": ip6tables v1.8.7 (nf_tables):  CHAIN_UPDATE failed (No such file or directory): chain OUTPUT: exit status 4
gluetun             | 2022-04-07T00:53:59Z INFO Shutdown successful
gluetun exited with code 1

[qdm12]

@arsenicks can you try:

docker run -it --rm --cap-add=NET_ADMIN alpine:3.15
apk add ip6tables
ip6tables-nft -A INPUT -i blabla -j REJECT
echo $?
ip6tables-nft -A OUTPUT -i blabla -j REJECT
echo $?
ip6tables-nft -A FORWARD -i blabla -j REJECT
echo $?
exit

What a strange bug, I think you can modify the input table but not the output one. Let me know and I'll add additional checks to detect support with gluetun.

[arsenicks]

In fact, the error message state -i cannot be used with OUTPUT table, it's been a long time since I played with iptables, let along this new nft thing but as far as I can tell from the manpage the -i is used for in-interface

-i,  --in-interface [!] name
The interface (bridge port) via which a frame is received (this option is useful in the INPUT, FORWARD, PREROUTING and BROUTING chains). If the interface name ends with '+', then any interface name that begins with this name (disregarding '+') will match. The flag --in-if is an alias for this option.

-o looks more like the option we should use

-o,  --out-interface [!] name
The interface (bridge port) via which a frame is going to be sent (this option is useful in the OUTPUT, FORWARD and POSTROUTING chains). If the interface name ends with '+', then any interface name that begins with this name (disregarding '+') will match. The flag --out-if is an alias for this option.

/ # apk add ip6tables
fetch https://dl-cdn.alpinelinux.org/alpine/v3.15/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.15/community/x86_64/APKINDEX.tar.gz
(1/4) Installing libmnl (1.0.4-r2)
(2/4) Installing libnftnl (1.2.1-r0)
(3/4) Installing iptables (1.8.7-r1)
(4/4) Installing ip6tables (1.8.7-r1)
Executing busybox-1.34.1-r4.trigger
OK: 8 MiB in 18 packages
/ # ip6tables-nft -A INPUT -i blabla -j REJECT
/ # echo $?
0
/ # ip6tables-nft -A OUTPUT -i blabla -j REJECT
ip6tables v1.8.7 (nf_tables): Can't use -i with OUTPUT

Try `ip6tables -h' or 'ip6tables --help' for more information.
/ # echo $?
2
/ # ip6tables-nft -A FORWARD -i blabla -j REJECT
/ # echo $?
0
/ # exit

Result of -o:

 # ip6tables-nft -A OUTPUT -o blabla -j REJECT
/ # echo $?
0

[qdm12]

I just changed the iptables test to use OUTPUT with -o instead of INPUT+-i, can you confirm it works on the latest image (docker pull qmcgaw/gluetun)? Commit is 71ab041

I'll make a release as soon as this issue is fixed.

[qdm12]

Is this fixed now? Please everyone make sure the latest image works correctly, I would like to make a release this weekend. Thanks!

[arsenicks]

sorry for the delay, it looks like it doesn't work, it's the input that seems to be problematic that time..

========================================,
2022-04-16T23:34:04Z INFO Shutdown successful,
=============== gluetun ================,
======= https://github.com/qdm12 =======,
=========== Made with ❤️ by ============,
Running version latest built on 2022-04-16T20:29:56.414Z (commit bddead5),
🐛 Bug? https://github.com/qdm12/gluetun/issues/new,
🔧 Need help? https://github.com/qdm12/gluetun/discussions/new,
✨ New feature? https://github.com/qdm12/gluetun/issues/new,
☕ Discussion? https://github.com/qdm12/gluetun/discussions/new,
💻 Email? quentin.mcgaw@gmail.com,
💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12,
2022-04-16T23:34:04Z INFO [routing] default route found: interface eth0, gateway 172.17.0.1 and assigned IP 172.17.0.2,
2022-04-16T23:34:04Z INFO [routing] local ipnet found: 172.17.0.0/16,
2022-04-16T23:34:04Z INFO [firewall] enabling...,
2022-04-16T23:34:04Z INFO [routing] local ethernet link found: eth0,
2022-04-16T23:34:04Z ERROR cannot enable firewall: command failed: "ip6tables-nft --policy INPUT DROP": ip6tables v1.8.7 (nf_tables):  CHAIN_UPDATE failed (No such file or directory): chain INPUT: exit status 4

[qdm12]

Very strange, adding a reject rule works but changing its policy doesn't... Can you try

docker run -it --rm --cap-add=NET_ADMIN alpine:3.15
apk add ip6tables
ip6tables-nft --policy INPUT ACCEPT
echo $?

I hope this one fails, that way I can test ip6tables support using that random rule + setting the policy as the existing one (ACCEPT in this case).

If it does not fail, I'm not 100% sure how to address the problem since that would mean we would have to cut off traffic (change policy to drop) to test support. That is fine for now in a container, but I'd like one day to have gluetun work outside docker too and that becomes problematic (aka we don't want to shutdown the machine network, even for a quick moment).

[arsenicks]

Hi, it does fail:

$ docker run -it --rm --cap-add=NET_ADMIN alpine:3.15
/ # apk add ip6tables
fetch https://dl-cdn.alpinelinux.org/alpine/v3.15/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.15/community/x86_64/APKINDEX.tar.gz
(1/4) Installing libmnl (1.0.4-r2)
(2/4) Installing libnftnl (1.2.1-r0)
(3/4) Installing iptables (1.8.7-r1)
(4/4) Installing ip6tables (1.8.7-r1)
Executing busybox-1.34.1-r4.trigger
OK: 8 MiB in 18 packages
/ # ip6tables-nft --policy INPUT ACCEPT
ip6tables v1.8.7 (nf_tables):  CHAIN_UPDATE failed (No such file or directory): chain INPUT
/ # echo $?
4
/ # ip6tables-nft -L 
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

I'm personally out of idea but this post and the links provided might give you the answer https://unix.stackexchange.com/questions/588998/check-whether-iptables-or-nftables-are-in-use

A variant of this problem was addressed recently in Kubernetes, so it’s worth looking at what was done there. (The variant is whether to use iptables-legacy or iptables-nft and their IPv6 variants to drive the host’s rules.)

The approach taken in Kubernetes is to look at the number of lines output by the respective “save” commands, iptables-legacy-save and iptables-nft-save (and their IPv6 variants). If the former produces ten lines or more of output, or produces more output than the latter, then it’s assumed that iptables-legacy should be used; otherwise, that iptables-nft should be used.

Here's the output from the alpine container I started as stated in your previous post with the output of both commands:

/ # iptables-legacy-save
# Generated by iptables-save v1.8.7 on Mon Apr 18 21:35:56 2022
*filter
:INPUT ACCEPT [1685:2943614]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1011:54890]
COMMIT
# Completed on Mon Apr 18 21:35:56 2022
# Generated by iptables-save v1.8.7 on Mon Apr 18 21:35:56 2022
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [4:264]
:POSTROUTING ACCEPT [4:264]
COMMIT
# Completed on Mon Apr 18 21:35:56 2022
/ # iptables-nft-save
# Warning: iptables-legacy tables present, use iptables-legacy-save to see them

As you can see, nft-save tell us legacy is used, so we can just use the output of those commands to decide which mode we'll use, sounds like that should do the trick

[qdm12]

Awesome thanks for sharing this @arsenicks

fc5cf44 addresses this, can you please try the latest image again? The strategy is now to:

1. Try setting a dummy output rule
2. Remove the dummy output rule
3. Get the INPUT table policy
4. Set the INPUT table policy to its existing policy

To detect which iptables is really supported. It works for me, but I'm obviously curious if it works for your weirdo kernels 😄

[arsenicks]

Hi, it looks like it's fixed now!

========================================
========================================
=============== gluetun ================
========================================
=========== Made with ❤️ by ============
======= https://github.com/qdm12 =======
========================================
========================================
Running version latest built on 2022-04-23T12:58:11.855Z (commit a1d70f7)
🔧 Need help? https://github.com/qdm12/gluetun/discussions/new
🐛 Bug? https://github.com/qdm12/gluetun/issues/new
✨ New feature? https://github.com/qdm12/gluetun/issues/new
☕ Discussion? https://github.com/qdm12/gluetun/discussions/new
💻 Email? quentin.mcgaw@gmail.com
💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
2022-04-24T13:17:58Z INFO [routing] default route found: interface eth0, gateway 172.17.0.1 and assigned IP 172.17.0.2
2022-04-24T13:17:58Z INFO [routing] local ethernet link found: eth0
2022-04-24T13:17:58Z INFO [routing] local ipnet found: 172.17.0.0/16
2022-04-24T13:17:59Z INFO [firewall] enabling...
2022-04-24T13:17:59Z INFO [firewall] enabled successfully

Thanks for your time and help!

[qdm12]

Awesome thanks I'll do a release v3.29.0 soon then!