[BUG] -ls23 and onwards has issue with adding iptables rules #325

Closed
1 task done
alysak6075 opened this issue Mar 8, 2024 · 6 comments · Fixed by #326

Comments

@alysak6075

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

When there is a PostUp command, iptables breaks:
[#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument

Expected Behavior

The tunnel should be up

Steps To Reproduce

add to Interface
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Environment

- OS:Synology DSM 7.1
- How docker service was installed:
Container Manager

CPU architecture

x86-64

Docker creation

docker run -d \
  --name=wireguard \
  --cap-add=NET_ADMIN \
  --cap-add=SYS_MODULE \
  -e PUID=1027 \
  -e PGID=100 \
  -e TZ=America/Chicago \
  -p <PORT>:<PORT>/udp \
  -v /volume3/docker_ssd/wireguard/config:/config \
  --sysctl="net.ipv4.conf.all.src_valid_mark=1" \
  --sysctl="net.ipv4.ip_forward=1" \
  --sysctl="net.ipv6.conf.all.forwarding=1" \
  --sysctl="net.ipv6.conf.default.forwarding=1" \
  --restart unless-stopped \
  linuxserver/wireguard

Container logs

[#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument

@def324

def324 commented Mar 10, 2024

I have the same issue on qnap.

uname -r
5.10.60-qnap

@xankletas

Same issue here on arm64.

uname -a
Linux CoreELEC 5.4.210 #1 SMP PREEMPT Mon Feb 19 10:40:19 CET 2024 aarch64 GNU/Linux

I solved it using the "legacy" version: arm64v8-1.0.20210914-legacy

@aptalca
Member

aptalca commented Mar 10, 2024

Looks like this here is the culprit: https://git.alpinelinux.org/aports/tree/main/iptables/iptables.post-upgrade?h=3.19-stable
tl;dr: Alpine 3.19 switched to nftables under the hood, so kernel support for nftables is required. Most newer kernels should support it, but it seems QNAP and CoreELEC do not.

We'll evaluate internally how best to move forward.

@def324

def324 commented Mar 10, 2024

My solution/workaround was to pin the version to "v1.0.20210914-ls22". That way there is no need for the "legacy" build.

@cityofships

For what it's worth, I had to s/iptables/iptables-nft in wg0.conf in order to get the latest container version working on a recent Red Hat-family system (Rocky Linux 9.4). Without this I was seeing behaviour as in #327, with a properly set up /lib/modules mount.

Reference: https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/9.0_release_notes/deprecated_functionality#deprecated-functionality_networking
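
The two comments above describe the same root cause from opposite sides: on a kernel without the nf_tables API, the iptables-nft backend that Alpine 3.19 made the default fails with "Could not fetch rule set generation id", while on a host that only supports nftables the legacy backend is the wrong choice. Rather than pinning a tag, a PostUp/PostDown wrapper can probe both backends and use whichever the running kernel accepts. The script below is an added example, not code from the linuxserver/wireguard image or from anyone in this thread. It assumes the image ships both iptables-nft and iptables-legacy binaries (Alpine's iptables package installs both), that the script is reachable from wg-quick inside the container (here via the /config bind mount), and that wg0/eth0 are the interface names from the issue; the function names and script path are this example's own.

```shell
#!/bin/sh
# Added example, not part of the linuxserver/wireguard image: pick an iptables
# backend the running kernel actually supports, then run the PostUp/PostDown
# rules from this issue against that backend. Binary names iptables-nft and
# iptables-legacy are assumed to exist; function names are this example's own.

# Probe one backend by reading the filter table. Exit status:
#   0  usable
#   2  nf_tables API missing in the kernel (the exact error from this issue)
#   1  any other failure (binary missing, no NET_ADMIN, ...)
probe_backend() {
    bin="$1"
    out=$("$bin" -t filter -S 2>&1) && return 0
    case "$out" in
        *"Could not fetch rule set generation id"*) return 2 ;;
        *) return 1 ;;
    esac
}

# Print the first usable backend from a space-separated candidate list
# ($1 is deliberately unquoted so the shell splits it into words).
pick_backend() {
    for bin in $1; do
        if command -v "$bin" >/dev/null 2>&1 && probe_backend "$bin"; then
            echo "$bin"
            return 0
        fi
    done
    return 1
}

# Build the rule string for PostUp (action A) or PostDown (action D).
# Both must use the same backend: rules added with iptables-nft are not
# visible to iptables-legacy and vice versa, so PostDown would leave them behind.
build_rules() {
    ipt="$1"; wg_if="$2"; out_if="$3"; action="$4"
    echo "$ipt -$action FORWARD -i $wg_if -j ACCEPT; $ipt -t nat -$action POSTROUTING -o $out_if -j MASQUERADE"
}

# Usage from wg0.conf (path and script name are assumptions for this example):
#   PostUp   = sh /config/pick-iptables.sh up
#   PostDown = sh /config/pick-iptables.sh down
if [ -n "${1:-}" ]; then
    case "$1" in
        up)   action=A ;;
        down) action=D ;;
        *)    echo "usage: $0 up|down" >&2; exit 1 ;;
    esac
    if backend=$(pick_backend "iptables-nft iptables-legacy iptables"); then
        sh -c "$(build_rules "$backend" wg0 eth0 "$action")"
    else
        echo "no usable iptables backend for this kernel; pin an -ls22 or -legacy tag" >&2
        exit 1
    fi
fi
```

The probe reads the table instead of checking `uname -r`, because the kernel version alone does not tell you whether nf_tables was compiled in (both the 5.10 QNAP and 5.4 CoreELEC kernels above are new enough on paper and still fail). Exit status 2 is kept distinct from 1 so a log line can say "kernel lacks nf_tables" rather than a generic failure, which is the first thing to check when a freshly pulled image stops bringing the tunnel up.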
