"Could not process rule: Invalid argument" after update

[EpicLPer]

Heya,

I'm running qBitTorrent on a Synology NAS, it seems there was an update yesterday. Watchtower updated the container automatically and today I'm getting the following error when trying to start the container back up:

[cont-init.d] 30-network.sh: executing... 
Error: Could not process rule: Invalid argument
add table inet qbt-mark
^^^^^^^^^^^^^^^^^^^^^^^^
Error: Could not process rule: Invalid argument
add table inet qbt-mark
^^^^^^^^^^^^^^^^^^^^^^^^
netlink: Error: cache initialization failed: Invalid argument
netlink: Error: cache initialization failed: Invalid argument
netlink: Error: cache initialization failed: Invalid argument
netlink: Error: cache initialization failed: Invalid argument
Error: Could not process rule: Invalid argument
add table inet firewall
^^^^^^^^^^^^^^^^^^^^^^^^
Error: Could not process rule: Invalid argument
add table inet firewall
^^^^^^^^^^^^^^^^^^^^^^^^

Is there a way to fix this? Or do I have to change something on my end for it to work again?

Thanks already!

[Trigus42]

My guess is that your host doesn't have the nf_tables module loaded. You can check that using lsmod | grep nf_tables. It should output something like this if the module is loaded:

nf_tables             352256  211 nft_ct,nft_reject_inet,nft_fib_ipv6,nft_fib_ipv4,nft_chain_nat,nft_reject,nft_fib,nft_fib_inet
nfnetlink              20480  3 nf_tables,ip_set

If the module isn't loaded, can you add SYS_MODULE to the containers capabilities and the volume /lib/modules:/lib/modules:ro and try the image trigus42/qbittorrentvpn:issue-50 with the environment variable DEBUG=yes?

[EpicLPer]

My guess is that your host doesn't have the nf_tables module loaded. You can check that using lsmod | grep nf_tables. It should output something like this if the module is loaded:

nf_tables             352256  211 nft_ct,nft_reject_inet,nft_fib_ipv6,nft_fib_ipv4,nft_chain_nat,nft_reject,nft_fib,nft_fib_inet
nfnetlink              20480  3 nf_tables,ip_set

If the module isn't loaded, can you add SYS_MODULE to the containers capabilities and the volume /lib/modules:/lib/modules:ro and try the image trigus42/qbittorrentvpn:issue-50 with the environment variable DEBUG=yes?

I tried this but sadly it still results in the same issue.
I'm running Docker on my Synology DS916+, nf_tables is indeed not loaded. But even adding the capability and volume mount it didn't want to work. I get the output 2024-01-09 06:29:16 [ERROR] nf_tables kernel module not loaded. Load manually or add required volume and capability to this container at the end now tho.

[Trigus42]

Have you tried loading the module manually on your host using modprobe -v nf_tables? Does this work? Can you post the output of uname -a and modinfo nf_tables?

[Trigus42]

This seems to be a common issue for Synology DSM: https://github.com/linuxserver/docker-wireguard/issues/191

I don't have a Synology system to experiment with so I am not sure how to fix that without just reverting to iptables-legacy.

EDIT: I checked my commit again an saw that it had a blatant issue. Based on what I have read so far I am not sure if this will fix your issue but please try the updated trigus42/qbittorrentvpn:issue-50 image

[EpicLPer]

Yeah, I even messaged Synology Support about this and they said they can't really do anything anymore as it's a Kernel support issue for that specific hardware, so they can't upgrade it. (Which I don't fuuuully believe but yeah, guess I'll have to live with that :( )

For now I'll use the solution from #52 and just use the older version, I'll potentially move most of my Docker containers to a new Proxmox host anyways cause I've ran into various incompatibility issues by now with Synology's Docker implementation.

[Trigus42]

I have created a legacy-iptables branch. Please try the image. Also please continue the discussion in https://github.com/Trigus42/alpine-qbittorrentvpn/issues/52

[EpicLPer]

I have created a legacy-iptables branch. Please try the image. Also please continue the discussion in #52

Thanks! I've since moved to a proper different Docker host thus I don't have this issue anymore, but I'm sure this will help folks setting it up on their "older" Synology NASes :)