Trigus42 / alpine-qbittorrentvpn

Multiarch docker image with the latest qBittorrent-nox client (WEB UI) and WireGuard/OpenVPN tunnel
GNU General Public License v3.0

Synology DSM - nftables not supported #52

Open poudenes opened 5 months ago

poudenes commented 5 months ago

Didn't use qBittorrent for some days, but it was not reachable. Saw some errors. App is working with VPN off. But with VPN on I get the errors; see below the compose information:

version: "3.9"
services:

  qbittorrent:
    image: trigus42/qbittorrentvpn:latest
    container_name: qbittorrent
    hostname: qbittorrent
    restart: always
    ports:
      - 8084:8080
      - 20000:20000
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /volumeUSB2/usbshare/docker/qbittorrent/:/config:rw
      - /volumeUSB2/usbshare/docker/qbittorrent/downloads:/downloads:rw
      - /volume1/data/torrents:/data/torrents:rw
    environment:
      TZ: Europe/Amsterdam
      WEBUI_ALLOWED_NETWORKS: 192.168.100.0/24
      DEBUG: yes
      VPN_ENABLED: yes
      VPN_TYPE: openvpn
      NAME_SERVERS: 1.1.1.1
      VPN_USERNAME: KS2-<MY-USERNAME>
      VPN_PASSWORD: <MY-PASSWORD>
      PUID: 1026
      PGID: 100
      FIREWALL_OUTBOUND_SUBNETS: 172.30.33.0/24,192.168.100.0/24
      UNPRIVILEGED: No
      HEALTH_CHECK_HOST: 1.1.1.1
      HEALTH_CHECK_INTERVAL: 5
      HEALTH_CHECK_TIMEOUT: 5
    mem_limit: 2g
    cpu_shares: 768
    cap_add:
      - NET_ADMIN
    networks:
      synology:
        ipv4_address: 172.30.33.106

networks:
  synology:
    external: true

Debug log information

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 10-environment.sh: executing... 
2024-01-09 16:33:25 [INFO] WEBUI_ALLOWED_NETWORKS is defined as 192.168.100.0/24
2024-01-09 16:33:25 [DEBUG] Docker interface defined as eth0
2024-01-09 16:33:25 [DEBUG] Docker IPv4 address defined as 172.30.33.106
2024-01-09 16:33:25 [INFO] Docker IPv4 network defined as 172.30.32.0/23
2024-01-09 16:33:25 [DEBUG] Default IPv4 gateway defined as 172.30.32.1
2024-01-09 16:33:25 [INFO] PUID defined as 1026
2024-01-09 16:33:25 [INFO] PGID defined as 100
2024-01-09 16:33:26 [INFO] An user with PUID 1026 does not exist, adding an user called 'qbittorrent' with PUID 1026
2024-01-09 16:33:29 [INFO] VPN_ENABLED defined as 'yes'
2024-01-09 16:33:29 [INFO] VPN_TYPE defined as 'openvpn'
dos2unix: converting file /config/openvpn/vpn_unlimited_torrent_fr.ovpn to Unix format...
2024-01-09 16:33:29 [INFO] NAME_SERVERS defined as '1.1.1.1'
2024-01-09 16:33:29 [INFO] Adding 1.1.1.1 to resolv.conf
[cont-init.d] 10-environment.sh: exited 0.
[cont-init.d] 20-vpn.sh: executing... 
2024-01-09 16:33:29 [INFO] Choosen VPN config: 'vpn_unlimited_torrent_fr.ovpn'
2024-01-09 16:33:29 [INFO] Using credentials from /config/openvpn/vpn_unlimited_torrent_fr_credentials.conf
2024-01-09 16:33:29 [INFO] VPN remote line defined as 'fr.vpnunlimitedapp.com 1197'
2024-01-09 16:33:29 [INFO] VPN_REMOTE defined as 'fr.vpnunlimitedapp.com'
2024-01-09 16:33:29 [INFO] VPN_PORT defined as '1197'
2024-01-09 16:33:29 [INFO] VPN_PROTOCOL defined as 'udp'
2024-01-09 16:33:29 [INFO] VPN_DEVICE_TYPE defined as 'tun0'
2024-01-09 16:33:30 [DEBUG] Route: 1.1.1.1 via 172.30.32.1 dev eth0 src 172.30.33.106 
2024-01-09 16:33:30 [DEBUG] Ping to 1.1.1.1 succeeded
2024-01-09 16:33:31 [DEBUG] fr.vpnunlimitedapp.com resolved to 195.154.221.54
2024-01-09 16:33:41 [DEBUG] Ping to 195.154.221.54 via eth0 failed
2024-01-09 16:33:41 [INFO] Starting OpenVPN...
--------------------
2024-01-09 16:33:41 [DEBUG] OpenVPN PID: 320
2024-01-09 16:33:41 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations. 
2024-01-09 16:33:41 WARNING: file '/config/openvpn/vpn_unlimited_torrent_fr_credentials.conf' is group or others accessible
2024-01-09 16:33:41 OpenVPN 2.6.8 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2024-01-09 16:33:41 library versions: OpenSSL 3.1.4 24 Oct 2023, LZO 2.10
2024-01-09 16:33:41 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-01-09 16:33:41 TCP/UDP: Preserving recently used remote address: [AF_INET]195.154.221.54:1197
2024-01-09 16:33:41 UDPv4 link local: (not bound)
2024-01-09 16:33:41 UDPv4 link remote: [AF_INET]195.154.221.54:1197
2024-01-09 16:34:41 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2024-01-09 16:34:41 TLS Error: TLS handshake failed
2024-01-09 16:34:41 SIGUSR1[soft,tls-error] received, process restarting
2024-01-09 16:34:42 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-01-09 16:34:42 TCP/UDP: Preserving recently used remote address: [AF_INET]62.210.188.244:1197
2024-01-09 16:34:42 UDPv4 link local: (not bound)
2024-01-09 16:34:42 UDPv4 link remote: [AF_INET]62.210.188.244:1197
2024-01-09 16:34:42 [server.ironnodes.com] Peer Connection Initiated with [AF_INET]62.210.188.244:1197
2024-01-09 16:34:43 TUN/TAP device tun0 opened
2024-01-09 16:34:43 /sbin/ip link set dev tun0 up mtu 1500
2024-01-09 16:34:43 /sbin/ip link set dev tun0 up
2024-01-09 16:34:43 /sbin/ip addr add dev tun0 local 10.80.0.54 peer 10.80.0.53
2024-01-09 16:34:43 Initialization Sequence Completed
--------------------
2024-01-09 16:34:43 [DEBUG] Route: 1.1.1.1 via 10.80.0.53 dev tun0 src 10.80.0.54 
2024-01-09 16:34:43 [DEBUG] Ping to 1.1.1.1 succeeded
2024-01-09 16:34:43 [DEBUG] fr.vpnunlimitedapp.com resolved to 195.154.222.168
2024-01-09 16:34:53 [DEBUG] Ping to 195.154.222.168 via eth0 failed
[cont-init.d] 20-vpn.sh: exited 0.
[cont-init.d] 30-network.sh: executing... 
Error: Could not process rule: Not supported
add table inet qbt-mark
^^^^^^^^^^^^^^^^^^^^^^^^
netlink: Error: cache initialization failed: Invalid argument
netlink: Error: cache initialization failed: Invalid argument
netlink: Error: cache initialization failed: Invalid argument
netlink: Error: cache initialization failed: Invalid argument
Error: Could not process rule: Not supported
add table inet firewall
^^^^^^^^^^^^^^^^^^^^^^^^
ipcalc: bad IPv4 address: fr.vpnunlimitedapp.com
ipcalc: bad IPv6 address: fr.vpnunlimitedapp.com
netlink: Error: cache initialization failed: Invalid argument
netlink: Error: cache initialization failed: Invalid argument
netlink: Error: cache initialization failed: Invalid argument
netlink: Error: cache initialization failed: Invalid argument
netlink: Error: cache initialization failed: Invalid argument
netlink: Error: cache initialization failed: Invalid argument
netlink: Error: cache initialization failed: Invalid argument
netlink: Error: cache initialization failed: Invalid argument
netlink: Error: cache initialization failed: Invalid argument
netlink: Error: cache initialization failed: Invalid argument
netlink: Error: cache initialization failed: Invalid argument
netlink: Error: cache initialization failed: Invalid argument
netlink: Error: cache initialization failed: Invalid argument
netlink: Error: cache initialization failed: Invalid argument
netlink: Error: cache initialization failed: Invalid argument
netlink: Error: cache initialization failed: Invalid argument
netlink: Error: cache initialization failed: Invalid argument
netlink: Error: cache initialization failed: Invalid argument
netlink: Error: cache initialization failed: Invalid argument
netlink: Error: cache initialization failed: Invalid argument
netlink: Error: cache initialization failed: Invalid argument
netlink: Error: cache initialization failed: Invalid argument
netlink: Error: cache initialization failed: Invalid argument
netlink: Error: cache initialization failed: Invalid argument
netlink: Error: cache initialization failed: Invalid argument
netlink: Error: cache initialization failed: Invalid argument
netlink: Error: cache initialization failed: Invalid argument
netlink: Error: cache initialization failed: Invalid argument
netlink: Error: cache initialization failed: Invalid argument
netlink: Error: cache initialization failed: Invalid argument
netlink: Error: cache initialization failed: Invalid argument
netlink: Error: cache initialization failed: Invalid argument
2024-01-09 16:34:53 [DEBUG] 'main' routing table defined as follows...
--------------------
0.0.0.0/1 via 10.80.0.53 dev tun0 
default via 172.30.32.1 dev eth0 
10.80.0.1 via 10.80.0.53 dev tun0 metric 1 
10.80.0.53 dev tun0 proto kernel scope link src 10.80.0.54 
62.210.188.244 via 172.30.32.1 dev eth0 
128.0.0.0/1 via 10.80.0.53 dev tun0 
172.30.32.0/23 dev eth0 proto kernel scope link src 172.30.33.106 
--------------------
2024-01-09 16:34:53 [DEBUG] ip rules defined as follows...
--------------------
0:  from all lookup local
32764:  from all fwmark 0x1f90 lookup main suppress_prefixlength 1
32765:  from all fwmark 0x1f90 lookup webui
32766:  from all lookup main
32767:  from all lookup default
--------------------
2024-01-09 16:34:53 [DEBUG] nft ruleset defined as follows...
--------------------
netlink: Error: cache initialization failed: Invalid argument
--------------------
2024-01-09 16:34:53 [DEBUG] Route: 1.1.1.1 via 10.80.0.53 dev tun0 src 10.80.0.54 
2024-01-09 16:34:53 [DEBUG] Ping to 1.1.1.1 succeeded
2024-01-09 16:34:53 [DEBUG] fr.vpnunlimitedapp.com resolved to 62.210.206.27
2024-01-09 16:34:53 [DEBUG] Ping to 62.210.206.27 via eth0 succeeded
[cont-init.d] 30-network.sh: exited 0.
[cont-init.d] 40-qbittorrent-setup.sh: executing... 
2024-01-09 16:34:53 [WARNING] ENABLE_SSL is set to , SSL is not enabled. This could cause issues with logging if other apps use the same Cookie name (SID).
2024-01-09 16:34:53 [WARNING] If you manage the SSL config yourself, you can ignore this.
2024-01-09 16:34:53 [WARNING] UMASK not defined (via -e UMASK), defaulting to '002'
[cont-init.d] 40-qbittorrent-setup.sh: exited 0.
[cont-init.d] done.
[services.d] starting services
2024-01-09 16:34:53 [INFO] Logging to /config/qBittorrent/data/logs/qbittorrent.log.
2024-01-09 16:34:53 [INFO] Trying to ping 1.1.1.1 and 8.8.8.8 over the docker interface for 500ms each...
[services.d] done.
2024-01-09 16:34:53 [ERROR] Firewall is down! Exiting..
2024-01-09 16:34:54 [INFO] Logging to /config/qBittorrent/data/logs/qbittorrent.log.
2024-01-09 16:34:54 [INFO] Trying to ping 1.1.1.1 and 8.8.8.8 over the docker interface for 500ms each...
2024-01-09 16:34:54 [ERROR] Firewall is down! Exiting..
2024-01-09 16:34:55 [INFO] Logging to /config/qBittorrent/data/logs/qbittorrent.log.
2024-01-09 16:34:55 [INFO] Trying to ping 1.1.1.1 and 8.8.8.8 over the docker interface for 500ms each...
2024-01-09 16:34:55 [ERROR] Firewall is down! Exiting..
2024-01-09 16:34:56 [INFO] Logging to /config/qBittorrent/data/logs/qbittorrent.log.
2024-01-09 16:34:56 [INFO] Trying to ping 1.1.1.1 and 8.8.8.8 over the docker interface for 500ms each...
2024-01-09 16:34:56 [ERROR] Firewall is down! Exiting..
2024-01-09 16:34:57 [INFO] Logging to /config/qBittorrent/data/logs/qbittorrent.log.
2024-01-09 16:34:57 [INFO] Trying to ping 1.1.1.1 and 8.8.8.8 over the docker interface for 500ms each...
2024-01-09 16:34:57 [ERROR] Firewall is down! Exiting..
2024-01-09 16:34:58 [INFO] Logging to /config/qBittorrent/data/logs/qbittorrent.log.
2024-01-09 16:34:58 [INFO] Trying to ping 1.1.1.1 and 8.8.8.8 over the docker interface for 500ms each...
2024-01-09 16:34:58 [ERROR] Firewall is down! Exiting..
2024-01-09 16:34:59 [INFO] Logging to /config/qBittorrent/data/logs/qbittorrent.log.
2024-01-09 16:34:59 [INFO] Trying to ping 1.1.1.1 and 8.8.8.8 over the docker interface for 500ms each...
2024-01-09 16:34:59 [ERROR] Firewall is down! Exiting..
Trigus42 commented 5 months ago

You seem to be using Synology. The error message is a little different, but this might be related to: https://github.com/Trigus42/alpine-qbittorrentvpn/issues/50. Could you please add SYS_MODULE to the container's capabilities and the volume /lib/modules:/lib/modules:ro and try the image trigus42/qbittorrentvpn:issue-50?

poudenes commented 5 months ago

It's been running for almost a year on my Synology.

Here's the log output:

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 10-environment.sh: executing... 
2024-01-09 18:52:45 [INFO] WEBUI_ALLOWED_NETWORKS is defined as 192.168.100.0/24
2024-01-09 18:52:46 [DEBUG] Docker interface defined as eth0
2024-01-09 18:52:47 [DEBUG] Docker IPv4 address defined as 172.30.33.106
2024-01-09 18:52:47 [INFO] Docker IPv4 network defined as 172.30.32.0/23
2024-01-09 18:52:47 [DEBUG] Default IPv4 gateway defined as 172.30.32.1
2024-01-09 18:52:47 [INFO] PUID defined as 1026
2024-01-09 18:52:47 [INFO] PGID defined as 100
2024-01-09 18:52:47 [INFO] An user with PUID 1026 does not exist, adding an user called 'qbittorrent' with PUID 1026
2024-01-09 18:52:49 [INFO] VPN_ENABLED defined as 'yes'
2024-01-09 18:52:49 [INFO] VPN_TYPE defined as 'openvpn'
2024-01-09 18:52:49 [INFO] NAME_SERVERS defined as '1.1.1.1'
2024-01-09 18:52:49 [INFO] Adding 1.1.1.1 to resolv.conf
[cont-init.d] 10-environment.sh: exited 0.
[cont-init.d] 20-vpn.sh: executing... 
2024-01-09 18:52:49 [INFO] Choosen VPN config: 'vpn_unlimited_torrent_fr.ovpn'
2024-01-09 18:52:49 [INFO] Using credentials from /config/openvpn/vpn_unlimited_torrent_fr_credentials.conf
dos2unix: converting file /config/openvpn/vpn_unlimited_torrent_fr.ovpn to Unix format...
2024-01-09 18:52:49 [INFO] VPN remote line defined as 'fr.vpnunlimitedapp.com 1197'
2024-01-09 18:52:49 [INFO] VPN_REMOTE defined as 'fr.vpnunlimitedapp.com'
2024-01-09 18:52:49 [INFO] VPN_PORT defined as '1197'
2024-01-09 18:52:49 [INFO] VPN_PROTOCOL defined as 'udp'
2024-01-09 18:52:49 [INFO] VPN_DEVICE_TYPE defined as 'tun0'
2024-01-09 18:52:49 [DEBUG] Route: 1.1.1.1 via 172.30.32.1 dev eth0 src 172.30.33.106 
2024-01-09 18:52:49 [DEBUG] Ping to 1.1.1.1 succeeded
2024-01-09 18:52:50 [DEBUG] fr.vpnunlimitedapp.com resolved to 195.154.166.20
2024-01-09 18:52:50 [DEBUG] Ping to 195.154.166.20 via eth0 succeeded
2024-01-09 18:52:50 [INFO] Starting OpenVPN...
--------------------
2024-01-09 18:52:50 [DEBUG] OpenVPN PID: 320
2024-01-09 18:52:51 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations. 
2024-01-09 18:52:51 WARNING: file '/config/openvpn/vpn_unlimited_torrent_fr_credentials.conf' is group or others accessible
2024-01-09 18:52:51 OpenVPN 2.6.8 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2024-01-09 18:52:51 library versions: OpenSSL 3.1.4 24 Oct 2023, LZO 2.10
2024-01-09 18:52:51 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-01-09 18:52:51 TCP/UDP: Preserving recently used remote address: [AF_INET]195.154.221.54:1197
2024-01-09 18:52:51 UDPv4 link local: (not bound)
2024-01-09 18:52:51 UDPv4 link remote: [AF_INET]195.154.221.54:1197
2024-01-09 18:53:51 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2024-01-09 18:53:51 TLS Error: TLS handshake failed
2024-01-09 18:53:51 SIGUSR1[soft,tls-error] received, process restarting
2024-01-09 18:53:52 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-01-09 18:53:52 TCP/UDP: Preserving recently used remote address: [AF_INET]195.154.204.36:1197
2024-01-09 18:53:52 UDPv4 link local: (not bound)
2024-01-09 18:53:52 UDPv4 link remote: [AF_INET]195.154.204.36:1197
2024-01-09 18:53:52 [server.ironnodes.com] Peer Connection Initiated with [AF_INET]195.154.204.36:1197
2024-01-09 18:53:52 TUN/TAP device tun0 opened
2024-01-09 18:53:52 /sbin/ip link set dev tun0 up mtu 1500
2024-01-09 18:53:52 /sbin/ip link set dev tun0 up
2024-01-09 18:53:52 /sbin/ip addr add dev tun0 local 10.80.0.66 peer 10.80.0.65
2024-01-09 18:53:53 Initialization Sequence Completed
--------------------
2024-01-09 18:53:53 [DEBUG] Route: 1.1.1.1 via 10.80.0.65 dev tun0 src 10.80.0.66 
2024-01-09 18:53:53 [DEBUG] Ping to 1.1.1.1 succeeded
2024-01-09 18:53:53 [DEBUG] fr.vpnunlimitedapp.com resolved to 195.154.204.36
2024-01-09 18:53:53 [DEBUG] Ping to 195.154.204.36 via eth0 succeeded
[cont-init.d] 20-vpn.sh: exited 0.
[cont-init.d] 30-network.sh: executing... 
2024-01-09 18:53:53 [DEBUG] nf_tables kernel module not loaded
2024-01-09 18:53:53 [ERROR] Failed to load nf_tables kernel module:
--------------------
modprobe: can't change directory to '4.4.302+': No such file or directory
--------------------
Try adding the required volume and capability to this container or load nf_tables manually
poudenes commented 5 months ago

Maybe it was nothing. But after I started the container with the extra lines etc., it seems my whole network got unstable....

Trigus42 commented 5 months ago

Can you try loading the module manually on your host (synology) using modprobe -v nf_tables? Does this work? Can you post the output of uname -a and modinfo nf_tables?

poudenes commented 5 months ago

Nothing...

ash-4.4# modprobe -v nf_tables
modprobe: FATAL: Module nf_tables not found.

ash-4.4# uname -a
Linux Synology 4.4.302+ #69057 SMP Mon Nov 13 14:19:30 CST 2023 x86_64 GNU/Linux synology_geminilake_220+

ash-4.4# modinfo nf_tables
ash: modinfo: command not found
Trigus42 commented 5 months ago

Yeah, it seems like the Synology DSM kernel isn't built with nftables support enabled. I didn't expect to come across any up-to-date systems without nftables support, as it has been supported since kernel version 3.13 and has been slowly replacing iptables-legacy since then.

For now, please use the old image trigus42/qbittorrentvpn:7871e66f8529db34ac58b54e1df56d9db51cf2e5.

Once I've got a little more time, I'll see how to deal with that. I'd rather not switch back to iptables, but I might be left with no choice if I want to support Synology. I am open to suggestions, btw.
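An added example (editor's, not part of this thread and not the image's own init script) of how a container entrypoint can decide between nftables and iptables-legacy before touching any rules, instead of finding out at `nft add table` time, as 30-network.sh does in the first log above. The check follows what the thread established: on the DSM host the kernel (4.4.302+) has no nf_tables module at all (`modprobe: FATAL: Module nf_tables not found`), while inside the container modprobe failed for a different reason, namely that no /lib/modules/4.4.302+ directory was present. The temporary paths, the sample kernel-config lines, the two module trees and the `qbt_probe` table name are constructed for the demo; reading CONFIG_NF_TABLES from a kernel config assumes the host exposes one (for example via /proc/config.gz), which not every kernel does, so the live `nft_probe` is the check that actually counts and it needs CAP_NET_ADMIN.

```shell
#!/bin/sh
# Added example (not the image's own script): pick a firewall backend
# based on whether the running kernel can back nftables at all.

# kernel_has_nf_tables KCONFIG MODDIR
#   KCONFIG: plain-text kernel config (e.g. the output of `zcat /proc/config.gz`),
#            may be absent; MODDIR: the /lib/modules/<release> directory.
#   Returns 0 if nf_tables is built in or present as a loadable module.
kernel_has_nf_tables() {
    kconfig=$1
    moddir=$2
    # Built in: CONFIG_NF_TABLES=y. A "=m" kernel still needs the module below.
    if [ -r "$kconfig" ] && grep -q '^CONFIG_NF_TABLES=y$' "$kconfig"; then
        return 0
    fi
    # Loadable: nf_tables.ko, possibly compressed (.ko.xz, .ko.zst, .ko.gz).
    # On the DSM host in the thread this directory did not exist for 4.4.302+.
    if [ -d "$moddir" ] && find "$moddir" -name 'nf_tables.ko*' 2>/dev/null | grep -q .; then
        return 0
    fi
    return 1
}

# choose_backend KCONFIG MODDIR: prints "nftables" or "iptables-legacy".
choose_backend() {
    if kernel_has_nf_tables "$1" "$2"; then
        echo nftables
    else
        echo iptables-legacy
    fi
}

# nft_probe: the authoritative check, only meaningful with CAP_NET_ADMIN.
# Creates and removes a throwaway table; a "Not supported" answer from the
# kernel (as in the log above) makes this return 1.
nft_probe() {
    command -v nft >/dev/null 2>&1 || return 1
    nft add table inet qbt_probe 2>/dev/null || return 1
    nft delete table inet qbt_probe 2>/dev/null
    return 0
}

# Demo with constructed inputs: a modern kernel shipping nf_tables as a
# module, and a DSM-like 4.4.302+ kernel with neither the option nor the module.
demo() {
    tmp=$(mktemp -d)
    printf 'CONFIG_NETFILTER=y\n# CONFIG_NF_TABLES is not set\n' > "$tmp/dsm.config"
    printf 'CONFIG_NETFILTER=y\nCONFIG_NF_TABLES=m\n' > "$tmp/modern.config"
    mkdir -p "$tmp/modules/4.4.302+/kernel/net/netfilter"
    mkdir -p "$tmp/modules/6.1.0/kernel/net/netfilter"
    : > "$tmp/modules/6.1.0/kernel/net/netfilter/nf_tables.ko.xz"
    echo "6.1.0    -> $(choose_backend "$tmp/modern.config" "$tmp/modules/6.1.0")"
    echo "4.4.302+ -> $(choose_backend "$tmp/dsm.config" "$tmp/modules/4.4.302+")"
    if nft_probe; then
        echo "live nft probe: ok"
    else
        echo "live nft probe: nft missing, no CAP_NET_ADMIN, or kernel lacks nf_tables"
    fi
    rm -rf "$tmp"
}

demo
```

Whichever backend is selected, the failure mode worth keeping is the one the image already shows in the log: if the rules cannot be installed, refuse to start qBittorrent ("Firewall is down! Exiting..") rather than run with traffic able to leave over eth0 instead of tun0.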

poudenes commented 5 months ago

Reverted back to trigus42/qbittorrentvpn:7871e66f8529db34ac58b54e1df56d9db51cf2e5 and it's working. Let me know if I can do something to test. I can create a second container for testing.

schnillerman commented 1 month ago

> Yeah, it seems like the Synology DSM kernel isn't built with nftables support enabled. I didn't expect to come across any up-to-date systems without nftables support, as it has been supported since kernel version 3.13 and has been slowly replacing iptables-legacy since then.
>
> For now, please use the old image trigus42/qbittorrentvpn:7871e66f8529db34ac58b54e1df56d9db51cf2e5.
>
> Once I've got a little more time, I'll see how to deal with that. I'd rather not switch back to iptables, but I might be left with no choice if I want to support Synology. I am open to suggestions, btw.

Which one is newer?

I'm sorry but I can't figure it out by myself

krazeedrivr commented 1 month ago

Just letting everyone know, this doesn't only affect a Synology NAS. I ran into the same issue on a Tinkerboard S running Tinker OS. The "trigus42/qbittorrentvpn:7871e66f8529db34ac58b54e1df56d9db51cf2e5" image fixed the issue for me, but I'm guessing it can never be updated from there?

Trigus42 commented 3 weeks ago

I have created a legacy-iptables branch. Please try the image

krazeedrivr commented 1 week ago

legacy-iptables didn't work for me. It looked like the VPN would connect, but there were errors adding rules, though I don't have the output. Had to go back to 7871e66f8529db34ac58b54e1df56d9db51cf2e5, which still works for me.