j4ym0 / pia-qbittorrent-docker

Private internet access & qBittorrent Docker
https://hub.docker.com/r/j4ym0/pia-qbittorrent/
MIT License

Latest release undefined error when flushing iptables rules #16

Closed owenvoke closed 3 weeks ago

owenvoke commented 1 month ago

Since updating to yesterday's release, I am getting the following error when the latest Docker image tries to boot.

[INFO] Setting firewall
* Block everything
* Deleting all iptables rules... iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument
[ERROR] Undefined error, with status 4

I'm assuming this is maybe related to the Alpine 3.20 upgrade? 🤔 However, looking at 3.19 and 3.20, iptables is version 1.8.10-r3 for both. 🤷🏻

jordilaforge commented 1 month ago

Hi there, I get exactly the same error. Is there already a fix?

j4ym0 commented 1 month ago

@owenvoke When you created the docker, did you use --cap-add=NET_ADMIN?

What host are you running? The container seems to run fine on my Docker for Windows, my Ubuntu 24 and rpi.

jordilaforge commented 1 month ago

I run the latest j4ym0/pia-qbittorrent:latest on a Synology NAS. NET_ADMIN is already added.

j4ym0 commented 1 month ago

@jordilaforge Doing some quick research, Synology DSM does not come with nft. If you are able to SSH into your NAS, can you try running 'nft --version' to see if it is installed? If not, try installing it: apt-get update && apt-get install nftables

Nftables is the new backend for iptables firewall in 1.8.x. I suspect this could be the issue.

jordilaforge commented 1 month ago

Could you provide the old version till I can have a look into that? On Docker Hub I only see the latest. Would be nice to have older versions too. Thanks

j4ym0 commented 1 month ago

@jordilaforge I will rebuild them when I get back later this afternoon. Have you tried the Ubuntu image or is it just the alpine/latest?

jordilaforge commented 1 month ago

Same error with Ubuntu image....

owenvoke commented 1 month ago

Sorry, I completely missed these notifications. I'm also on Synology NAS (DSM 7.2.1). I can confirm that nft --version mentions that the command does not exist on Synology (and yes, I used --cap-add=NET_ADMIN).

Various other projects seem to use update-alternatives --set iptables /usr/sbin/iptables-legacy to get around the issue. But not sure if that's a good solution (looks like Alpine qBittorrent used an env variable to toggle between nftables and iptables).

RE installing it, apt isn't a thing on Synology, but nftables doesn't seem available through Synology packages anyway. 🫤 That's pretty poor, as I thought nftables had been around for ages. 🤔

j4ym0 commented 1 month ago

@owenvoke There was a jump from Alpine 3.16 to Alpine 3.20 due to a dependent requirement that is not available in Alpine 3.17+; this has now been worked round. Hence the jump. You would have to use SSH to get access to the underlying Synology OS to install nftables; it would not be a package through the web UI.

@jordilaforge I am rebuilding the old Alpine 3.16 container, which should be pushed in a few hours: j4ym0/pia-qbittorrent:alpine-3.16

So looks like it is the host that does not have the nftables package causing the issue, even though the container firewall rules are using iptables. I will do some testing and come back.

owenvoke commented 1 month ago

Thanks for looking into this.

I was looking for the nftables package via SSH (rather than in the web UI). But I'm happy with using the alpine-3.16 image for now. I can confirm it works fine! Thanks. 👍🏻

marc115uk commented 1 month ago

Same issue here, on Synology. Am using the alpine-3.16 image to temporarily fix it. Doesn't look like you can install nftables via SSH.

j4ym0 commented 1 month ago

I have a fix that will be pushed into the latest feed when I have done some more testing.

I have pushed a preview with the Docker tag synology. Set LEGACY_IPTABLES to true in your environment variables; tested on my DSM Vbox and works here.

owenvoke commented 1 month ago

Testing the new tag with LEGACY_IPTABLES=true on my Synology NAS and it seems to be working perfectly! Thanks.

j4ym0 commented 3 weeks ago

Pushed to latest feed on Docker.
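
The backend choice discussed in this thread, written as a container entrypoint fragment. This is an added example, not the project's own script: it honours the LEGACY_IPTABLES toggle named above, probes the backend before touching any rules, and refuses to continue if no backend works, so the VPN container never starts without its firewall. The automatic fallback from nft to legacy goes beyond what the thread describes, and IPT_NFT / IPT_LEGACY are hypothetical override variables added so the logic can be exercised with stubs.

```shell
#!/bin/sh
# Added example, not the project's entrypoint. Assumes the image ships both
# the iptables-nft and iptables-legacy binaries from iptables 1.8.x.

# Print the name of a working iptables binary, or return 1 if none works.
select_iptables() {
    nft_bin="${IPT_NFT:-iptables-nft}"          # hypothetical override, for testing
    legacy_bin="${IPT_LEGACY:-iptables-legacy}" # hypothetical override, for testing
    if [ "${LEGACY_IPTABLES:-false}" = "true" ]; then
        candidates="$legacy_bin"                # explicit toggle from the thread
    else
        candidates="$nft_bin $legacy_bin"       # added generalization: auto fallback
    fi
    for bin in $candidates; do
        # Listing rules is read-only. It fails when the host kernel does not
        # support this backend, or when NET_ADMIN was not granted.
        if "$bin" -S >/dev/null 2>&1; then
            echo "$bin"
            return 0
        fi
    done
    return 1
}

# Apply the base policy with whichever backend works; fail closed otherwise.
setup_firewall() {
    if ! ipt="$(select_iptables)"; then
        echo "[ERROR] No usable iptables backend; not starting without a firewall" >&2
        return 1
    fi
    echo "[INFO] Setting firewall using $ipt" >&2
    # Block everything first, then delete old rules, so traffic is never
    # allowed in between. Any failing step makes the whole function fail.
    "$ipt" -P INPUT DROP && "$ipt" -P FORWARD DROP && "$ipt" -P OUTPUT DROP &&
        "$ipt" -F && "$ipt" -X
}
```

An entrypoint would call `setup_firewall || exit 1` before launching the VPN client or qBittorrent.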