linuxserver / docker-wireguard

GNU General Public License v3.0

[BUG] -ls23 and onwards has issue with adding iptables rules #325

Closed alysak6075 closed 6 months ago

alysak6075 commented 7 months ago


Current Behavior

When there is a PostUp command, iptables breaks:

[#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument

Expected Behavior

The tunnel should be up

Steps To Reproduce

Add to Interface: PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Environment

- OS: Synology DSM 7.1
- How docker service was installed: Container Manager

CPU architecture

x86-64

Docker creation

docker run -d \
  --name=wireguard \
  --cap-add=NET_ADMIN \
  --cap-add=SYS_MODULE \
  -e PUID=1027 \
  -e PGID=100 \
  -e TZ=America/Chicago \
  -p <PORT>:<PORT>/udp \
  -v /volume3/docker_ssd/wireguard/config:/config \
  --sysctl="net.ipv4.conf.all.src_valid_mark=1" \
  --sysctl="net.ipv4.ip_forward=1" \
  --sysctl="net.ipv6.conf.all.forwarding=1" \
  --sysctl="net.ipv6.conf.default.forwarding=1" \
  --restart unless-stopped \
  linuxserver/wireguard

Container logs

[#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument

github-actions[bot] commented 7 months ago

Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.

def324 commented 6 months ago

I have the same issue on qnap.

uname -r 5.10.60-qnap

xankletas commented 6 months ago

Same issue here on an arm64.

uname -a Linux CoreELEC 5.4.210 #1 SMP PREEMPT Mon Feb 19 10:40:19 CET 2024 aarch64 GNU/Linux

I solved it using the "legacy" version --> arm64v8-1.0.20210914-legacy

aptalca commented 6 months ago

Looks like this here is the culprit: https://git.alpinelinux.org/aports/tree/main/iptables/iptables.post-upgrade?h=3.19-stable

tl;dr alpine 3.19 switched to nftables under the hood so kernel support for nftables is required. Most newer kernels should support it, but it seems qnap and coreelec do not.

We'll evaluate internally how best to move forward.

def324 commented 6 months ago

My solution/workaround was to pin the version to "v1.0.20210914-ls22". That way there is no need for the "legacy" build.

cityofships commented 3 months ago

For what it's worth, I had to s/iptables/iptables-nft in wg0.conf in order to get the latest container version working on a recent RedHat family system (Rocky Linux 9.4). Without this I was seeing behaviour as in https://github.com/linuxserver/docker-wireguard/issues/327, with a properly set up /lib/modules mount.

Reference: https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/9.0_release_notes/deprecated_functionality#deprecated-functionality_networking
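A shell helper that probes for a working iptables backend before adding the PostUp rules from this issue, trying the nf_tables build first and falling back to the legacy build, which covers both the cause aptalca describes and the iptables-nft rename cityofships used. This is an added example, not code from the linuxserver/docker-wireguard project; it assumes the image provides `iptables-nft` and `iptables-legacy` binaries, and the names `pick_iptables`, `wg_postup` and `IPT_CANDIDATES` are chosen here.

```shell
#!/bin/sh
# Added example (not from linuxserver/docker-wireguard): choose a working
# iptables backend before adding the PostUp rules from this issue.
# Alpine 3.19 ships iptables v1.8.10 built on nf_tables; on a kernel without
# nftables support it fails with "Could not fetch rule set generation id".
# Assumption: the image provides iptables-nft and iptables-legacy binaries
# (check inside the container with: ls -l /sbin/iptables*).

# Print the first candidate backend whose probe (listing the filter table)
# succeeds; return 1 if none works. Candidates are tried in argument order.
pick_iptables() {
  for cand in "$@"; do
    if command -v "$cand" >/dev/null 2>&1 && "$cand" -L -n >/dev/null 2>&1; then
      printf '%s\n' "$cand"
      return 0
    fi
  done
  return 1
}

# PostUp replacement: wg_postup <wan interface> <wireguard interface>
# IPT_CANDIDATES (hypothetical variable) overrides the backend search order.
wg_postup() {
  wan_if="${1:-eth0}"
  wg_if="${2:-wg0}"
  ipt=$(pick_iptables ${IPT_CANDIDATES:-iptables-nft iptables-legacy iptables}) || {
    echo "no working iptables backend: kernel lacks nftables and no legacy build found" >&2
    return 1
  }
  # Same rules as the issue's PostUp line, run through the backend that works.
  "$ipt" -A FORWARD -i "$wg_if" -j ACCEPT
  "$ipt" -t nat -A POSTROUTING -o "$wan_if" -j MASQUERADE
}
```

Saved as /config/postup.sh (assumed path), it can be wired in with `PostUp = sh -c '. /config/postup.sh && wg_postup eth0 wg0'`; a failure then surfaces as a clear message instead of the nf_tables error above.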