lisenet / docker-openvpn

OpenVPN server in a Docker container.
MIT License

iptables: Extension MASQUERADE revision 0 not supported #4

Closed DavidBertet closed 3 months ago

DavidBertet commented 9 months ago

I've been getting this error with the latest image (haven't tried previous ones)

Warning: Extension MASQUERADE revision 0 not supported, missing kernel module?
iptables v1.8.9 (nf_tables): Could not fetch rule set generation id: Invalid argument

Using legacy version of iptables by running

apk add iptables-legacy
rm /sbin/iptables
ln -s /sbin/iptables-legacy /sbin/iptables

Fixed the issue

Could you take a look to fix the image itself? Thanks!

lisenet commented 9 months ago

What platform/OS do you run the OpenVPN container on so that I can replicate this?

Could you please restart your container and send me its full log please? Thanks.

DavidBertet commented 9 months ago

I'm on a Synology NAS

DSM 7.1.1-42962 Update 6 Docker version 20.10.3, build 55f0773

I don't have many more logs than that

david:~$ docker run --volume openvpn-data:/etc/openvpn --rm -it --entrypoint sh --cap-add=NET_ADMIN lisenet/openvpn
/ # ovpn_run
Warning: Extension MASQUERADE revision 0 not supported, missing kernel module?
iptables v1.8.9 (nf_tables): Could not fetch rule set generation id: Invalid argument

Using this image works

FROM lisenet/openvpn

RUN apk add iptables-legacy && \
    rm /sbin/iptables && \
    ln -s /sbin/iptables-legacy /sbin/iptables

CMD ["ovpn_run"]

From https://gitlab.com/postmarketOS/pmaports/-/issues/2122#note_1418204524

lisenet commented 9 months ago

Does Synology NAS use an old version of iptables (legacy) and not nftables? If so, that might explain the problem that you are having.

This is a tricky one to be honest with you because the world (Red Hat, Canonical) is moving to nftables. It's been the default backend for the firewall since RHEL 8 and Ubuntu 21.10.

ruimarinho commented 8 months ago

I'm getting the same error. Would be great to support an environment variable allowing the usage of legacy iptables for use cases such as Synology NAS where the kernel version is not user-upgradable.

lisenet commented 8 months ago

Where would you expect to have an environment variable defined? Inside a Dockerfile so that it builds an image with iptables-legacy if say "env legacy" is set to true? Or would you build the image with iptables-legacy installed by default, and then use some clever logic to invoke it based on some environment variable?

ruimarinho commented 8 months ago

My preference would be to build the image with iptables-legacy and conditionally use the binary iptables or nftables based on the environment variable.
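An added example, not code from lisenet/docker-openvpn, of the runtime selection ruimarinho proposes above: the image ships both the nf_tables-backed `/sbin/iptables` and `/sbin/iptables-legacy` (as in DavidBertet's Dockerfile workaround), and the entrypoint picks one before adding the MASQUERADE rule. The variable name `OVPN_IPTABLES_BACKEND`, the function names, and the `10.8.0.0/24` subnet are assumptions for illustration; the `auto` mode probes each binary by listing the `nat` table, which is the operation that failed with "Could not fetch rule set generation id" on the Synology kernel.

```shell
#!/bin/sh
# Added example (not the project's own code). Assumed layout: the image has
# /sbin/iptables (nf_tables backend, Alpine "iptables" package) and
# /sbin/iptables-legacy (Alpine "iptables-legacy" package) installed side by side.
# OVPN_IPTABLES_BACKEND=nft|legacy|auto (hypothetical name) selects the backend.

# backend_works BIN: exit 0 if BIN exists and can list the nat table on this
# kernel, 1 otherwise. A missing kernel module makes the nft backend fail here.
backend_works() {
  bin="$1"
  [ -x "$bin" ] || return 1
  "$bin" -w -t nat -L -n >/dev/null 2>&1
}

# resolve_iptables WANT [DIR]: print the iptables binary to use.
#   WANT = nft | legacy | auto (default auto); DIR defaults to /sbin.
# "auto" prefers the nf_tables backend and falls back to legacy when the
# kernel rejects it, so hosts that cannot upgrade the kernel still work.
resolve_iptables() {
  want="${1:-auto}"
  dir="${2:-/sbin}"
  nft="$dir/iptables"
  legacy="$dir/iptables-legacy"
  case "$want" in
    nft)    echo "$nft" ;;
    legacy) echo "$legacy" ;;
    auto)
      if backend_works "$nft"; then
        echo "$nft"
      elif backend_works "$legacy"; then
        echo "$legacy"
      else
        echo "no working iptables backend found in $dir" >&2
        return 1
      fi
      ;;
    *)
      echo "unknown OVPN_IPTABLES_BACKEND value: $want" >&2
      return 1
      ;;
  esac
}

# Entrypoint usage: only runs when invoked as `sh select-iptables.sh run`,
# so that sourcing the file for its functions has no side effects.
if [ "${1:-}" = "run" ]; then
  IPT="$(resolve_iptables "${OVPN_IPTABLES_BACKEND:-auto}")" || exit 1
  echo "using $IPT" >&2
  # 10.8.0.0/24 is a placeholder; use the subnet your OpenVPN server hands out.
  "$IPT" -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
fi
```

With `OVPN_IPTABLES_BACKEND` unset the container behaves as the current image does on hosts whose kernel supports nf_tables, and silently switches to the legacy binary only where the probe fails; setting it to `legacy` explicitly pins the behaviour for a host like the Synology NAS and logs which binary was chosen, so a switch of firewall backend shows up in the container log rather than going unnoticed.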