netbirdio / netbird

Connect your devices into a secure WireGuard®-based overlay network with SSO, MFA and granular access controls.
https://netbird.io
BSD 3-Clause "New" or "Revised" License

Peers not reachable using Linux kernel 5.4.193 (with patches) #1509

Open KlausPopp opened 7 months ago

KlausPopp commented 7 months ago

We are trying to get netbird running on Yocto Linux for an embedded device (arm64) using Linux kernel 5.4.193 with patches.

The node is connected to the netbird cloud servers and can see all the peers in the network. The strange thing is that I can ping from my node to only some of the peers. For the peers that don't work, I see that the WireGuard handshake isn't working and the transfer status shows that the transfer works only in one direction.

Further investigation shows errors in the netbird client.log:

2024-01-30T10:11:48Z ERRO client/firewall/nftables/route_linux.go:82: failed to create containers for route: nftables: unable to initialize table: conn.Receive: netlink receive: operation not supported
2024-01-30T10:11:48Z ERRO client/firewall/create_linux.go:54: failed to create nftables manager: nftables: unable to initialize table: conn.Receive: netlink receive: operation not supported
2024-01-30T10:11:48Z ERRO client/internal/engine.go:266: failed creating firewall manager: nftables: unable to initialize table: conn.Receive: netlink receive: operation not supported

We were able to work around the issue by setting NB_SKIP_NFTABLES_CHECK=true when starting netbird. With that setting, the error entries disappear from the log and we can access all peers.

For further info, see https://netbirdio.slack.com/archives/C02KHAE8VLZ/p1706609731470089

To Reproduce

I can reproduce it easily on my machine, by just starting netbird.

Expected behavior

Peers should be accessible.

Are you using NetBird Cloud?

NetBird Cloud

NetBird version

0.25.5
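The log lines above ("netlink receive: operation not supported" while initializing an nftables table) are what you get when the kernel answers netlink nf_tables requests with EOPNOTSUPP, typically because nf_tables was not compiled in. Before reaching for NB_SKIP_NFTABLES_CHECK=true on a custom embedded kernel, it is worth confirming that this is the actual cause. The following is an added example, not code from the netbird project or from this issue: it checks the kernel config for CONFIG_NF_TABLES and only emits the skip variable when support is absent. The helper names and the sample config text are assumptions constructed for this example.

```sh
#!/bin/sh
# Added example (not part of netbird or this issue): decide whether the running
# kernel exposes nf_tables before starting the netbird client.

# Live probe: `nft list tables` fails on kernels without nf_tables support.
# Returns 0 if nftables works, 1 if the kernel refuses, 2 if `nft` is missing.
nft_live_probe() {
  command -v nft >/dev/null 2>&1 || return 2
  nft list tables >/dev/null 2>&1
}

# Static probe against a kernel config file (e.g. /boot/config-$(uname -r),
# or `zcat /proc/config.gz` redirected to a file). Prints "y", "m" or "n".
# Caveat: "m" only means the module exists; it still has to be loadable.
nft_config_state() {
  state=$(grep -E '^CONFIG_NF_TABLES=' "$1" | cut -d= -f2)
  case "$state" in
    y|m) printf '%s\n' "$state" ;;
    *)   printf 'n\n' ;;
  esac
}

# Print the environment assignment to prepend to the netbird start command:
# the skip variable from this issue when nf_tables is absent, nothing otherwise.
# Skipping the check is a workaround, not a fix, so only emit it when needed.
netbird_env_for() {
  case "$(nft_config_state "$1")" in
    y|m) printf '\n' ;;
    n)   printf 'NB_SKIP_NFTABLES_CHECK=true\n' ;;
  esac
}

# Demo on a constructed config that mirrors a kernel built without nf_tables.
# Hypothetical path; replace with the real kernel config on the target.
demo_cfg=$(mktemp)
printf 'CONFIG_NETFILTER=y\n# CONFIG_NF_TABLES is not set\n' > "$demo_cfg"
printf 'CONFIG_NF_TABLES state: %s\n' "$(nft_config_state "$demo_cfg")"
printf 'netbird env: %s\n' "$(netbird_env_for "$demo_cfg")"
rm -f "$demo_cfg"
```

On the embedded box the fix that removes the need for the workaround is to enable CONFIG_NF_TABLES (plus the IPv4/IPv6 nf_tables options) in the Yocto kernel config; the live probe can then be re-run to confirm the nftables manager will initialize.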

adasauce commented 6 months ago

@KlausPopp Thanks for posting the workaround. I'm experiencing this too on an arm64 machine using kernel 5.4.180, running in a Docker container.

I'm using self-hosted netbird on version 0.26.

Do we know why disabling the nftables check makes things start to work normally?