netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

Support iptables with nf_tables backend #2232

Open deb75 opened 5 years ago

deb75 commented 5 years ago

Hello,

I run firejail on Debian buster. After an upgrade I suddenly got this error:

Reading profile /etc/firejail/firefox-esr.profile
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 4727, child pid 4728
iptables-restore v1.8.1 (nf_tables): 
line 1: CHAIN_ADD failed (No such file or directory): chain INPUT
line 1: CHAIN_ADD failed (No such file or directory): chain FORWARD
line 1: CHAIN_ADD failed (No such file or directory): chain OUTPUT
line 2: CHAIN_UPDATE failed (No such file or directory): chain INPUT
line 3: CHAIN_UPDATE failed (No such file or directory): chain FORWARD
line 4: CHAIN_UPDATE failed (No such file or directory): chain OUTPUT
line 5: RULE_APPEND failed (No such file or directory): rule in chain INPUT
line 6: RULE_APPEND failed (No such file or directory): rule in chain INPUT
line 9: RULE_APPEND failed (No such file or directory): rule in chain INPUT
line 10: RULE_APPEND failed (No such file or directory): rule in chain INPUT
line 11: RULE_APPEND failed (No such file or directory): rule in chain INPUT
line 13: RULE_APPEND failed (No such file or directory): rule in chain OUTPUT
line 14: RULE_APPEND failed (No such file or directory): rule in chain OUTPUT
line 16: RULE_APPEND failed (No such file or directory): rule in chain OUTPUT
Error: failed to run /sbin/iptables-restore
Error: proc 4727 cannot sync with peer: unexpected EOF
Peer 4728 unexpectedly exited with status 1

with the command firejail --private --net=wlp1s0 firefox-esr, wlp1s0 being my wifi card.

I do not have any error with just: firejail --private firefox-esr.

It seems to be an issue with iptables rules, but I am unable to understand it. Would you have any hints?

Best regards

deb75 commented 5 years ago

Hi,

I am getting stuck with this issue, googling part of the error message does not lead to any hints.

It seems that there have been some changes in the iptables packages which are not yet reflected in firejail, but it is a little out of scope for me for now.

I am happy with any help; I am pretty sure other people face this issue.

netblue30 commented 5 years ago

Probably the new version of iptables is creating the problem.

deb75 commented 5 years ago

Hi,

Thanks for coping with this issue, if you need me to test anything, please ask.

Regards

reinerh commented 5 years ago

iptables-restore v1.8.1 (nf_tables)

Are you by chance using Debian? Since 1.8.1 by default the nf_tables backend is used instead of the xtables backend. See NEWS.Debian: https://sources.debian.org/src/iptables/1.8.1-2/debian/NEWS/ You can try switching to the legacy mode with the following command (assuming Debian): update-alternatives --set iptables /usr/sbin/iptables-legacy
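The backend named in the `iptables-restore` banner is the diagnostic hint reinerh points at, so here is a small POSIX shell script, added as an example and not part of firejail or this thread, that classifies the backend from that banner and counts the `CHAIN_ADD`/`CHAIN_UPDATE`/`RULE_APPEND` failure lines from a captured `iptables-restore` error log. The sample log is constructed from the output posted in the first comment; the only remediation it suggests is the `update-alternatives` command given above.

```shell
#!/bin/sh
# Added example, not firejail's own code: detect the iptables backend from a
# version banner and recognise a failed iptables-restore run like the one in
# this issue.

# Print the backend embedded in an iptables or iptables-restore banner,
# e.g. "iptables-restore v1.8.1 (nf_tables)" -> nf_tables.
iptables_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Count lines of the form
# "line N: CHAIN_ADD failed (No such file or directory): chain INPUT"
# on stdin. grep -c prints 0 and exits 1 when nothing matches, so the
# "|| true" keeps the count usable under set -e.
count_restore_failures() {
    grep -c -E '^line [0-9]+: (CHAIN_ADD|CHAIN_UPDATE|RULE_APPEND) failed' || true
}

# Read an iptables-restore error log on stdin, report backend and failure
# count, and return 1 when the nf_tables backend rejected the ruleset.
diagnose_restore_log() {
    log=$(cat)
    banner=$(printf '%s\n' "$log" | grep '^iptables-restore v' | head -n 1)
    backend=$(iptables_backend "$banner")
    failures=$(printf '%s\n' "$log" | count_restore_failures)
    if [ "$backend" = nf_tables ] && [ "$failures" -gt 0 ]; then
        echo "nf_tables backend rejected $failures restore lines;" \
             "try: update-alternatives --set iptables /usr/sbin/iptables-legacy"
        return 1
    fi
    echo "backend=$backend failures=$failures"
    return 0
}

# Constructed sample, trimmed from the log in the issue report.
SAMPLE_LOG='iptables-restore v1.8.1 (nf_tables):
line 1: CHAIN_ADD failed (No such file or directory): chain INPUT
line 1: CHAIN_ADD failed (No such file or directory): chain FORWARD
line 2: CHAIN_UPDATE failed (No such file or directory): chain INPUT
line 5: RULE_APPEND failed (No such file or directory): rule in chain INPUT
Error: failed to run /sbin/iptables-restore'

# Demo on the constructed log (exit status ignored so the script runs through).
printf '%s\n' "$SAMPLE_LOG" | diagnose_restore_log || :

# If iptables is installed locally, report which backend it is using.
if command -v iptables >/dev/null 2>&1; then
    echo "local iptables backend: $(iptables_backend "$(iptables -V 2>/dev/null || true)")"
fi
```

Run it as-is to see the verdict for the sample log, or pipe the real stderr of a failing `firejail --net=... ` launch into `diagnose_restore_log`; the last block only prints the local backend and changes nothing.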

deb75 commented 5 years ago

Hi

You guessed right and your hack makes firejail work again.

Thanks :+1:

reinerh commented 5 years ago

Thanks for confirmation. I'll keep it open and change it to an "enhancement" bug for nf_tables support.

ErenjeSimon commented 2 years ago

Thank you @reinerh, update-alternatives --set iptables /usr/sbin/iptables-legacy worked for running nipe and anonsurf on WSL2 Debian (Kali Linux).