Open pdfrg opened 2 months ago
@qdm12 is more or less the only maintainer of this project and works on it in his free time. Please:
Thanks for the detailed issue and investigation! Try having ip6tables working in a container, for example does this work:
docker run -it --rm alpine:3.19
apk add ip6tables
ip6tables -L
Doesn't look like it. I'm not exactly proficient in Alpine, but I appear to be acting as root and still get this error:
/ # id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
/ # apk add ip6tables
fetch https://dl-cdn.alpinelinux.org/alpine/v3.19/main/aarch64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.19/community/aarch64/APKINDEX.tar.gz
(1/4) Installing libmnl (1.0.5-r2)
(2/4) Installing libnftnl (1.2.6-r0)
(3/4) Installing libxtables (1.8.10-r3)
(4/4) Installing iptables (1.8.10-r3)
Executing busybox-1.36.1-r15.trigger
OK: 16 MiB in 19 packages
/ # ip6tables -L
ip6tables v1.8.10 (nf_tables): Could not fetch rule set generation id: Permission denied (you must be root)
/ # sudo ip6tables -L
/bin/sh: sudo: not found
How about the following, which one does work?
docker run -it --rm --cap-add=NET_ADMIN alpine:3.19
apk add ip6tables
ip6tables -L
exit
docker run -it --rm --privileged --cap-add=NET_ADMIN alpine:3.19
apk add ip6tables
ip6tables -L
exit
docker run -it --rm alpine:3.19
apk add iptables-legacy
ip6tables-legacy -L
docker run -it --rm --cap-add=NET_ADMIN alpine:3.19
apk add iptables-legacy
ip6tables-legacy -L
Doesn't look like any of them do.
~$ docker run -it --rm --cap-add=NET_ADMIN alpine:3.19
/ # apk add ip6tables
fetch https://dl-cdn.alpinelinux.org/alpine/v3.19/main/aarch64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.19/community/aarch64/APKINDEX.tar.gz
(1/4) Installing libmnl (1.0.5-r2)
(2/4) Installing libnftnl (1.2.6-r0)
(3/4) Installing libxtables (1.8.10-r3)
(4/4) Installing iptables (1.8.10-r3)
Executing busybox-1.36.1-r15.trigger
OK: 16 MiB in 19 packages
/ # ip6tables -L
ip6tables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument
/ # exit
~$ docker run -it --rm --privileged --cap-add=NET_ADMIN alpine:3.19
/ # apk add ip6tables
fetch https://dl-cdn.alpinelinux.org/alpine/v3.19/main/aarch64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.19/community/aarch64/APKINDEX.tar.gz
(1/4) Installing libmnl (1.0.5-r2)
(2/4) Installing libnftnl (1.2.6-r0)
(3/4) Installing libxtables (1.8.10-r3)
(4/4) Installing iptables (1.8.10-r3)
Executing busybox-1.36.1-r15.trigger
OK: 16 MiB in 19 packages
/ # ip6tables -L
ip6tables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument
/ # exit
~$ docker run -it --rm alpine:3.19
/ # apk add iptables-legacy
fetch https://dl-cdn.alpinelinux.org/alpine/v3.19/main/aarch64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.19/community/aarch64/APKINDEX.tar.gz
(1/4) Installing libip4tc (1.8.10-r3)
(2/4) Installing libip6tc (1.8.10-r3)
(3/4) Installing libxtables (1.8.10-r3)
(4/4) Installing iptables-legacy (1.8.10-r3)
Executing busybox-1.36.1-r15.trigger
OK: 8 MiB in 19 packages
/ # ip6tables-legacy -L
modprobe: can't change directory to '/lib/modules': No such file or directory
ip6tables v1.8.10 (legacy): can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.
/ # exit
~$ docker run -it --rm --cap-add=NET_ADMIN alpine:3.19
/ # apk add iptables-legacy
fetch https://dl-cdn.alpinelinux.org/alpine/v3.19/main/aarch64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.19/community/aarch64/APKINDEX.tar.gz
(1/4) Installing libip4tc (1.8.10-r3)
(2/4) Installing libip6tc (1.8.10-r3)
(3/4) Installing libxtables (1.8.10-r3)
(4/4) Installing iptables-legacy (1.8.10-r3)
Executing busybox-1.36.1-r15.trigger
OK: 8 MiB in 19 packages
/ # ip6tables-legacy -L
modprobe: can't change directory to '/lib/modules': No such file or directory
ip6tables v1.8.10 (legacy): can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.
/ # exit
The error ip6tables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument
is possibly unsolvable, except using a workaround described at https://github.com/P0cL4bs/wifipumpkin3/issues/140#issuecomment-1294201623
On the other hand, the error ip6tables v1.8.10 (legacy): can't initialize ip6tables table 'filter': Table does not exist (do you need to insmod?)
can possibly be solved in a less ugly way, can you try running on your host:
sudo modprobe ip6table_filter
And run the 3rd or 4th command again?
Sorry I can't help more, this Docker/Apple update is pretty bad (2 other issues popped up as well because of its bad IPv6 support).
Actually reviewing all this, I think it's just your kernel not supporting nftables, try running on your host as root: modprobe nf_tables ?
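An added example, not part of the thread and not gluetun's code: a POSIX shell helper that pairs the container's effective capability mask (CapEff in /proc/self/status) with the ip6tables error text, to tell apart the three failures seen above. The CapEff masks are constructed sample values and the finding names are hypothetical labels; the error strings are the ones quoted in this thread.

```shell
#!/bin/sh
# Added example: classify the ip6tables failures quoted in this thread.
CAP_NET_ADMIN_BIT=12   # CAP_NET_ADMIN in linux/capability.h

# has_net_admin HEXMASK: true if the CapEff mask has CAP_NET_ADMIN set.
has_net_admin() {
  [ $(( (0x$1 >> $CAP_NET_ADMIN_BIT) & 1 )) -eq 1 ]
}

# diagnose CAPEFF STDERR: print space-separated findings (hypothetical labels).
diagnose() {
  findings=""
  has_net_admin "$1" || findings="missing-cap-net-admin"
  case "$2" in
    *"(nf_tables)"*"Invalid argument"*)
      # Thread's suggestion: on the host, modprobe nf_tables
      findings="$findings kernel-lacks-nf_tables" ;;
    *"(legacy)"*"Table does not exist"*)
      # Thread's suggestion: on the host, modprobe ip6table_filter
      findings="$findings ip6table_filter-not-loaded" ;;
  esac
  findings=${findings# }
  echo "${findings:-unclassified}"
}

# live_check: run inside the container under test (needs the iptables package).
live_check() {
  capeff=$(awk '/^CapEff:/ {print $2}' /proc/self/status)
  err=$(ip6tables -L 2>&1 >/dev/null) || true
  diagnose "$capeff" "$err"
}

# Constructed CapEff masks: typical Docker defaults, then with --cap-add=NET_ADMIN.
CAPS_DEFAULT=00000000a80425fb
CAPS_NET_ADMIN=00000000a80435fb
# Error lines as quoted in the thread.
E_PERM="ip6tables v1.8.10 (nf_tables): Could not fetch rule set generation id: Permission denied (you must be root)"
E_INVAL="ip6tables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument"
E_LEGACY="ip6tables v1.8.10 (legacy): can't initialize ip6tables table \`filter': Table does not exist (do you need to insmod?)"

if [ "${1:-}" = "--live" ]; then
  live_check
else
  diagnose "$CAPS_DEFAULT" "$E_PERM"
  diagnose "$CAPS_NET_ADMIN" "$E_INVAL"
  diagnose "$CAPS_DEFAULT" "$E_LEGACY"
  diagnose "$CAPS_NET_ADMIN" "$E_LEGACY"
fi
```

Run with `--live` inside the container to check the real CapEff and ip6tables output instead of the sample lines.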
Actually this might just be fixed in the latest image (please pull it and try if it works?), see https://github.com/qdm12/gluetun/issues/2256#issuecomment-2091074306 for additional explanations.
Problem solved with "latest". Thanks for your responsiveness.
Also fd4689ee70888e780e18572e67507b87c8163581 might help to avoid detecting IPv6 as supported when it's only available on the loopback interface.
Is this urgent?
No
Host OS
Ubuntu server 20.04
CPU arch
aarch64
VPN service provider
Mullvad
What are you using to run the container
docker-compose
What is the version of Gluetun
Running version v3.37.0 built on 2024-01-02T00:01:06.245Z (commit c826707)
What's the problem 🤔
Gluetun shuts down immediately on startup.
Had been running it successfully for 1-2 months. After a reboot, did manual apt update/upgrade, then pulled latest gluetun. Had been running version from prior to v3.38 update. Gluetun would not fully start up due to problem with firewall citing ip6tables (see attached logs). I downgraded to gluetun:v3.37 and problem was unchanged.
After some investigation, some docker updates were installed by apt, including this update from the apt logs:
From the Docker engine release notes
From gluetun wiki (in order to enable ipv6, I wanted to disable it)
So I changed my docker-compose.yml file to include ( =1 to disable)
Recreated the container, now everything is working as before.
Gluetun logs suggest upgrading my kernel, but I am not sure how or if I can update it, as I have a Radxa Rockpi-4 and am on their latest release, which is 4.4.194-10-rk3399-rockchip-gf9d08dbd6762
My initial suspicion was the update to gluetun v3.38, but now it looks like the gluetun upgrade is unrelated.
I am submitting this because when others upgrade their docker install, the same problem may be encountered. v26 was just released on 2024-03-20.
Thank you.
Share your logs (at least 10 lines)
Share your configuration
No response