Closed mjsjml closed 3 months ago
@qdm12 is more or less the only maintainer of this project and works on it in his free time. Please:
Hi there, thanks for reporting this. It's likely due to a bug in Alpine 3.19's nf_tables usage - I created a bug report for the netfilter project. This should be fixed with 06c9bc5 which changes the preference to use ip6tables-legacy instead of ip6tables, which now defaults to using nf_tables. This was done similarly for iptables in ce642a6d8b079d9a8cf7959171e27ee8b95517d0 2 months ago, but I forgot to change it for the ipv6 version as well!
Can you please try pulling the latest image and see if it works?
I'm also planning on upgrading to Alpine 3.20 which appears to resolve this problem, so I will switch back the iptables preference to using nf_tables again.
I get the same error with the latest version: version latest built on 2024-07-09T14:47:46.048Z (commit 0501743).
2024-07-09T11:54:20-07:00 INFO [firewall] removing allowed port 15554...
2024-07-09T11:54:20-07:00 ERROR [vpn] cannot remove allowed input port from firewall: removing allowed port 15554 on interface tun0: command failed: "ip6tables --delete INPUT -i tun0 -p tcp --dport 15554 -j ACCEPT": ip6tables: Bad rule (does a matching rule exist in that chain?).: exit status 1
2024-07-09T11:54:20-07:00 ERROR [vpn] getting public IP address information: context canceled
Reverting to 3.37.0, c826707, works well for me though.
Uh, that's problematic.. Is it not working on v3.38.0??? That would be strange given the changes not touching iptables/ipv6 😕
Assuming this problem arises only in the latest image, what do you get when running docker exec gluetun ip6tables -nvL and docker exec gluetun ip6tables-legacy -nvL against a running Gluetun container? It should contain a rule (i.e. for port 15554) in the INPUT chain similar to:
0 0 ACCEPT 6 -- tun0 * ::/0 ::/0 tcp dpt:15554
If it does show the rule, what happens if you run:
docker exec gluetun ip6tables --delete INPUT -i tun0 -p tcp --dport 15554 -j ACCEPT
(And replace ip6tables by ip6tables-legacy if needed, as well as the port number 15554 according to your setup).
on :v3.37:
$ docker exec gluetun ip6tables -nvL
# and
$ docker exec gluetun ip6tables-legacy -nvL
# both give:
modprobe: can't change directory to '/lib/modules': No such file or directory
ip6tables v1.8.9 (legacy): can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.
on latest 3.38:
$ docker exec gluetun ip6tables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT 0 -- lo * ::/0 ::/0
0 0 ACCEPT 0 -- * * ::/0 ::/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT 6 -- tun0 * ::/0 ::/0 tcp dpt:63799
0 0 ACCEPT 17 -- tun0 * ::/0 ::/0 udp dpt:63799
0 0 ACCEPT 6 -- tun0 * ::/0 ::/0 tcp dpt:15554
0 0 ACCEPT 17 -- tun0 * ::/0 ::/0 udp dpt:15554
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT 0 -- * lo ::/0 ::/0
0 0 ACCEPT 0 -- * * ::/0 ::/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT 0 -- * eth0 ::/0 ff02::/104
0 0 ACCEPT 0 -- * tun0 ::/0 ::/0
$ docker exec gluetun ip6tables-legacy -nvL
modprobe: can't change directory to '/lib/modules': No such file or directory
ip6tables v1.8.10 (legacy): can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.
$ docker exec gluetun ip6tables --delete INPUT -i tun0 -p tcp --dport 15554 -j ACCEPT
ip6tables: Bad rule (does a matching rule exist in that chain?).
Hiya, I'm experiencing a similar issue after updating gluetun to the latest 2024-07-09T14:47:46.048Z (commit 0501743) that may be related.
iptables-legacy --delete INPUT -i tun0 -p tcp --dport 3000 -j ACCEPT": iptables: Bad rule (does a matching rule exist in that chain?).: exit status 1
So I executed a shell within the container and ran iptables-legacy -S; this is the corresponding rule:
-A INPUT -i tun0 -p tcp -m tcp --dport 3000 -j ACCEPT
Running iptables-legacy --delete INPUT -i tun0 -p tcp --dport 3000 -j ACCEPT I face the previous error:
iptables: Bad rule (does a matching rule exist in that chain?).
I ran iptables-legacy --delete INPUT -i tun0 -p tcp -m tcp --dport 3000 -j ACCEPT instead, which removed the rule.
I'm not sure where the -m match comes from but it appears necessary to remove the rule; this may be the issue that has been reported here. I'd recommend you run ip6tables -S for yourself to confirm if this is the case.
I hope this info helps; if this appears to be a different issue I'll raise it as appropriate. If this is the same issue, I assume gluetun will either need to ensure that the -m match rule is not added or that it is accounted for in deletion.
Thanks,
On version b3ceece (one that doesn't work right for me), when I run "iptables-legacy --delete INPUT -i tun0 -p tcp --dport 15554 -j ACCEPT", the rule gets deleted fine. So your issue is probably different from mine.
@cspark-development I pushed 73832d8b49fa62feef678a5b48d85f321728f452 to add -m tcp/udp for accepting/removing the input port, let me know if it helps.
@mjsjml But does it work at all on previously released images :v3.37 or :v3.38?
Also when you say
on latest 3.38:
Note latest and v3.38 are NOT the same. qmcgaw/gluetun:latest points to the master branch in the repository (with Alpine 3.19), whereas qmcgaw/gluetun:v3.38 points to the release tag v3.38.0 (with Alpine 3.18). Please confirm this is on the latest image and NOT v3.38.
On version b3ceece (one that doesn't work right for me), when I run "iptables-legacy --delete INPUT -i tun0 -p tcp --dport 15554 -j ACCEPT", the rule gets deleted fine.
So the problematic version seems to be v3.38 right??? Also you mention iptables-legacy which is not related to ipv6, not too sure why?
Please clarify the versions which work and the versions which don't, since I'm kind of majorly confused on that 😄 Thanks!
@qdm12 Thanks for getting back to me, I'll let you know whether the hotfix change fixes my issue or not. Issue only arises on healthcheck failures so may take a while to confirm.
On version b3ceece (one that doesn't work right for me), when I run "iptables-legacy --delete INPUT -i tun0 -p tcp --dport 15554 -j ACCEPT", the rule gets deleted fine. So your issue is probably different from mine.
@mjsjml You may be experiencing the same issue as me just on IPv6. I'd disregard the remarks about iptables-legacy and run ip6tables -S to double check the exact rules that were added yourself. If you have a similar issue you should see that the -m match field is present in the rules.
The image that works for me is c826707 (version 3.37). Ones that don't work are b3ceece, 0501743, and 73832d8.
I might have found the problem. The latest container (73832d8) fails running "ip6tables --delete INPUT -i tun0 -p tcp -m tcp --dport 63799 -j ACCEPT" giving the error about a matching rule.
If I first delete the udp rule with "ip6tables --delete INPUT -i tun0 -p udp -m udp --dport 63799 -j ACCEPT" then the tcp rule can be deleted without an error.
Well this doesn't make any sense 😄 As in, ip6tables doesn't make sense, you do make sense 👍 Anyway, due to some various other errors with iptables, I decided to go ahead and upgrade Alpine from 3.19 to 3.20 in 9807d5f8f5ce178e355c27e3c5ef5d6e4f6449bc ~and to drop support for iptables-legacy in ddbfdc9f148a8e940cddc7da7be0fe6e9961f84f so that now it's only the 'fixed' iptables-nft that will be used~. Can you try these new 'latest' image and see if it helps?? It might be just alpine 3.19 iptables being quite buggy.
Still happening
Running version latest built on 2024-07-28T14:31:52.048Z (commit ddbfdc9)
2024-07-29T05:24:49Z INFO [vpn] stopping
2024-07-29T05:24:49Z INFO [firewall] removing allowed port 58632...
2024-07-29T05:24:49Z ERROR [vpn] cannot remove allowed input port from firewall: removing allowed port 58632 on interface tun0: command failed: "iptables --delete INPUT -i tun0 -p udp -m udp --dport 58632 -j ACCEPT": iptables: Bad rule (does a matching rule exist in that chain?).: exit status 1
2024-07-29T05:24:49Z INFO [vpn] starting
Same error for me on "latest", 7bc2972. I would try ddbfdc9 but I don't know how to choose specific commit in docker compose. My error is different from @billsbdb3 . Mine complains about removing the tcp port in ip6tables and his is about the udp port in iptables. When I do the "ip6tables -S" command I can see that both the udp and tcp ports are still there. I can then remove the udp port followed by the tcp port successfully in the terminal.
Running version latest built on 2024-07-30T20:03:23.398Z (commit 7bc2972)
2024-07-31T00:16:30-07:00 ERROR [vpn] cannot remove allowed input port from firewall: removing allowed port 63799 on interface tun0: command failed: "ip6tables --delete INPUT -i tun0 -p tcp -m tcp --dport 63799 -j ACCEPT": ip6tables: Bad rule (does a matching rule exist in that chain?).: exit status 1
For all of you ideally: do you have the same bug on :v3.38.0?
Two cases:
PS: I hope it's 1.
, and marked this as urgent so I'll definitely do it first thing after the release.
yes, same bug on 3.38.0.
I ran into seemingly the same issue not being able to remove udp ports while working on #2392. Both iptables and ip6tables refuse to delete udp rules. Even stranger is that it seems to only affect up to two rules, one of which sometimes can be deleted manually. Also since #2392 lets you add ports to the firewall via the control server it might be useful for testing.
How can we revert back to the last working release in docker compose? the ":3.37" after the image doesn't work for me.
Gluetun's giving me trouble as soon as gluetun hasn't been healthy for six seconds. I get the following issues, similar to others:
2024-08-07T07:50:24+02:00 INFO [healthcheck] program has been unhealthy for 6s: restarting VPN
2024-08-07T07:50:24+02:00 INFO [vpn] stopping
2024-08-07T07:50:24+02:00 INFO [firewall] removing allowed port 55405...
2024-08-07T07:50:24+02:00 ERROR [vpn] cannot remove allowed input port from firewall: removing allowed port 56405 on interface tun0: command failed: "iptables --delete INPUT -i tun0 -p tcp -m tcp --dport 55405 -j ACCEPT": iptables: Bad rule (does a matching rule exist in that chain?).: exit status 1
2024-08-07T07:50:24+02:00 INFO [vpn] starting
2024-08-07T07:50:24+02:00 INFO [firewall] allowing VPN connection...
2024-08-07T07:50:24+02:00 ERROR [firewall] cannot remove outdated VPN connection rule: command failed: "iptables --delete OUTPUT -d 141.98.102.432 -o eth0 -p udp -m udp --dport 1637 -j ACCEPT": iptables: Bad rule (does a matching rule exist in that chain?).: exit status 1
2024-08-07T07:50:24+02:00 ERROR [firewall] cannot remove outdated VPN interface rule: command failed: "iptables --delete OUTPUT -o tun0 -j ACCEPT": iptables: Bad rule (does a matching rule exist in that chain?).: exit status 1
I'm working on a fix (latest image) and will do a v3.37.2 + v3.38.2 + v3.39.1 release sometime later with that fix.
@gh57gh , try image: qmcgaw/gluetun:v3.37.0
@qdm12 , thank you
Please see and try #2411 (image :pr-2411) 🙏 Thanks!
Also, FYI, this is a rather thick PR of ~1000 lines of code because it involves:
iptables -D INPUT -s 1.2.3.4 -i tun0 -j REJECT
iptables -t filter -n -v --line-numbers -L INPUT
In particular steps 1 to 3 are tedious and prone to error. It looks like it's working, but some testing from you would be appreciated to make sure it doesn't break something! 😉
sadly not fixed :/
it's giving the same error and then restarting the entire container
...
2024-08-14 19:48:51 2024-08-14T17:48:51Z INFO [vpn] stopping
2024-08-14 19:48:51 2024-08-14T17:48:51Z INFO [port forwarding] stopping
2024-08-14 19:48:51 2024-08-14T17:48:51Z INFO [firewall] removing allowed port 41709...
2024-08-14 19:48:51 2024-08-14T17:48:51Z ERROR port forwarding loop crashed: stopping previous service: blocking previous port in firewall: removing allowed port 41709 on interface tun0: finding iptables chain rule line number: parsing chain list: parsing chain general data line: iptables chain list output is malformed: expected 8 fields in "# Warning: iptables-legacy tables present use iptables-legacy to see them"
...
2024-08-14 19:48:53 2024-08-14T17:48:53Z INFO Shutdown successful
sadly not fixed :/
This is likely still fixed for many setups, so to others, please still try it 😉 Now regarding your case, let's see!
it's giving the same error
Not exactly the same error: iptables chain list output is malformed: expected 8 fields in "# Warning: iptables-legacy tables present use iptables-legacy to see them", although, yes, it has the same end effect.
This is fixed by 2ea501b242a9a6c3f35626e116557888c7696fce where comment lines (starting with #) are discarded.
Now this error is a bit interesting too, showing that listing iptables gives the warning iptables-legacy tables present use iptables-legacy to see them. I did not get that error on my machine, since it's not using iptables-legacy at all.
Can you report what output you get from the following commands on a running Gluetun container:
docker exec gluetun iptables-legacy -t filter -vL
docker exec gluetun iptables-nft -t filter -vL
docker exec gluetun iptables -t filter -vL
docker exec gluetun iptables-legacy -t nat -vL
docker exec gluetun iptables-nft -t nat -vL
docker exec gluetun iptables -t nat -vL
these were run immediately after starting gluetun (and the rest of my docker-compose config) and waiting for it to be connected
E:\mediaConfig>docker exec gluetun iptables-legacy -t filter -vL
Chain INPUT (policy ACCEPT 18167 packets, 13M bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 25567 packets, 2969K bytes)
pkts bytes target prot opt in out source destination
E:\mediaConfig>docker exec gluetun iptables-nft -t filter -vL
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain INPUT (policy DROP 115 packets, 18652 bytes)
pkts bytes target prot opt in out source destination
1139 101K ACCEPT all -- lo any anywhere anywhere
54402 45M ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
34 2040 ACCEPT all -- eth0 any anywhere 172.18.0.0/16
119 6784 ACCEPT tcp -- tun0 any anywhere anywhere tcp dpt:55054
116 13651 ACCEPT udp -- tun0 any anywhere anywhere udp dpt:55054
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 39159 packets, 3108K bytes)
pkts bytes target prot opt in out source destination
1139 101K ACCEPT all -- any lo anywhere anywhere
24396 3848K ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- any eth0 f07d39b24ba9 172.18.0.0/16
1 60 ACCEPT tcp -- any eth0 anywhere unn-149-88-19-225.datapacket.com tcp dpt:https
12739 1269K ACCEPT all -- any tun0 anywhere anywhere
E:\mediaConfig>docker exec gluetun iptables -t filter -vL
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain INPUT (policy DROP 115 packets, 18652 bytes)
pkts bytes target prot opt in out source destination
1149 102K ACCEPT all -- lo any anywhere anywhere
54421 45M ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
34 2040 ACCEPT all -- eth0 any anywhere 172.18.0.0/16
125 7124 ACCEPT tcp -- tun0 any anywhere anywhere tcp dpt:55054
116 13651 ACCEPT udp -- tun0 any anywhere anywhere udp dpt:55054
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 39159 packets, 3108K bytes)
pkts bytes target prot opt in out source destination
1149 102K ACCEPT all -- any lo anywhere anywhere
24412 3850K ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- any eth0 f07d39b24ba9 172.18.0.0/16
1 60 ACCEPT tcp -- any eth0 anywhere unn-149-88-19-225.datapacket.com tcp dpt:https
12739 1269K ACCEPT all -- any tun0 anywhere anywhere
E:\mediaConfig>docker exec gluetun iptables-legacy -t nat -vL
Chain PREROUTING (policy ACCEPT 221 packets, 21845 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 200 packets, 18129 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 45284 packets, 3877K bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER_OUTPUT all -- any any anywhere 127.0.0.11
Chain POSTROUTING (policy ACCEPT 6125 packets, 769K bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER_POSTROUTING all -- any any anywhere 127.0.0.11
Chain DOCKER_OUTPUT (1 references)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- any any anywhere 127.0.0.11 tcp dpt:domain to:127.0.0.11:44693
0 0 DNAT udp -- any any anywhere 127.0.0.11 udp dpt:domain to:127.0.0.11:54288
Chain DOCKER_POSTROUTING (1 references)
pkts bytes target prot opt in out source destination
0 0 SNAT tcp -- any any 127.0.0.11 anywhere tcp spt:44693 to::53
0 0 SNAT udp -- any any 127.0.0.11 anywhere udp spt:54288 to::53
E:\mediaConfig>docker exec gluetun iptables-nft -t nat -vL
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
E:\mediaConfig>docker exec gluetun iptables -t nat -vL
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
I mean, the qbittorrent container seems to stay connected tho? it just restarted and i can still access the qbit webui.
it still restarts the vpn a lot (like every minute or two)
@DaBlincx
I mean, the qbittorrent container seems to stay connected tho? it just restarted and i can still access the qbit webui. it still restarts the vpn a lot (like every minute or two)
Let's continue the conversation on #2407 not here - marking some comments as off topic.
these were run immediately after starting gluetun (and the rest of my docker-compose config) and waiting for it to be connected
Let's continue the conversation on #2414 - also please read the observations 😉 The fact your iptables-legacy chains are getting traffic is a bit alarming, although I cannot reproduce it on my machines 🤔
Marking this and the few last comments as off-topic, since this is about fixing the iptables deletion only.
Anyone else can confirm this works fine now with image qmcgaw/gluetun:pr-2411? 🙏
Have been testing this but took a few days to finally fail a healthcheck. I get an error but it does successfully start a new connection and allow required ports...
Running version pr-2411 built on 2024-08-14T18:45:31.229Z (commit 6c8fe37)
2024-08-15T23:20:13-07:00 INFO [vpn] stopping
2024-08-15T23:20:13-07:00 INFO [firewall] removing allowed port 63799...
2024-08-15T23:20:13-07:00 INFO [firewall] removing allowed port 15554...
2024-08-15T23:20:14-07:00 INFO [vpn] starting
2024-08-15T23:20:14-07:00 INFO [firewall] allowing VPN connection...
2024-08-15T23:20:14-07:00 ERROR [firewall] cannot remove outdated VPN connection rule: parsing iptables command: parsing "--delete OUTPUT -d 184.75.214.162 -o eth0 -p udp -m udp --dport 1637 -j ACCEPT": parsing destination IP CIDR: netip.ParsePrefix("184.75.214.162"): no '/'
2024-08-15T23:20:14-07:00 ERROR [firewall] cannot remove outdated VPN interface rule: finding iptables chain rule line number: parsing chain list: parsing chain rule "3 27 1590 ACCEPT 0 -- * eth0 172.18.0.6 172.18.0.0/16 ": parsing chain rule field: parsing source IP CIDR: netip.ParsePrefix("172.18.0.6"): no '/'
2024-08-15T23:20:14-07:00 INFO [wireguard] Using available kernelspace implementation
2024-08-15T23:20:14-07:00 INFO [wireguard] Connecting to 193.37.254.34:1637
2024-08-15T23:20:14-07:00 INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
2024-08-15T23:20:14-07:00 INFO [firewall] setting allowed input port 63799 through interface tun0...
2024-08-15T23:20:14-07:00 INFO [firewall] setting allowed input port 15554 through interface tun0...
2024-08-15T23:20:14-07:00 INFO [healthcheck] healthy!
Thanks @mjsjml !
The following errors are fixed in 3d41cc16917d41b1dcf70f7bd47d6fa5107d5f5e where it now handles source/destination networks without the /32 suffix for single IP addresses.
2024-08-15T23:20:14-07:00 ERROR [firewall] cannot remove outdated VPN connection rule: parsing iptables command: parsing "--delete OUTPUT -d 184.75.214.162 -o eth0 -p udp -m udp --dport 1637 -j ACCEPT": parsing destination IP CIDR: netip.ParsePrefix("184.75.214.162"): no '/'
2024-08-15T23:20:14-07:00 ERROR [firewall] cannot remove outdated VPN interface rule: finding iptables chain rule line number: parsing chain list: parsing chain rule "3 27 1590 ACCEPT 0 -- * eth0 172.18.0.6 172.18.0.0/16 ": parsing chain rule field: parsing source IP CIDR: netip.ParsePrefix("172.18.0.6"): no '/'
Let me know if you get any other firewall errors, even if it's not critical/doesn't crash the container.
Can confirm that up until now all healthchecks are recovering properly.
Closed issues are NOT monitored, so commenting here is likely to be not seen. If you think this is still unresolved and have more information to bring, please create another issue.
This is an automated comment setup because @qdm12 is the sole maintainer of this project which became too popular to monitor issues closed.
I just tried to set gluetun up with an Asian VPN endpoint and I'm seeing stuff like the below. I think the endpoint is broken, so the container can't connect - that's fine, but I noticed the error below. :)
2024-08-18T11:54:32.769580445Z 2024-08-18T11:54:32Z ERROR [firewall] cannot remove outdated VPN interface rule: finding iptables chain rule line number: parsing chain list: parsing chain rule "3 0 0 ACCEPT 0 -- * eth0 ::/0 ff02::/104 ": parsing chain rule field: parsing destination IP CIDR: netip.ParsePrefix("ff02::/104/32"): ParseAddr("ff02::/104"): each colon-separated field must have at least one digit (at "/104")
I'm running a gluetun docker image with the source revision bc55c25e73125f5363885eedab28f863491999e5 which is quite recent. So I found this issue.
Might the fix have missed something related to IPv6 addresses.. ff02::/104/32 seems like a mangled CIDR :)?
I've added in my current iptables rules for this container.
```
/ # iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d 172.80.20.0/24 -i eth0 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s 172.80.20.6/32 -d 172.80.20.0/24 -o eth0 -j ACCEPT
-A OUTPUT -s 172.80.20.6/32 -d 192.168.0.0/22 -o eth0 -j ACCEPT
-A OUTPUT -d 64.64.121.6/32 -o eth0 -p udp -m udp --dport 1195 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
/ # ip6tables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d ff02::/104 -o eth0 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
```
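The ERROR line in the third log excerpt shows the chain-rule parser appending a "/32" host mask to a destination column that already carries a prefix ("ff02::/104"), which is why gluetun reports that it cannot remove the outdated VPN interface rule. As an added example (not gluetun's own code), here is a Go parser for one `ip6tables -nvL --line-numbers` row that only appends a host mask to unmasked addresses; the ten-column layout and the sample rows are assumptions taken from the log above.

```go
package main

import (
	"fmt"
	"net/netip"
	"strconv"
	"strings"
)

// chainRule holds the columns of one "ip6tables -nvL --line-numbers" row (layout assumed).
type chainRule struct {
	LineNumber          int
	Target, In, Out     string
	Source, Destination netip.Prefix
}

// parsePrefixField appends a host mask only when the column has none: iptables
// prints "ff02::/104" already masked, and blindly adding "/32" gave "ff02::/104/32".
func parsePrefixField(field string) (netip.Prefix, error) {
	if strings.Contains(field, "/") {
		return netip.ParsePrefix(field)
	}
	addr, err := netip.ParseAddr(field)
	if err != nil {
		return netip.Prefix{}, err
	}
	return netip.PrefixFrom(addr, addr.BitLen()), nil // /32 for IPv4, /128 for IPv6
}

// parseChainRule parses one row laid out as
// "num pkts bytes target prot opt in out source destination [match ...]".
func parseChainRule(line string) (chainRule, error) {
	f := strings.Fields(line)
	if len(f) < 10 {
		return chainRule{}, fmt.Errorf("expected at least 10 fields in %q, got %d", line, len(f))
	}
	num, err := strconv.Atoi(f[0])
	if err != nil {
		return chainRule{}, fmt.Errorf("parsing line number: %w", err)
	}
	src, err := parsePrefixField(f[8])
	if err != nil {
		return chainRule{}, fmt.Errorf("parsing source %q: %w", f[8], err)
	}
	dst, err := parsePrefixField(f[9])
	if err != nil {
		return chainRule{}, fmt.Errorf("parsing destination %q: %w", f[9], err)
	}
	return chainRule{LineNumber: num, Target: f[3], In: f[6], Out: f[7], Source: src, Destination: dst}, nil
}
```

Feeding the constructed row `3 0 0 ACCEPT 0 -- * eth0 ::/0 ff02::/104` through `parseChainRule` yields line number 3 with destination `ff02::/104` instead of the parse error shown in the log.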
I encountered this issue when moving to AirVPN using port forwarding. I can confirm that it is indeed fixed with pr-2411.
Don't use pr-* image tags, use the latest image or v3.x.x image tags. The v3.39.1 release image tag contains the fix now.
Is this urgent?
No
Host OS
Ubuntu 22.04
CPU arch
x86_64
VPN service provider
AirVPN
What are you using to run the container
docker-compose
What is the version of Gluetun
Running version latest built on 2024-06-17T22:37:52.988Z (commit 93ed87d)
What's the problem 🤔
When gluetun fails a healthcheck and gets a new vpn connection, it can't resume port forwarding. The desired ports will be closed on the new connection. Things used to work fine with an older version of gluetun (don't know which one).
ERROR [vpn] cannot remove allowed input port from firewall: removing allowed port 63799 on interface tun0: command failed: "ip6tables --delete INPUT -i tun0 -p tcp --dport 63799 -j ACCEPT": ip6tables: Bad rule (does a matching rule exist in that chain?).: exit status 1
Share your logs (at least 10 lines)
Share your configuration