Closed dhaavi closed 4 years ago
/remind @ppacher to investigate in two weeks.
@dhaavi set a reminder for Jul 9th 2020
This is the error message I receive on my Arch Linux based system:
Jun 27 16:02:28 Alien portmaster-control[837029]: 200627 16:02:28.275 dules/mgmt:084 ▶ WARN 025 modules: could not start module interception: could not initialize nfqueue: running [/usr/bin/iptables -t mangle -N C170 --wait]: exit status 3: iptables v1.8.5 (legacy): can't initialize iptables table `mangle': Table does not exist (do you need to insmod?)
Jun 27 16:02:28 Alien portmaster-control[837029]: Perhaps iptables or your kernel needs to be upgraded.
os-release:
NAME="Arch Linux"
PRETTY_NAME="Arch Linux"
ID=arch
BUILD_ID=rolling
ANSI_COLOR="38;2;23;147;209"
HOME_URL="https://www.archlinux.org/"
DOCUMENTATION_URL="https://wiki.archlinux.org/"
SUPPORT_URL="https://bbs.archlinux.org/"
BUG_REPORT_URL="https://bugs.archlinux.org/"
LOGO=archlinux
uname -a
Linux Alien 5.7.5-arch1-1 #1 SMP PREEMPT Mon, 22 Jun 2020 08:10:02 +0000 x86_64 GNU/Linux
pacman -Qs netfilter
local/libnetfilter_conntrack 1.0.8-1
Library providing an API to the in-kernel connection tracking state table
local/libnetfilter_queue 1.0.5-1
Userspace API to packets that have been queued by the kernel packet filter
local/libnfnetlink 1.0.1-4
Low-level library for netfilter related kernel/userspace communication
local/libnftnl 1.1.7-1
Netfilter library providing interface to the nf_tables subsystem
ls -lah $(which iptables)
lrwxrwxrwx 1 root root 20 Jun 7 22:32 /usr/bin/iptables -> xtables-legacy-multi
Output of sudo cat /proc/net/netfilter/nfnetlink_queue:
cat: /proc/net/netfilter/nfnetlink_queue: No such file or directory
This is on my Manjaro Linux based system:
uname -a
Linux Thin 5.6.16-1-MANJARO #1 SMP PREEMPT Wed Jun 3 14:26:28 UTC 2020 x86_64 GNU/Linux
pacman -Qs netfilter
local/libnetfilter_conntrack 1.0.8-1
Library providing an API to the in-kernel connection tracking state table
local/libnetfilter_queue 1.0.3-2
Userspace API to packets that have been queued by the kernel packet filter
local/libnfnetlink 1.0.1-4
Low-level library for netfilter related kernel/userspace communication
local/libnftnl 1.1.6-1
Netfilter library providing interface to the nf_tables subsystem
local/ufw 0.36-3
Uncomplicated and easy to use CLI tool for managing a netfilter firewall
ls -lah $(which iptables)
lrwxrwxrwx 1 root root 20 Feb 5 10:50 /usr/bin/iptables -> xtables-legacy-multi
and finally sudo cat /proc/net/netfilter/nfnetlink_queue when portmaster is running:
17040 6737 278 2 65531 0 1030 1326 1
17060 2623861587 203 2 65531 0 51 257 1
17140 4138069207 177 2 65531 0 38 222 1
17160 2802009172 0 2 65531 0 0 1 1
:wave: @ppacher, investigate.
Hi @markusressel,
Thanks for your help!
For your pure arch-system:
iptables v1.8.5 (legacy): can't initialize iptables table `mangle': Table does not exist (do you need to insmod?)
Jun 27 16:02:28 Alien portmaster-control[837029]: Perhaps iptables or your kernel needs to be upgraded.
Is it possible that you did a system (kernel) upgrade but didn't reboot? That could explain why the table does not exist.
For your Manjaro system:
I stumbled across a similar issue that has been reported to https://github.com/gustavo-iniguez-goya/opensnitch/issues/41. Seems like this is a kernel/netfilter issue. I'm running two systems with kernel 5.7.7 and libnetfilter_queue 1.0.5-1 without any issue. Could you try updating Manjaro?
I'll keep trying to reproduce this and will keep you updated.
I'm able to reproduce the kernel panic even on a 5.7.7 when using the slub_debug=FZP commandline parameter. @gustavo-iniguez-goya already created a netfilter bugreport for that.
Can you check your kernel command line and see if that option is used in Manjaro? cat /proc/cmdline should do the trick.
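The checks raised so far in this thread (a kernel upgraded without a reboot, slub_debug on the kernel command line, and the state of /proc/net/netfilter/nfnetlink_queue) can be collected in one triage script. This is an added example, not part of the original thread and not Portmaster code; the function names are hypothetical, and the column meanings in the comment are those of the kernel's nfnetlink_queue proc file.

```shell
#!/bin/sh
# Added triage sketch for the three conditions discussed in this thread.
# Paths are parameters so the checks can also run against saved copies.

# 1. Hypothesis "kernel upgraded but not rebooted": the running release has
#    no module tree on disk, so iptable_mangle / nfnetlink_queue cannot load.
modules_tree_missing() {            # $1 = kernel release, $2 = modules dir
    [ ! -d "$2/$1" ]
}

# 2. slub_debug on the kernel command line (the reproducer mentioned above).
has_slub_debug() {                  # $1 = cmdline file
    grep -Eq '(^|[[:space:]])slub_debug(=|[[:space:]]|$)' "$1"
}

# 3. Per-queue state. Columns of nfnetlink_queue: queue number, peer portid,
#    packets waiting, copy mode, copy range, drops because the queue was
#    full, drops because userspace could not be reached, last packet id, 1.
queue_report() {                    # $1 = file in nfnetlink_queue format
    awk 'NF >= 8 {
        state = ($6 + $7 > 0) ? "DROPS" : "ok"
        printf "queue=%s waiting=%s full_drops=%s user_drops=%s %s\n", $1, $3, $6, $7, state
    }' "$1"
}

triage() {
    rel=$(uname -r)
    if modules_tree_missing "$rel" /lib/modules; then
        echo "no /lib/modules/$rel: reboot into the installed kernel"
    fi
    if [ -r /proc/cmdline ] && has_slub_debug /proc/cmdline; then
        echo "slub_debug is set on the kernel command line"
    fi
    q=/proc/net/netfilter/nfnetlink_queue
    if [ -e "$q" ]; then
        queue_report "$q"           # reading this file usually needs root
    else
        echo "$q missing: nfnetlink_queue is not loaded"
    fi
    return 0
}

triage
```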
Is it possible that you did a system (kernel) upgrade but didn't reboot? That could explain why the table does not exist.
At the time of reporting I thought about that too, so I did restart several times, but nothing changed. However, I tried to start it again today and it works as expected :thinking: . I have updated the system several times in between, so I do not exactly know what caused this, when it caused it or why. Portmaster version is now Version: 0.4.11, kernel is now Linux Alien 5.7.7-arch1-1 #1 SMP PREEMPT Wed, 01 Jul 2020 14:53:16 +0000 x86_64 GNU/Linux. Not sure if this counts as "fixed" :man_shrugging:
I stumbled across a similar issue that has been reported to gustavo-iniguez-goya/opensnitch#41. Seems like this is a kernel/netfilter issue. I'm running two systems with kernel 5.7.7 and libnetfilter_queue 1.0.5-1 without any issue. Could you try updating Manjaro?
I'll keep trying to reproduce this and will keep you updated.
I just tried to start portmaster again with only system updates, but nothing changed. I will try to update to kernel 5.7.0-3 as it seems like this is the latest supported kernel version from Manjaro at the time.
This is the output of cat /proc/cmdline on Manjaro, still running on kernel 5.6.16-1:
BOOT_IMAGE=/boot/vmlinuz-5.6-x86_64 root=UUID=8fdf7c08-4d47-4fd1-9417-abcdef01de55 rw quiet apparmor=1 security=apparmor udev.log_priority=3
Updating Manjaro to kernel version 5.7.0-3 seems to have fixed the problem too. I do not see the error message in the portmaster log and the portmaster app is running as expected (also on Version: 0.4.11).
@markusressel good to hear it's now working for you! Thanks for your support in debugging this! I'll close this issue and add a section to the "Known Issues" page in the wiki. The good news is that Pablo Neira already posted a kernel patch for that bug so we'll likely not see that again once it's merged.
For reference: patch.
Hi,
Just wanted to let you know that I've got the same problem here, on Ubuntu 20.04 LTS with kernel 5.4.0-91-generic.
It freezes badly after install, and the reboot shows a black screen for a few minutes, and after logging in the desktop appears with this error after a few minutes.
For me it's not a great user XP on Ubuntu so I've uninstalled it - you should drop Ubuntu support or handle this with a fallback.
This issue is the continuation of an existing thread, beginning with this comment: https://github.com/safing/portmaster/issues/79#issuecomment-647050441
The original reporter is @markusressel.
Checklist:
What happened: Portmaster was denied access to nfqueue.
What you expected to happen: Portmaster should be able to integrate with Linux by interacting with the nfqueue system.
How to reproduce it (as minimally and precisely as possible): unknown
Anything else we need to know?:
Environment:
Portmaster Version: latest (0.4.9)
Versions from the `About` page in Portmaster's UI
Operating System:
cat /etc/os-release
As mentioned in https://github.com/safing/portmaster/issues/79#issuecomment-649358360, this also applies to a pure Arch Linux based system.
If applicable you can provide related sections from the log files and ensure to remove sensitive or otherwise private information.
/var/lib/portmaster/logs
%PROGRAMDATA%\Portmaster\logs