Bug: Alpine upgrade to 3.19 iptables no longer working: Could not fetch rule set generation id: Invalid argument #2256

Closed
jimbo5678 opened this issue May 2, 2024 · 20 comments

@jimbo5678

Is this urgent?

None

Host OS

QNAP OS 5.1

CPU arch

x86_64

VPN service provider

ProtonVPN

What are you using to run the container

Portainer

What is the version of Gluetun

Running version latest built on 2024-05-02T08:16:52.183Z (commit e0a977c)

What's the problem 🤔

Since updating, the container exits almost immediately with an error that iptables is not found. The same config was working fine until updated, and rolling back the config to :v3.38 instead of :latest makes it work fine again.

Share your logs (at least 10 lines)

Running version latest built on 2024-05-02T08:16:52.183Z (commit e0a977c)

2024-05-02T11:17:56Z INFO [routing] default route found: interface eth0, gateway 172.29.40.1, assigned IP 172.29.40.2 and family v4
2024-05-02T11:17:56Z INFO [routing] local ethernet link found: eth0
2024-05-02T11:17:56Z INFO [routing] local ipnet found: 172.29.40.0/22
2024-05-02T11:17:56Z ERROR no iptables supported found: errors encountered are: iptables-nft: iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument (exit status 4); iptables: iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument (exit status 4)
2024-05-02T11:17:56Z INFO Shutdown successful
....
filler to make it up to 10 lines, since there are only 7 lines of log before the container exits
.....
filler to make it up to 10 lines, since there are only 7 lines of log before the container exits
.....

Share your configuration

services:
  vpn:
    image: qmcgaw/gluetun:latest
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    environment:
      - VPN_SERVICE_PROVIDER=custom
      - VPN_TYPE=wireguard
      - VPN_ENDPOINT_IP=149.40.48.65
      - VPN_ENDPOINT_PORT=51820
      - WIREGUARD_PUBLIC_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
      - WIREGUARD_PRIVATE_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
      - WIREGUARD_ADDRESSES=10.2.0.2/32
      - VPN_PORT_FORWARDING=on
      - VPN_PORT_FORWARDING_PROVIDER=protonvpn

Contributor

github-actions bot commented May 2, 2024

@qdm12 is more or less the only maintainer of this project and works on it in his free time.
Please:

@qdm12
Owner

qdm12 commented May 2, 2024

That's the upgrade from Alpine 3.18 to 3.19 causing this. Damn this Docker image is so tight with the host, this is frustrating 😄
This also looks very similar to #2200 (comment); can you try the 4 tries listed there: #2200 (comment) and report back if you have different results?

qdm12 changed the title from "Bug: latest build (2024-05-02) fails to find iptables command, while v3.38 works fine with same config" to "Bug: Alpine upgrade to 3.19 iptables no longer working: Could not fetch rule set generation id: Invalid argument" on May 2, 2024

@qdm12
Owner

qdm12 commented May 2, 2024

This is due to the recent (today) upgrade to Alpine 3.19 causing some errors on some hosts (not mine - WSL and Arch Linux, both on x86_64). Please report what your host machine OS and architecture are, ideally, to help debug this. Also try the steps detailed in #2200 (comment) to help me find out what's wrong with iptables 1.8.10 and Alpine 3.19. Thanks!

@qdm12
Owner

qdm12 commented May 2, 2024

Can any of you try on the host running modprobe nf_tables? I believe these errors might be caused by your Kernel not supporting nftables, which is now the default used by iptables going forward.

EDIT to future me: if this is indeed the case, install dpkg in the Docker image, and run update-alternatives --set iptables /usr/sbin/iptables-legacy when encountering the error Could not fetch rule set generation id: Invalid argument when testing iptables.

@Trombalcazar

Trombalcazar commented May 2, 2024 via email

@kevindelaney

kevindelaney commented May 2, 2024

> Can any of you try on the host running modprobe nf_tables? I believe these errors might be caused by your Kernel not supporting nftables, which is now the default used by iptables going forward.

sudo modprobe nf_tables
modprobe: FATAL: Module nf_tables not found.

Synology DSM 7.2.1-69057 Update 4 (x86_64)

Wonder if these might be helpful?

@qdm12
Owner

qdm12 commented May 2, 2024

Yeah that's very likely the problem, it's the nf_tables missing in the kernel (damn you Synology!).

For alpine 3.18 and before, the default was legacy:

docker run -it --rm alpine:3.18 /bin/sh -c "apk add iptables && iptables -v"
iptables v1.8.9 (legacy): no command specified

But for alpine 3.19 the default is now nf_tables:

docker run -it --rm alpine:3.19 /bin/sh -c "apk add iptables && iptables -v"
iptables v1.8.10 (nf_tables): no command specified

So I pushed fb145d6 which adds the iptables-legacy package, and checks if it's usable in the Gluetun code, so it should fix this issue. The installation size for the legacy package is less than 1MB, so it's pretty good to maintain retro-compatibility! Let me know how it goes 😉
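
The fallback described in the comment above, sketched in Go as an added example (not part of the thread and not Gluetun's own code): try each iptables binary in turn, keep the first one that works, and report every failure if none does. The candidate order, the `-nL` probe command and all function names are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// ErrNoIptables is returned when no candidate binary passes the probe.
var ErrNoIptables = errors.New("no usable iptables found")

// Probe runs one binary and returns its combined output and error.
type Probe func(bin string) (output string, err error)

// execProbe lists the filter table (needs NET_ADMIN). Using "-nL" as the
// probe command is an assumption of this example.
func execProbe(bin string) (string, error) {
	out, err := exec.Command(bin, "-nL").CombinedOutput()
	return strings.TrimSpace(string(out)), err
}

// PickIptables returns the first candidate whose probe succeeds. Failures
// are collected so the final error names every backend that was tried.
func PickIptables(candidates []string, probe Probe) (string, error) {
	var failures []string
	for _, bin := range candidates {
		out, err := probe(bin)
		if err == nil {
			return bin, nil
		}
		failures = append(failures, fmt.Sprintf("%s: %s (%v)", bin, out, err))
	}
	return "", fmt.Errorf("%w: %s", ErrNoIptables, strings.Join(failures, "; "))
}

func main() {
	// nft-backed binaries first, legacy last as the fallback (assumed order).
	order := []string{"iptables-nft", "iptables", "iptables-legacy"}
	bin, err := PickIptables(order, execProbe)
	if err != nil {
		// Fail closed, as the container in the logs above does: exit
		// rather than keep running without firewall rules.
		fmt.Println("refusing to start:", err)
		return
	}
	fmt.Println("using", bin)
}
```

On a kernel without nf_tables, both nft-backed candidates fail with the error from this issue and the legacy binary is selected.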

@kevindelaney

That works! Thanks so much for the quick fix @qdm12

@rslalo

rslalo commented May 2, 2024

Running version latest built on 2024-05-02T16:57:20.083Z (commit fb145d6)
2024-05-02T13:09:35-04:00 INFO Alpine version: 3.19.1
2024-05-02T13:09:35-04:00 INFO IPtables version: v1.8.10
2024-05-02T13:09:40-04:00 INFO [healthcheck] healthy!

Working once again on Synology DSM 7.2.1-69057 Update 5, thanks!

@qdm12
Owner

qdm12 commented May 2, 2024

Awesome thanks for confirming!

@qdm12 qdm12 closed this as completed May 2, 2024

Contributor

github-actions bot commented May 2, 2024

Closed issues are NOT monitored, so commenting here is likely not to be seen.
If you think this is still unresolved and have more information to bring, please create another issue.

This is an automated comment set up because @qdm12 is the sole maintainer of this project, which became too popular to monitor closed issues.

@jimbo5678
Author

Confirmed fixed on QNAP NAS as well. Thanks for the ridiculously fast update!

@mikefromnj

Hi,

I am running on an Asustor NAS. I am now getting this after updating:

2024-05-02T23:07:34Z INFO [storage] creating /gluetun/servers.json with 19425 hardcoded servers
2024-05-02T23:07:35Z INFO Alpine version: 3.19.1
2024-05-02T23:07:35Z INFO OpenVPN 2.5 version: 2.5.8
2024-05-02T23:07:35Z INFO OpenVPN 2.6 version: 2.6.8
2024-05-02T23:07:35Z INFO Unbound version: 1.19.3
2024-05-02T23:07:35Z ERROR getting IPtables version: exit status 1
2024-05-02T23:07:35Z INFO Shutdown successful

Thanks!

@jimbo5678
Author

@mikefromnj As it says in the comment two above yours, this issue is now closed, so your report is unlikely to be seen. If you're still having an issue, you need to open a new bug report.

Also, from reading your logs, your bug is different to the one in this thread. It may well have a related / similar cause, but it is not the same bug, so please submit a complete bug report with all the requested details / logs / configs / descriptions in it.

@qdm12
Owner

qdm12 commented May 4, 2024

@mikefromnj and others, see #2260 (comment) which might solve this. Sorry I didn't see this problem either, especially since this is all kernel-specific so hard to reproduce and check all corner cases 😉

@OrpheeGT

OrpheeGT commented May 7, 2024

Hi,

Thanks for "iptables-legacy"

I had to modify qbittorrent-natmap to use it:
soxfor/qbittorrent-natmap#23

Once done it works again :)

I'm still using the qbittorrent-natmap container as, if I'm not wrong, the custom provider wireguard (with protonvpn) is not able to handle natmap / pmp from gluetun directly.
