
nftables and firewall issues on Synology/QNAP NAS

Open baroka opened this issue 1 year ago • 13 comments

Hello,

With latest image I get this error on a Synology NAS:

2024-03-04T10:36:29.807Z DEBUG firewall: Firewall allow managed network endpoints managed_network_endpoints=[]
2024-03-04T10:36:29.807Z INFO firewall: Firewall starting
2024-03-04T10:36:29.813Z WARN firewall::linux: Failed to set firewall rules via stdin. Retrying using temporary file exit_code=ExitStatus(unix_wait_status(256))
2024-03-04T10:36:29.824Z ERROR firewall::linux: Failed to start firewall with exit code: exit status: 1
2024-03-04T10:36:29.824Z WARN firewall: fw.apply_rules failed e=ApplyError("nft command failed with return code: 256")
2024-03-04T10:36:29.825Z WARN main_loop: warp::warp_service: Unable to update firewall on disconnect e=ApplyError("nft command failed with return code: 256")
2024-03-04T10:36:29.825Z DEBUG main_loop: warp::warp_service: Determining disconnected reason from connectivity state net_info=IPv4: [eth0; 172.18.0.15; Ethernet]; DNS servers:; 127.0.0.11:53; power_state=None disconnect_reason=None
2024-03-04T10:36:29.825Z WARN main_loop: warp::warp_service: Disconnecting, but reason is unknown
2024-03-04T10:36:29.825Z WARN main_loop: warp::warp_service: Reconnect on settings change failed error=FirewallUpdateFailed(ApplyError("nft command failed with return code: 256"))

With previous caomingjun/warp:2023-07-18 everything is ok.

I searched for the error "nft command failed with return code: 256" but I can't figure out how to fix it.

It seems that with the latest version it is now necessary to add this volume: /run/dbus/system_bus_socket:/run/dbus/system_bus_socket

I tried to build my own Dockerfile based on the latest Ubuntu or Debian, deleting the Gost proxy, but the nft error is still there.

Can you help me? Thanks.

baroka avatar Mar 04 '24 11:03 baroka

I just updated the latest tag of image to the newest warp version. Could you please try it out and see if there are still any problems?

Seems that with latest version now it's necessary to add this volume: /run/dbus/system_bus_socket:/run/dbus/system_bus_socket

It's better not to do this. Binding the dbus inside the container to the host's system socket gives the container excessive privileges. While running WARP, we may trust Cloudflare, but it could be dangerous when running other things. Just adding the following two lines in entrypoint.sh is sufficient:

mkdir -p /run/dbus
dbus-daemon --config-file=/usr/share/dbus-1/system.conf

If you still encounter a firewall or nft error, please let me know.

cmj2002 avatar Mar 04 '24 12:03 cmj2002

Same problem. Just for checking, I tried with privileged: true

Another change you should make in entrypoint.sh: warp-cli register is deprecated -> warp-cli registration new

baroka avatar Mar 04 '24 12:03 baroka

Found a possibly related discussion: https://forum.openwrt.org/t/22-02-firewall-fw4-issue/149323/3

Try running nft -i in the container and see what happens. The kernel of the Synology NAS may not be compiled with CONFIG_NF_TABLES_INET.

cmj2002 avatar Mar 04 '24 13:03 cmj2002

nft -i seems to work.

nft -i

nft>

Any other idea? Thanks.

baroka avatar Mar 04 '24 14:03 baroka

I'm sorry, I cannot find any other information about this issue. Cloudflare does not even provide the release notes for warp-cli, so I do not know what happened between the two versions.

What is currently known is that the issue was caused by nft (nftables), which resulted in WARP being unable to change firewall settings. But I am still not clear on what caused nftables to malfunction. This may be due to the extremely old version of the Linux kernel of Synology, but I have no evidence.

If anyone can provide additional information, I would be grateful.

cmj2002 avatar Mar 04 '24 14:03 cmj2002

A workaround for having Cloudflare Warp on Synology devices:

  1. Extract Wireguard Cloudflare Warp configuration with: https://github.com/ViRb3/wgcf
  2. Follow steps on: https://www.reddit.com/r/synology/comments/xkxjfh/fya_how_to_connect_synology_to_a_wireguard_vpn/
  3. No need to compile. Just use files on: https://tutoriales.bilito.eu/wireguard-en-dsm-7-2/

Maybe this is useful for somebody.

baroka avatar Mar 05 '24 10:03 baroka

After I added net.ipv4.ip_forward=1, it runs normally. I'll keep monitoring it.

sysctls:
      - net.ipv6.conf.all.disable_ipv6=0
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv4.ip_forward=1

zero-hero-he avatar Mar 29 '24 10:03 zero-hero-he

After I added net.ipv4.ip_forward=1, it runs normally. I'll keep monitoring it.

sysctls:
      - net.ipv6.conf.all.disable_ipv6=0
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv4.ip_forward=1

Thank you for the information you provided! I used to think that docker would provide default values for sysctl inside the container, but it seems that this is incorrect. The network namespace inside the container inherits from the init network namespace (not the host namespace; the init namespace defaults are compiled into the kernel).^1 WARP wants to change this setting, but programs inside the container do not have this permission.

Due to different kernel compilation settings, we may need to find all the settings required by Cloudflare and set them in the docker-compose file.

I will wait for a few days, and if your settings work properly, I will merge this change into the code.

cmj2002 avatar Mar 30 '24 12:03 cmj2002
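A preflight check that combines the two diagnostics suggested in this thread (cmj2002's "try nft -i" and the sysctl values zero-hero-he listed). This is an added example, not part of warp-docker or of any comment above. It assumes the sysctl files live under /proc/sys inside the container (the directory is a parameter so it can be pointed at a test tree), that nft is the nftables CLI when installed, and that creating an inet-family table is a fair proxy for CONFIG_NF_TABLES_INET support. The script only creates and immediately deletes an empty table named after its own PID; it does not add rules.

```shell
#!/bin/sh
# warp_preflight.sh (added example, not warp-docker's own code): run inside
# the container before warp-svc starts to see whether the sysctls and the
# nftables support WARP needs are actually present.

# Sysctls reported in the thread as needed by WARP, as "path=expected" pairs
# relative to /proc/sys.
WARP_SYSCTLS="net/ipv6/conf/all/disable_ipv6=0 net/ipv4/conf/all/src_valid_mark=1 net/ipv4/ip_forward=1"

# check_sysctls [PROC_SYS]
# Prints one line per missing or mismatched setting. Returns 0 only when every
# value matches; a missing file usually means the kernel lacks that knob.
check_sysctls() {
    proc_sys="${1:-/proc/sys}"
    rc=0
    for pair in $WARP_SYSCTLS; do
        path="${pair%%=*}"
        want="${pair#*=}"
        file="$proc_sys/$path"
        if [ ! -r "$file" ]; then
            echo "MISSING $path (kernel may lack this knob)"
            rc=1
            continue
        fi
        got=$(cat "$file")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $path is $got, want $want"
            rc=1
        fi
    done
    return $rc
}

# probe_nft_inet
# Creates and deletes an empty inet-family table, which is the family WARP's
# firewall rules use. Returns 0 on success, 1 if nft refuses (a kernel without
# CONFIG_NF_TABLES_INET behaves this way), 2 if nft is not installed.
probe_nft_inet() {
    command -v nft >/dev/null 2>&1 || return 2
    table="warp_probe_$$"
    if nft add table inet "$table" 2>/dev/null; then
        nft delete table inet "$table" 2>/dev/null
        return 0
    fi
    return 1
}

# Usage when run directly inside the container:
#   sh warp_preflight.sh
case "$0" in
    *warp_preflight.sh)
        check_sysctls /proc/sys && echo "sysctls: OK"
        probe_nft_inet && rc=0 || rc=$?
        case $rc in
            0) echo "nft inet table: OK" ;;
            1) echo "nft inet table: FAILED (kernel may lack CONFIG_NF_TABLES_INET)" ;;
            2) echo "nft: not installed" ;;
        esac
        ;;
esac
```

If check_sysctls reports MISMATCH, the fix is the --sysctl flags (or the compose sysctls: list) shown above; MISSING or a failing nft probe points at the NAS kernel itself, which no container setting can change.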

This kernel parameter does not take effect.

zero-hero-he avatar Apr 01 '24 13:04 zero-hero-he

This kernel parameter does not take effect.

Do you mean that the net.ipv4.ip_forward=1 you mentioned earlier did not work?

cmj2002 avatar Apr 01 '24 14:04 cmj2002

Switching the WARP mode to Local Proxy and updating the GOST params to route traffic via this local proxy does the trick. Running in that mode it seems that WARP doesn't try to mess with nft so the issue is sidestepped.

Necessary changes below:

entrypoint.sh

  • before the "warp-cli connect" call:
    warp-cli mode proxy
    warp-cli proxy port 40000

Dockerfile

  • update GOST_ARGS="-L :1080 -F=127.0.0.1:40000"
  • update the health check:
    HEALTHCHECK --interval=15s --timeout=5s --start-period=30s --retries=3 \
      CMD curl -fsS --socks5-hostname 127.0.0.1:1080 "https://cloudflare.com/cdn-cgi/trace" | grep -qE "warp=(plus|on)" || exit 1

I hope this helps (at least until we figure out the nft issue)!

davide avatar Apr 04 '24 02:04 davide

@davide with the improvements you suggest, can you share how you configure your container with Synology? I am currently trying this, but the container still stops:

docker run -d --name=cf-warp \
  -v /volume1/docker/cf-warp:/var/lib/cloudflare-warp \
  --net=bridge \
  --restart always \
  --sysctl net.ipv6.conf.all.disable_ipv6=0 \
  --sysctl net.ipv4.conf.all.src_valid_mark=1 \
  --sysctl net.ipv4.ip_forward=1 \
  --cap-add NET_ADMIN \
  --restart unless-stopped \
  daseth/warp:nas

I did update my entrypoint.sh and the dockerfile and rebuilt the container.

daseth avatar Aug 06 '24 08:08 daseth

Ok, I reached here trying to get warp connector running, which is only supported by the official client at this moment. IMHO, the problem seems to be that warp-svc uses nftables to override the firewall config, so docker images running on both Synology and QNAP will fail. The only solutions are:

  • NAS providers move to nftables as the default firewall mode (GRRM will probably finish GOT earlier...),
  • Cloudflare adds support for legacy iptables (discuss)
  • Run inside a fully virtualized image (KVM)

inean avatar Nov 07 '24 20:11 inean