
Issue with iptables in gVisor - Failed to initialize nft and iptables-legacy errors

Open yarona1993 opened this issue 1 year ago • 3 comments

Description

I am encountering an issue with the gVisor project when trying to use iptables. The issue arises with both the regular iptables and iptables-legacy. The errors are as follows:

  1. Failed to initialize nft: Protocol not supported:

    iptables/1.8.7 Failed to initialize nft: Protocol not supported
    
  2. iptables-legacy error: can't initialize iptables table `filter': Table does not exist (do you need to insmod?):

    iptables v1.8.7 (legacy): can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
    Perhaps iptables or your kernel needs to be upgraded.
    

Steps to reproduce

  1. Install gVisor on the system.
  2. Attempt to use iptables with the following command:
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    
    Or try using iptables-legacy:
    iptables-legacy -A INPUT -p tcp --dport 80 -j ACCEPT
    

runsc version

runsc version release-20240115.0
spec: 1.1.0-rc.1

docker version (if using docker)

Client:
 Version:           24.0.5
 API version:       1.43
 Go version:        go1.20.3
 Git commit:        24.0.5-0ubuntu1~22.04.1
 Built:             Mon Aug 21 19:50:14 2023
 OS/Arch:           linux/amd64
 Context:           default

Server:
 Engine:
  Version:          24.0.5
  API version:      1.43 (minimum version 1.12)
  Go version:       go1.20.3
  Git commit:       24.0.5-0ubuntu1~22.04.1
  Built:            Mon Aug 21 19:50:14 2023
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          v1.6.27
  GitCommit:        a1496014c916f9e62104b33d1bb5bd03b0858e59
 runc:
  Version:          1.1.7-0ubuntu1~22.04.1
  GitCommit:
 docker-init:
  Version:          0.19.0
  GitCommit:

uname

Linux engine 5.15.0-78-generic #85-Ubuntu SMP Fri Jul 7 15:25:09 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

yarona1993 · Jan 24 '24 08:01

nftables is indeed not supported within gVisor at this time. iptables is only partially supported AFAIK. cc @nybidari @kevinGC

EtiennePerot · Jan 25 '24 23:01

Does the runtime config in /etc/docker/daemon.json pass the --net-raw flag, e.g.:

{
    "runtimes": {
        "runsc": {
            "path": "/usr/bin/runsc",
            "runtimeArgs": [
                "--net-raw"
            ]
        }
    }
}

Raw sockets, which are needed by iptables-legacy, are disabled by default for security reasons.

kevinGC · Jan 26 '24 00:01
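The check kevinGC asks for, and the distinction between the two errors in the original report, as an added example (not code from the gVisor project or from anyone in this thread). It parses a daemon.json, reports whether the runsc runtime receives --net-raw, returns a patched copy that adds the flag, and maps the two error strings from the issue to the cause discussed above. The sample daemon.json is constructed for the example; the runtime name "runsc" and path /usr/bin/runsc are taken from kevinGC's snippet, and the fallback that creates a missing runtime entry is this example's assumption.

```python
import json

# Constructed sample: the runsc runtime registered with Docker but WITHOUT
# --net-raw, which is the default (raw sockets disabled for security reasons).
SAMPLE_DAEMON_JSON = """{
    "runtimes": {
        "runsc": {
            "path": "/usr/bin/runsc",
            "runtimeArgs": []
        }
    }
}"""

NET_RAW_FLAG = "--net-raw"


def runsc_net_raw_enabled(config_text: str, runtime_name: str = "runsc") -> bool:
    """Return True if the named runtime in daemon.json passes --net-raw to runsc."""
    config = json.loads(config_text)
    runtime = config.get("runtimes", {}).get(runtime_name, {})
    return NET_RAW_FLAG in runtime.get("runtimeArgs", [])


def enable_net_raw(config_text: str, runtime_name: str = "runsc") -> str:
    """Return daemon.json text with --net-raw appended to the runtime's runtimeArgs.

    Idempotent: an already-enabled config comes back unchanged apart from
    formatting.  If the runtime entry is missing entirely it is created with the
    path used in the thread (assumption for this example).
    """
    config = json.loads(config_text)
    runtimes = config.setdefault("runtimes", {})
    runtime = runtimes.setdefault(runtime_name, {"path": "/usr/bin/runsc"})
    args = runtime.setdefault("runtimeArgs", [])
    if NET_RAW_FLAG not in args:
        args.append(NET_RAW_FLAG)
    return json.dumps(config, indent=4)


def classify_iptables_error(stderr_line: str) -> str:
    """Map the two error strings from the report to the cause named in the thread."""
    if "Failed to initialize nft" in stderr_line:
        # nft backend: nftables is not supported inside gVisor at this time.
        return "nft backend: nftables not supported in gVisor"
    if "Table does not exist" in stderr_line:
        # legacy backend needs raw sockets, which runsc disables unless --net-raw is set.
        return "legacy backend: raw sockets unavailable, check --net-raw on runsc"
    return "unrecognised"


if __name__ == "__main__":
    print("net-raw enabled before:", runsc_net_raw_enabled(SAMPLE_DAEMON_JSON))
    patched = enable_net_raw(SAMPLE_DAEMON_JSON)
    print(patched)
    print("net-raw enabled after:", runsc_net_raw_enabled(patched))
    for line in (
        "iptables/1.8.7 Failed to initialize nft: Protocol not supported",
        "iptables v1.8.7 (legacy): can't initialize iptables table `filter': "
        "Table does not exist (do you need to insmod?)",
    ):
        print(classify_iptables_error(line))
```

Run it against the real file with `runsc_net_raw_enabled(open("/etc/docker/daemon.json").read())`; after writing a patched config, the Docker daemon has to be restarted for the new runtimeArgs to take effect. Enabling raw sockets widens what a sandboxed workload can do on the network, so only turn the flag on for containers that actually need iptables-legacy.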

A friendly reminder that this issue had no activity for 120 days.

github-actions[bot] · May 26 '24 00:05