Bug: enabling firewall fails, Couldn't load match `conntrack'
Is this urgent?
No
Host OS
Postmarket OS (Alpine Linux)
CPU arch
aarch64
VPN service provider
TorGuard
What are you using to run the container
Portainer
What is the version of Gluetun
Running version latest built on 2023-06-30T18:14:43.045Z (commit 8ad16cd)
What's the problem 🤔
So, I bought torguard now and tried it with gluetun, tried openvpn provider, custom openvpn and wireguard, I also tried several ways to add ipv6 to docker, they all worked and gave the container a valid ipv6 but I always encounter the error with conntrack. Could it be something about my architecture (aarch64) or host os (Alpine Linux) that may be incompatible with the docker image?
Share your logs
2023-07-03T17:03:28+02:00 INFO [routing] default route found: interface eth0, gateway 172.16.5.1, assigned IP 172.16.5.2 and family v4
2023-07-03T17:03:28+02:00 INFO [routing] default route found: interface eth0, gateway fd5f:c26e:7746:f664::1, assigned IP fd5f:c26e:7746:f664::2 and family v6
2023-07-03T17:03:28+02:00 INFO [routing] local ethernet link found: eth0
2023-07-03T17:03:28+02:00 INFO [routing] local ipnet found: 172.16.5.0/24
2023-07-03T17:03:28+02:00 INFO [routing] local ipnet found: fd5f:c26e:7746:f664::/64
2023-07-03T17:03:28+02:00 INFO [routing] local ipnet found: fe80::/64
2023-07-03T17:03:28+02:00 INFO [firewall] enabling...
2023-07-03T17:03:28+02:00 DEBUG [firewall] iptables --policy INPUT DROP
2023-07-03T17:03:28+02:00 DEBUG [firewall] iptables --policy OUTPUT DROP
2023-07-03T17:03:28+02:00 DEBUG [firewall] iptables --policy FORWARD DROP
2023-07-03T17:03:28+02:00 DEBUG [firewall] ip6tables-nft --policy INPUT DROP
2023-07-03T17:03:28+02:00 DEBUG [firewall] ip6tables-nft --policy OUTPUT DROP
2023-07-03T17:03:28+02:00 DEBUG [firewall] ip6tables-nft --policy FORWARD DROP
2023-07-03T17:03:28+02:00 DEBUG [firewall] iptables --append INPUT -i lo -j ACCEPT
2023-07-03T17:03:28+02:00 DEBUG [firewall] ip6tables-nft --append INPUT -i lo -j ACCEPT
2023-07-03T17:03:28+02:00 DEBUG [firewall] iptables --append OUTPUT -o lo -j ACCEPT
2023-07-03T17:03:28+02:00 DEBUG [firewall] ip6tables-nft --append OUTPUT -o lo -j ACCEPT
2023-07-03T17:03:28+02:00 DEBUG [firewall] iptables --append OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
2023-07-03T17:03:28+02:00 DEBUG [firewall] ip6tables-nft --append OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
2023-07-03T17:03:28+02:00 DEBUG [firewall] iptables --flush
2023-07-03T17:03:28+02:00 DEBUG [firewall] ip6tables-nft --flush
2023-07-03T17:03:28+02:00 DEBUG [firewall] iptables --delete-chain
2023-07-03T17:03:28+02:00 DEBUG [firewall] ip6tables-nft --delete-chain
2023-07-03T17:03:28+02:00 DEBUG [firewall] iptables --policy INPUT ACCEPT
2023-07-03T17:03:28+02:00 DEBUG [firewall] iptables --policy OUTPUT ACCEPT
2023-07-03T17:03:28+02:00 DEBUG [firewall] iptables --policy FORWARD ACCEPT
2023-07-03T17:03:28+02:00 DEBUG [firewall] ip6tables-nft --policy INPUT ACCEPT
2023-07-03T17:03:28+02:00 DEBUG [firewall] ip6tables-nft --policy OUTPUT ACCEPT
2023-07-03T17:03:28+02:00 DEBUG [firewall] ip6tables-nft --policy FORWARD ACCEPT
2023-07-03T17:03:28+02:00 ERROR enabling firewall: command failed: "ip6tables-nft --append OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT": Warning: Extension conntrack is not supported, missing kernel module?
ip6tables v1.8.9 (nf_tables): Couldn't load match `conntrack':No such file or directory
Try `ip6tables -h' or 'ip6tables --help' for more information.: exit status 2
2023-07-03T17:03:28+02:00 INFO Shutdown successful
Share your configuration
version: "3"
services:
  gluetun:
    image: qmcgaw/gluetun
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    ports:
      - 8888:8888/tcp # HTTP proxy
      - 8388:8388/tcp # Shadowsocks
      - 8388:8388/udp # Shadowsocks
      - 8800:8000/tcp # Built-in HTTP control server
    environment:
      - TZ=Europe/Berlin
      - LOG_LEVEL=debug
      - VPN_SERVICE_PROVIDER=custom
      - VPN_TYPE=openvpn
      - OPENVPN_CUSTOM_CONFIG=/gluetun/custom.conf
    volumes:
      - /volume1/docker/gluetun/torguard-server.conf:/gluetun/custom.conf:ro
networks:
  default:
    driver: bridge
    enable_ipv6: true
    driver_opts:
      com.docker.network.bridge.enable_icc: "true"
      com.docker.network.bridge.enable_ip_masquerade: "true"
      com.docker.network.bridge.host_binding_ipv4: "0.0.0.0"
      com.docker.network.driver.mtu: "1390"
    ipam:
      driver: default
      config:
        - subnet: 172.16.5.0/24
          gateway: 172.16.5.1
        - subnet: fd5f:c26e:7746:f664::/64
          gateway: fd5f:c26e:7746:f664::1
Hi there, thanks for reporting the issue 💯
"Warning: Extension conntrack is not supported, missing kernel module?" is the issue here; the only problem is that googling that exact message only points to this issue! 🤣
You probably have to enable that nft conntrack module in your kernel, which hopefully is already in there but just not loaded. If that's the case, insmod nft_ct may fix it by miracle. If this fails, you might not have it in your kernel and would need to build the kernel with it.
It's not due to aarch64, it's really just Alpine's kernel. If you need to build the kernel yourself and are ok with changing host, I would recommend you use Arch (after having used an Alpine host myself 😉). It is a bit more complicated, but has better documentation, more recent packages (can be very useful from time to time), glibc instead of musl (i.e. to access with vscode over ssh) and yay (to get even more packages from the AUR).
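A small diagnostic that follows from the advice above, added here as an example; it is not something gluetun ships. It classifies the error text gluetun prints (both wordings seen in this thread), reports whether the nft_ct module is loaded, built in, on disk or absent, and, when run as root on a host with iptables, exercises the exact `-m conntrack` match in a throwaway chain so no live rule is touched. The SAMPLE_* lines are constructed from the messages quoted in this thread; the function names are this example's own.

```shell
#!/bin/sh
# Added diagnostic helper for the "Couldn't load match `conntrack'" failure.
# Not gluetun code: it classifies the error text gluetun prints and, on a host,
# reports whether the nft_ct kernel module is loaded, built in, on disk or absent.
# The SAMPLE_* lines are constructed from the messages quoted in this thread.

SAMPLE_MISSING_MODULE='ERROR enabling firewall: command failed: "ip6tables-nft --append OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT": Warning: Extension conntrack is not supported, missing kernel module?'
SAMPLE_LOAD_MATCH="ip6tables v1.8.9 (nf_tables): Couldn't load match \`conntrack':No such file or directory"
SAMPLE_RULE_APPEND='iptables v1.8.9 (nf_tables): RULE_APPEND failed (No such file or directory): rule in chain OUTPUT: exit status 4'

# classify_firewall_error LINE
# Prints conntrack-missing when iptables reports that the conntrack match could
# not be loaded (either wording seen in this thread), rule-append-failed for a
# bare RULE_APPEND error, and other for anything else.
classify_firewall_error() {
    case "$1" in
        *"Extension conntrack"*"not supported, missing kernel module"*) echo conntrack-missing ;;
        *"Couldn't load match"*conntrack*) echo conntrack-missing ;;
        *"RULE_APPEND failed"*) echo rule-append-failed ;;
        *) echo other ;;
    esac
}

# conntrack_module_status
# Prints loaded, builtin, available (on disk but not loaded; modprobe nft_ct
# would load it) or missing. Reads only /proc and /lib/modules, so no root needed.
conntrack_module_status() {
    rel=$(uname -r)
    if grep -qs '^nft_ct ' /proc/modules; then
        echo loaded
    elif grep -qs 'nft_ct\.ko' "/lib/modules/$rel/modules.builtin"; then
        echo builtin
    elif modinfo nft_ct >/dev/null 2>&1; then
        echo available
    else
        echo missing
    fi
}

# iptables_conntrack_works
# Exercises the exact match gluetun appends, but in a throwaway chain so no live
# rule changes. Needs root and iptables; returns 0 on success, 1 on failure.
iptables_conntrack_works() {
    chain="ct_probe_$$"
    iptables -N "$chain" 2>/dev/null || return 1
    if iptables -A "$chain" -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN 2>/dev/null; then
        rc=0
    else
        rc=1
    fi
    iptables -F "$chain" 2>/dev/null
    iptables -X "$chain" 2>/dev/null
    return "$rc"
}

# Demo over the constructed samples; the root-only iptables probe is left to the caller.
for line in "$SAMPLE_MISSING_MODULE" "$SAMPLE_LOAD_MATCH" "$SAMPLE_RULE_APPEND"; do
    printf '%s <- %s\n' "$(classify_firewall_error "$line")" "$line"
done
printf 'nft_ct on this host: %s\n' "$(conntrack_module_status)"
```

Run it on the Docker host, not inside the container: a status of "available" means the module exists but was never loaded, which is the case the comment above describes, while "missing" means the kernel was built without it. Once the module is in place, `iptables_conntrack_works` (as root) confirms the match gluetun needs before the container is restarted.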
Hello there!
Having the same issue. However, the nft_ct module seems to be loaded:
Output modinfo nft_ct
❯ modinfo nft_ct
filename: /lib/modules/6.6.3-411.asahi.fc39.aarch64+16k/kernel/net/netfilter/nft_ct.ko.xz
description: Netfilter nf_tables conntrack module
alias: nft-obj-9
alias: nft-obj-7
alias: nft-obj-3
alias: nft-expr-notrack
alias: nft-expr-ct
author: Patrick McHardy <[email protected]>
license: GPL
rhelversion: 9.99
depends: nf_tables,nf_conntrack
intree: Y
name: nft_ct
vermagic: 6.6.3-411.asahi.fc39.aarch64+16k SMP preempt mod_unload aarch64
sig_id: PKCS#7
signer: Fedora kernel signing key
Host OS
Fedora Linux Asahi Remix 39 aarch64
CPU arch
aarch64
VPN service provider
Mullvad
What are you using to run the container
Docker (docker-compose)
What is the version of Gluetun
Running version latest built on 2024-01-01T18:24:19.221Z (commit c826707)
Logs (removed deluge logs):
gluetun | ========================================
gluetun | ========================================
gluetun | =============== gluetun ================
gluetun | ========================================
gluetun | =========== Made with ❤️ by ============
gluetun | ======= https://github.com/qdm12 =======
gluetun | ========================================
gluetun | ========================================
gluetun |
gluetun | Running version latest built on 2024-01-01T18:24:19.221Z (commit c826707)
gluetun |
gluetun | 🔧 Need help? https://github.com/qdm12/gluetun/discussions/new
gluetun | 🐛 Bug? https://github.com/qdm12/gluetun/issues/new
gluetun | ✨ New feature? https://github.com/qdm12/gluetun/issues/new
gluetun | ☕ Discussion? https://github.com/qdm12/gluetun/discussions/new
gluetun | 💻 Email? [email protected]
gluetun | 💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
gluetun | 2024-01-11T13:18:50Z INFO [routing] default route found: interface eth0, gateway 172.19.0.1, assigned IP 172.19.0.2 and family v4
gluetun | 2024-01-11T13:18:50Z INFO [routing] local ethernet link found: eth0
gluetun | 2024-01-11T13:18:50Z INFO [routing] local ipnet found: 172.19.0.0/16
gluetun | 2024-01-11T13:18:50Z INFO [firewall] enabling...
gluetun | 2024-01-11T13:18:51Z ERROR enabling firewall: command failed: "iptables-nft --append OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT": Warning: Extension conntrack revision 0 not supported, missing kernel module?
gluetun | iptables v1.8.9 (nf_tables): RULE_APPEND failed (No such file or directory): rule in chain OUTPUT: exit status 4
gluetun | 2024-01-11T13:18:51Z INFO Shutdown successful
gluetun exited with code 1
Config
version: "2"
services:
  deluge:
    container_name: deluge
    image: linuxserver/deluge
    restart: unless-stopped
    network_mode: "service:gluetun"
    depends_on:
      - gluetun
    volumes:
      - ./config:/config:Z
      - /mnt/data/downloads:/downloads:Z
    environment:
      - PUID=1000
      - PGID=1000
  gluetun:
    image: qmcgaw/gluetun:latest
    container_name: gluetun
    # line above must be uncommented to allow external containers to connect. See https://github.com/qdm12/gluetun/wiki/Connect-a-container-to-gluetun#external-container-to-gluetun
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    ports:
      - 8888:8888/tcp # HTTP proxy
      - 8388:8388/tcp # Shadowsocks
      - 8388:8388/udp # Shadowsocks
      # qbittorrent ports
      - 8112:8112
      - 6881:6881
      - 6881:6881/udp
    restart: unless-stopped
    volumes:
      - ./tmp:/gluetun
    environment:
      # REDACTED
UPDATE:
Figured it out, seems to be an issue when using SELinux.
After adding
privileged: true
in the docker-compose.yml it works 🥳
Did some research, however I am still not quite sure on the security implications of adding this, could anyone elaborate a bit more on this?
Cheers!
I updated recently and am running on Arch, seeing a similar issue I think.
Running version latest built on 2024-05-04T16:22:29.394Z (commit ef6874f)
🔧 Need help? https://github.com/qdm12/gluetun/discussions/new
🐛 Bug? https://github.com/qdm12/gluetun/issues/new
✨ New feature? https://github.com/qdm12/gluetun/issues/new
☕ Discussion? https://github.com/qdm12/gluetun/discussions/new
💻 Email? [email protected]
💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
2024-05-07T02:28:38Z INFO [routing] default route found: interface eth0, gateway 172.26.0.1, assigned IP 172.26.0.3 and family v4
2024-05-07T02:28:38Z INFO [routing] local ethernet link found: eth0
2024-05-07T02:28:38Z INFO [routing] local ipnet found: 172.26.0.0/16
2024-05-07T02:28:38Z INFO [firewall] enabling...
2024-05-07T02:28:38Z ERROR enabling firewall: command failed: "iptables --append OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT": Warning: Extension conntrack revision 0 not supported, missing kernel module?
iptables v1.8.10 (nf_tables): RULE_APPEND failed (No such file or directory): rule in chain OUTPUT: exit status 4
2024-05-07T02:28:38Z INFO Shutdown successful
I notice rolling back my gluetun compose from latest to v3.37 fixes the issue, so it seems like something from 3.38 that introduced the bug for my case.
same here
Running version latest built on 2024-05-04T16:22:29.394Z (commit ef6874f) 🔧 Need help? https://github.com/qdm12/gluetun/discussions/new 🐛 Bug? https://github.com/qdm12/gluetun/issues/new ✨ New feature? https://github.com/qdm12/gluetun/issues/new ☕ Discussion? https://github.com/qdm12/gluetun/discussions/new 💻 Email? [email protected] 💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12 2024-05-07T02:28:38Z INFO [routing] default route found: interface eth0, gateway 172.26.0.1, assigned IP 172.26.0.3 and family v4
I also just wanted to echo same here, I am on arch linux and trying to connect to private internet access and I had to rollback to v3.37.0
For those who might not know how to choose docker image version (at least for the compose file), you just add to the end of the image line ":v3.37.0" i.e. image: qmcgaw/gluetun:v3.37.0
Can you try pulling the latest image and see if it works now? It's now upgraded to Alpine 3.20 (last release) and uses iptables-legacy or iptables-nft depending on the system, maybe this can help? 🤔
Now regarding the downgrade from v3.38 to v3.37 fixing your problem...
The code differences between v3.37.0 and v3.38.0 (https://github.com/qdm12/gluetun/compare/v3.37.0...v3.38.0) don't really show any difference in terms of firewall (firewall Go code or Alpine version). Checking both iptables versions gives the same:
docker run -it --rm --entrypoint /bin/sh qmcgaw/gluetun:v3.38.0 -c "apk info iptables"
docker run -it --rm --entrypoint /bin/sh qmcgaw/gluetun:v3.37.0 -c "apk info iptables"
So all in all, it's kind of very strange reverting to v3.37 from v3.38 fixes your issues 😕
Warning: Extension conntrack revision 0 not supported, missing kernel module
You are missing the conntrack kernel module (maybe this can help: https://forums.gentoo.org/viewtopic-p-8762909.html?sid=d318849889fea33fc6d9b1ab8d715c17).
RULE_APPEND failed (No such file or directory)
Not sure what that is.