gluetun: Bug: Firewall fails to start on IPv6 rule
Is this urgent?
None
Host OS
Debian Buster
CPU arch
x86_64
VPN service provider
Private Internet Access
What are you using to run the container
docker run
What is the version of Gluetun
qmcgaw/gluetun:v3.34.0
What’s the problem 🤔
I’m running gluetun in a kubernetes cluster. The container fails to start with the firewall enabled when creating an ipv6 output rule. It’s attempting to configure the rule with an IPv4 source address, which fails.
Share your logs
========================================
========================================
=============== gluetun ================
========================================
=========== Made with ❤️ by ============
======= https://github.com/qdm12 =======
========================================
========================================
Running version v3.34.0 built on 2023-05-21T13:07:49.386Z (commit 63303bc)
🔧 Need help? https://github.com/qdm12/gluetun/discussions/new
🐛 Bug? https://github.com/qdm12/gluetun/issues/new
✨ New feature? https://github.com/qdm12/gluetun/issues/new
☕ Discussion? https://github.com/qdm12/gluetun/discussions/new
💻 Email? quentin.mcgaw@gmail.com
💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
2023-05-21T11:36:58-04:00 INFO [routing] default route found: interface eth0, gateway 10.42.0.1, assigned IP 10.42.0.198 and family v4
2023-05-21T11:36:58-04:00 INFO [routing] local ethernet link found: eth0
2023-05-21T11:36:58-04:00 INFO [routing] local ipnet found: 10.42.0.0/24
2023-05-21T11:36:58-04:00 INFO [routing] local ipnet found: fe80::/64
2023-05-21T11:36:58-04:00 INFO [firewall] enabling...
2023-05-21T11:36:58-04:00 DEBUG [firewall] iptables --policy INPUT DROP
2023-05-21T11:36:58-04:00 DEBUG [firewall] iptables --policy OUTPUT DROP
2023-05-21T11:36:58-04:00 DEBUG [firewall] iptables --policy FORWARD DROP
2023-05-21T11:36:58-04:00 DEBUG [firewall] ip6tables-nft --policy INPUT DROP
2023-05-21T11:36:58-04:00 DEBUG [firewall] ip6tables-nft --policy OUTPUT DROP
2023-05-21T11:36:58-04:00 DEBUG [firewall] ip6tables-nft --policy FORWARD DROP
2023-05-21T11:36:58-04:00 DEBUG [firewall] iptables --append INPUT -i lo -j ACCEPT
2023-05-21T11:36:58-04:00 DEBUG [firewall] ip6tables-nft --append INPUT -i lo -j ACCEPT
2023-05-21T11:36:58-04:00 DEBUG [firewall] iptables --append OUTPUT -o lo -j ACCEPT
2023-05-21T11:36:58-04:00 DEBUG [firewall] ip6tables-nft --append OUTPUT -o lo -j ACCEPT
2023-05-21T11:36:58-04:00 DEBUG [firewall] iptables --append OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
2023-05-21T11:36:58-04:00 DEBUG [firewall] ip6tables-nft --append OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
2023-05-21T11:36:58-04:00 DEBUG [firewall] iptables --append INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
2023-05-21T11:36:58-04:00 DEBUG [firewall] ip6tables-nft --append INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
2023-05-21T11:36:58-04:00 DEBUG [firewall] iptables --append OUTPUT -o eth0 -s 10.42.0.198 -d 10.42.0.0/24 -j ACCEPT
2023-05-21T11:36:58-04:00 DEBUG [firewall] ip6tables-nft --append OUTPUT -o eth0 -d ff02::1:ff/104 -j ACCEPT
2023-05-21T11:36:58-04:00 DEBUG [firewall] ip6tables-nft --append OUTPUT -o eth0 -s 10.42.0.198 -d fe80::/64 -j ACCEPT
2023-05-21T11:36:58-04:00 DEBUG [firewall] iptables --flush
2023-05-21T11:36:58-04:00 DEBUG [firewall] ip6tables-nft --flush
2023-05-21T11:36:58-04:00 DEBUG [firewall] iptables --delete-chain
2023-05-21T11:36:58-04:00 DEBUG [firewall] ip6tables-nft --delete-chain
2023-05-21T11:36:58-04:00 DEBUG [firewall] iptables --policy INPUT ACCEPT
2023-05-21T11:36:58-04:00 DEBUG [firewall] iptables --policy OUTPUT ACCEPT
2023-05-21T11:36:58-04:00 DEBUG [firewall] iptables --policy FORWARD ACCEPT
2023-05-21T11:36:58-04:00 DEBUG [firewall] ip6tables-nft --policy INPUT ACCEPT
2023-05-21T11:36:58-04:00 DEBUG [firewall] ip6tables-nft --policy OUTPUT ACCEPT
2023-05-21T11:36:58-04:00 DEBUG [firewall] ip6tables-nft --policy FORWARD ACCEPT
2023-05-21T11:36:58-04:00 ERROR enabling firewall: command failed: "ip6tables-nft --append OUTPUT -o eth0 -s 10.42.0.198 -d fe80::/64 -j ACCEPT": ip6tables v1.8.8 (nf_tables): host/network `10.42.0.198' not found
Try `ip6tables -h' or 'ip6tables --help' for more information.: exit status 2
2023-05-21T11:36:58-04:00 INFO Shutdown successful
Share your configuration
apiVersion: apps/v1
kind: Deployment
metadata:
  name: gluetun
  namespace: gluetun
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: gluetun
  template:
    metadata:
      labels:
        app.kubernetes.io/name: gluetun
    spec:
      containers:
        - name: gluetun
          image: qmcgaw/gluetun:v3.34.0
          securityContext:
            capabilities:
              add:
                - NET_ADMIN
          env:
            - name: VPC_SERVICE_PROVIDER
              value: private internet access
            - name: SERVER_REGIONS
              value: US Chicago
            - name: FIREWALL_DEBUG
              value: "on" # Remove in prod
            - name: TZ
              value: "America/New_York"
            - name: OPENVPN_USER
              valueFrom:
                secretKeyRef:
                  name: pia-credentials
                  key: pia-user
            - name: OPENVPN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: pia-credentials
                  key: pia-pass
          ports:
            - name: httpproxy
              containerPort: 8888
              protocol: TCP
            - name: shadowsocks-tcp
              containerPort: 8388
              protocol: TCP
            - name: shadowsocks-udp
              containerPort: 8388
              protocol: UDP
          livenessProbe:
            httpGet:
              path: /
              port: 9999
            initialDelaySeconds: 10
            timeoutSeconds: 10
          readinessProbe:
            httpGet:
              path: /
              port: 9999
            initialDelaySeconds: 10
            timeoutSeconds: 5
About this issue
- State: closed
- Created a year ago
- Reactions: 1
- Comments: 16 (5 by maintainers)
Probably due to 0a29337c3b661d6713be56c39a8eab023ce96b0e. I’ll investigate.
@qdm12 I do not see this message in my container.
Thanks for this fantastic project! Have been using it daily for a few years.
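The family mismatch in the failing command from the log (`ip6tables-nft ... -s 10.42.0.198 -d fe80::/64`), as an added Go example that is not gluetun's code: a hypothetical `subnetRule` helper picks the binary from the destination prefix's family and adds `-s` only for an assigned address of that same family. Omitting the source match when no such address exists, and the plain `iptables`/`ip6tables` binary names, are assumptions of this sketch.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// subnetRule builds the OUTPUT accept rule for one local subnet.
// Hypothetical helper for illustration; name and signature are assumptions.
// The binary follows the destination family, and a source match is added
// only when an assigned address of that same family exists, so an IPv4
// address can never end up in an ip6tables command.
func subnetRule(intf string, assigned []netip.Addr, dst netip.Prefix) (bin, rule string) {
	v6 := dst.Addr().Unmap().Is6()
	bin = "iptables"
	if v6 {
		bin = "ip6tables"
	}
	parts := []string{"--append", "OUTPUT", "-o", intf}
	for _, a := range assigned {
		// Unmap turns ::ffff:a.b.c.d into a.b.c.d before the family check.
		if a = a.Unmap(); a.Is6() == v6 {
			parts = append(parts, "-s", a.String())
			break
		}
	}
	parts = append(parts, "-d", dst.String(), "-j", "ACCEPT")
	return bin, strings.Join(parts, " ")
}

func main() {
	// Values from the log above: a single IPv4 address on eth0,
	// one IPv4 local subnet and the IPv6 link-local subnet.
	assigned := []netip.Addr{netip.MustParseAddr("10.42.0.198")}
	for _, s := range []string{"10.42.0.0/24", "fe80::/64"} {
		bin, rule := subnetRule("eth0", assigned, netip.MustParsePrefix(s))
		fmt.Println(bin, rule)
	}
}
```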