Bug: enabling firewall fails, Couldn't load match `conntrack'

[Bush-cat]

Is this urgent?

No

Host OS

Postmarket OS (Alpine Linux)

CPU arch

aarch64

VPN service provider

TorGuard

What are you using to run the container

Portainer

What is the version of Gluetun

Running version latest built on 2023-06-30T18:14:43.045Z (commit 8ad16cd)

What's the problem 🤔

So, I bought torguard now and tried it with gluetun, tried openvpn provider, custom openvpn and wireguard, I also tried several ways to add ipv6 to docker, they all worked and gave the container a valid ipv6 but I always encounter the error with conntrack. Could it be something about my architecture (aarch64) or host os (Alpine Linux) that may be incompatible with the docker image?

Share your logs

2023-07-03T17:03:28+02:00 INFO [routing] default route found: interface eth0, gateway 172.16.5.1, assigned IP 172.16.5.2 and family v4
2023-07-03T17:03:28+02:00 INFO [routing] default route found: interface eth0, gateway fd5f:c26e:7746:f664::1, assigned IP fd5f:c26e:7746:f664::2 and family v6
2023-07-03T17:03:28+02:00 INFO [routing] local ethernet link found: eth0
2023-07-03T17:03:28+02:00 INFO [routing] local ipnet found: 172.16.5.0/24
2023-07-03T17:03:28+02:00 INFO [routing] local ipnet found: fd5f:c26e:7746:f664::/64
2023-07-03T17:03:28+02:00 INFO [routing] local ipnet found: fe80::/64
2023-07-03T17:03:28+02:00 INFO [firewall] enabling...
2023-07-03T17:03:28+02:00 DEBUG [firewall] iptables --policy INPUT DROP
2023-07-03T17:03:28+02:00 DEBUG [firewall] iptables --policy OUTPUT DROP
2023-07-03T17:03:28+02:00 DEBUG [firewall] iptables --policy FORWARD DROP
2023-07-03T17:03:28+02:00 DEBUG [firewall] ip6tables-nft --policy INPUT DROP
2023-07-03T17:03:28+02:00 DEBUG [firewall] ip6tables-nft --policy OUTPUT DROP
2023-07-03T17:03:28+02:00 DEBUG [firewall] ip6tables-nft --policy FORWARD DROP
2023-07-03T17:03:28+02:00 DEBUG [firewall] iptables --append INPUT -i lo -j ACCEPT
2023-07-03T17:03:28+02:00 DEBUG [firewall] ip6tables-nft --append INPUT -i lo -j ACCEPT
2023-07-03T17:03:28+02:00 DEBUG [firewall] iptables --append OUTPUT -o lo -j ACCEPT
2023-07-03T17:03:28+02:00 DEBUG [firewall] ip6tables-nft --append OUTPUT -o lo -j ACCEPT
2023-07-03T17:03:28+02:00 DEBUG [firewall] iptables --append OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
2023-07-03T17:03:28+02:00 DEBUG [firewall] ip6tables-nft --append OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
2023-07-03T17:03:28+02:00 DEBUG [firewall] iptables --flush
2023-07-03T17:03:28+02:00 DEBUG [firewall] ip6tables-nft --flush
2023-07-03T17:03:28+02:00 DEBUG [firewall] iptables --delete-chain
2023-07-03T17:03:28+02:00 DEBUG [firewall] ip6tables-nft --delete-chain
2023-07-03T17:03:28+02:00 DEBUG [firewall] iptables --policy INPUT ACCEPT
2023-07-03T17:03:28+02:00 DEBUG [firewall] iptables --policy OUTPUT ACCEPT
2023-07-03T17:03:28+02:00 DEBUG [firewall] iptables --policy FORWARD ACCEPT
2023-07-03T17:03:28+02:00 DEBUG [firewall] ip6tables-nft --policy INPUT ACCEPT
2023-07-03T17:03:28+02:00 DEBUG [firewall] ip6tables-nft --policy OUTPUT ACCEPT
2023-07-03T17:03:28+02:00 DEBUG [firewall] ip6tables-nft --policy FORWARD ACCEPT
2023-07-03T17:03:28+02:00 ERROR enabling firewall: command failed: "ip6tables-nft --append OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT": Warning: Extension conntrack is not supported, missing kernel module?
ip6tables v1.8.9 (nf_tables): Couldn't load match `conntrack':No such file or directory
Try `ip6tables -h' or 'ip6tables --help' for more information.: exit status 2
2023-07-03T17:03:28+02:00 INFO Shutdown successful

Share your configuration

version: "3"
services:
  gluetun:
    image: qmcgaw/gluetun
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    ports:
      - 8888:8888/tcp # HTTP proxy
      - 8388:8388/tcp # Shadowsocks
      - 8388:8388/udp # Shadowsocks
      - 8800:8000/tcp # Built-in HTTP control server
    environment:
      - TZ=Europe/Berlin
      - LOG_LEVEL=debug
      - VPN_SERVICE_PROVIDER=custom
      - VPN_TYPE=openvpn
      - OPENVPN_CUSTOM_CONFIG=/gluetun/custom.conf
    volumes:
      - /volume1/docker/gluetun/torguard-server.conf:/gluetun/custom.conf:ro

networks:
    default:
        driver: bridge
        enable_ipv6: true
        driver_opts:
            com.docker.network.bridge.enable_icc: "true"
            com.docker.network.bridge.enable_ip_masquerade: "true"
            com.docker.network.bridge.host_binding_ipv4: "0.0.0.0"
            com.docker.network.driver.mtu: "1390"
        ipam:
            driver: default
            config:
                - subnet: 172.16.5.0/24
                  gateway: 172.16.5.1
                - subnet: fd5f:c26e:7746:f664::/64
                  gateway: fd5f:c26e:7746:f664::1

[qdm12]

Hi there, thanks for reporting the issue 💯

Warning: Extension conntrack is not supported, missing kernel module? is the issue here, the only problem is googling that exact message only points to this issue! 🤣

You probably have to enable that module nft conntrack module in your kernel, which hopefully is already in there but just not loaded. If that's the case, insmod nft_ct may fix it by miracle. If this fails, you might not have it in your kernel and would need to build the kernel with it.

It's not due to aarch64, it's really just Alpine's kernel. If you need to build the kernel yourself and are ok with changing host, I would recommend you to use Arch (after having used an Alpine host myself 😉). It is a bit more complicated, but has better documentation, more recent packages (can be very useful from time to time), glibc instead of musl (i.e. to access with vscode over ssh) and yay (to get even more packages from the AUR).

[burghoffdavid]

Hello there!

Having the same issue. However, the nft_ct module seems to be loaded:

Output modinfo nft_ct

❯ modinfo nft_ct
filename:       /lib/modules/6.6.3-411.asahi.fc39.aarch64+16k/kernel/net/netfilter/nft_ct.ko.xz
description:    Netfilter nf_tables conntrack module
alias:          nft-obj-9
alias:          nft-obj-7
alias:          nft-obj-3
alias:          nft-expr-notrack
alias:          nft-expr-ct
author:         Patrick McHardy <kaber@trash.net>
license:        GPL
rhelversion:    9.99
depends:        nf_tables,nf_conntrack
intree:         Y
name:           nft_ct
vermagic:       6.6.3-411.asahi.fc39.aarch64+16k SMP preempt mod_unload aarch64
sig_id:         PKCS#7
signer:         Fedora kernel signing key

Host OS

Fedora Linux Asahi Remix 39 aarch64

CPU arch

aarch64

VPN service provider

Mullvad

What are you using to run the container

Docker (docker-compose)

What is the version of Gluetun

Running version latest built on 2024-01-01T18:24:19.221Z (commit c826707)

Logs (removed deluge logs):

gluetun    | ========================================
gluetun    | ========================================
gluetun    | =============== gluetun ================
gluetun    | ========================================
gluetun    | =========== Made with ❤️ by ============
gluetun    | ======= https://github.com/qdm12 =======
gluetun    | ========================================
gluetun    | ========================================
gluetun    | 
gluetun    | Running version latest built on 2024-01-01T18:24:19.221Z (commit c826707)
gluetun    | 
gluetun    | 🔧 Need help? https://github.com/qdm12/gluetun/discussions/new
gluetun    | 🐛 Bug? https://github.com/qdm12/gluetun/issues/new
gluetun    | ✨ New feature? https://github.com/qdm12/gluetun/issues/new
gluetun    | ☕ Discussion? https://github.com/qdm12/gluetun/discussions/new
gluetun    | 💻 Email? quentin.mcgaw@gmail.com
gluetun    | 💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
gluetun    | 2024-01-11T13:18:50Z INFO [routing] default route found: interface eth0, gateway 172.19.0.1, assigned IP 172.19.0.2 and family v4
gluetun    | 2024-01-11T13:18:50Z INFO [routing] local ethernet link found: eth0
gluetun    | 2024-01-11T13:18:50Z INFO [routing] local ipnet found: 172.19.0.0/16
gluetun    | 2024-01-11T13:18:50Z INFO [firewall] enabling...
gluetun    | 2024-01-11T13:18:51Z ERROR enabling firewall: command failed: "iptables-nft --append OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT": Warning: Extension conntrack revision 0 not supported, missing kernel module?
gluetun    | iptables v1.8.9 (nf_tables):  RULE_APPEND failed (No such file or directory): rule in chain OUTPUT: exit status 4
gluetun    | 2024-01-11T13:18:51Z INFO Shutdown successful
gluetun exited with code 1

Config

version: "2"
services:
  deluge:
    container_name: deluge
    image: linuxserver/deluge
    restart: unless-stopped
    network_mode: "service:gluetun"
    depends_on:
      - gluetun
    volumes:
      - ./config:/config:Z
      - /mnt/data/downloads:/downloads:Z
    environment:
      - PUID=1000
      - PGID=1000
  gluetun:
    image: qmcgaw/gluetun:latest
    container_name: gluetun
    # line above must be uncommented to allow external containers to connect. See https://github.com/qdm12/gluetun/wiki/Connect-a-container-to-gluetun#external-container-to-gluetun
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    ports:
      - 8888:8888/tcp # HTTP proxy
      - 8388:8388/tcp # Shadowsocks
      - 8388:8388/udp # Shadowsocks
      # qbittorrent ports
      - 8112:8112
      - 6881:6881
      - 6881:6881/udp
    restart: unless-stopped
    volumes:
      - ./tmp:/gluetun
    environment:
      # REDACTED

[burghoffdavid]

UPDATE:

Figured it out, seems to be an issue when using SELinux.

After adding

privileged: true

in the docker-compose.yml it works 🥳

Did some research, however I am still not quite sure on the security implications of adding this, could anyone elaborate a bit more on this?

Cheers!

[leetNightshade]

I updated recently and am running on Arch, seeing a similar issue I think.

Running version latest built on 2024-05-04T16:22:29.394Z (commit ef6874f)
🔧 Need help? https://github.com/qdm12/gluetun/discussions/new
🐛 Bug? https://github.com/qdm12/gluetun/issues/new
✨ New feature? https://github.com/qdm12/gluetun/issues/new
☕ Discussion? https://github.com/qdm12/gluetun/discussions/new
💻 Email? quentin.mcgaw@gmail.com
💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
2024-05-07T02:28:38Z INFO [routing] default route found: interface eth0, gateway 172.26.0.1, assigned IP 172.26.0.3 and family v4
2024-05-07T02:28:38Z INFO [routing] local ethernet link found: eth0
2024-05-07T02:28:38Z INFO [routing] local ipnet found: 172.26.0.0/16
2024-05-07T02:28:38Z INFO [firewall] enabling...
2024-05-07T02:28:38Z ERROR enabling firewall: command failed: "iptables --append OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT": Warning: Extension conntrack revision 0 not supported, missing kernel module?
iptables v1.8.10 (nf_tables):  RULE_APPEND failed (No such file or directory): rule in chain OUTPUT: exit status 4
2024-05-07T02:28:38Z INFO Shutdown successful

I notice rolling back my gluetun compose from latest to v3.37 fixes the issue, so it seems like something from 3.38 that introduced the bug for my case.

[ruizlenato]

I updated recently and am running on Arch, seeing a similar issue I think.

Running version latest built on 2024-05-04T16:22:29.394Z (commit ef6874f)
🔧 Need help? https://github.com/qdm12/gluetun/discussions/new
🐛 Bug? https://github.com/qdm12/gluetun/issues/new
✨ New feature? https://github.com/qdm12/gluetun/issues/new
☕ Discussion? https://github.com/qdm12/gluetun/discussions/new
💻 Email? quentin.mcgaw@gmail.com
💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
2024-05-07T02:28:38Z INFO [routing] default route found: interface eth0, gateway 172.26.0.1, assigned IP 172.26.0.3 and family v4
2024-05-07T02:28:38Z INFO [routing] local ethernet link found: eth0
2024-05-07T02:28:38Z INFO [routing] local ipnet found: 172.26.0.0/16
2024-05-07T02:28:38Z INFO [firewall] enabling...
2024-05-07T02:28:38Z ERROR enabling firewall: command failed: "iptables --append OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT": Warning: Extension conntrack revision 0 not supported, missing kernel module?
iptables v1.8.10 (nf_tables):  RULE_APPEND failed (No such file or directory): rule in chain OUTPUT: exit status 4
2024-05-07T02:28:38Z INFO Shutdown successful

I notice rolling back my gluetun compose from latest to v3.37 fixes the issue, so it seems like something from 3.38 that introduced the bug for my case.

same here

[znoble360]

Running version latest built on 2024-05-04T16:22:29.394Z (commit ef6874f)
🔧 Need help? https://github.com/qdm12/gluetun/discussions/new
🐛 Bug? https://github.com/qdm12/gluetun/issues/new
✨ New feature? https://github.com/qdm12/gluetun/issues/new
☕ Discussion? https://github.com/qdm12/gluetun/discussions/new
💻 Email? quentin.mcgaw@gmail.com
💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
2024-05-07T02:28:38Z INFO [routing] default route found: interface eth0, gateway 172.26.0.1, assigned IP 172.26.0.3 and family v4

I also just wanted to echo same here, I am on arch linux and trying to connect to private internet access and I had to rollback to v3.37.0

For those who might not know how to choose docker image version (at least for the compose file), you just add to the end of the image line ":v3.37.0" i.e. image: qmcgaw/gluetun:v3.37.0

[qdm12]

Can you try pulling the latest image and see if it works now? It's now upgraded to Alpine 3.20 (last release) and uses iptables-legacy or iptables-nft depending on the system, maybe this can help? 🤔

Now regarding the downgrade from v3.38 to v3.37 fixing your problem...

Code differences between v3.37.0 and v3.38.0 are v3.37.0...v3.38.0 doesn't show really any difference in terms of firewall (firewall Go code or alpine version). Checking both iptables versions gives the same:

docker run -it --rm --entrypoint /bin/sh qmcgaw/gluetun:v3.38.0 -c "apk info iptables"
docker run -it --rm --entrypoint /bin/sh qmcgaw/gluetun:v3.37.0 -c "apk info iptables"

So all in all, it's kind of very strange reverting to v3.37 from v3.38 fixes your issues 😕

Warning: Extension conntrack revision 0 not supported, missing kernel module

You are missing the conntrack kernel module (maybe this can help: https://forums.gentoo.org/viewtopic-p-8762909.html?sid=d318849889fea33fc6d9b1ab8d715c17).

RULE_APPEND failed (No such file or directory)

Not sure what that is.

[darrynlowe]

I'm getting the same thing in that neither 3.38 nor 3.39 does not work but rolling back to 3.37 does.

Configuration of the host is:

• Arch 6.10.5-arch1-1
• Docker 27.1.2
• iptables 1:1.8.10-2

docker-compose.yaml is:

gluetun:
    image: qmcgaw/gluetun:latest
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    ports:
      - "8006:8000"   
    restart: unless-stopped
    privileged: true
    devices:
      - /dev/net/tun:/dev/net/tun
    environment:
      - VPN_SERVICE_PROVIDER=private internet access
      - OPENVPN_USER=_____
      - OPENVPN_PASSWORD=______
      - HTTPPROXY=off
      - PUBLICIP_API=ip2location
      - TZ=America/Toronto
      - DNS_KEEP_NAMESEVER=on
      - DOT=off

and the error is:

2024-08-21T09:12:16-04:00 INFO [routing] default route found: interface eth0, gateway 172.18.0.1, assigned IP 172.18.0.2 and family v4
2024-08-21T09:12:16-04:00 INFO [routing] local ethernet link found: eth0
2024-08-21T09:12:16-04:00 INFO [routing] local ipnet found: 172.18.0.0/16
2024-08-21T09:12:16-04:00 INFO [firewall] enabling...
2024-08-21T09:12:17-04:00 ERROR enabling firewall: command failed: "iptables --append OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT": Warning: Extension conntrack revision 0 not supported, missing kernel module?
iptables v1.8.10 (nf_tables):  RULE_APPEND failed (No such file or directory): rule in chain OUTPUT: exit status 4
2024-08-21T09:12:17-04:00 INFO Shutdown successful

[darrynlowe]

Changing ALPINE_LINUX back to 3.19 in the Dockerfile resolves this problem for now.

[JustinTArthur]

Folks are seeing this message because iptables-nft still uses legacy xtables extensions (like conntrack) for matching, even inside the modern nftables rules it creates.

Recent gluetun with iptables-nft requires the following kernel config for the firewall rules even if you don't plan to use legacy iptables/xtables tools and driver:

• CONFIG_NF_TABLES
• CONFIG_NFT_COMPAT so the kernel can interpret nftables rules that contain old xtables extensions
• CONFIG_NETFILTER_XT_MATCH_CONNTRACK for old conntrack xtables match support
• CONFIG_NETFILTER_XT_NAT and CONFIG_NETFILTER_XT_TARGET_REDIRECT might be needed for prior rules deletion attempts. I don't know for sure.

These can be enabled as modules or built in to the kernel. As modules, netfilter will load them as required.

The longer-term fix is to have gluetun add nftables rules using a tool that uses native nftables expressions in rules. For example, nft can use the nftables ct extension instead of the old xtables conntrack matching. Until then, the nft_ct feature added by CONFIG_NFT_CT is unlikely to be used.