[BUG] Fedora 41 Migration from iptables to nftables #380

Open
Zanathoz opened this issue Feb 24, 2025 · 4 comments · May be fixed by #385
Comments

@Zanathoz

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

After upgrading my podman host from Fedora 40 to 41, my wireguard pods will no longer start. It appears Fedora 41 has deprecated iptables for nftables:
https://docs.fedoraproject.org/en-US/fedora/latest/release-notes/sysadmin/

These containers worked without issue prior to my upgrade to Fedora 41 and are broken on both hosts I utilize for WG VPN services.

It looks like there are some workarounds/changes available. I will need time to investigate and test on my end:
https://fedoraproject.org/wiki/Changes/LibvirtVirtualNetworkNFTables#Reverting_to_iptables_for_compatibility

Expected Behavior

Container to start

Steps To Reproduce

Utilizing systemd services to automatically start the pods:

[Unit]
Description=Podman container-wireguard.service
Documentation=man:podman-generate-systemd(1)
Wants=network-online.target
After=network-online.target
RequiresMountsFor=%t/containers

[Service]
Environment=PODMAN_SYSTEMD_UNIT=%n
Restart=on-failure
TimeoutStopSec=70
ExecStartPre=/bin/rm -f %t/%n.ctr-id
ExecStart=/usr/bin/podman run --cidfile=%t/%n.ctr-id --cgroups=no-conmon --rm --sdnotify=conmon --replace -d --privileged --name wireguard -e PUID=1000 -e PGID=1000 -e "TZ=America/New_York" --cap-add=NET_RAW --cap-add=NET_ADMIN -e SERVERURL=vpn.mydomain.com -e SERVERPORT=51821 -e PEERS=WireGuard1 -e PEERDNS=192.168.1.1 -e INTERNAL_SUBNET=10.21.21.0 -e ALLOWEDIPS=0.0.0.0/0 -p 51820:51820/udp --sysctl=net.ipv4.conf.all.src_valid_mark=1 -v /var/wireguard/wireguard-vpn:/config:Z -v /var/wireguard/wireguard-modules:/lib/modules:Z --pull=always --label io.containers.autoupdate=registry lscr.io/linuxserver/wireguard:latest
ExecStop=/usr/bin/podman stop --ignore --cidfile=%t/%n.ctr-id
ExecStopPost=/usr/bin/podman rm -f --ignore --cidfile=%t/%n.ctr-id
Type=notify
NotifyAccess=all

[Install]
WantedBy=default.target

Environment

- OS: Fedora 41
- How docker service was installed: Native Podman

CPU architecture

x86-64

Docker creation

podman run --replace -d --privileged --name wireguard -e PUID=1000 -e PGID=1000 -e "TZ=America/New_York" --cap-add=NET_RAW --cap-add=NET_ADMIN -e SERVERURL=vpn.mydomain.com -e SERVERPORT=51821 -e PEERS=WireGuard1 -e PEERDNS=192.168.1.1 -e INTERNAL_SUBNET=10.21.21.0 -e ALLOWEDIPS=0.0.0.0/0 -p 51820:51820/udp --sysctl=net.ipv4.conf.all.src_valid_mark=1 -v /var/wireguard/wireguard-vpn:/config:Z -v /var/wireguard/wireguard-modules:/lib/modules:Z --pull=always --label io.containers.autoupdate=registry lscr.io/linuxserver/wireguard:latest

Container logs

```
February 24, 2025
[#] ip link delete dev wg0
wireguard
Perhaps iptables or your kernel needs to be upgraded.
wireguard
iptables v1.8.11 (legacy): can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
wireguard
[#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE
wireguard
[#] ip -4 route add 10.21.21.2/32 dev wg0
wireguard
[#] ip link set mtu 1420 up dev wg0
wireguard
[#] ip -4 address add 10.21.21.1 dev wg0
wireguard
[#] wg setconf wg0 /dev/fd/63
wireguard
[#] ip link add wg0 type wireguard
wireguard
Warning: `/config/wg_confs/wg0.conf' is world accessible
wireguard
Connection to localhost (::1) 53 port [udp/domain] succeeded!
wireguard
```

Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.

@Zanathoz
Author

Zanathoz commented Feb 24, 2025

I found I didn't have virtnetworkd installed.

I installed it and put in the proposed workaround in the config file to fall back to iptables and the container still fails with the same error message.

It appears this can also cause breaking changes with docker containers due to the change.

EDIT: It appears this has fixed my issue, although not sure why I needed to perform this step unless due to part of the OS post-upgrade cleanup process I performed.

This could also be due to the changes Fedora has made to iptables/nftables. The container still works without putting the nftables config item in place to use iptables, but the container will remain broken until the following is performed and the container is restarted.

sudo modprobe ip_tables
echo 'ip_tables' | sudo tee -a /etc/modules   # with `sudo echo ... >> file` the redirection runs as the unprivileged user; tee appends as root

These commands also don't persist through a reboot, so I've made a shell script that re-instates them and runs via crontab at reboot for my tunnels to come up properly.

@paschun

paschun commented Mar 8, 2025

On fedora, /etc/alternatives/iptables -> /usr/sbin/iptables-nft.

In the alpine container, /usr/sbin/iptables-nft is also present and seems to work OK.

Could probably just alias iptables -> iptables-nft in the meantime.
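Added example tying the two comments above together (not code from the issue, the reporter's cron script, or the linuxserver image): a POSIX sh pre-start check that classifies the container's iptables backend from its `iptables -V` line, checks /proc/modules for ip_tables, and persists the load under /etc/modules-load.d, the directory Fedora's systemd-modules-load reads at boot. Assumptions: the version line is obtained from the image (e.g. `podman run --rm lscr.io/linuxserver/wireguard:latest iptables -V`), and the modules-file and directory paths are parameters so the functions can be exercised against constructed files.

```shell
#!/bin/sh
# Added example, not code from the issue or the linuxserver image: pre-start
# check for a podman host that moved to nftables but runs a container whose
# entrypoint still calls the legacy iptables binary.

# Classify an `iptables -V` line: "legacy" needs the ip_tables kernel module,
# "nft" talks to nf_tables directly and does not.
iptables_backend() {
    case "$1" in
        *"(legacy)"*)    echo legacy ;;
        *"(nf_tables)"*) echo nft ;;
        *)               echo unknown ;;
    esac
}

# Return 0 if module $1 is listed in $2 (a /proc/modules-style file).
module_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' "$2"
}

# Persist the load: systemd-modules-load reads *.conf in $1 at boot
# (/etc/modules-load.d on Fedora). Idempotent, so it is safe in ExecStartPre.
persist_module() {
    conf="$1/ip_tables.conf"
    if [ -f "$conf" ] && grep -qx 'ip_tables' "$conf"; then
        return 0
    fi
    printf 'ip_tables\n' >> "$conf"
}

# Driver: $1 is the container's `iptables -V` output (assumption: obtained with
# `podman run --rm <image> iptables -V`). Loads and persists ip_tables only when
# the container is on the legacy backend; an nft-backed container needs nothing.
ensure_ip_tables() {
    [ "$(iptables_backend "$1")" = legacy ] || return 0
    module_loaded ip_tables /proc/modules || modprobe ip_tables || return 1
    persist_module /etc/modules-load.d
}
```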

@LinuxServer-CI
Contributor

This issue has been automatically marked as stale because it has not had recent activity. This might be due to missing feedback from OP. It will be closed if no further activity occurs. Thank you for your contributions.

@AlexStorm1313 AlexStorm1313 linked a pull request Apr 24, 2025 that will close this issue