[BUG] wrong iptables directory with alpine:3.21 #375

Closed
arkandias opened this issue Jan 20, 2025 · 1 comment · Fixed by #377

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

In Alpine 3.21, all the iptables binaries are located in /usr/sbin (rather than /sbin in 3.20). So this part of the Dockerfile creates "dangling symlinks":

cd /sbin && \
for i in ! !-save !-restore; do \
  rm -rf iptables$(echo "${i}" | cut -c2-) && \
  rm -rf ip6tables$(echo "${i}" | cut -c2-) && \
  ln -s iptables-legacy$(echo "${i}" | cut -c2-) iptables$(echo "${i}" | cut -c2-) && \
  ln -s ip6tables-legacy$(echo "${i}" | cut -c2-) ip6tables$(echo "${i}" | cut -c2-); \
done

Moreover, since

PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

running iptables actually runs /usr/sbin/iptables, which is not what is intended.

This issue could be fixed with a simple:

cd /usr/sbin

N.B. Depending on the host system, iptables may work out of the box (for example on macOS 15.2), whereas on a Synology NAS (Linux 4.4), iptables -L yields

# Warning: iptables-legacy tables present, use iptables-legacy to see them
iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument

Expected Behavior

iptables should work correctly on any platform by using the legacy implementation, which is more widely supported across different kernels. The Dockerfile's symlink setup is specifically intended to ensure this by forcing the use of iptables-legacy. When running iptables -L, it should display the chains and rules without errors, regardless of whether the host system fully supports nftables or not.

Steps To Reproduce

Start the container and get a shell:

docker run -it --cap-add=NET_ADMIN \
  -e PUID=1000 \
  -e PGID=1000 \
  -e TZ=Etc/UTC \
  -p 51820:51820/udp \
  --sysctl="net.ipv4.conf.all.src_valid_mark=1" \
  lscr.io/linuxserver/wireguard:latest bash

Verify that the symlinks in /sbin are broken (they point to non-existent files):

root@711ecb274314:/# ls -L /sbin/iptables*
ls: cannot access '/sbin/iptables': No such file or directory
ls: cannot access '/sbin/iptables-restore': No such file or directory
ls: cannot access '/sbin/iptables-save': No such file or directory

Locate where the iptables binaries actually reside:

root@711ecb274314:/# ls -la /sbin/iptables*
lrwxrwxrwx 1 root root 15 Jan 16 11:25 /sbin/iptables -> iptables-legacy
lrwxrwxrwx 1 root root 23 Jan 16 11:25 /sbin/iptables-restore -> iptables-legacy-restore
lrwxrwxrwx 1 root root 20 Jan 16 11:25 /sbin/iptables-save -> iptables-legacy-save
root@711ecb274314:/# ls -la /usr/sbin/iptables*
lrwxrwxrwx 1 root root   17 Jan 16 11:25 /usr/sbin/iptables -> xtables-nft-multi
-rwxr-xr-x 1 root root 7035 Nov  5 09:33 /usr/sbin/iptables-apply
lrwxrwxrwx 1 root root   20 Jan 16 11:25 /usr/sbin/iptables-legacy -> xtables-legacy-multi
lrwxrwxrwx 1 root root   20 Jan 16 11:25 /usr/sbin/iptables-legacy-restore -> xtables-legacy-multi
lrwxrwxrwx 1 root root   20 Jan 16 11:25 /usr/sbin/iptables-legacy-save -> xtables-legacy-multi
lrwxrwxrwx 1 root root   17 Jan 16 11:25 /usr/sbin/iptables-nft -> xtables-nft-multi
lrwxrwxrwx 1 root root   17 Jan 16 11:25 /usr/sbin/iptables-nft-restore -> xtables-nft-multi
lrwxrwxrwx 1 root root   17 Jan 16 11:25 /usr/sbin/iptables-nft-save -> xtables-nft-multi
lrwxrwxrwx 1 root root   17 Jan 16 11:25 /usr/sbin/iptables-restore -> xtables-nft-multi
lrwxrwxrwx 1 root root   17 Jan 16 11:25 /usr/sbin/iptables-restore-translate -> xtables-nft-multi
lrwxrwxrwx 1 root root   17 Jan 16 11:25 /usr/sbin/iptables-save -> xtables-nft-multi
lrwxrwxrwx 1 root root   17 Jan 16 11:25 /usr/sbin/iptables-translate -> xtables-nft-multi

N.B. Depending on your host, you might encounter an error using iptables -L, e.g.

# Warning: iptables-legacy tables present, use iptables-legacy to see them
iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument

Environment

Environment 1:
- OS: macOS 15.2
- How docker service was installed: Docker Desktop v4.37.2 (179585)

Environment 2:
- OS: DSM 7.2.2 (Linux DiskStation 4.4.302+)
- How docker service was installed: Container Manager v24.0.2-1525

CPU architecture

x86-64

Docker creation

docker run -it --cap-add=NET_ADMIN \
  -e PUID=1000 \
  -e PGID=1000 \
  -e TZ=Etc/UTC \
  -p 51820:51820/udp \
  --sysctl="net.ipv4.conf.all.src_valid_mark=1" \
  lscr.io/linuxserver/wireguard:latest bash

Container logs

[migrations] started
[migrations] no migrations found
───────────────────────────────────────

      ██╗     ███████╗██╗ ██████╗
      ██║     ██╔════╝██║██╔═══██╗
      ██║     ███████╗██║██║   ██║
      ██║     ╚════██║██║██║   ██║
      ███████╗███████║██║╚██████╔╝
      ╚══════╝╚══════╝╚═╝ ╚═════╝

   Brought to you by linuxserver.io
───────────────────────────────────────

To support the app dev(s) visit:
WireGuard: https://www.wireguard.com/donations/

To support LSIO projects visit:
https://www.linuxserver.io/donate/

───────────────────────────────────────
GID/UID
───────────────────────────────────────

User UID:    1000
User GID:    1000
───────────────────────────────────────
Linuxserver.io version: 1.0.20210914-r4-ls64
Build-date: 2025-01-16T11:23:44+00:00
───────────────────────────────────────
    
Uname info: Linux e4aaadcf3da2 6.10.14-linuxkit #1 SMP PREEMPT_DYNAMIC Fri Nov 29 17:24:06 UTC 2024 x86_64 GNU/Linux
**** It seems the wireguard module is already active. Skipping kernel header install and module compilation. ****
**** Client mode selected. ****
[custom-init] No custom files found, skipping...
crond[161]: crond (busybox 1.37.0) started, log level 5
crond[161]: user:root entry:*/15        *       *       *       *       run-parts /etc/periodic/15min
crond[161]: user:root entry:0   *       *       *       *       run-parts /etc/periodic/hourly
crond[161]: user:root entry:0   2       *       *       *       run-parts /etc/periodic/daily
crond[161]: user:root entry:0   3       *       *       6       run-parts /etc/periodic/weekly
crond[161]: user:root entry:0   5       1       *       *       run-parts /etc/periodic/monthly
**** Disabling CoreDNS ****
ls: cannot access '/config/wg_confs/*.conf': No such file or directory
**** No valid tunnel config found. Please create a valid config and restart the container ****
[ls.io-init] done.

Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.
