I've found a bug and checked that ...
- I understand that not following the below instructions will result in immediate closure and/or deletion of my issue.
- I have understood that this bug report is dedicated for bugs, and not for support-related inquiries.
- I have understood that answers are voluntary and community-driven, and not commercial support.
- I have verified that my issue has not been already answered in the past. I also checked previous issues.
Description
Hi,
I use iptables-nft for firewall rules on the mailcow system because libvirt, which I use for different VMs, doesn't support nftables (yet). However, netfilter-mailcow detects via data/Dockerfiles/netfilter/docker-entrypoint.sh both iptables and nftables and defaults to using nftables. The issue arises when nftables modifies the nat table, making it unreadable for iptables-nft (iptables v1.8.7 (nf_tables): table `nat' is incompatible, use 'nft' tool.) and causing libvirt to fail when creating new networks or restarting libvirtd.
The logs below indicate warnings about not altering firewall tables (with nft). My suggestion is for these warnings to trigger a fallback to iptables(-nft) backend. Alternatively, a config parameter could be added to override the netfilter backend.
Logs:
`docker compose logs|grep netfilter`
netfilter-mailcow-1 | # Warning: table ip filter is managed by iptables-nft, do not touch!
netfilter-mailcow-1 | # Warning: table ip nat is managed by iptables-nft, do not touch!
netfilter-mailcow-1 | # Warning: table ip6 filter is managed by iptables-nft, do not touch!
netfilter-mailcow-1 | # Warning: table ip6 nat is managed by iptables-nft, do not touch!
netfilter-mailcow-1 | Using NFTables backend
netfilter-mailcow-1 | Clearing all bans
netfilter-mailcow-1 | Clear completed: ip
netfilter-mailcow-1 | Clear completed: ip6
netfilter-mailcow-1 | Initializing mailcow netfilter chain
netfilter-mailcow-1 | MAILCOW ip chain created successfully.
netfilter-mailcow-1 | MAILCOW ip6 chain created successfully.
netfilter-mailcow-1 | Setting MAILCOW isolation
...
Steps to reproduce:
1. Run `iptables -t nat -L`; the command shows the full firewall nat table.
2. Start up mailcow while the nftables tool `nft` is installed.
3. Run `iptables -t nat -L` again; the command now only shows: `iptables v1.8.7 (nf_tables): table 'nat' is incompatible, use 'nft' tool.`
Which branch are you using?
master
Which architecture are you using?
x86
Operating System:
Ubuntu 22.04.4 LTS
Server/VM specifications:
64GB Ram, 8 cores (Intel(R) Core(TM) i7-7700 CPU)
Is Apparmor, SELinux or similar active?
no
Virtualization technology:
mailcow with docker direct on host, other VMs using KVM
Docker version:
26.0.1
docker-compose version or docker compose version:
v2.16.1
mailcow version:
2024-04
Reverse proxy:
Traefik
Logs of git diff:
Logs of ip6tables -L -vn:
Logs of iptables -L -vn -t nat:
Logs of ip6tables -L -vn -t nat:
DNS check:
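One possible shape for the fallback suggested in the description, as an added example that is not mailcow's own docker-entrypoint.sh code: it treats nft's "managed by iptables-nft" warning (the same line that appears in the logs above) as the signal to stay on the iptables backend, so the existing nat table is never rewritten in a way iptables-nft cannot read. The NETFILTER_BACKEND override variable is an assumption, not an existing mailcow setting.

```shell
#!/bin/sh
# Added example, not mailcow's entrypoint code.
# Picks the netfilter backend and falls back to iptables when nft reports
# that the tables are owned by iptables-nft.

# select_backend: reads the combined output of `nft list tables` on stdin
# and prints "iptables" if any table carries the iptables-nft warning,
# otherwise "nftables".
select_backend() {
    if grep -q 'is managed by iptables-nft' ; then
        echo iptables
    else
        echo nftables
    fi
}

# detect_backend: honours a hypothetical NETFILTER_BACKEND override
# (assumed name), otherwise inspects the live ruleset with nft when
# it is installed, and defaults to iptables when nft is absent.
detect_backend() {
    if [ -n "${NETFILTER_BACKEND:-}" ]; then
        echo "$NETFILTER_BACKEND"
        return 0
    fi
    if command -v nft >/dev/null 2>&1; then
        # Warnings and table listing are merged so the check sees both.
        nft list tables 2>&1 | select_backend
    else
        echo iptables
    fi
}
```

Exporting NETFILTER_BACKEND=iptables before start-up would force the iptables-nft path regardless of what nft reports.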