
Issue with iptables in gVisor - Failed to initialize nft and iptables-legacy errors #9917

Open
yarona1993 opened this issue Jan 24, 2024 · 2 comments
Labels
type: bug Something isn't working

Comments

yarona1993 commented Jan 24, 2024

Description

I am encountering an issue with the gVisor project when trying to use iptables. The issue arises with both the regular iptables and iptables-legacy. The errors are as follows:

  1. Failed to initialize nft: Protocol not supported:

    iptables/1.8.7 Failed to initialize nft: Protocol not supported
    
  2. iptables-legacy error: can't initialize iptables table `filter': Table does not exist (do you need to insmod?):

    iptables v1.8.7 (legacy): can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
    Perhaps iptables or your kernel needs to be upgraded.
    

Steps to reproduce

  1. Install gVisor on the system.
  2. Attempt to use iptables with the following command:
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    
    Or try using iptables-legacy:
    iptables-legacy -A INPUT -p tcp --dport 80 -j ACCEPT
    

runsc version

runsc version release-20240115.0
spec: 1.1.0-rc.1

docker version (if using docker)

Client:
 Version:           24.0.5
 API version:       1.43
 Go version:        go1.20.3
 Git commit:        24.0.5-0ubuntu1~22.04.1
 Built:             Mon Aug 21 19:50:14 2023
 OS/Arch:           linux/amd64
 Context:           default

Server:
 Engine:
  Version:          24.0.5
  API version:      1.43 (minimum version 1.12)
  Go version:       go1.20.3
  Git commit:       24.0.5-0ubuntu1~22.04.1
  Built:            Mon Aug 21 19:50:14 2023
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          v1.6.27
  GitCommit:        a1496014c916f9e62104b33d1bb5bd03b0858e59
 runc:
  Version:          1.1.7-0ubuntu1~22.04.1
  GitCommit:
 docker-init:
  Version:          0.19.0
  GitCommit:

uname

Linux engine 5.15.0-78-generic #85-Ubuntu SMP Fri Jul 7 15:25:09 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
yarona1993 added the type: bug label on Jan 24, 2024

EtiennePerot (Contributor) commented Jan 25, 2024

nftables is indeed not supported within gVisor at this time. iptables is only partially supported AFAIK. cc @nybidari @kevinGC

kevinGC (Collaborator) commented Jan 26, 2024

Does the runtime config in /etc/docker/daemon.json pass the --net-raw flag, e.g.:

{
    "runtimes": {
        "runsc": {
            "path": "/usr/bin/runsc",
            "runtimeArgs": [
                "--net-raw"
            ]
        }
    }
}

Raw sockets, which are needed by iptables-legacy, are disabled by default for security reasons.

kevinGC added a commit to kevinGC/gvisor that referenced this issue Jan 30, 2024
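Added example, not code from the issue or from the gVisor project, that ties the two comments above together: it reads a daemon.json of the shape kevinGC quotes, reports whether each runsc runtime passes --net-raw, and maps the two error lines from the report to their cause. The daemon.json contents, the runtime names and the helper functions are constructed for illustration.

```python
import json
import re

# Constructed sample of /etc/docker/daemon.json (not from the issue): one
# runsc runtime with --net-raw, one without it.
SAMPLE_DAEMON_JSON = """{
  "runtimes": {
    "runsc": {"path": "/usr/bin/runsc", "runtimeArgs": ["--net-raw"]},
    "runsc-noraw": {"path": "/usr/local/bin/runsc", "runtimeArgs": ["--debug"]}
  }
}"""

# The two error lines from the report, used here as constructed input.
NFT_ERROR = "iptables/1.8.7 Failed to initialize nft: Protocol not supported"
LEGACY_ERROR = ("iptables v1.8.7 (legacy): can't initialize iptables table `filter': "
                "Table does not exist (do you need to insmod?)")

def runsc_raw_socket_status(daemon_json_text):
    """Map each runsc runtime name to True when --net-raw is passed, else False.
    Accepts the Go-flag spellings --net-raw, -net-raw and --net-raw=true."""
    cfg = json.loads(daemon_json_text)
    status = {}
    for name, rt in cfg.get("runtimes", {}).items():
        if not rt.get("path", "").endswith("runsc"):
            continue  # not a gVisor runtime, nothing to check
        args = [a.lstrip("-") for a in rt.get("runtimeArgs", [])]
        status[name] = any(a in ("net-raw", "net-raw=true") for a in args)
    return status

def diagnose(error_line, runtime_name, status):
    """Explain an iptables failure inside a gVisor container, given the
    raw-socket status of the runtime the container was started under."""
    if re.search(r"Failed to initialize nft", error_line):
        return "nftables backend: unsupported by gVisor; use iptables-legacy instead"
    if re.search(r"can't initialize iptables table", error_line):
        if status.get(runtime_name) is False:
            return (f"legacy backend: raw sockets disabled for runtime '{runtime_name}' "
                    "(gVisor default); add --net-raw to runtimeArgs, accepting the "
                    "larger network attack surface that raw sockets expose")
        if status.get(runtime_name):
            return ("legacy backend: --net-raw is already set; iptables support in "
                    "gVisor is only partial, so this rule may still be unsupported")
        return f"runtime '{runtime_name}' is not a runsc runtime in this daemon.json"
    return "not a known gVisor iptables failure"

if __name__ == "__main__":
    st = runsc_raw_socket_status(SAMPLE_DAEMON_JSON)
    print(diagnose(NFT_ERROR, "runsc", st))
    print(diagnose(LEGACY_ERROR, "runsc-noraw", st))
```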