Firejail: Support iptables with nf_tables backend
Hello,
I run firejail on debian buster. After an upgrate I suddenly got this error :
Reading profile /etc/firejail/firefox-esr.profile
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 4727, child pid 4728
iptables-restore v1.8.1 (nf_tables):
line 1: CHAIN_ADD failed (No such file or directory): chain INPUT
line 1: CHAIN_ADD failed (No such file or directory): chain FORWARD
line 1: CHAIN_ADD failed (No such file or directory): chain OUTPUT
line 2: CHAIN_UPDATE failed (No such file or directory): chain INPUT
line 3: CHAIN_UPDATE failed (No such file or directory): chain FORWARD
line 4: CHAIN_UPDATE failed (No such file or directory): chain OUTPUT
line 5: RULE_APPEND failed (No such file or directory): rule in chain INPUT
line 6: RULE_APPEND failed (No such file or directory): rule in chain INPUT
line 9: RULE_APPEND failed (No such file or directory): rule in chain INPUT
line 10: RULE_APPEND failed (No such file or directory): rule in chain INPUT
line 11: RULE_APPEND failed (No such file or directory): rule in chain INPUT
line 13: RULE_APPEND failed (No such file or directory): rule in chain OUTPUT
line 14: RULE_APPEND failed (No such file or directory): rule in chain OUTPUT
line 16: RULE_APPEND failed (No such file or directory): rule in chain OUTPUT
Error: failed to run /sbin/iptables-restore
Error: proc 4727 cannot sync with peer: unexpected EOF
Peer 4728 unexpectedly exited with status 1
with the command firejail --private --net=wlp1s0 firefox-esr, wlp1s0 being my wifi card.
I do not have any error with just : firejail --private firefox-esr.
It seems to be an issue with iptables rules, but I am unable to understand, would
you have nay hints ?
Best regards
deb75
All 6 comments
Hi,
I am getting stuck with this issue, googling part of the error message does not lead to any hints.
It seems that there had been some changes in iptables packages which are not yet reflected in firejail, but it is little out of scope for me for now.
I am happy with any help, I am pretty sure other people face this issue
deb75
on 5 Nov 2018
Probably the new version of iptables is creating the problem.
netblue30
on 5 Nov 2018
Hi,
Thanks for coping with this issue, if you need me to test anything, please ask.
Regards
deb75
on 5 Nov 2018
iptables-restore v1.8.1 (nf_tables)
Are you by chance using Debian?
Since 1.8.1 by default the nf_tables backend is used instead of the xtables backend.
See NEWS.Debian: https://sources.debian.org/src/iptables/1.8.1-2/debian/NEWS/
You can try switching to the legacy mode with the following command (assuming Debian):
update-alternatives --set iptables /usr/sbin/iptables-legacy
reinerh
on 6 Nov 2018
Hi
You guessed right and your hack makes firejail work again.
Thanks :+1:
deb75
on 7 Nov 2018
Thanks for confirmation. I'll keep it open and change to an "enchancement" bug for nf_tables support.
reinerh
on 7 Nov 2018
Related issues
ghost
路
3Comments
francoism90
路
4Comments
crass
路
3Comments
ericschdt
路
3Comments
yourcelf
路
4Comments
Most helpful comment
Are you by chance using Debian?
Since 1.8.1 by default the nf_tables backend is used instead of the xtables backend.
See NEWS.Debian: https://sources.debian.org/src/iptables/1.8.1-2/debian/NEWS/
You can try switching to the legacy mode with the following command (assuming Debian):
update-alternatives --set iptables /usr/sbin/iptables-legacy