Bug: cannot remove allowed input port from firewall #2334

Closed

mjsjml opened this issue Jun 24, 2024 · 33 comments

Comments

mjsjml (Author) commented Jun 24, 2024

Is this urgent? No

Host OS: Ubuntu 22.04

CPU arch: x86_64

VPN service provider: AirVPN

What are you using to run the container: docker-compose

What is the version of Gluetun: Running version latest built on 2024-06-17T22:37:52.988Z (commit 93ed87d)

What's the problem 🤔

When gluetun fails a healthcheck and gets a new vpn connection, it can't resume port forwarding. The desired ports will be closed on the new connection. Things used to work fine with an older version of gluetun (don't know which one).

ERROR [vpn] cannot remove allowed input port from firewall: removing allowed port 63799 on interface tun0: command failed: "ip6tables --delete INPUT -i tun0 -p tcp --dport 63799 -j ACCEPT": ip6tables: Bad rule (does a matching rule exist in that chain?).: exit status 1

Share your logs (at least 10 lines)

2024-06-24T00:21:55.555343458Z 2024-06-23T17:21:55-07:00 INFO [routing] default route found: interface eth0, gateway 172.18.0.1, assigned IP 172.18.0.10 and family v4
2024-06-24T00:21:55.555374628Z 2024-06-23T17:21:55-07:00 INFO [routing] adding route for 0.0.0.0/0
2024-06-24T00:21:55.555422948Z 2024-06-23T17:21:55-07:00 INFO [firewall] setting allowed subnets...
2024-06-24T00:21:55.558813825Z 2024-06-23T17:21:55-07:00 INFO [routing] default route found: interface eth0, gateway 172.18.0.1, assigned IP 172.18.0.10 and family v4
2024-06-24T00:21:55.558863994Z 2024-06-23T17:21:55-07:00 INFO [routing] adding route for 192.168.2.0/24
2024-06-24T00:21:55.558878991Z 2024-06-23T17:21:55-07:00 INFO [routing] adding route for 192.168.3.0/24
2024-06-24T00:21:55.559692529Z 2024-06-23T17:21:55-07:00 INFO [dns] using plaintext DNS at address 1.1.1.1
2024-06-24T00:21:55.560152708Z 2024-06-23T17:21:55-07:00 INFO [http server] http server listening on [::]:8010
2024-06-24T00:21:55.560488916Z 2024-06-23T17:21:55-07:00 INFO [healthcheck] listening on 127.0.0.1:9999
2024-06-24T00:21:55.562187406Z 2024-06-23T17:21:55-07:00 INFO [firewall] allowing VPN connection...
2024-06-24T00:21:55.580117711Z 2024-06-23T17:21:55-07:00 INFO [wireguard] Using userspace implementation since Kernel support does not exist
2024-06-24T00:21:55.741081357Z 2024-06-23T17:21:55-07:00 INFO [wireguard] Connecting to 146.70.76.34:1637
2024-06-24T00:21:55.741603225Z 2024-06-23T17:21:55-07:00 INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
2024-06-24T00:21:55.741613525Z 2024-06-23T17:21:55-07:00 INFO [firewall] setting allowed input port 63799 through interface tun0...
2024-06-24T00:21:55.752390228Z 2024-06-23T17:21:55-07:00 INFO [firewall] setting allowed input port 15554 through interface tun0...
2024-06-24T00:21:55.755147894Z 2024-06-23T17:21:55-07:00 INFO [dns] downloading DNS over TLS cryptographic files
2024-06-24T00:22:05.757002689Z 2024-06-23T17:22:05-07:00 WARN [dns] cannot update files: Get "https://www.internic.net/domain/named.root": dial tcp: lookup www.internic.net on 1.1.1.1:53: read udp 10.128.195.141:45807->1.1.1.1:53: i/o timeout
2024-06-24T00:22:05.757016849Z 2024-06-23T17:22:05-07:00 INFO [dns] attempting restart in 10s
2024-06-24T00:22:10.743253391Z 2024-06-23T17:22:10-07:00 INFO [healthcheck] program has been unhealthy for 6s: restarting VPN
2024-06-24T00:22:10.743308381Z 2024-06-23T17:22:10-07:00 INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2024-06-24T00:22:10.743323672Z 2024-06-23T17:22:10-07:00 INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
2024-06-24T00:22:10.743337244Z 2024-06-23T17:22:10-07:00 INFO [vpn] stopping
2024-06-24T00:22:10.743349214Z 2024-06-23T17:22:10-07:00 INFO [firewall] removing allowed port 63799...
2024-06-24T00:22:10.759074279Z 2024-06-23T17:22:10-07:00 ERROR [vpn] cannot remove allowed input port from firewall: removing allowed port 63799 on interface tun0: command failed: "ip6tables --delete INPUT -i tun0 -p tcp --dport 63799 -j ACCEPT": ip6tables: Bad rule (does a matching rule exist in that chain?).: exit status 1
2024-06-24T00:22:10.759122005Z 2024-06-23T17:22:10-07:00 INFO [firewall] removing allowed port 15554...
2024-06-24T00:22:10.765512870Z 2024-06-23T17:22:10-07:00 ERROR [vpn] cannot remove allowed input port from firewall: removing allowed port 15554 on interface tun0: command failed: "ip6tables --delete INPUT -i tun0 -p tcp --dport 15554 -j ACCEPT": ip6tables: Bad rule (does a matching rule exist in that chain?).: exit status 1

Share your configuration

gluetun:
    image: qmcgaw/gluetun:latest
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    ports:
      - 8888:8888/tcp
      - 8388:8388/tcp
      - 8388:8388/udp
      - 7474:7474
      - "9001:9000"
      - 6885:6881/udp
      - 58080:8080
      - 9005:9005
      - 8005:8005
      - 9091:9091
    volumes:
      - /home/ms/docker/gluetun:/gluetun
    environment:
      - HTTP_CONTROL_SERVER_ADDRESS=:8010 
      - FIREWALL_VPN_INPUT_PORTS=63799,15554
      - VPN_SERVICE_PROVIDER=airvpn
      - VPN_TYPE=wireguard
      - WIREGUARD_PUBLIC_KEY=
      - WIREGUARD_PRIVATE_KEY=
      - WIREGUARD_ADDRESSES=
      - WIREGUARD_PRESHARED_KEY=
      - SERVER_NAMES=
      - FIREWALL_OUTBOUND_SUBNETS=192.168.2.0/24,192.168.3.0/24
    restart: unless-stopped
@mjsjml mjsjml changed the title Bug: Bug: ERROR [vpn] cannot remove allowed input port from firewall Jun 24, 2024
qdm12 added a commit that referenced this issue Jul 8, 2024
qdm12 (Owner) commented Jul 8, 2024

Hi there, thanks for reporting this. It's likely due to a bug in Alpine 3.19's nf_tables usage - I created a bug report for the netfilter project. This should be fixed with 06c9bc5, which changes the preference to ip6tables-legacy instead of ip6tables, which now defaults to using nf_tables. This was done similarly for iptables in ce642a6 2 months ago, but I forgot to change it for the IPv6 version as well!

Can you please try pulling the latest image and see if it works?

I'm also planning on upgrading to Alpine 3.20 which appears to resolve this problem, so I will switch back the iptables preference to using nf_tables again.

mjsjml (Author) commented Jul 9, 2024

I get the same error with the latest version: version latest built on 2024-07-09T14:47:46.048Z (commit 0501743).

2024-07-09T11:54:20-07:00 INFO [firewall] removing allowed port 15554...
2024-07-09T11:54:20-07:00 ERROR [vpn] cannot remove allowed input port from firewall: removing allowed port 15554 on interface tun0: command failed: "ip6tables --delete INPUT -i tun0 -p tcp --dport 15554 -j ACCEPT": ip6tables: Bad rule (does a matching rule exist in that chain?).: exit status 1
2024-07-09T11:54:20-07:00 ERROR [vpn] getting public IP address information: context canceled

Reverting to 3.37.0, c826707, works well for me though.

qdm12 (Owner) commented Jul 12, 2024

Uh, that's problematic.. Is it not working on v3.38.0??? That would be strange given the changes not touching iptables/ipv6 😕

Assuming this problem arises only in the latest image, what do you get when running docker exec gluetun ip6tables -nvL and docker exec gluetun ip6tables-legacy -nvL against a running Gluetun container? It should contain a rule (i.e. for port 15554) in the INPUT chain similar to:

    0     0 ACCEPT     6    --  tun0   *       ::/0                 ::/0                 tcp dpt:15554

If it does show the rule, what happens if you run:

docker exec gluetun ip6tables --delete INPUT -i tun0 -p tcp --dport 15554 -j ACCEPT

(And replace ip6tables by ip6tables-legacy if needed, as well as the port number 15554 according to your setup).

mjsjml (Author) commented Jul 13, 2024

on :v3.37:

$ docker exec gluetun ip6tables -nvL
# and
$ docker exec gluetun ip6tables-legacy -nvL
# both give:
modprobe: can't change directory to '/lib/modules': No such file or directory
ip6tables v1.8.9 (legacy): can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.

on latest 3.38:

$ docker exec gluetun ip6tables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     0    --  lo     *       ::/0                 ::/0                
    0     0 ACCEPT     0    --  *      *       ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     6    --  tun0   *       ::/0                 ::/0                 tcp dpt:63799
    0     0 ACCEPT     17   --  tun0   *       ::/0                 ::/0                 udp dpt:63799
    0     0 ACCEPT     6    --  tun0   *       ::/0                 ::/0                 tcp dpt:15554
    0     0 ACCEPT     17   --  tun0   *       ::/0                 ::/0                 udp dpt:15554

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     0    --  *      lo      ::/0                 ::/0                
    0     0 ACCEPT     0    --  *      *       ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     0    --  *      eth0    ::/0                 ff02::/104          
    0     0 ACCEPT     0    --  *      tun0    ::/0                 ::/0
$ docker exec gluetun ip6tables-legacy -nvL
modprobe: can't change directory to '/lib/modules': No such file or directory
ip6tables v1.8.10 (legacy): can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.
$ docker exec gluetun ip6tables --delete INPUT -i tun0 -p tcp --dport 15554 -j ACCEPT
ip6tables: Bad rule (does a matching rule exist in that chain?).

cspark-development commented Jul 16, 2024

Hiya, I'm experiencing a similar issue after updating gluetun to the latest 2024-07-09T14:47:46.048Z (commit 0501743) that may be related.

iptables-legacy --delete INPUT -i tun0 -p tcp --dport 3000 -j ACCEPT": iptables: Bad rule (does a matching rule exist in that chain?).: exit status 1

So I executed a shell within the container and ran iptables-legacy -S; this is the corresponding rule:
-A INPUT -i tun0 -p tcp -m tcp --dport 3000 -j ACCEPT

Running iptables-legacy --delete INPUT -i tun0 -p tcp --dport 3000 -j ACCEPT I face the previous error:
iptables: Bad rule (does a matching rule exist in that chain?).

I ran iptables-legacy --delete INPUT -i tun0 -p tcp -m tcp --dport 3000 -j ACCEPT instead which removed the rule.

I'm not sure where the -m match comes from but it appears necessary to remove the rule, this may be the issue that has been reported here. I'd recommend you run ip6tables -S for yourself to confirm if this is the case.

I hope this info helps, if this appears to be a different issue I'll raise it as appropriate. If this is the same issue, gluetun I assume will either need to ensure that -m match rule is not added or it is accounted for in deletion.

Thanks,

mjsjml (Author) commented Jul 22, 2024

On version b3ceece (one that doesn't work right for me), when I run "iptables-legacy --delete INPUT -i tun0 -p tcp --dport 15554 -j ACCEPT", the rule gets deleted fine. So your issue is probably different from mine.

qdm12 (Owner) commented Jul 26, 2024

@cspark-development I pushed 73832d8 to add -m tcp/udp for accepting/removing the input port, let me know if it helps.

@mjsjml But does it work at all on a previously released image, :v3.37 or :v3.38?

Also when you say

on latest 3.38:

Note latest and v3.38 are NOT the same. qmcgaw/gluetun:latest points to the master branch in the repository (with Alpine 3.19), whereas qmcgaw/gluetun:v3.38 points to the release tag v3.38.0 (with Alpine 3.18). Please confirm this is on the latest image and NOT v3.38.

On version b3ceece (one that doesn't work right for me), when I run "iptables-legacy --delete INPUT -i tun0 -p tcp --dport 15554 -j ACCEPT", the rule gets deleted fine.

So the problematic version seems to be v3.38 right??? Also you mention iptables-legacy which is not related to ipv6, not too sure why?

Please clarify the versions which work and the versions which don't, since I'm kind of majorly confused on that 😄 Thanks!

cspark-development commented

@qdm12 Thanks for getting back to me, I'll let you know whether the hotfix change fixes my issue or not. Issue only arises on healthcheck failures so may take a while to confirm.

cspark-development commented

On version b3ceece (one that doesn't work right for me), when I run "iptables-legacy --delete INPUT -i tun0 -p tcp --dport 15554 -j ACCEPT", the rule gets deleted fine. So your issue is probably different from mine.

@mjsjml You may be experiencing the same issue as me, just on IPv6. I'd disregard the remarks about iptables-legacy and run ip6tables -S to double check the exact rules that were added yourself. If you have a similar issue you should see that the -m match field is present in the rules.

mjsjml (Author) commented Jul 26, 2024

The image that works for me is c826707 (version 3.37). Ones that don't work are b3ceece, 0501743, and 73832d8.

I might have found the problem. The latest container (73832d8) fails running "ip6tables --delete INPUT -i tun0 -p tcp -m tcp --dport 63799 -j ACCEPT" giving the error about a matching rule.

If I first delete the udp rule with "ip6tables --delete INPUT -i tun0 -p udp -m udp --dport 63799 -j ACCEPT" then the tcp rule can be deleted without an error.

qdm12 (Owner) commented Jul 28, 2024

If I first delete the udp rule with "ip6tables --delete INPUT -i tun0 -p udp -m udp --dport 63799 -j ACCEPT" then the tcp rule can be deleted without an error.

Well this doesn't make any sense 😄 As in, ip6tables doesn't make sense, you do make sense 👍
Anyway, due to various other errors with iptables, I decided to go ahead and upgrade Alpine from 3.19 to 3.20 in 9807d5f and to drop support for iptables-legacy in ddbfdc9, so that now only the 'fixed' iptables-nft will be used. Can you try this new 'latest' image and see if it helps?? It might be just Alpine 3.19 iptables being quite buggy.

billsbdb3 commented Jul 29, 2024

Still happening

Running version latest built on 2024-07-28T14:31:52.048Z (commit ddbfdc9)

2024-07-29T05:24:49Z INFO [vpn] stopping
2024-07-29T05:24:49Z INFO [firewall] removing allowed port 58632...
2024-07-29T05:24:49Z ERROR [vpn] cannot remove allowed input port from firewall: removing allowed port 58632 on interface tun0: command failed: "iptables --delete INPUT -i tun0 -p udp -m udp --dport 58632 -j ACCEPT": iptables: Bad rule (does a matching rule exist in that chain?).: exit status 1
2024-07-29T05:24:49Z INFO [vpn] starting

mjsjml (Author) commented Jul 31, 2024

Same error for me on "latest", 7bc2972. I would try ddbfdc9 but I don't know how to choose a specific commit in docker compose. My error is different from @billsbdb3's. Mine complains about removing the tcp port in ip6tables and his is about the udp port in iptables. When I run the "ip6tables -S" command I can see that both the udp and tcp ports are still there. I can then remove the udp port followed by the tcp port successfully in the terminal.

Running version latest built on 2024-07-30T20:03:23.398Z (commit 7bc2972)

2024-07-31T00:16:30-07:00 ERROR [vpn] cannot remove allowed input port from firewall: removing allowed port 63799 on interface tun0: command failed: "ip6tables --delete INPUT -i tun0 -p tcp -m tcp --dport 63799 -j ACCEPT": ip6tables: Bad rule (does a matching rule exist in that chain?).: exit status 1

qdm12 (Owner) commented Aug 1, 2024

For all of you ideally: do you have the same bug on :v3.38.0?

Two cases:

  1. Yes: we'll delete rules by line number. I always wanted NOT to do this, but if it's that buggy I guess I must do it. I'll fix it post v3.39.0 which I'm trying to get out ASAP (long overdue release since March).
  2. No: more investigation needed, and we can try deleting rules by line number. I'll have to do it before the v3.39.0 release (pushing back the release date to later)

PS: I hope it's 1., and marked this as urgent so I'll definitely do it first thing after the release.

@qdm12 qdm12 changed the title Bug: ERROR [vpn] cannot remove allowed input port from firewall Bug: cannot remove allowed input port from firewall Aug 1, 2024
mjsjml (Author) commented Aug 1, 2024

yes, same bug on 3.38.0.

jagaimoworks commented

I ran into seemingly the same issue of not being able to remove udp ports while working on #2392. Both iptables and ip6tables refuse to delete udp rules. Even stranger is that it seems to only affect up to two rules, one of which sometimes can be deleted manually. Also, since #2392 lets you add ports to the firewall via the control server, it might be useful for testing.

gh57gh commented Aug 7, 2024

How can we revert back to the last working release in docker compose? the ":3.37" after the image doesn't work for me.

Gluetun's giving me trouble as soon as gluetun hasn't been healthy for six seconds. I get the following issues, similar to others:

2024-08-07T07:50:24+02:00 INFO [healthcheck] program has been unhealthy for 6s: restarting VPN
2024-08-07T07:50:24+02:00 INFO [vpn] stopping
2024-08-07T07:50:24+02:00 INFO [firewall] removing allowed port 55405...
2024-08-07T07:50:24+02:00 ERROR [vpn] cannot remove allowed input port from firewall: removing allowed port 56405 on interface tun0: command failed: "iptables --delete INPUT -i tun0 -p tcp -m tcp --dport 55405 -j ACCEPT": iptables: Bad rule (does a matching rule exist in that chain?).: exit status 1
2024-08-07T07:50:24+02:00 INFO [vpn] starting
2024-08-07T07:50:24+02:00 INFO [firewall] allowing VPN connection...
2024-08-07T07:50:24+02:00 ERROR [firewall] cannot remove outdated VPN connection rule: command failed: "iptables --delete OUTPUT -d 141.98.102.432 -o eth0 -p udp -m udp --dport 1637 -j ACCEPT": iptables: Bad rule (does a matching rule exist in that chain?).: exit status 1
2024-08-07T07:50:24+02:00 ERROR [firewall] cannot remove outdated VPN interface rule: command failed: "iptables --delete OUTPUT -o tun0 -j ACCEPT": iptables: Bad rule (does a matching rule exist in that chain?).: exit status 1

qdm12 (Owner) commented Aug 9, 2024

I'm working on a fix (latest image) and will do a v3.37.2 + v3.38.2 + v3.39.1 release sometime later with that fix.

mjsjml (Author) commented Aug 10, 2024

@gh57gh , try image: qmcgaw/gluetun:v3.37.0

@qdm12 , thank you

qdm12 (Owner) commented Aug 14, 2024

Please see and try #2411 (image :pr-2411) 🙏 Thanks!
Also, FYI, this is a rather thick PR of ~1000 lines of code because it involves:

  1. parsing a delete iptables instruction (i.e. iptables -D INPUT -s 1.2.3.4 -i tun0 -j REJECT)
  2. parsing the output of a chain listing (output of i.e. iptables -t filter -n -v --line-numbers -L INPUT)
  3. finding the line number of the iptables chain rule to delete
  4. deleting the chain rule using the line number found

In particular steps 1 to 3 are tedious and prone to error. It looks like it's working, but some testing from you would be appreciated to make sure it doesn't break something! 😉

DaBlincx commented Aug 14, 2024

sadly not fixed :/

it's giving the same error and then restarting the entire container

...
2024-08-14 19:48:51 2024-08-14T17:48:51Z INFO [vpn] stopping
2024-08-14 19:48:51 2024-08-14T17:48:51Z INFO [port forwarding] stopping
2024-08-14 19:48:51 2024-08-14T17:48:51Z INFO [firewall] removing allowed port 41709...
2024-08-14 19:48:51 2024-08-14T17:48:51Z ERROR port forwarding loop crashed: stopping previous service: blocking previous port in firewall: removing allowed port 41709 on interface tun0: finding iptables chain rule line number: parsing chain list: parsing chain general data line: iptables chain list output is malformed: expected 8 fields in "# Warning: iptables-legacy tables present use iptables-legacy to see them"
...
2024-08-14 19:48:53 2024-08-14T17:48:53Z INFO Shutdown successful

qdm12 (Owner) commented Aug 14, 2024

sadly not fixed :/

This is likely still fixed for many setups, so to others, please still try it 😉 Now regarding your case, let's see!

it's giving the same error

Not exactly the same error iptables chain list output is malformed: expected 8 fields in "# Warning: iptables-legacy tables present use iptables-legacy to see them", although, yes, it has the same end effect.
This is fixed by 2ea501b where comment lines (starting with #) are discarded.

Now this error is a bit interesting too, showing listing iptables gives the warning iptables-legacy tables present use iptables-legacy to see them. I did not get that error on my machine, since it's not using iptables-legacy at all.

Can you report what output you get from the following commands on a running Gluetun container:

  1. docker exec gluetun iptables-legacy -t filter -vL
  2. docker exec gluetun iptables-nft -t filter -vL
  3. docker exec gluetun iptables -t filter -vL
  4. docker exec gluetun iptables-legacy -t nat -vL
  5. docker exec gluetun iptables-nft -t nat -vL
  6. docker exec gluetun iptables -t nat -vL


qdm12 (Owner) commented Aug 16, 2024

Anyone else can confirm this works fine now with image qmcgaw/gluetun:pr-2411? 🙏

mjsjml (Author) commented Aug 17, 2024

Have been testing this but took a few days to finally fail a healthcheck. I get an error but it does successfully start a new connection and allow required ports...

Running version pr-2411 built on 2024-08-14T18:45:31.229Z (commit 6c8fe37)

2024-08-15T23:20:13-07:00 INFO [vpn] stopping
2024-08-15T23:20:13-07:00 INFO [firewall] removing allowed port 63799...
2024-08-15T23:20:13-07:00 INFO [firewall] removing allowed port 15554...
2024-08-15T23:20:14-07:00 INFO [vpn] starting
2024-08-15T23:20:14-07:00 INFO [firewall] allowing VPN connection...
2024-08-15T23:20:14-07:00 ERROR [firewall] cannot remove outdated VPN connection rule: parsing iptables command: parsing "--delete OUTPUT -d 184.75.214.162 -o eth0 -p udp -m udp --dport 1637 -j ACCEPT": parsing destination IP CIDR: netip.ParsePrefix("184.75.214.162"): no '/'
2024-08-15T23:20:14-07:00 ERROR [firewall] cannot remove outdated VPN interface rule: finding iptables chain rule line number: parsing chain list: parsing chain rule "3       27  1590 ACCEPT     0    --  *      eth0    172.18.0.6           172.18.0.0/16       ": parsing chain rule field: parsing source IP CIDR: netip.ParsePrefix("172.18.0.6"): no '/'
2024-08-15T23:20:14-07:00 INFO [wireguard] Using available kernelspace implementation
2024-08-15T23:20:14-07:00 INFO [wireguard] Connecting to 193.37.254.34:1637
2024-08-15T23:20:14-07:00 INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
2024-08-15T23:20:14-07:00 INFO [firewall] setting allowed input port 63799 through interface tun0...
2024-08-15T23:20:14-07:00 INFO [firewall] setting allowed input port 15554 through interface tun0...
2024-08-15T23:20:14-07:00 INFO [healthcheck] healthy!

qdm12 (Owner) commented Aug 17, 2024

Thanks @mjsjml !

The following errors are fixed in 3d41cc1 where it now handles source/destination networks without the /32 suffix for single IP addresses.

2024-08-15T23:20:14-07:00 ERROR [firewall] cannot remove outdated VPN connection rule: parsing iptables command: parsing "--delete OUTPUT -d 184.75.214.162 -o eth0 -p udp -m udp --dport 1637 -j ACCEPT": parsing destination IP CIDR: netip.ParsePrefix("184.75.214.162"): no '/'
2024-08-15T23:20:14-07:00 ERROR [firewall] cannot remove outdated VPN interface rule: finding iptables chain rule line number: parsing chain list: parsing chain rule "3 27 1590 ACCEPT 0 -- * eth0 172.18.0.6 172.18.0.0/16 ": parsing chain rule field: parsing source IP CIDR: netip.ParsePrefix("172.18.0.6"): no '/'

Let me know if you get any other firewall errors, even if it's not critical/doesn't crash the container.

Lokilicious commented

Can confirm that up until now all healthchecks are recovering properly.


jfroy pushed a commit to jfroy/gluetun that referenced this issue Aug 18, 2024
- Fix qdm12#2334 
- Parsing of iptables chains, contributing to progress for qdm12#1856
LordMike commented Aug 18, 2024

I just tried to set gluetun up with an Asian VPN endpoint and I'm seeing stuff like the below. I think the endpoint is broken, so the container can't connect - that's fine, but I noticed the error below. :)

2024-08-18T11:54:32.769580445Z 2024-08-18T11:54:32Z ERROR [firewall] cannot remove outdated VPN interface rule: finding iptables chain rule line number: parsing chain list: parsing chain rule "3 0 0 ACCEPT 0 -- * eth0 ::/0 ff02::/104 ": parsing chain rule field: parsing destination IP CIDR: netip.ParsePrefix("ff02::/104/32"): ParseAddr("ff02::/104"): each colon-separated field must have at least one digit (at "/104")

I'm running a gluetun docker image with the source revision bc55c25 which is quite recent. So I found this issue.

Might the fix have missed something related to IPv6 addresses.. ff02::/104/32 seems like a mangled CIDR :)?

I've added in my current iptables rules for this container.

Logs

```
2024-08-18T11:54:16.552618213Z 2024-08-18T11:54:16Z INFO [vpn] starting
2024-08-18T11:54:16.552833482Z 2024-08-18T11:54:16Z INFO [firewall] allowing VPN connection...
2024-08-18T11:54:16.560562617Z 2024-08-18T11:54:16Z INFO [openvpn] OpenVPN 2.6.11 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2024-08-18T11:54:16.560858469Z 2024-08-18T11:54:16Z INFO [openvpn] library versions: OpenSSL 3.3.1 4 Jun 2024, LZO 2.10
2024-08-18T11:54:16.563152752Z 2024-08-18T11:54:16Z INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]194.5.49.72:1195
2024-08-18T11:54:16.563494544Z 2024-08-18T11:54:16Z INFO [openvpn] UDPv4 link local: (not bound)
2024-08-18T11:54:16.563735643Z 2024-08-18T11:54:16Z INFO [openvpn] UDPv4 link remote: [AF_INET]194.5.49.72:1195
2024-08-18T11:54:32.672382248Z 2024-08-18T11:54:32Z INFO [healthcheck] program has been unhealthy for 16s: restarting VPN
2024-08-18T11:54:32.672686728Z 2024-08-18T11:54:32Z INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2024-08-18T11:54:32.672978298Z 2024-08-18T11:54:32Z INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
2024-08-18T11:54:32.673257380Z 2024-08-18T11:54:32Z INFO [vpn] stopping
2024-08-18T11:54:32.673526608Z 2024-08-18T11:54:32Z INFO [vpn] starting
2024-08-18T11:54:32.673786978Z 2024-08-18T11:54:32Z INFO [firewall] allowing VPN connection...
2024-08-18T11:54:32.769580445Z 2024-08-18T11:54:32Z ERROR [firewall] cannot remove outdated VPN interface rule: finding iptables chain rule line number: parsing chain list: parsing chain rule "3 0 0 ACCEPT 0 -- * eth0 ::/0 ff02::/104 ": parsing chain rule field: parsing destination IP CIDR: netip.ParsePrefix("ff02::/104/32"): ParseAddr("ff02::/104"): each colon-separated field must have at least one digit (at "/104")
2024-08-18T11:54:32.778128293Z 2024-08-18T11:54:32Z INFO [openvpn] OpenVPN 2.6.11 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2024-08-18T11:54:32.778457360Z 2024-08-18T11:54:32Z INFO [openvpn] library versions: OpenSSL 3.3.1 4 Jun 2024, LZO 2.10
2024-08-18T11:54:32.780701815Z 2024-08-18T11:54:32Z INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]64.64.121.6:1195
2024-08-18T11:54:32.781595808Z 2024-08-18T11:54:32Z INFO [openvpn] UDPv4 link local: (not bound)
2024-08-18T11:54:32.782402554Z 2024-08-18T11:54:32Z INFO [openvpn] UDPv4 link remote: [AF_INET]64.64.121.6:1195
2024-08-18T11:54:36.132406137Z 2024-08-18T11:54:36Z INFO [openvpn] read UDPv4 [EHOSTUNREACH|EHOSTUNREACH]: Host is unreachable (fd=4,code=113)
2024-08-18T11:54:41.600795228Z 2024-08-18T11:54:41Z INFO [openvpn] read UDPv4 [EHOSTUNREACH]: Host is unreachable (fd=4,code=113)
2024-08-18T11:54:49.524211313Z 2024-08-18T11:54:49Z INFO [openvpn] read UDPv4 [EHOSTUNREACH]: Host is unreachable (fd=4,code=113)
2024-08-18T11:54:53.888152508Z 2024-08-18T11:54:53Z INFO [healthcheck] program has been unhealthy for 21s: restarting VPN
2024-08-18T11:54:53.888651013Z 2024-08-18T11:54:53Z INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2024-08-18T11:54:53.888997691Z 2024-08-18T11:54:53Z INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
2024-08-18T11:54:53.889292900Z 2024-08-18T11:54:53Z INFO [vpn] stopping
2024-08-18T11:54:53.892470317Z 2024-08-18T11:54:53Z INFO [vpn] starting
2024-08-18T11:54:53.892778659Z 2024-08-18T11:54:53Z INFO [firewall] allowing VPN connection...
2024-08-18T11:54:53.899979025Z 2024-08-18T11:54:53Z INFO [openvpn] OpenVPN 2.6.11 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2024-08-18T11:54:53.900268212Z 2024-08-18T11:54:53Z INFO [openvpn] library versions: OpenSSL 3.3.1 4 Jun 2024, LZO 2.10
2024-08-18T11:54:53.902606140Z 2024-08-18T11:54:53Z INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]64.64.121.6:1195
2024-08-18T11:54:53.902973823Z 2024-08-18T11:54:53Z INFO [openvpn] UDPv4 link local: (not bound)
2024-08-18T11:54:53.903271649Z 2024-08-18T11:54:53Z INFO [openvpn] UDPv4 link remote: [AF_INET]64.64.121.6:1195
2024-08-18T11:54:57.251463111Z 2024-08-18T11:54:57Z INFO [openvpn] read UDPv4 [EHOSTUNREACH|EHOSTUNREACH]: Host is unreachable (fd=4,code=113)
2024-08-18T11:55:03.106005016Z 2024-08-18T11:55:03Z INFO [openvpn] read UDPv4 [EHOSTUNREACH]: Host is unreachable (fd=4,code=113)
2024-08-18T11:55:10.880037905Z 2024-08-18T11:55:10Z INFO [openvpn] read UDPv4 [EHOSTUNREACH]: Host is unreachable (fd=4,code=113)
2024-08-18T11:55:20.005848274Z 2024-08-18T11:55:20Z INFO [healthcheck] program has been unhealthy for 26s: restarting VPN
2024-08-18T11:55:20.006165037Z 2024-08-18T11:55:20Z INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2024-08-18T11:55:20.015805668Z 2024-08-18T11:55:20Z INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
2024-08-18T11:55:20.016631684Z 2024-08-18T11:55:20Z INFO [vpn] stopping
2024-08-18T11:55:20.051784092Z 2024-08-18T11:55:20Z INFO [vpn] starting
2024-08-18T11:55:20.052110439Z 2024-08-18T11:55:20Z INFO [firewall] allowing VPN connection...
2024-08-18T11:55:20.145963512Z 2024-08-18T11:55:20Z ERROR [firewall] cannot remove outdated VPN interface rule: finding iptables chain rule line number: parsing chain list: parsing chain rule "3 0 0 ACCEPT 0 -- * eth0 ::/0 ff02::/104 ": parsing chain rule field: parsing destination IP CIDR: netip.ParsePrefix("ff02::/104/32"): ParseAddr("ff02::/104"): each colon-separated field must have at least one digit (at "/104")
2024-08-18T11:55:20.153713001Z 2024-08-18T11:55:20Z INFO [openvpn] OpenVPN 2.6.11 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2024-08-18T11:55:20.153951688Z 2024-08-18T11:55:20Z INFO [openvpn] library versions: OpenSSL 3.3.1 4 Jun 2024, LZO 2.10
2024-08-18T11:55:20.155903159Z 2024-08-18T11:55:20Z INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]194.5.49.72:1195
2024-08-18T11:55:20.156221143Z 2024-08-18T11:55:20Z INFO [openvpn] UDPv4 link local: (not bound)
2024-08-18T11:55:20.156541557Z 2024-08-18T11:55:20Z INFO [openvpn] UDPv4 link remote: [AF_INET]194.5.49.72:1195
2024-08-18T11:55:51.253889795Z 2024-08-18T11:55:51Z INFO [healthcheck] program has been unhealthy for 31s: restarting VPN
2024-08-18T11:55:51.254175887Z 2024-08-18T11:55:51Z INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2024-08-18T11:55:51.254465528Z 2024-08-18T11:55:51Z INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
2024-08-18T11:55:51.254758101Z 2024-08-18T11:55:51Z INFO [vpn] stopping
2024-08-18T11:55:51.255144869Z 2024-08-18T11:55:51Z INFO [vpn] starting
2024-08-18T11:55:51.255457654Z 2024-08-18T11:55:51Z INFO [firewall] allowing VPN connection...
2024-08-18T11:55:51.260488074Z 2024-08-18T11:55:51Z INFO [openvpn] OpenVPN 2.6.11 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2024-08-18T11:55:51.260734346Z 2024-08-18T11:55:51Z INFO [openvpn] library versions: OpenSSL 3.3.1 4 Jun 2024, LZO 2.10
2024-08-18T11:55:51.262408053Z 2024-08-18T11:55:51Z INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]194.5.49.72:1195
2024-08-18T11:55:51.262713905Z 2024-08-18T11:55:51Z INFO [openvpn] UDPv4 link local: (not bound)
2024-08-18T11:55:51.262998385Z 2024-08-18T11:55:51Z INFO [openvpn] UDPv4 link remote: [AF_INET]194.5.49.72:1195
2024-08-18T11:56:27.355685510Z 2024-08-18T11:56:27Z INFO [healthcheck] program has been unhealthy for 36s: restarting VPN
2024-08-18T11:56:27.355998151Z 2024-08-18T11:56:27Z INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2024-08-18T11:56:27.356651547Z 2024-08-18T11:56:27Z INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
2024-08-18T11:56:27.357459658Z 2024-08-18T11:56:27Z INFO [vpn] stopping
2024-08-18T11:56:27.365080851Z 2024-08-18T11:56:27Z INFO [vpn] starting
2024-08-18T11:56:27.365335657Z 2024-08-18T11:56:27Z INFO [firewall] allowing VPN connection...
```
2024-08-18T11:56:27.365600444Z 2024-08-18T11:56:27Z INFO [openvpn] OpenVPN 2.6.11 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] 2024-08-18T11:56:27.365856835Z 2024-08-18T11:56:27Z INFO [openvpn] library versions: OpenSSL 3.3.1 4 Jun 2024, LZO 2.10 2024-08-18T11:56:27.367155384Z 2024-08-18T11:56:27Z INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]194.5.49.72:1195 2024-08-18T11:56:27.393158400Z 2024-08-18T11:56:27Z INFO [openvpn] UDPv4 link local: (not bound) 2024-08-18T11:56:27.393845123Z 2024-08-18T11:56:27Z INFO [openvpn] UDPv4 link remote: [AF_INET]194.5.49.72:1195 2024-08-18T11:57:08.483371552Z 2024-08-18T11:57:08Z INFO [healthcheck] program has been unhealthy for 41s: restarting VPN 2024-08-18T11:57:08.483763827Z 2024-08-18T11:57:08Z INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md 2024-08-18T11:57:08.484055365Z 2024-08-18T11:57:08Z INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION 2024-08-18T11:57:08.484351326Z 2024-08-18T11:57:08Z INFO [vpn] stopping 2024-08-18T11:57:08.484604629Z 2024-08-18T11:57:08Z INFO [vpn] starting 2024-08-18T11:57:08.484876118Z 2024-08-18T11:57:08Z INFO [firewall] allowing VPN connection... 
2024-08-18T11:57:08.541431550Z 2024-08-18T11:57:08Z ERROR [firewall] cannot remove outdated VPN interface rule: finding iptables chain rule line number: parsing chain list: parsing chain rule "3 0 0 ACCEPT 0 -- * eth0 ::/0 ff02::/104 ": parsing chain rule field: parsing destination IP CIDR: netip.ParsePrefix("ff02::/104/32"): ParseAddr("ff02::/104"): each colon-separated field must have at least one digit (at "/104") 2024-08-18T11:57:08.625288050Z 2024-08-18T11:57:08Z INFO [openvpn] OpenVPN 2.6.11 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] 2024-08-18T11:57:08.626131515Z 2024-08-18T11:57:08Z INFO [openvpn] library versions: OpenSSL 3.3.1 4 Jun 2024, LZO 2.10 2024-08-18T11:57:08.626988493Z 2024-08-18T11:57:08Z INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]64.64.121.6:1195 2024-08-18T11:57:08.627936951Z 2024-08-18T11:57:08Z INFO [openvpn] UDPv4 link local: (not bound) 2024-08-18T11:57:08.628519875Z 2024-08-18T11:57:08Z INFO [openvpn] UDPv4 link remote: [AF_INET]64.64.121.6:1195 2024-08-18T11:57:11.952435902Z 2024-08-18T11:57:11Z INFO [openvpn] read UDPv4 [EHOSTUNREACH|EHOSTUNREACH]: Host is unreachable (fd=4,code=113) 2024-08-18T11:57:19.040289372Z 2024-08-18T11:57:19Z INFO [openvpn] read UDPv4 [EHOSTUNREACH]: Host is unreachable (fd=4,code=113) 2024-08-18T11:57:26.439409210Z 2024-08-18T11:57:26Z INFO [openvpn] read UDPv4 [EHOSTUNREACH]: Host is unreachable (fd=4,code=113) 2024-08-18T11:57:41.555397430Z 2024-08-18T11:57:41Z INFO [openvpn] read UDPv4 [EHOSTUNREACH]: Host is unreachable (fd=4,code=113) 2024-08-18T11:57:54.664828635Z 2024-08-18T11:57:54Z INFO [healthcheck] program has been unhealthy for 46s: restarting VPN 2024-08-18T11:57:54.665204421Z 2024-08-18T11:57:54Z INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md 2024-08-18T11:57:54.665510904Z 2024-08-18T11:57:54Z INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION 
2024-08-18T11:57:54.665787923Z 2024-08-18T11:57:54Z INFO [vpn] stopping 2024-08-18T11:57:54.708616703Z 2024-08-18T11:57:54Z INFO [vpn] starting 2024-08-18T11:57:54.708899563Z 2024-08-18T11:57:54Z INFO [firewall] allowing VPN connection... 2024-08-18T11:57:54.714884274Z 2024-08-18T11:57:54Z INFO [openvpn] OpenVPN 2.6.11 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] 2024-08-18T11:57:54.715148176Z 2024-08-18T11:57:54Z INFO [openvpn] library versions: OpenSSL 3.3.1 4 Jun 2024, LZO 2.10 2024-08-18T11:57:54.717776451Z 2024-08-18T11:57:54Z INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]64.64.121.6:1195 2024-08-18T11:57:54.717995959Z 2024-08-18T11:57:54Z INFO [openvpn] UDPv4 link local: (not bound) 2024-08-18T11:57:54.718613781Z 2024-08-18T11:57:54Z INFO [openvpn] UDPv4 link remote: [AF_INET]64.64.121.6:1195 2024-08-18T11:57:55.143268967Z 2024-08-18T11:57:55Z INFO [openvpn] read UDPv4 [EHOSTUNREACH]: Host is unreachable (fd=4,code=113) 2024-08-18T11:57:59.657062259Z 2024-08-18T11:57:59Z INFO [openvpn] read UDPv4 [EHOSTUNREACH]: Host is unreachable (fd=4,code=113) 2024-08-18T11:58:04.167443088Z 2024-08-18T11:58:04Z INFO [openvpn] read UDPv4 [EHOSTUNREACH]: Host is unreachable (fd=4,code=113)

</p>
</details> 


<details><summary>IPTables rules</summary>
<p>

/ # iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d 172.80.20.0/24 -i eth0 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s 172.80.20.6/32 -d 172.80.20.0/24 -o eth0 -j ACCEPT
-A OUTPUT -s 172.80.20.6/32 -d 192.168.0.0/22 -o eth0 -j ACCEPT
-A OUTPUT -d 64.64.121.6/32 -o eth0 -p udp -m udp --dport 1195 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
/ # ip6tables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d ff02::/104 -o eth0 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT


</p>
</details> 
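The firewall error in the logs above comes from the rule parser gluing "/32" onto a destination column that already carries a prefix length (the `-d ff02::/104` rule in the ip6tables listing), so `netip.ParsePrefix` is handed "ff02::/104/32" and the rule line number can never be found. The following Go parser for one line of `ip6tables -L <chain> -n -v --line-numbers` output is an added illustration, not gluetun's own code; it only adds a host prefix to bare addresses and picks /32 or /128 by address family, and the rule lines it is exercised on are constructed from the listing above.

```go
package main

import (
	"fmt"
	"net/netip"
	"strconv"
	"strings"
)

// Rule is one line of `ip6tables -L <chain> -n -v --line-numbers` output:
// num pkts bytes target prot opt in out source destination.
type Rule struct {
	Line        int
	Target, Out string
	Destination netip.Prefix
}

// parseCIDRField parses a source/destination column. iptables prints either a
// bare address ("64.64.121.6") or one with a prefix length ("ff02::/104").
// Appending "/32" unconditionally is what yields the "ff02::/104/32" error in
// the logs above; only bare addresses need a host prefix added.
func parseCIDRField(field string) (netip.Prefix, error) {
	if strings.Contains(field, "/") {
		return netip.ParsePrefix(field)
	}
	addr, err := netip.ParseAddr(field)
	if err != nil {
		return netip.Prefix{}, err
	}
	return netip.PrefixFrom(addr, addr.BitLen()), nil // /32 for v4, /128 for v6
}

// parseChainRule parses one rule line and returns its line number, target,
// output interface and destination prefix.
func parseChainRule(line string) (Rule, error) {
	fields := strings.Fields(line)
	if len(fields) < 10 {
		return Rule{}, fmt.Errorf("expected 10 fields, got %d in %q", len(fields), line)
	}
	num, err := strconv.Atoi(fields[0])
	if err != nil {
		return Rule{}, fmt.Errorf("parsing rule number: %w", err)
	}
	dst, err := parseCIDRField(fields[9])
	if err != nil {
		return Rule{}, fmt.Errorf("parsing destination IP CIDR: %w", err)
	}
	return Rule{Line: num, Target: fields[3], Out: fields[7], Destination: dst}, nil
}
```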

@ggogel

ggogel commented Sep 5, 2024

I encountered this issue when moving to AirVPN using port forwarding. I can confirm that it is indeed fixed with pr-2411.


10 participants