ENABLE_UFW does not work on Synology, even with UFW_DISABLE_IPTABLES_REJECT #2985
Description
Is there a pinned issue for this?
- I have read the pinned issues and could not find my issue
Is there an existing or similar issue/discussion for this?
- I have searched the existing issues
- I have searched the existing discussions
Is there any comment in the documentation for this?
- I have read the documentation, especially the FAQ and Troubleshooting parts
Is this related to a provider?
- I have checked the provider repo for issues
- My issue is NOT related to a provider
Are you using the latest release?
- I am using the latest release
Have you tried using the dev branch latest?
- I have tried using dev branch
Docker run config used
docker run -d \
--cap-add=NET_ADMIN \
-e OPENVPN_PROVIDER=PIA \
-e OPENVPN_CONFIG=france \
-e OPENVPN_USERNAME=xxxx \
-e OPENVPN_PASSWORD=xxxx \
-e ENABLE_UFW=true \
-e UFW_DISABLE_IPTABLES_REJECT=true \
--name transmission-test \
haugene/transmission-openvpn:dev
Current Behavior
The container exits with error: "ERROR: Could not load logging rules"
Expected Behavior
It should run transmission with UFW enabled.
How have you tried to solve the problem?
I've tried both with and without UFW_DISABLE_IPTABLES_REJECT=true.
Log output
[dumb-init] Unable to detach from controlling tty (errno=25 Inappropriate ioctl for device).
[dumb-init] Child spawned with PID 7.
[dumb-init] Unable to attach to controlling tty (errno=25 Inappropriate ioctl for device).
[dumb-init] setsid complete.
Starting container with revision: 07edc50256d2805e977a80e87c3369413f10b626
TRANSMISSION_HOME is currently set to: /config/transmission-home
Creating TUN device /dev/net/tun
Using OpenVPN provider: PIA
Running with VPN_CONFIG_SOURCE auto
Provider PIA has a bundled setup script. Defaulting to internal config
Executing setup script for PIA
Downloading OpenVPN config bundle openvpn into temporary file /tmp/tmp.TGiqDk8SzO
Extract OpenVPN config bundle into PIA directory /etc/openvpn/pia
Starting OpenVPN using config france.ovpn
Modifying /etc/openvpn/pia/france.ovpn for best behaviour in this container
Modification: Point auth-user-pass option to the username/password file
Modification: Change ca certificate path
Modification: Change ping options
Modification: Update/set resolv-retry to 15 seconds
Modification: Change tls-crypt keyfile path
Modification: Set output verbosity to 3
Modification: Remap SIGUSR1 signal to SIGTERM, avoid OpenVPN restart loop
Modification: Updating status for config failure detection
Setting OpenVPN credentials...
Disable and blank firewall
Firewall stopped and disabled on system startup
enabling firewall
ERROR: Could not load logging rules
[dumb-init] Received signal 17.
[dumb-init] A child with PID 7 exited with exit status 1.
[dumb-init] Forwarded signal 15 to children.
[dumb-init] Child exited with status 1. Goodbye.
HW/SW Environment
- OS: Synology DSM 7.2.2 (latest)
- Docker: Docker version 24.0.2Anything else?
This isn't a regression, it has never worked. I was hopeful back when UFW_DISABLE_IPTABLES_REJECT=true was implemented that it would solve the problem, but it unfortunately didn't. It does however change the error that the firewall reports so that's progress. The old error without UFW_DISABLE_IPTABLES_REJECT=true is:
[dumb-init] Unable to detach from controlling tty (errno=25 Inappropriate ioctl for device).
[dumb-init] Child spawned with PID 7.
[dumb-init] Unable to attach to controlling tty (errno=25 Inappropriate ioctl for device).
[dumb-init] setsid complete.
Starting container with revision: 07edc50256d2805e977a80e87c3369413f10b626
TRANSMISSION_HOME is currently set to: /config/transmission-home
Creating TUN device /dev/net/tun
Using OpenVPN provider: PIA
Running with VPN_CONFIG_SOURCE auto
Provider PIA has a bundled setup script. Defaulting to internal config
Executing setup script for PIA
Downloading OpenVPN config bundle openvpn into temporary file /tmp/tmp.008dezYo3x
Extract OpenVPN config bundle into PIA directory /etc/openvpn/pia
Starting OpenVPN using config france.ovpn
Modifying /etc/openvpn/pia/france.ovpn for best behaviour in this container
Modification: Point auth-user-pass option to the username/password file
Modification: Change ca certificate path
Modification: Change ping options
Modification: Update/set resolv-retry to 15 seconds
Modification: Change tls-crypt keyfile path
Modification: Set output verbosity to 3
Modification: Remap SIGUSR1 signal to SIGTERM, avoid OpenVPN restart loop
Modification: Updating status for config failure detection
Setting OpenVPN credentials...
enabling firewall
ERROR: problem running ufw-init
Warning: Extension REJECT revision 0 not supported, missing kernel module?
iptables-restore: line 11 failed
sysctl: setting key "net.ipv4.conf.all.accept_redirects", ignoring: Read-only file system
sysctl: setting key "net.ipv4.conf.default.accept_redirects", ignoring: Read-only file system
sysctl: setting key "net.ipv6.conf.all.accept_redirects", ignoring: Read-only file system
sysctl: setting key "net.ipv6.conf.default.accept_redirects", ignoring: Read-only file system
sysctl: setting key "net.ipv4.icmp_echo_ignore_broadcasts", ignoring: Read-only file system
sysctl: setting key "net.ipv4.icmp_ignore_bogus_error_responses", ignoring: Read-only file system
sysctl: setting key "net.ipv4.icmp_echo_ignore_all", ignoring: Read-only file system
sysctl: setting key "net.ipv4.conf.all.log_martians", ignoring: Read-only file system
sysctl: setting key "net.ipv4.conf.default.log_martians", ignoring: Read-only file system
Problem running '/etc/ufw/user.rules'
[dumb-init] Received signal 17.
[dumb-init] A child with PID 7 exited with exit status 1.
[dumb-init] Forwarded signal 15 to children.
[dumb-init] Child exited with status 1. Goodbye.