netbird try (and can't) set /proc/sys/net/ipv4/conf/all/src_valid_mark

[lfarkas]

with the latest netbird and on home assistant with netbird addon i've got this error:

2024-07-19T14:57:37+02:00 ERRO client/internal/routemanager/systemops/systemops_linux.go:100: Error setting up sysctl: 1 errors occurred:
	* write sysctl net.ipv4.conf.all.src_valid_mark: open /proc/sys/net/ipv4/conf/all/src_valid_mark: read-only file system
2024-07-19T14:57:37+02:00 INFO client/internal/routemanager/manager.go:135: Routing setup complete

after i google it there are same problems with wireguard:
https://forums.docker.com/t/sysctl-error-setting-key-net-ipv4-conf-all-src-valid-mark-read-only-file-system/92567/8
but even though this container has NET_ADMIN and NET_RAW privileges it's still got this error, although the above
many solution eg this one:
https://community.home-assistant.io/t/wireguard-stopped-working/352348
suggest:
Turns out I can create this error at will with this in the config for a peer:
allowed_ips:
- 0.0.0.0/0
but this does not fail:
allowed_ips: []

[lfarkas]

any news on this?

[lixmal]

Have you tried setting the option, e.g. with docker

docker run --sysctl net.ipv4.conf.all.src_valid_mark=1 [...]

?

[lfarkas]

it's a home assistant addon where the container run by the supervisor...
but has a lot's of privileges:

ost_network: true
host_dbus: true
privileged:
  - SYS_ADMIN
  - SYS_RESOURCE
  - NET_ADMIN
  - NET_RAW
  - BPF

[corrreia]

The container itself doesn't seem to have the perms required, right?

[nazarewk]

Hello @lfarkas,

We're currently reviewing our open issues and would like to verify if this problem still exists in the latest NetBird version.

Could you please confirm if the issue is still there?

We may close this issue temporarily if we don't hear back from you within 2 weeks, but feel free to reopen it with updated information.

Thanks for your contribution to improving the project!

[lfarkas]

still exists v0.43.0:

2025-04-28T20:09:05+02:00 ERRO client/internal/routemanager/systemops/systemops_linux.go:102: Error setting up sysctl: 1 error occurred:
	* write sysctl net.ipv4.conf.all.src_valid_mark: open /proc/sys/net/ipv4/conf/all/src_valid_mark: read-only file system
2025-04-28T20:09:05+02:00 WARN client/firewall/nftables/router_linux.go:956: Will use nftables to manipulate the filter table because iptables is not available: exec: "iptables": executable file not found in $PATH
2025-04-28T20:09:05+02:00 WARN client/firewall/nftables/router_linux.go:863: Will use nftables to manipulate the filter table because iptables is not available: exec: "iptables": executable file not found in $PATH
2025-04-28T20:09:05+02:00 ERRO client/firewall/nftables/router_linux.go:108: failed to set up data plane mark: flush: conn.Receive: netlink receive: operation not supported
netlink receive: operation not supported

[HaleTom]

2025-06-30T07:08:02Z ERRO client/internal/routemanager/systemops/systemops_linux.go:102: Error setting up sysctl: 3 errors occurred:
        * write sysctl net.ipv4.conf.all.src_valid_mark: open /proc/sys/net/ipv4/conf/all/src_valid_mark: read-only file system
        * write sysctl net.ipv4.conf.all.rp_filter: open /proc/sys/net/ipv4/conf/all/rp_filter: read-only file system
        * write sysctl net.ipv4.conf.eth0.rp_filter: open /proc/sys/net/ipv4/conf/eth0/rp_filter: read-only file system

And later:

2025-06-30T07:08:04Z WARN client/internal/routemanager/systemops/systemops_linux.go:161: Default route is configured but sysctl operations failed, VPN traffic may not be routed correctly, consider using NB_USE_LEGACY_ROUTING=true or setting net.ipv4.conf.*.rp_filter to 2 (loose) or 0 (off)

Perhaps the docker setup doco needs to be updated here?

Workaround:

peer_name=HOSTNAME
setup_key=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
docker run --restart unless-stopped --name netbird --hostname "$peer_name" --cap-add=NET_ADMIN --cap-add=SYS_ADMIN --cap-add=SYS_RESOURCE --env NB_SETUP_KEY="$setup_key" --volume netbird-client:/etc/netbird --sysctl net.ipv4.conf.all.src_valid_mark=1 --sysctl net.ipv4.conf.all.rp_filter=2 --sysctl net.ipv4.conf.eth0.rp_filter=2 --detach netbirdio/netbird:latest

Could the "triage needed" be removed based on this and the previous?

[nazarewk]

@HaleTom does it work fully with those additional container arguments?

I have never dug much into details, but the general recommendation for those errors was always to configure sysctls on the host system before running the container.