Netfilter persistent problem after upgrade to Buster

Hi, after upgrading to Buster I got a message: "Error: netfilter persistent".
My device is Raspberry PI 3B+.

Here are details:

 ~  systemctl status netfilter-persistent.service
    ● netfilter-persistent.service - netfilter persistent configuration
       Loaded: loaded (/lib/systemd/system/netfilter-persistent.service; enabled; vendor preset: enabled)
       Active: failed (Result: exit-code) since Mon 2020-10-19 07:45:03 CEST; 12min ago
      Process: 273 ExecStart=/usr/sbin/netfilter-persistent start (code=exited, status=1/FAILURE)
     Main PID: 273 (code=exited, status=1/FAILURE)

    Oct 19 07:45:02 osmc netfilter-persistent[273]: iptables-restore v1.8.2 (nf_tables): unknown option "--restore-mark"
    Oct 19 07:45:02 osmc netfilter-persistent[273]: Error occurred at line: 12
    Oct 19 07:45:02 osmc netfilter-persistent[273]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
    Oct 19 07:45:02 osmc netfilter-persistent[273]: run-parts: /usr/share/netfilter-persistent/plugins.d/15-ip4tables exited with return code 2
    Oct 19 07:45:02 osmc netfilter-persistent[273]: run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables start
    Oct 19 07:45:02 osmc netfilter-persistent[273]: ip6tables-restore: line 6 failed
    Oct 19 07:45:02 osmc netfilter-persistent[273]: run-parts: /usr/share/netfilter-persistent/plugins.d/25-ip6tables exited with return code 1
    Oct 19 07:45:03 osmc systemd[1]: netfilter-persistent.service: Main process exited, code=exited, status=1/FAILURE
    Oct 19 07:45:03 osmc systemd[1]: netfilter-persistent.service: Failed with result 'exit-code'.
    Oct 19 07:45:03 osmc systemd[1]: Failed to start netfilter persistent configuration.


cat -n /etc/iptables/rules.v4
         1  # Generated by iptables-save v1.6.0 on Sun Oct 18 23:03:16 2020
         2  *mangle
         3  :PREROUTING ACCEPT [4800:7100288]
         4  :INPUT ACCEPT [4800:7100288]
         5  :FORWARD ACCEPT [0:0]
         6  :OUTPUT ACCEPT [1524:86296]
         7  :POSTROUTING ACCEPT [1524:86296]
         8  :connman-INPUT - [0:0]
         9  :connman-POSTROUTING - [0:0]
        10  -A INPUT -j connman-INPUT
        11  -A POSTROUTING -j connman-POSTROUTING
        12  -A connman-INPUT -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
        13  -A connman-POSTROUTING -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
        14  COMMIT
        15  # Completed on Sun Oct 18 23:03:16 2020
        16  # Generated by iptables-save v1.6.0 on Sun Oct 18 23:03:16 2020
        17  *filter
        18  :INPUT ACCEPT [4741:7090376]
        19  :FORWARD ACCEPT [0:0]
        20  :OUTPUT ACCEPT [1487:78680]
        21  :DOCKER - [0:0]
        22  :DOCKER-ISOLATION-STAGE-1 - [0:0]
        23  :DOCKER-ISOLATION-STAGE-2 - [0:0]
        24  :DOCKER-USER - [0:0]
        25  -A FORWARD -j DOCKER-USER
        26  -A FORWARD -j DOCKER-ISOLATION-STAGE-1
        27  -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
        28  -A FORWARD -o docker0 -j DOCKER
        29  -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
        30  -A FORWARD -i docker0 -o docker0 -j ACCEPT
        31  -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
        32  -A DOCKER-ISOLATION-STAGE-1 -j RETURN
        33  -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
        34  -A DOCKER-ISOLATION-STAGE-2 -j RETURN
        35  -A DOCKER-USER -j RETURN
        36  COMMIT
        37  # Completed on Sun Oct 18 23:03:16 2020
        38  # Generated by iptables-save v1.6.0 on Sun Oct 18 23:03:16 2020
        39  *nat
        40  :PREROUTING ACCEPT [0:0]
        41  :INPUT ACCEPT [0:0]
        42  :OUTPUT ACCEPT [0:0]
        43  :POSTROUTING ACCEPT [0:0]
        44  :DOCKER - [0:0]
        45  -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
        46  -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
        47  -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
        48  -A POSTROUTING -s 10.0.0.0/8 ! -d 10.0.0.0/8 -o eth0 -j MASQUERADE
        49  -A POSTROUTING -s 10.0.0.0/8 ! -d 10.0.0.0/8 -o eth0 -j MASQUERADE
        50  -A DOCKER -i docker0 -j RETURN
        51  COMMIT
        52  # Completed on Sun Oct 18 23:03:16 2020

Looks like something may have changed in the newer version of iptables and that the --restore-mark option is no longer valid.

Indeed, this is how it looks. I am not strong at networking though. Not sure how it should be handled properly. Should the records that are using --restore-mark be deleted?

I’d try that and see if it works. It can’t hurt.

I’m not very familiar with iptables, so hopefully someone else can chime in here.

Seems that it is part of iptables-extensions

https://manpages.debian.org/buster/iptables/iptables-extensions.8.en.html

Try sudo modprobe xt_connmark and see if that helps.

It didn’t

 ~  sudo modprobe xt_connmark
 ~  sudo iptables-restore < /etc/iptables/rules.v4
    iptables-restore v1.8.2 (nf_tables): unknown option "--restore-mark"
    Error occurred at line: 12
    Try `iptables-restore -h' or 'iptables-restore --help' for more information.

I think that parameter is deprecated in iptables now.

Sam

Thanks Sam. Can someone please post here how the *mangle section should look? I tried to comment out those lines that are using the -mark parameters but it failed on the COMMIT command.

I used:
sudo update-alternatives --config iptables

to switch to iptables legacy. Everything works like a charm.


Hi,
I did change to iptables legacy but netfilter-persistent still has an error:

root@osmc:/etc/modprobe.d# systemctl status netfilter-persistent.service

  • netfilter-persistent.service - netfilter persistent configuration
    Loaded: loaded (/lib/systemd/system/netfilter-persistent.service; enabled; vendor preset: enabled)
    Active: failed (Result: exit-code) since Mon 2020-10-19 21:16:42 CEST; 9min ago
    Process: 20074 ExecStart=/usr/sbin/netfilter-persistent start (code=exited, status=1/FAILURE)
    Main PID: 20074 (code=exited, status=1/FAILURE)

Oct 19 21:16:42 osmc systemd[1]: Starting netfilter persistent configuration...
Oct 19 21:16:42 osmc netfilter-persistent[20074]: run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-ip4tables start
Oct 19 21:16:42 osmc netfilter-persistent[20074]: run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables start
Oct 19 21:16:42 osmc netfilter-persistent[20074]: ip6tables-restore: line 6 failed
Oct 19 21:16:42 osmc netfilter-persistent[20074]: run-parts: /usr/share/netfilter-persistent/plugins.d/25-ip6tables exited with return code 1
Oct 19 21:16:42 osmc systemd[1]: netfilter-persistent.service: Main process exited, code=exited, status=1/FAILURE
Oct 19 21:16:42 osmc systemd[1]: netfilter-persistent.service: Failed with result 'exit-code'.
Oct 19 21:16:42 osmc systemd[1]: Failed to start netfilter persistent configuration.

Hi,

Seems to have an issue with the ip6tables rules. What's the output of:

sudo cat -n /etc/iptables/rules.v6

Thanks Tom.

Sorry, I just figured out that I have to switch to iptables legacy for IPv4 and IPv6 separately. I ran the command:

sudo update-alternatives --config ip6tables

and now it works.

Thank you.

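The checks this thread ends up needing, as an added shell example (not commands from the thread, the netfilter-persistent package or OSMC): it reports which backend each update-alternatives link for iptables and ip6tables currently resolves to, lists the saved CONNMARK rules with the same line numbers that cat -n and the "Error occurred at line" message use, and dry-runs both saved rules files with iptables-restore --test so the failure shows up before the next boot instead of in `systemctl status`. The /etc/iptables/rules.v4 and rules.v6 paths are the ones used in the thread; the sample rules file is constructed here to mirror the *mangle table above.

```shell
# Print "legacy", "nft" or "unknown" for the binary named in $1, by resolving
# the update-alternatives symlink (ends in xtables-legacy-multi or xtables-nft-multi).
backend_of() {
    bin=$(command -v "$1" 2>/dev/null) || { echo unknown; return 0; }
    case $(readlink -f "$bin") in
        *legacy*) echo legacy ;;
        *nft*)    echo nft ;;
        *)        echo unknown ;;
    esac
}

# List "lineno:rule" for each rule in $1 using CONNMARK --restore-mark/--save-mark;
# the numbers match cat -n and the "Error occurred at line: N" from iptables-restore.
connmark_rules() {
    grep -n -E -- '-j CONNMARK .*--(restore|save)-mark' "$1"
}

# Dry-run rules.v4 and rules.v6 with --test (nothing is loaded into the kernel);
# returns 1 if either file would make netfilter-persistent fail at boot.
test_rules() {
    rc=0
    for v in 4 6; do
        restore=iptables-restore; [ "$v" = 6 ] && restore=ip6tables-restore
        file=/etc/iptables/rules.v$v
        [ -f "$file" ] && command -v "$restore" >/dev/null 2>&1 || continue
        if ! "$restore" --test < "$file"; then
            echo "$file would fail at boot (backend: $(backend_of "${restore%-restore}"))"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample mirroring the thread's *mangle table; prints its path.
sample_rules_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
*mangle
:connman-INPUT - [0:0]
:connman-POSTROUTING - [0:0]
-A INPUT -j connman-INPUT
-A POSTROUTING -j connman-POSTROUTING
-A connman-INPUT -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A connman-POSTROUTING -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
COMMIT
EOF
    echo "$f"
}
```

Source the file and run `test_rules` as root after switching both `update-alternatives --config iptables` and `update-alternatives --config ip6tables`, as the last post found necessary; restart netfilter-persistent only once it returns 0.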