nftables and firewall issues on Synology/QNAP NAS #16

Open
baroka opened this issue Mar 4, 2024 · 13 comments
Labels
help wanted Extra attention is needed

Comments

@baroka

baroka commented Mar 4, 2024

Hello,

With the latest image I get this error on a Synology NAS:

2024-03-04T10:36:29.807Z DEBUG firewall: Firewall allow managed network endpoints managed_network_endpoints=[]
2024-03-04T10:36:29.807Z INFO firewall: Firewall starting
2024-03-04T10:36:29.813Z WARN firewall::linux: Failed to set firewall rules via stdin. Retrying using temporary file exit_code=ExitStatus(unix_wait_status(256))
2024-03-04T10:36:29.824Z ERROR firewall::linux: Failed to start firewall with exit code: exit status: 1
2024-03-04T10:36:29.824Z WARN firewall: fw.apply_rules failed e=ApplyError("nft command failed with return code: 256")
2024-03-04T10:36:29.825Z WARN main_loop: warp::warp_service: Unable to update firewall on disconnect e=ApplyError("nft command failed with return code: 256")
2024-03-04T10:36:29.825Z DEBUG main_loop: warp::warp_service: Determining disconnected reason from connectivity state net_info=IPv4: [eth0; 172.18.0.15; Ethernet]; DNS servers:; 127.0.0.11:53; power_state=None disconnect_reason=None
2024-03-04T10:36:29.825Z WARN main_loop: warp::warp_service: Disconnecting, but reason is unknown
2024-03-04T10:36:29.825Z WARN main_loop: warp::warp_service: Reconnect on settings change failed error=FirewallUpdateFailed(ApplyError("nft command failed with return code: 256"))

With the previous caomingjun/warp:2023-07-18 everything is OK.

I searched for the error "nft command failed with return code: 256" but I can't figure out how to fix it.

It seems that with the latest version it's now necessary to add this volume:
/run/dbus/system_bus_socket:/run/dbus/system_bus_socket

I tried to build my own Dockerfile based on the latest Ubuntu or Debian and delete the Gost proxy, but the nft error is still there.

Can you help me? Thanks.

@cmj2002
Owner

cmj2002 commented Mar 4, 2024

I just updated the latest tag of image to the newest warp version. Could you please try it out and see if there are still any problems?

> Seems that with latest version now it's necessary to add this volume:
> /run/dbus/system_bus_socket:/run/dbus/system_bus_socket

It's better not to do this. Binding the dbus inside the container to the host's system socket gives the container excessive privileges. While running WARP, we may trust Cloudflare, but it could be dangerous when running other things. Just adding the following two lines in entrypoint.sh is sufficient:

mkdir -p /run/dbus
dbus-daemon --config-file=/usr/share/dbus-1/system.conf

If you still encounter a firewall or nft error, please let me know.

@baroka
Author

baroka commented Mar 4, 2024

Same problem.
Just for checking, I tried with privileged: true

Another change you should make in entrypoint.sh:
warp-cli register is deprecated -> warp-cli registration new

@cmj2002
Owner

cmj2002 commented Mar 4, 2024

Found a possibly related discussion: https://forum.openwrt.org/t/22-02-firewall-fw4-issue/149323/3

Try running nft -i in the container and see what happens. The kernel of the Synology NAS may not be compiled with CONFIG_NF_TABLES_INET.

@baroka
Author

baroka commented Mar 4, 2024

nft -i seems to work.

nft -i

nft>

Any other ideas? Thanks.

@cmj2002
Owner

cmj2002 commented Mar 4, 2024

I'm sorry, I cannot find any other information about this issue. Cloudflare does not even provide the release notes for warp-cli, so I do not know what happened between the two versions.

What is currently known is that the issue was caused by nft (nftables), which resulted in WARP being unable to change firewall settings. But I am still not clear on what caused nftables to malfunction. This may be due to the extremely old version of the Linux kernel of Synology, but I have no evidence.

If anyone can provide additional information, I would be grateful.

@cmj2002 cmj2002 added the help wanted Extra attention is needed label Mar 4, 2024
@cmj2002 cmj2002 changed the title Latest image: Disconnecting, but reason is unknown nftables and firewall issues on Synology NAS Mar 4, 2024
@baroka
Author

baroka commented Mar 5, 2024

A workaround for having Cloudflare Warp on Synology devices:

  1. Extract the WireGuard Cloudflare Warp configuration with: https://github.com/ViRb3/wgcf
  2. Follow the steps on: https://www.reddit.com/r/synology/comments/xkxjfh/fya_how_to_connect_synology_to_a_wireguard_vpn/
  3. No need to compile. Just use the files on: https://tutoriales.bilito.eu/wireguard-en-dsm-7-2/

Maybe this is useful for somebody.

@zero-hero-he

After I added net.ipv4.ip_forward=1, it runs normally. I'll keep monitoring it.

sysctls:
      - net.ipv6.conf.all.disable_ipv6=0
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv4.ip_forward=1

@cmj2002
Owner

cmj2002 commented Mar 30, 2024

> After I added net.ipv4.ip_forward=1, it can run normally. keep to monitor it.
>
> sysctls:
>       - net.ipv6.conf.all.disable_ipv6=0
>       - net.ipv4.conf.all.src_valid_mark=1
>       - net.ipv4.ip_forward=1

Thank you for the information you provided! I used to think that Docker would provide default values for sysctl inside the container, but it seems that this is incorrect. The network namespace inside the container inherits from the init network namespace (not the host namespace; the init namespace defaults are compiled into the kernel).[1] WARP wants to change this setting, but programs inside the container do not have this permission.

Due to different kernel compilation settings, we may need to find all the settings required by Cloudflare and set them in the docker-compose file.

I will wait for a few days, and if your settings work properly, I will merge this change into the code.

Footnotes

  1. https://lore.kernel.org/patchwork/patch/649250/

@zero-hero-he

This kernel parameter does not take effect.

@cmj2002
Owner

cmj2002 commented Apr 1, 2024

> This kernel parameter does not take effect.

Do you mean that the net.ipv4.ip_forward=1 you mentioned earlier did not work?

@davide

davide commented Apr 4, 2024

Switching the WARP mode to Local Proxy and updating the GOST params to route traffic via this local proxy does the trick. Running in that mode it seems that WARP doesn't try to mess with nft so the issue is sidestepped.

Necessary changes below:
entrypoint.sh

  • before "warp-cli connect" call:
    warp-cli mode proxy
    warp-cli proxy port 40000

Dockerfile

  • update GOST_ARGS="-L :1080 -F=127.0.0.1:40000"
  • update health check
    HEALTHCHECK --interval=15s --timeout=5s --start-period=30s --retries=3
    CMD curl -fsS --socks5-hostname 127.0.0.1:1080 "https://cloudflare.com/cdn-cgi/trace" | grep -qE "warp=(plus|on)" || exit 1

I hope this helps (at least until we figure out the nft issue)!
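A preflight for entrypoint.sh that ties together the checks from this thread, as an added example rather than the project's own code: cmj2002's suspicion that the NAS kernel lacks CONFIG_NF_TABLES_INET, the three sysctls zero-hero-he listed, and davide's proxy-mode fallback. It assumes nft is on PATH, that `nft -c` validates a ruleset against the kernel without committing it, and that the table name warp_probe is arbitrary; the sysctl root and nft binary are parameters so the functions can be exercised offline with a fake directory and a stub.

```shell
#!/bin/sh
# Added example (not the project's entrypoint.sh): decide before
# "warp-cli connect" whether warp-svc will be able to manage nftables in
# this container, and fall back to proxy mode if it will not.

# Return 0 when every sysctl from the thread reads as expected. $1 is the
# sysctl root (default /proc/sys); a different root allows offline testing.
sysctls_ok() {
    root="${1:-/proc/sys}"
    rc=0
    for kv in net/ipv6/conf/all/disable_ipv6=0 \
              net/ipv4/conf/all/src_valid_mark=1 \
              net/ipv4/ip_forward=1; do
        key="${kv%=*}"
        want="${kv#*=}"
        have="$(cat "$root/$key" 2>/dev/null || echo missing)"
        if [ "$have" != "$want" ]; then
            echo "preflight: $key is '$have', expected '$want'" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Return 0 when the kernel accepts an inet-family table. `nft -c` (check
# mode) is assumed to validate the ruleset with the kernel without
# committing it, so a kernel built without CONFIG_NF_TABLES_INET fails here
# while the live ruleset is left untouched. $1 is the nft binary (default
# nft); a stub function or script allows offline testing.
nft_inet_ok() {
    printf 'table inet warp_probe {\n}\n' | "${1:-nft}" -c -f - >/dev/null 2>&1
}

# Print the warp-cli mode to use: "warp" when nftables is usable, otherwise
# "proxy" (davide's workaround) so warp-svc never has to rewrite the firewall.
choose_mode() {
    if nft_inet_ok "$1"; then echo warp; else echo proxy; fi
}

# Intended use in entrypoint.sh, before "warp-cli connect":
#   sysctls_ok || echo "preflight: WARP may be unable to set sysctls" >&2
#   if [ "$(choose_mode)" = proxy ]; then
#       warp-cli mode proxy
#       warp-cli proxy port 40000   # then point GOST at 127.0.0.1:40000
#   fi
```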

@daseth

daseth commented Aug 6, 2024

@davide, with the improvements you suggest, can you share how you configure your container on Synology? I am currently trying this, but the container still stops:
docker run -d --name=cf-warp \
-v /volume1/docker/cf-warp:/var/lib/cloudflare-warp \
--net=bridge \
--restart always \
--sysctl net.ipv6.conf.all.disable_ipv6=0 \
--sysctl net.ipv4.conf.all.src_valid_mark=1 \
--sysctl net.ipv4.ip_forward=1 \
--cap-add NET_ADMIN \
--restart unless-stopped \
daseth/warp:nas
I did update my entrypoint.sh and the Dockerfile and rebuilt the container.

@inean

inean commented Nov 7, 2024

OK, I reached here trying to get WARP Connector running, which is only supported by the official client at this moment. IMHO, the problem seems to be that warp-svc uses nftables to override the firewall config, so Docker images running on either Synology or QNAP will fail. The only solutions are:

  • NAS providers move to nftables as the default firewall mode (GRRM will probably finish GOT sooner...),
  • Cloudflare adds support for legacy iptables (discuss)
  • Run inside a fully virtualized image (KVM)

@cmj2002 cmj2002 changed the title nftables and firewall issues on Synology NAS nftables and firewall issues on Synology/QNAP NAS Dec 23, 2024