found nft command return 256 error #1

Closed
Paper-Dragon opened this issue Apr 21, 2024 · 3 comments

@Paper-Dragon

run command

docker run -it --rm -e WARP_ORG_ID=xxx -e WARP_AUTH_CLIENT_ID=xxxxxxxxxx17b714de8903ff13.access -e WARP_AUTH_CLIENT_SECRET=7120f34bd52ce19xxxxxxx0ee0279fdc7bcd63d46 ghcr.io/deepwn/warpod:latest

2024-04-21T03:43:48.235Z DEBUG firewall: Firewall allow API ips api_ips=[162.159.138.105, 162.159.137.105, 2606:4700:7::a29f:8a69, 2606:4700:7::a29f:8969]
2024-04-21T03:43:48.235Z DEBUG firewall: Firewall allow managed network endpoints managed_network_endpoints=[]
2024-04-21T03:43:48.235Z  INFO firewall: Firewall starting
2024-04-21T03:43:48.238Z  WARN firewall::linux: Failed to set firewall rules via stdin. Retrying using temporary file exit_code=ExitStatus(unix_wait_status(256))
2024-04-21T03:43:48.243Z ERROR firewall::linux: Failed to start firewall with exit code: exit status: 1
2024-04-21T03:43:48.243Z  WARN firewall: fw.apply_rules failed e=ApplyError("nft command failed with return code: 256")
2024-04-21T03:43:48.243Z DEBUG firewall: Firewall allow API ips api_ips=[162.159.138.105, 162.159.137.105, 2606:4700:7::a29f:8a69, 2606:4700:7::a29f:8969]
2024-04-21T03:43:48.243Z DEBUG firewall: Firewall allow managed network endpoints managed_network_endpoints=[]
2024-04-21T03:43:48.243Z  INFO firewall: Firewall starting
2024-04-21T03:43:48.246Z  WARN firewall::linux: Failed to set firewall rules via stdin. Retrying using temporary file exit_code=ExitStatus(unix_wait_status(256))
2024-04-21T03:43:48.252Z ERROR firewall::linux: Failed to start firewall with exit code: exit status: 1
2024-04-21T03:43:48.252Z  WARN firewall: fw.apply_rules failed e=ApplyError("nft command failed with return code: 256")
2024-04-21T03:43:48.252Z  WARN main_loop: warp::warp_service: Unable to update firewall on disconnect e=ApplyError("nft command failed with return code: 256")
2024-04-21T03:43:48.252Z DEBUG main_loop: warp::warp_service: Determining disconnected reason from connectivity state net_info=IPv4: [eth0; 172.17.0.2; Ethernet]; DNS servers:;   8.8.8.8:53;
 power_state=None disconnect_reason=None


Do you know what is causing this?

@Paper-Dragon
Author

Fixed it: you must add the NET_ADMIN cap and map /dev/net/tun to the container.

@evil7
Contributor

evil7 commented Apr 21, 2024

@Paper-Dragon
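Judging from the error, the firewall-related command failed to start; as I recall, this problem occurs in the normal warp mode.
This project was tested on rocky8.9 + podman, with warp-svc running in proxy mode and listening on port 41080.
If your error occurs when using the warp+doh proxy directly from the container, you need to create a virtual tun inside the container or map the host's tun, and set up IPv4 forwarding.
But that approach does not fit the project's original goals: no root privileges and no upward intrusion. So overall, I think it is possible that the mode setting in your dashboard was left at the default and was not changed to proxy.

Suggestions:

  1. If this is only for "magic" research use and you just want it to run smoothly, you can use your own fix, or look at the fix in another project: warp-docker-issue16
  2. If you are deploying on a host with restricted privileges, or, like me, are fastidious about container privileges, you can run warp-cli settings | grep Mode inside your container to confirm the mode used by the Cloudflare dashboard and check whether it has been switched to proxy mode.
  3. I suggest following the MDM settings section of the readme from the start and creating a new configuration entry for proxy mode, to keep it separate from the policy link of the other official mobile or PC clients. Also note that proxy mode must be configured in the dashboard, as in item 6: why must set proxy mode in policy?

That is all I can work out for now; I hope it helps 😄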

@Paper-Dragon
Author

@evil7
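Thanks for the reply. It now runs successfully in docker; at run time the tun device and the kernel module NET_ADMIN need to be mapped to the container. podman and docker really are somewhat different.

I have a question: I see that warp-svc requires not only the NET_ADMIN permission but also the NET_BIND_SERVICE permission, yet in docker it runs even without the latter. 😂🤣

Your project is great. I maintain a downstream fork, https://github.com/Paper-Dragon/warp-tproxy-for-docker, which provides transparent proxying for container federation.

Thanks again for the project.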
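
An added example, not part of the thread or of the warpod project: a POSIX shell preflight that decodes the `unix_wait_status(256)` from the log as a plain exit code 1 and checks the two prerequisites named in the fix, the NET_ADMIN capability and /dev/net/tun. The function names and the two sample CapEff masks are constructed for illustration; the first mask is the default docker capability set, which contains NET_BIND_SERVICE but not NET_ADMIN.

```shell
#!/bin/sh
# Added example: preflight for the "nft command failed with return code: 256" case.

CAP_NET_ADMIN=12            # bit numbers from linux/capability.h
CAP_NET_BIND_SERVICE=10

# Constructed sample CapEff values as shown in /proc/<pid>/status:
DEFAULT_CAPEFF=00000000a80425fb    # default docker capability set
FIXED_CAPEFF=00000000a80435fb      # same set with NET_ADMIN (bit 12) added

# Decode a raw wait status such as the 256 in "unix_wait_status(256)".
# The low 7 bits hold a terminating signal; otherwise bits 8-15 hold the exit code.
decode_wait_status() {
    status=$1
    sig=$(( status & 0x7f ))
    if [ "$sig" -eq 0 ]; then
        echo "exit:$(( (status >> 8) & 0xff ))"
    else
        echo "signal:$sig"
    fi
}

# has_cap <CapEff hex> <capability bit>: succeeds if the bit is set.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# Check the current process (run this inside the container).
preflight() {
    capeff=$(awk '/^CapEff:/ {print $2}' /proc/self/status 2>/dev/null)
    [ -n "$capeff" ] || { echo "cannot read CapEff from /proc/self/status"; return 2; }
    rc=0
    has_cap "$capeff" "$CAP_NET_ADMIN" ||
        { echo "missing NET_ADMIN: nft cannot load firewall rules"; rc=1; }
    has_cap "$capeff" "$CAP_NET_BIND_SERVICE" ||
        { echo "missing NET_BIND_SERVICE"; rc=1; }
    [ -c /dev/net/tun ] ||
        { echo "missing /dev/net/tun character device"; rc=1; }
    return $rc
}

# Run the live check only when asked, e.g.: sh preflight.sh --check
if [ "${1:-}" = "--check" ]; then
    preflight
fi
```

With docker, the two missing prerequisites correspond to the `--cap-add NET_ADMIN` and `--device /dev/net/tun` options of `docker run`.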
