Updating to mailcow 2024-01e with Docker 25.0.3 breaks iptables / UFW usage on Debian 10 #5735
Comments
Maybe that's helpful too: These updates have been installed today alongside mailcow:
Had a similar problem... What I did:
Tried your approach step by step – unfortunately this did not change anything for me. The issue persists. 😥
Maybe your problem is ufw, I don't use it in my setup...
I don't think so, as UFW uses its own chains. But I could find some other hint while playing around with the docker daemon and mailcow. After shutting down mailcow, reloading UFW and restarting the docker daemon, the docker daemon was not coming up again. I found this in the log: I could "fix" it temporarily by setting
I've had a similar case. My mailcow currently is on
After some research in the logs I found out the following:
After verifying the rule I think that moby/moby#47303 has something to do with it. That's the pull request regarding the change log entry. The error message from the logs comes from here. Upgrade of mailcow to
If you encounter problems, please try to set iptables: nftables:
Thanks for clarifying this. So does this mean there will be no "fix" for this issue (is it an issue within mailcow then?) and the only solution to this problem is to disable the netfilter isolation rule?
I'm experiencing the same/similar (?) issue, but don't have ufw installed, only nftables. netfilter container is also restarting every x seconds
I've not made changes to /etc/nftables.conf
Can reproduce on Debian 10 and Ubuntu 22.04 using the steps described in the original issue. The usage of ufw does not affect the end result. The suggested workaround of setting DISABLE_NETFILTER_ISOLATION_RULE to Y has an effect as long as no SNAT has been set. If SNAT has been set, it appears that there is also an incompatibility on the nat table.
Mailcow's Netfilter seems to be breaking compatibility with the nftables-to-iptables translation layer both for filters and network address translation.
I had the same issue #5798 but was able, on one of my servers, to fix it by removing old rules from
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
Is this the official solution for this issue or is there something in the pipeline for an upcoming release? Can a maintainer please clarify this?
Contribution guidelines
I've found a bug and checked that ...
Description
Updating my machine like usual to the newest mailcow 2024-01e (and I think there was also a docker update) broke my UFW / iptables setup on one of my servers which is using Debian 10.
If I shut down the mailcow container and reboot the machine, everything is fine and I get an output from iptables -L and also from ufw status.
I have two other docker containers on the same machine and they are working fine. I tried several combinations like shutting down all containers, reboot, check ufw/iptables and starting only the other containers and not mailcow, reboot, check ufw/iptables.
The result was clear:
As soon as I start the mailcow docker containers with docker compose up, both outputs break and also the firewall functionality. I can only bring it back by shutting down mailcow, reenabling UFW with ufw enable, restarting the machine and reenabling UFW again with ufw enable. Maybe the issue has to do with the Netfilter Enhancements like stated here?
Logs:
docker compose logs -t -f
https://paste.armbian.com/izeqepuzim.yaml
(text was too long)
Steps to reproduce:
Shutdown mailcow with
docker compose down
Reboot machine
Check
ufw status
Output:
iptables -L
Output:
The usual IP tables entries
Now start mailcow with
docker compose up -d
Check
ufw status
Output:
Start
ufw enable
Output:
Check
ufw reload
Output:
Check
iptables -L
Output:
Shutdown mailcow with
docker compose down
Check commands again like above: Same result
The only way to bring everything up again is to either disable ufw with ufw disable and reboot the machine, or to shut down mailcow, reenable UFW with ufw enable, restart the machine and reenable UFW again with ufw enable. But I would really like to use both like I did for years now 😅
Which branch are you using?
master
Which architecture are you using?
x86
Operating System:
Debian GNU/Linux 10 (buster)
Server/VM specifications:
32GB RAM, 6 Cores
Is Apparmor, SELinux or similar active?
no
Virtualization technology:
KVM
Docker version:
25.0.3
docker-compose version or docker compose version:
v2.24.5
mailcow version:
2024-01e
Reverse proxy:
nginx
Logs of git diff:
Logs of iptables -L -vn:
Logs of ip6tables -L -vn:
Logs of iptables -L -vn -t nat:
Logs of ip6tables -L -vn -t nat:
DNS check:
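Since the symptom throughout this thread is ufw's and Docker's hooks disappearing from the filter table once the mailcow netfilter container starts, here is an added shell check (my example, not mailcow's or Docker's code) that reads iptables-save text and reports which hooks are missing, plus a check for the DISABLE_NETFILTER_ISOLATION_RULE workaround in mailcow.conf. The chain names it looks for and the sample dumps are constructed assumptions based on a standard ufw and Docker 25 setup.

```shell
#!/bin/sh
# Added example (not mailcow's or Docker's code): detect the state the reporter
# describes, ufw and Docker hooks gone from the filter table, from iptables-save text.

# Print "ok"/return 0 when the built-in chains still jump to ufw's chains and
# Docker's DOCKER-USER chain exists; otherwise list what is missing and return 1.
check_filter_rules() {
    dump="$1"
    missing=""
    for jump in "-A INPUT -j ufw-before-input" "-A FORWARD -j ufw-before-forward" \
                "-A OUTPUT -j ufw-before-output" "-A FORWARD -j DOCKER-USER"; do
        printf '%s\n' "$dump" | grep -qF -- "$jump" || missing="$missing [$jump]"
    done
    printf '%s\n' "$dump" | grep -q '^:DOCKER-USER ' || missing="$missing [chain DOCKER-USER]"
    if [ -z "$missing" ]; then echo ok; return 0; fi
    echo "missing:$missing"
    return 1
}

# Return 0 when mailcow.conf text has the workaround from this thread switched on.
isolation_rule_disabled() {
    printf '%s\n' "$1" | grep -Eiq '^DISABLE_NETFILTER_ISOLATION_RULE=y$'
}

# Constructed samples: a healthy filter table and one with the hooks gone.
HEALTHY_SAMPLE='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:DOCKER-USER - [0:0]
-A INPUT -j ufw-before-input
-A FORWARD -j DOCKER-USER
-A FORWARD -j ufw-before-forward
-A OUTPUT -j ufw-before-output
COMMIT'
BROKEN_SAMPLE='*filter
:INPUT ACCEPT [0:0]
COMMIT'

# With --live inspect the running host (needs root); otherwise run the samples.
if [ "${1:-}" = "--live" ]; then
    check_filter_rules "$(iptables-save -t filter)"
else
    check_filter_rules "$HEALTHY_SAMPLE"; check_filter_rules "$BROKEN_SAMPLE" || true
fi
```

Run it with --live right after docker compose up -d and again after docker compose down to see exactly which hooks the netfilter container removed.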