CHAIN_ADD failed (No such file or directory): chain PREROUTING

[xehonk]

In the new release (3.1.4) there is an error, which prevents the container from starting. Only happened on a windows host, not on a linux host.
iptables v1.8.10 (nf_tables): CHAIN_ADD failed (No such file or directory): chain PREROUTING

[qoomon]

Hmm, do you have any idea why this happens?(I don't have a windows machine)

[qoomon]

@xehonk do you use docker with wsl2 enabled? https://learn.microsoft.com/en-us/windows/wsl/tutorials/wsl-containers

[xehonk]

@qoomon Sorry, I don't have access to the affected machine until next week. I'll find out then.

[xehonk]

So, here's the update:
The machine has wsl2 enabled. docker-desktop and docker-desktop-data images are installed.

$ docker run --cap-add=NET_ADMIN --cap-add=NET_RAW qoomon/docker-host:3.1.5
Docker Host: 192.168.65.2 (host.docker.internal)
Forwarding ports: 1-65535
Warning: Extension tcp revision 0 not supported, missing kernel module?
Warning: Extension DNAT revision 0 not supported, missing kernel module?
iptables v1.8.10 (nf_tables):  CHAIN_ADD failed (No such file or directory): chain PREROUTING

$ docker run --cap-add=NET_ADMIN --cap-add=NET_RAW qoomon/docker-host:3.1.4
Docker Host: 192.168.65.2 (host.docker.internal)
Forwarding ports: 1-65535
Warning: Extension tcp revision 0 not supported, missing kernel module?
Warning: Extension DNAT revision 0 not supported, missing kernel module?
iptables v1.8.10 (nf_tables):  CHAIN_ADD failed (No such file or directory): chain PREROUTING

$ docker run --cap-add=NET_ADMIN --cap-add=NET_RAW qoomon/docker-host:3.1.3
Docker Host: 192.168.65.2 (host.docker.internal)
Forwarding ports: 1-65535

I also verified this on another computer running windows. Same result.

[qoomon]

probably it's due to iptables-nft change in alpine version 3.19.0 https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.19.0

[qoomon]

Maybe adding following lines to entrypoint.sh before iptable commands could help

modprobe ip_tables && echo $_ >> /etc/modules
modprobe iptable_nat && echo $_ >> /etc/modules
modprobe iptable_filter && echo $_ >> /etc/modules

[xehonk]

I have not tried this on windows, but even on linux there's this error with your suggested change. I do not think the alpine base image includes these loadable modules.

modprobe: can't change directory to '/lib/modules': No such file or directory

[qoomon]

I'll will try to migrate to nftables maybe this will work

[qoomon]

feel free to try this branch https://github.com/qoomon/docker-host/tree/feature/migrate-to-nftables

#63

[xehonk]

Works on my linux machine, but same error on windows unfortunately:

[qoomon]

hmm i have no clue what's the reason, or why the iptables legacy solution works

[qoomon]

seems to be related to

• Adding nftables sets doesn't work on WSL 2 microsoft/WSL#6044
• Investigate if we can switch back to iptables-legacy on WSL with older kernels rancher-sandbox/rancher-desktop#6624

[qoomon]

@xehonk I switched to iptables-legacy. Feel free to try version 3.3.0

[xehonk]

I can confirm that it works with 3.3 on windows and linux. here the run from the previously broken windows pc: