Hi to all.
I have been using Arch for a while and I am quite pleased with it. Currently I am trying to understand how the automatic addition of nftables rules works and where I can see the config files for them.
My system adds nftables rules when booting (or restarting) that go beyond the content of /etc/nftables.conf:
When looking at /etc/nftables.conf I can see some basic tables with some basic chains.
But when doing a
nft list ruleset
I see tons of tables and chains that aren't mentioned in /etc/nftables.conf.
In my case, I also see rules for the installed Docker, and the same for KVM/QEMU. I know that these programs can add rules to nftables when their services start. My problem is that these rules do not always work for the network I am in. Sometimes services aren't usable because nftables is blocking them.
So I would like to modify them persistently so that they work, without having to do this on every system start.
Regards, cwo2
Please post the content of /etc/nftables.conf and the full output of `nft list ruleset`. Thanks.
Jin, Jîyan, Azadî
Hi. Here are the two outputs. While reading the "nft" generated output again, I noticed that the difference was generated by iptables-nft. I know that I installed this, but I haven't had the time to read into it. Maybe this answers my question.
Now, here the output:
nftables.conf
#!/usr/bin/nft -f
# vim:set ts=2 sw=2 et:
# Host firewall, loaded with `nft -f` (see the shebang). The tables defined
# here coexist in the live ruleset with tables added by other services
# (iptables-nft for Docker and Tailscale, libvirt); `nft list ruleset` shows
# all of them, this file only the two below.
# 192.168.122.0/24
define qemu_bridge0 = "virbr0"
# 192.168.100.0/24
define qemu_bridge1 = "virbr1"
# 192.168.111.0/24
define qemu_bridge2 = "virbr2"
# 172.17.0.0/16
define docker_bridge0 = "docker0"
# 192.168.49.0/24
define docker_bridge1 = "br-9e536d727c00"
# NOTE(review): $docker_bridge0 and $docker_bridge1 are defined but never
# referenced in the chains below, so traffic on the Docker bridges gets no
# accept rule and ends at the reject rule / drop policies.
# Remove and recreate this file's tables on every (re)load. Caution: the live
# ruleset reports `table ip nat` as "managed by iptables-nft"; Docker's and
# Tailscale's NAT chains live in that same table, and destroying it deletes
# them as well until those services re-add them.
destroy table inet filter
destroy table ip nat
table inet filter {
chain input {
type filter hook input priority filter
# default policy
policy drop
ct state invalid drop comment "early drop of invalid connections"
ct state {established, related} accept comment "allow tracked connections"
# iif: match interface by ID
iif lo accept comment "allow from loopback"
# iifname: match interface by Name (match later available interfaces)
iifname $qemu_bridge0 accept comment "accept from QEMU VM"
iifname $qemu_bridge1 accept comment "accept from QEMU VM"
iifname $qemu_bridge2 accept comment "accept from QEMU VM"
# ip protocol icmp accept comment "allow icmp"
# meta l4proto ipv6-icmp accept comment "allow icmp v6"
# tcp dport ssh accept comment "allow sshd"
# Anything not accepted above (this includes packets arriving on
# $docker_bridge0/$docker_bridge1) is rejected here, rate-limited, before
# the drop policy applies.
pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
counter
}
chain forward {
type filter hook forward priority filter
# Drop policy without a `ct state established,related` rule: only the
# explicit VM-bridge rules below let routed traffic through. Packets routed
# from the Docker bridges (e.g. 192.168.49.2 -> 192.168.179.1:53, the DNS
# timeouts seen in the journal) match none of them and are dropped here,
# even though Docker's own `ip filter FORWARD` chain accepts them - a drop
# in any base chain on the hook wins.
# TODO(review): add `iifname $docker_bridge0 accept` / `oifname $docker_bridge0 accept`
# (and the same for $docker_bridge1) if container traffic should pass.
policy drop
iifname $qemu_bridge0 accept comment "accept VM interface as INPUT"
oifname $qemu_bridge0 accept comment "accept VM interface as OUTPUT"
iifname $qemu_bridge1 accept comment "accept VM interface as INPUT"
oifname $qemu_bridge1 accept comment "accept VM interface as OUTPUT"
iifname $qemu_bridge2 accept comment "accept VM interface as INPUT"
oifname $qemu_bridge2 accept comment "accept VM interface as OUTPUT"
}
}
# Source NAT for the default libvirt network. libvirt already installs an
# equivalent masquerade for 192.168.122.0/24 in `table ip libvirt_network`
# (chain guest_nat), so this rule duplicates it.
table ip nat {
chain postrouting{
# priority 100 is the numeric value of the symbolic `srcnat`;
# `nft list ruleset` prints it as srcnat.
type nat hook postrouting priority 100
policy accept
ip saddr 192.168.122.0/24 masquerade
}
}
and the output of `nft list ruleset`:
table inet filter {
chain input {
type filter hook input priority filter; policy drop;
ct state invalid drop comment "early drop of invalid connections"
ct state { established, related } accept comment "allow tracked connections"
iif "lo" accept comment "allow from loopback"
iifname "virbr0" accept comment "accept from QEMU VM"
iifname "virbr1" accept comment "accept from QEMU VM"
iifname "virbr2" accept comment "accept from QEMU VM"
meta pkttype host limit rate 5/second burst 5 packets counter packets 0 bytes 0 reject with icmpx admin-prohibited
counter packets 49 bytes 11956
}
chain forward {
type filter hook forward priority filter; policy drop;
iifname "virbr0" accept comment "accept VM interface as INPUT"
oifname "virbr0" accept comment "accept VM interface as OUTPUT"
iifname "virbr1" accept comment "accept VM interface as INPUT"
oifname "virbr1" accept comment "accept VM interface as OUTPUT"
iifname "virbr2" accept comment "accept VM interface as INPUT"
oifname "virbr2" accept comment "accept VM interface as OUTPUT"
}
}
# Warning: table ip nat is managed by iptables-nft, do not touch!
table ip nat {
chain postrouting {
type nat hook postrouting priority srcnat; policy accept;
ip saddr 192.168.122.0/24 masquerade
}
chain DOCKER {
iifname "docker0" counter packets 0 bytes 0 return
iifname "br-9e536d727c00" counter packets 0 bytes 0 return
}
chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept;
counter packets 6158 bytes 642011 jump ts-postrouting
ip saddr 172.17.0.0/16 oifname != "docker0" counter packets 0 bytes 0 xt target "MASQUERADE"
ip saddr 192.168.49.0/24 oifname != "br-9e536d727c00" counter packets 0 bytes 0 xt target "MASQUERADE"
}
chain PREROUTING {
type nat hook prerouting priority dstnat; policy accept;
xt match "addrtype" counter packets 0 bytes 0 jump DOCKER
}
chain OUTPUT {
type nat hook output priority dstnat; policy accept;
ip daddr != 127.0.0.0/8 xt match "addrtype" counter packets 3 bytes 855 jump DOCKER
}
chain ts-postrouting {
meta mark & 0x00ff0000 == 0x00040000 counter packets 0 bytes 0 xt target "MASQUERADE"
}
}
# Warning: table ip filter is managed by iptables-nft, do not touch!
table ip filter {
chain DOCKER {
}
chain DOCKER-ISOLATION-STAGE-1 {
iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
iifname "br-9e536d727c00" oifname != "br-9e536d727c00" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
counter packets 0 bytes 0 return
}
chain DOCKER-ISOLATION-STAGE-2 {
oifname "docker0" counter packets 0 bytes 0 drop
oifname "br-9e536d727c00" counter packets 0 bytes 0 drop
counter packets 0 bytes 0 return
}
chain FORWARD {
type filter hook forward priority filter; policy accept;
counter packets 0 bytes 0 jump ts-forward
counter packets 0 bytes 0 jump DOCKER-USER
counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-1
oifname "docker0" xt match "conntrack" counter packets 0 bytes 0 accept
oifname "docker0" counter packets 0 bytes 0 jump DOCKER
iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 accept
iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept
oifname "br-9e536d727c00" xt match "conntrack" counter packets 0 bytes 0 accept
oifname "br-9e536d727c00" counter packets 0 bytes 0 jump DOCKER
iifname "br-9e536d727c00" oifname != "br-9e536d727c00" counter packets 0 bytes 0 accept
iifname "br-9e536d727c00" oifname "br-9e536d727c00" counter packets 0 bytes 0 accept
}
chain DOCKER-USER {
counter packets 0 bytes 0 return
}
chain ts-input {
ip saddr 100.116.126.40 iifname "lo" counter packets 0 bytes 0 accept
ip saddr 100.115.92.0/23 iifname != "tailscale0" counter packets 0 bytes 0 return
ip saddr 100.64.0.0/10 iifname != "tailscale0" counter packets 0 bytes 0 drop
iifname "tailscale0" counter packets 14105 bytes 11198468 accept
udp dport 41641 counter packets 15090 bytes 12053548 accept
}
chain ts-forward {
iifname "tailscale0" counter packets 0 bytes 0 xt target "MARK"
meta mark & 0x00ff0000 == 0x00040000 counter packets 0 bytes 0 accept
ip saddr 100.64.0.0/10 oifname "tailscale0" counter packets 0 bytes 0 drop
oifname "tailscale0" counter packets 0 bytes 0 accept
}
chain INPUT {
type filter hook input priority filter; policy accept;
counter packets 743826 bytes 976289523 jump ts-input
}
}
table ip libvirt_network {
chain forward {
type filter hook forward priority filter; policy accept;
counter packets 0 bytes 0 jump guest_cross
counter packets 0 bytes 0 jump guest_input
counter packets 0 bytes 0 jump guest_output
}
chain guest_output {
iif "virbr1" counter packets 0 bytes 0 reject
ip saddr 192.168.111.0/24 iif "virbr2" counter packets 0 bytes 0 accept
iif "virbr2" counter packets 0 bytes 0 reject
ip saddr 192.168.122.0/24 iif "virbr0" counter packets 0 bytes 0 accept
iif "virbr0" counter packets 0 bytes 0 reject
}
chain guest_input {
oif "virbr1" counter packets 0 bytes 0 reject
ip daddr 192.168.111.0/24 oif "virbr2" counter packets 0 bytes 0 accept
oif "virbr2" counter packets 0 bytes 0 reject
oif "virbr0" ip daddr 192.168.122.0/24 ct state established,related counter packets 0 bytes 0 accept
oif "virbr0" counter packets 0 bytes 0 reject
}
chain guest_cross {
iif "virbr1" oif "virbr1" counter packets 0 bytes 0 accept
iif "virbr2" oif "virbr2" counter packets 0 bytes 0 accept
iif "virbr0" oif "virbr0" counter packets 0 bytes 0 accept
}
chain guest_nat {
type nat hook postrouting priority srcnat; policy accept;
ip saddr 192.168.122.0/24 ip daddr 224.0.0.0/24 counter packets 2 bytes 108 return
ip saddr 192.168.122.0/24 ip daddr 255.255.255.255 counter packets 0 bytes 0 return
meta l4proto tcp ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter packets 0 bytes 0 masquerade to :1024-65535
meta l4proto udp ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter packets 0 bytes 0 masquerade to :1024-65535
ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter packets 0 bytes 0 masquerade
}
}
# Warning: table ip6 filter is managed by iptables-nft, do not touch!
table ip6 filter {
chain DOCKER {
}
chain DOCKER-ISOLATION-STAGE-1 {
iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
iifname "br-9e536d727c00" oifname != "br-9e536d727c00" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
counter packets 0 bytes 0 return
}
chain DOCKER-ISOLATION-STAGE-2 {
oifname "docker0" counter packets 0 bytes 0 drop
oifname "br-9e536d727c00" counter packets 0 bytes 0 drop
counter packets 0 bytes 0 return
}
chain FORWARD {
type filter hook forward priority filter; policy drop;
counter packets 0 bytes 0 jump ts-forward
counter packets 0 bytes 0 jump DOCKER-USER
}
chain DOCKER-USER {
counter packets 0 bytes 0 return
}
chain ts-input {
ip6 saddr fd7a:115c:a1e0::bf01:7e2a iifname "lo" counter packets 0 bytes 0 accept
iifname "tailscale0" counter packets 0 bytes 0 accept
udp dport 41641 counter packets 0 bytes 0 accept
}
chain ts-forward {
iifname "tailscale0" counter packets 0 bytes 0 xt target "MARK"
meta mark & 0x00ff0000 == 0x00040000 counter packets 0 bytes 0 accept
oifname "tailscale0" counter packets 0 bytes 0 accept
}
chain INPUT {
type filter hook input priority filter; policy accept;
counter packets 33 bytes 7128 jump ts-input
}
}
# Warning: table ip6 nat is managed by iptables-nft, do not touch!
table ip6 nat {
chain DOCKER {
}
chain ts-postrouting {
meta mark & 0x00ff0000 == 0x00040000 counter packets 0 bytes 0 xt target "MASQUERADE"
}
chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept;
counter packets 0 bytes 0 jump ts-postrouting
}
}
table ip6 libvirt_network {
chain forward {
type filter hook forward priority filter; policy accept;
counter packets 0 bytes 0 jump guest_cross
counter packets 0 bytes 0 jump guest_input
counter packets 0 bytes 0 jump guest_output
}
chain guest_output {
}
chain guest_input {
}
chain guest_cross {
}
chain guest_nat {
type nat hook postrouting priority srcnat; policy accept;
}
}
regards, cwo2
Paraphrasing aside, have you read https://wiki.archlinux.org/title/Docker … d-networkd
Paraphrasing aside, have you read https://wiki.archlinux.org/title/Docker … d-networkd
No, I haven't. Thank you, I will check this.
Regards, cwo2
Paraphrasing aside, have you read https://wiki.archlinux.org/title/Docker … d-networkd
Hm, if I see this correctly, I am using NetworkManager and not systemd-networkd. The article you point me to is about systemd-networkd, and I currently don't know whether NetworkManager is the problem (see below).
When doing a sysctl -a | grep forwarding, I get
247:net.ipv4.conf.all.bc_forwarding = 0
254:net.ipv4.conf.all.forwarding = 1
259:net.ipv4.conf.all.mc_forwarding = 0
280:net.ipv4.conf.br-9e536d727c00.bc_forwarding = 0
287:net.ipv4.conf.br-9e536d727c00.forwarding = 1
292:net.ipv4.conf.br-9e536d727c00.mc_forwarding = 0
313:net.ipv4.conf.default.bc_forwarding = 0
320:net.ipv4.conf.default.forwarding = 1
325:net.ipv4.conf.default.mc_forwarding = 0
346:net.ipv4.conf.docker0.bc_forwarding = 0
353:net.ipv4.conf.docker0.forwarding = 1
358:net.ipv4.conf.docker0.mc_forwarding = 0
379:net.ipv4.conf.enp5s0f3u1u3c2.bc_forwarding = 0
386:net.ipv4.conf.enp5s0f3u1u3c2.forwarding = 1
391:net.ipv4.conf.enp5s0f3u1u3c2.mc_forwarding = 0
412:net.ipv4.conf.lo.bc_forwarding = 0
419:net.ipv4.conf.lo.forwarding = 1
424:net.ipv4.conf.lo.mc_forwarding = 0
478:net.ipv4.conf.virbr0.bc_forwarding = 0
485:net.ipv4.conf.virbr0.forwarding = 1
490:net.ipv4.conf.virbr0.mc_forwarding = 0
511:net.ipv4.conf.virbr1.bc_forwarding = 0
518:net.ipv4.conf.virbr1.forwarding = 1
523:net.ipv4.conf.virbr1.mc_forwarding = 0
544:net.ipv4.conf.virbr2.bc_forwarding = 0
551:net.ipv4.conf.virbr2.forwarding = 1
556:net.ipv4.conf.virbr2.mc_forwarding = 0
577:net.ipv4.conf.wlp2s0.bc_forwarding = 0
584:net.ipv4.conf.wlp2s0.forwarding = 1
589:net.ipv4.conf.wlp2s0.mc_forwarding = 0
628:net.ipv4.ip_forward = 1
629:net.ipv4.ip_forward_update_priority = 1
630:net.ipv4.ip_forward_use_pmtu = 0
936:net.ipv6.conf.all.forwarding = 0
945:net.ipv6.conf.all.mc_forwarding = 0
997:net.ipv6.conf.br-9e536d727c00.forwarding = 0
1006:net.ipv6.conf.br-9e536d727c00.mc_forwarding = 0
1058:net.ipv6.conf.default.forwarding = 0
1067:net.ipv6.conf.default.mc_forwarding = 0
1119:net.ipv6.conf.docker0.forwarding = 0
1128:net.ipv6.conf.docker0.mc_forwarding = 0
1180:net.ipv6.conf.enp5s0f3u1u3c2.forwarding = 0
1189:net.ipv6.conf.enp5s0f3u1u3c2.mc_forwarding = 0
1241:net.ipv6.conf.lo.forwarding = 0
1250:net.ipv6.conf.lo.mc_forwarding = 0
1364:net.ipv6.conf.virbr0.forwarding = 0
1373:net.ipv6.conf.virbr0.mc_forwarding = 0
1425:net.ipv6.conf.virbr1.forwarding = 0
1434:net.ipv6.conf.virbr1.mc_forwarding = 0
1486:net.ipv6.conf.virbr2.forwarding = 0
1495:net.ipv6.conf.virbr2.mc_forwarding = 0
1547:net.ipv6.conf.wlp2s0.forwarding = 0
1556:net.ipv6.conf.wlp2s0.mc_forwarding = 0
Related to https://wiki.archlinux.org/title/Intern … forwarding
net.ipv4.ip_forward = 1
net.ipv4.conf.all.forwarding = 1
net.ipv6.conf.all.forwarding = 1
should be enabled - and the IPv4 options are enabled on my system. I am currently not using IPv6 within my network.
But I think the missing Internet connection from my docker containers was related to wrong nft rules: after flushing my ruleset, Docker was able to make DNS queries.
Regards, cwo2
We don't know what you're using because you didn't tell.
Please post the output of
find /etc/systemd -type l -exec test -f {} \; -print | awk -F'/' '{ printf ("%-40s | %s\n", $(NF-0), $(NF-1)) }' | sort -f
But I missed that you had already posted the rules (F5…)
these rules does not always work for the network I am in. Sometimes services aren't useable because nftables blocking them.
Are those the rules while the forwarding doesn't work and what is the output of "ip a; ip r" and "nft list ruleset" when
a) docker network works
b) doesn't
Also https://gitlab.archlinux.org/archlinux/ … type=heads - did you alter the file or was it automatically written by something™
Why?
We don't know what you're using because you didn't tell.
You're right, sorry.
Please post the output of
find /etc/systemd -type l -exec test -f {} \; -print | awk -F'/' '{ printf ("%-40s | %s\n", $(NF-0), $(NF-1)) }' | sort -f
Sure, here we go:
bluetooth.service | bluetooth.target.wants
cups.path | multi-user.target.wants
cups.service | multi-user.target.wants
cups.service | printer.target.wants
cups.socket | sockets.target.wants
dbus-org.bluez.service | system
dbus-org.freedesktop.nm-dispatcher.service | system
dbus-org.freedesktop.timesync1.service | system
displaylink.service | graphical.target.wants
display-manager.service | system
docker.service | multi-user.target.wants
getty@tty1.service | getty.target.wants
gnome-keyring-daemon.socket | sockets.target.wants
libvirtd-admin.socket | sockets.target.wants
libvirtd-ro.socket | sockets.target.wants
libvirtd.service | multi-user.target.wants
libvirtd.socket | sockets.target.wants
NetworkManager.service | multi-user.target.wants
NetworkManager-wait-online.service | network-online.target.wants
nftables.service | multi-user.target.wants
p11-kit-server.socket | sockets.target.wants
pipewire-pulse.socket | sockets.target.wants
pipewire-session-manager.service | user
pipewire.socket | sockets.target.wants
power-profiles-daemon.service | graphical.target.wants
reflector.service | multi-user.target.wants
remote-fs.target | multi-user.target.wants
systemd-timesyncd.service | sysinit.target.wants
systemd-userdbd.socket | sockets.target.wants
virtlockd-admin.socket | sockets.target.wants
virtlockd.socket | sockets.target.wants
virtlogd-admin.socket | sockets.target.wants
virtlogd.socket | sockets.target.wants
wireplumber.service | pipewire.service.wants
xdg-user-dirs-update.service | default.target.wants
Are those the rules while the forwarding doesn't work and what is the output of "ip a; ip r" and "nft list ruleset" when
a) docker network works
b) doesn't
When booting up the system, the docker service runs fine. Then I start minikube and I get tons of entries in my log (following it with journalctl -f):
Jan 16 10:40:48 archiboldi dockerd[1241]: time="2025-01-16T10:40:48.731578718+01:00" level=error msg="[resolver] failed to query external DNS server" client-addr="udp:192.168.49.2:33489" dns-server="udp:192.168.179.1:53" error="read udp 192.168.49.2:33489->192.168.179.1:53: i/o timeout" question=";registry.k8s.io.\tIN\t A" spanID=9ab68dbc32dd35c9 traceID=90cd854162bbc0d90811efb3f819d039
Then I stop minikube, do a "nft flush ruleset", restart the docker service and start minikube again. Journalctl shows the following:
Jan 16 10:46:37 archiboldi kernel: veth80a709fc: entered allmulticast mode
Jan 16 10:46:37 archiboldi kernel: veth80a709fc: entered promiscuous mode
Jan 16 10:46:37 archiboldi kernel: bridge: port 2(vethb3668df5) entered blocking state
Jan 16 10:46:37 archiboldi kernel: bridge: port 2(vethb3668df5) entered disabled state
Jan 16 10:46:37 archiboldi kernel: vethb3668df5: entered allmulticast mode
Jan 16 10:46:37 archiboldi kernel: vethb3668df5: entered promiscuous mode
Jan 16 10:46:37 archiboldi kernel: bridge: port 2(vethb3668df5) entered blocking state
Jan 16 10:46:37 archiboldi kernel: bridge: port 2(vethb3668df5) entered forwarding state
Jan 16 10:46:37 archiboldi kernel: bridge: port 1(veth80a709fc) entered blocking state
Jan 16 10:46:37 archiboldi kernel: bridge: port 1(veth80a709fc) entered forwarding state
When thinking about all this, it seems that I messed up /etc/nftables.conf. After flushing my tables and restarting the docker service, I only get the working docker rules that come with iptables-nft. And they do work. Minikube does not complain about not being able to query registry.k8s.io. I will reset /etc/nftables.conf back to its original and retry.
Also https://gitlab.archlinux.org/archlinux/ … type=heads - did you alter the file or was it automatically written by something™
Why?
Yes, you are right. I altered nftables.conf for some reasons: trying to get a config for my environment that works (ok, you proved to me that it did not), making my config persistent, and learning how nftables works compared to iptables. I thought the best way of getting my own nft rules to work was putting them into /etc/nftables.conf.
Regards, cwo2
I replaced the modified nftables.conf with the original and did a reboot. After the system was up again, I started Minikube and got the same entries within journalctl:
Jan 16 13:11:38 archiboldi dockerd[1238]: time="2025-01-16T13:11:38.227572985+01:00" level=error msg="[resolver] failed to query external DNS server" client-addr="udp:192.168.49.2:43928" dns-server="udp:192.168.179.1:53"error="read udp 192.168.49.2:43928->192.168.179.1:53: i/o timeout" question=";.\tIN\t NS" spanID=554fb654db4e8d34 traceID=727748f49dcaeed992de7cd920d66013
Jan 16 13:11:39 archiboldi dockerd[1238]: time="2025-01-16T13:11:39.729364959+01:00" level=error msg="[resolver] failed to query external DNS server" client-addr="udp:192.168.49.2:51171" dns-server="udp:192.168.179.1:53"error="read udp 192.168.49.2:51171->192.168.179.1:53: i/o timeout" question=";.\tIN\t NS" spanID=2c2a945b9486dc47 traceID=563ace692408eb28d3b69d1184709e0f
Jan 16 13:11:41 archiboldi dockerd[1238]: time="2025-01-16T13:11:41.231111702+01:00" level=error msg="[resolver] failed to query external DNS server" client-addr="udp:192.168.49.2:57581" dns-server="udp:192.168.179.1:53"error="read udp 192.168.49.2:57581->192.168.179.1:53: i/o timeout" question=";.\tIN\t NS" spanID=bf21fbf6f4cf7b06 traceID=8be46a397380f2c5678cf34c7caa87fe
Jan 16 13:11:42 archiboldi dockerd[1238]: time="2025-01-16T13:11:42.732666021+01:00" level=error msg="[resolver] failed to query external DNS server" client-addr="udp:192.168.49.2:57122" dns-server="udp:192.168.179.1:53"error="read udp 192.168.49.2:57122->192.168.179.1:53: i/o timeout" question=";.\tIN\t NS" spanID=bf9bd86f9ddbf9ad traceID=7fcb8a7b7269c9e0417ce97101293c90
Jan 16 13:11:44 archiboldi dockerd[1238]: time="2025-01-16T13:11:44.234202981+01:00" level=error msg="[resolver] failed to query external DNS server" client-addr="udp:192.168.49.2:60303" dns-server="udp:192.168.179.1:53"error="read udp 192.168.49.2:60303->192.168.179.1:53: i/o timeout" question=";.\tIN\t NS" spanID=22899b1439fc6e6e traceID=4c2d2ad4fd9c4b022c82d19773253629
Jan 16 13:11:45 archiboldi dockerd[1238]: time="2025-01-16T13:11:45.736549496+01:00" level=error msg="[resolver] failed to query external DNS server" client-addr="udp:192.168.49.2:52137" dns-server="udp:192.168.179.1:53"error="read udp 192.168.49.2:52137->192.168.179.1:53: i/o timeout" question=";.\tIN\t NS" spanID=5f614936d08656ef traceID=4dc4ff0c95f0e890a6547780ce059d67
192.168.179.1 is my default router to the internet. It's an AVM FritzBox that answers my DNS queries:
; <<>> DiG 9.20.4 <<>> @192.168.179.1 www.heise.de
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19854
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.heise.de. IN A
;; ANSWER SECTION:
www.heise.de. 30973 IN A 193.99.144.85
;; Query time: 6 msec
;; SERVER: 192.168.179.1#53(192.168.179.1) (UDP)
;; WHEN: Thu Jan 16 13:13:11 CET 2025
;; MSG SIZE rcvd: 57
Here is my output of ip a:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: enp5s0f3u1u3c2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1456 qdisc fq_codel state UNKNOWN group default qlen 1000
link/ether 80:6d:97:49:c1:c9 brd ff:ff:ff:ff:ff:ff
altname enx806d9749c1c9
inet 192.168.179.6/24 brd 192.168.179.255 scope global dynamic noprefixroute enp5s0f3u1u3c2
valid_lft 18561sec preferred_lft 18561sec
inet6 2003:c0:8f18:801:2b89:1e8b:b470:1fbd/64 scope global dynamic noprefixroute
valid_lft 7137sec preferred_lft 1183sec
inet6 fd4e:a713:12fb:1:ba62:50bb:684c:e6b/64 scope global dynamic noprefixroute
valid_lft 7137sec preferred_lft 3537sec
inet6 fe80::e33b:f4e2:ce5c:f00d/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: wlp2s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
link/ether d2:19:27:73:de:ee brd ff:ff:ff:ff:ff:ff permaddr 74:13:ea:7d:47:40
altname wlx7413ea7d4740
4: virbr2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc htb state DOWN group default qlen 1000
link/ether 52:54:00:3e:3a:d3 brd ff:ff:ff:ff:ff:ff
inet 192.168.111.1/24 brd 192.168.111.255 scope global virbr2
valid_lft forever preferred_lft forever
5: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc htb state DOWN group default qlen 1000
link/ether 52:54:00:99:1a:35 brd ff:ff:ff:ff:ff:ff
inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
valid_lft forever preferred_lft forever
6: virbr1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc htb state DOWN group default qlen 1000
link/ether 52:54:00:dc:96:86 brd ff:ff:ff:ff:ff:ff
inet 192.168.100.1/24 brd 192.168.100.255 scope global virbr1
valid_lft forever preferred_lft forever
7: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:ca:5e:c0:b6 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
8: br-9e536d727c00: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:54:45:e6:fd brd ff:ff:ff:ff:ff:ff
inet 192.168.49.1/24 brd 192.168.49.255 scope global br-9e536d727c00
valid_lft forever preferred_lft forever
inet6 fe80::42:54ff:fe45:e6fd/64 scope link proto kernel_ll
valid_lft forever preferred_lft forever
11: vethe5f45bb@if10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-9e536d727c00 state UPgroup default
link/ether d6:44:f9:77:7b:e8 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::d444:f9ff:fe77:7be8/64 scope link proto kernel_ll
valid_lft forever preferred_lft forever
and here are my routes:
default via 192.168.179.1 dev enp5s0f3u1u3c2 proto dhcp src 192.168.179.6 metric 100
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.49.0/24 dev br-9e536d727c00 proto kernel scope link src 192.168.49.1
192.168.100.0/24 dev virbr1 proto kernel scope link src 192.168.100.1 linkdown
192.168.111.0/24 dev virbr2 proto kernel scope link src 192.168.111.1 linkdown
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1 linkdown
192.168.179.0/24 dev enp5s0f3u1u3c2 proto kernel scope link src 192.168.179.6 metric 100
As a summary: I can solve this by stopping Minikube and Docker, then flushing my nftables and starting Docker first and Minikube second.
Regards, cwo2