Bug#1106398: plasma-nm: Problem tracked down to nftables
Package: plasma-nm
Version: 4:6.3.4-1
Followup-For: Bug #1106398
Dear Maintainer,
I was able to solve this for myself, but I suspect it will bite others,
so I'm keeping the bug open. It may well be that it belongs in another
package, though.
It took me some searching to find out that firewalld (which is
"the firewall" that now "comes with" plasma) actually uses nftables
behind the scenes. When I looked at the nftables rules, things still
looked ok. It was only after I added some tracing rules, and used
the nft tools to trace packets, that I found the culprit.
(see https://wiki.nftables.org/wiki-nftables/index.php/Ruleset_debug/tracing)
The nft table for the hotspot was fine:
table ip nm-shared-wlo1 {
    chain nat_postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        ip saddr 10.42.0.0/24 ip daddr != 10.42.0.0/24 masquerade
    }

    chain filter_forward {
        type filter hook forward priority filter; policy accept;
        ip daddr 10.42.0.0/24 oifname "wlo1" ct state { established, related } accept
        ip saddr 10.42.0.0/24 iifname "wlo1" accept
        iifname "wlo1" oifname "wlo1" accept
        iifname "wlo1" reject
        oifname "wlo1" reject
    }
}
But tracing showed that, once packets were accepted by this chain, they
were passed to the "filter" table, specifically to its FORWARD chain. That
chain had probably been set up by docker:
chain FORWARD {
    type filter hook forward priority filter; policy drop;
    counter packets 951 bytes 86070 jump DOCKER-ISOLATION-STAGE-1
    counter packets 951 bytes 86070 jump DOCKER-USER
    oifname "docker0" ct state related,established counter packets 0 bytes 0 accept
    oifname "docker0" counter packets 0 bytes 0 jump DOCKER
    iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 accept
    iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept
}
(I have no idea what these numbers actually mean)
After going through this chain, the packets (which, of course, had
"docker0" as neither input nor output interface) were dropped according
to the chain policy.
I added two rules:
$ sudo nft add rule ip filter FORWARD oifname "wlo1" ct state related,established counter packets 0 bytes 0 accept   # replies back to hotspot clients
$ sudo nft add rule ip filter FORWARD iifname "wlo1" oifname != "wlo1" counter packets 0 bytes 0 accept   # hotspot clients out to the uplink
(modeled after the docker rules)
And now the hotspot provides a proper internet connection.
-- System Information:
Debian Release: 13.0
APT prefers testing-security
APT policy: (990, 'testing-security'), (990, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.12.27-amd64 (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_IL.UTF-8, LC_CTYPE=en_IL.UTF-8 (charmap=UTF-8), LANGUAGE=en_US
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages plasma-nm depends on:
ii kio6 6.13.0-6
ii kwallet6 6.13.0-1
ii libc6 2.41-8
ii libglib2.0-0t64 2.84.2-1
ii libkf6colorscheme6 6.13.0-1
ii libkf6completion6 6.13.0-1
ii libkf6configcore6 6.13.0-2
ii libkf6coreaddons6 6.13.0-1
ii libkf6dbusaddons6 6.13.0-1
ii libkf6i18n6 6.13.0-1
ii libkf6kcmutils6 6.13.0-2
ii libkf6kcmutilscore6 6.13.0-2
ii libkf6kiogui6 6.13.0-6
ii libkf6kiowidgets6 6.13.0-6
ii libkf6modemmanagerqt6 6.13.0-1
ii libkf6networkmanagerqt6 6.13.0-1
ii libkf6notifications6 6.13.0-1
ii libkf6solid6 6.13.0-1
ii libkf6wallet6 6.13.0-1
ii libkf6widgetsaddons6 6.13.0-1
ii libkf6windowsystem6 6.13.0-2
ii libnm0 1.52.0-6
ii libopenconnect5 9.12-3
ii libqca-qt6-2 2.3.10-1
ii libqcoro6dbus0t64 0.12.0-1
ii libqt6core6t64 6.8.2+dfsg-6
ii libqt6dbus6 6.8.2+dfsg-6
ii libqt6gui6 6.8.2+dfsg-6
ii libqt6network6 6.8.2+dfsg-6
ii libqt6qml6 6.8.2+dfsg-7
ii libqt6quickwidgets6 6.8.2+dfsg-7
ii libqt6webenginecore6 6.8.2+dfsg-4
ii libqt6webenginecore6-bin 6.8.2+dfsg-4
ii libqt6webenginewidgets6 6.8.2+dfsg-4
ii libqt6widgets6 6.8.2+dfsg-6
ii libqt6xml6 6.8.2+dfsg-6
ii libstdc++6 14.2.0-19
ii mobile-broadband-provider-info 20240407-1
ii network-manager 1.52.0-6
ii plasma-desktoptheme 6.3.5-1
ii qml6-module-org-kde-config 6.13.0-2
ii qml6-module-org-kde-coreaddons 6.13.0-1
ii qml6-module-org-kde-kcmutils 6.13.0-2
ii qml6-module-org-kde-kirigami 6.13.0-2
ii qml6-module-org-kde-kquickcontrolsaddons 6.13.0-1
ii qml6-module-org-kde-ksvg 6.13.0-1
ii qml6-module-org-kde-networkmanager 6.13.0-1
ii qml6-module-org-kde-prison 6.13.0-1
ii qml6-module-org-kde-quickcharts 6.13.0-1
ii qml6-module-qtquick 6.8.2+dfsg-7
ii qml6-module-qtquick-controls 6.8.2+dfsg-7
ii qml6-module-qtquick-dialogs 6.8.2+dfsg-7
ii qml6-module-qtquick-layouts 6.8.2+dfsg-7
Versions of packages plasma-nm recommends:
ii systemsettings 4:6.3.4-2
Versions of packages plasma-nm suggests:
pn network-manager-fortisslvpn <none>
pn network-manager-iodine <none>
pn network-manager-l2tp <none>
pn network-manager-openconnect <none>
pn network-manager-openvpn <none>
pn network-manager-pptp <none>
pn network-manager-ssh <none>
pn network-manager-strongswan <none>
pn network-manager-vpnc <none>
-- no debconf information
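What the reporter saw is standard nftables behaviour: an accept verdict in a base chain ends only that chain, and the packet is still handed to every other base chain registered on the same hook, so the policy of the last forward-hook chain is the final word. The uppercase chain names in table ip filter are what iptables-nft creates, which is how docker installs its rules, so firewalld's own ruleset looked fine while this unrelated table dropped the hotspot traffic. The script below is an added example, not part of the bug report or of any package: it reads the JSON that nft -j list ruleset prints (the nftables, chain, hook, policy, rule, expr, match and meta names are libnftables' JSON schema), lists forward-hook chains with policy drop that have no accept rule for packets entering or leaving a given interface, and prints the two nft commands from the report, generalised to that chain and interface. SAMPLE_RULESET is constructed from the two chains quoted above and is used when nft is not available; the function and variable names are my own.

```python
"""Audit an `nft -j list ruleset` dump for forward-hook chains that would
drop traffic of a shared (hotspot) interface, and print the nft commands
that admit it. Hypothetical helper written for this bug thread."""
import json
import subprocess
import sys

# Constructed sample modelled on the two chains quoted in the report: the
# NetworkManager chain accepts wlo1 traffic, the iptables-nft FORWARD chain
# (policy drop) only knows about docker0. Field names follow the
# libnftables JSON schema used by `nft -j`.
SAMPLE_RULESET = {"nftables": [
    {"chain": {"family": "ip", "table": "nm-shared-wlo1", "name": "filter_forward",
               "type": "filter", "hook": "forward", "prio": 0, "policy": "accept"}},
    {"rule": {"family": "ip", "table": "nm-shared-wlo1", "chain": "filter_forward", "expr": [
        {"match": {"op": "==", "left": {"payload": {"protocol": "ip", "field": "daddr"}},
                   "right": {"prefix": {"addr": "10.42.0.0", "len": 24}}}},
        {"match": {"op": "==", "left": {"meta": {"key": "oifname"}}, "right": "wlo1"}},
        {"match": {"op": "in", "left": {"ct": {"key": "state"}},
                   "right": {"set": ["established", "related"]}}},
        {"accept": None}]}},
    {"rule": {"family": "ip", "table": "nm-shared-wlo1", "chain": "filter_forward", "expr": [
        {"match": {"op": "==", "left": {"payload": {"protocol": "ip", "field": "saddr"}},
                   "right": {"prefix": {"addr": "10.42.0.0", "len": 24}}}},
        {"match": {"op": "==", "left": {"meta": {"key": "iifname"}}, "right": "wlo1"}},
        {"accept": None}]}},
    {"chain": {"family": "ip", "table": "filter", "name": "FORWARD",
               "type": "filter", "hook": "forward", "prio": 0, "policy": "drop"}},
    {"rule": {"family": "ip", "table": "filter", "chain": "FORWARD", "expr": [
        {"counter": {"packets": 951, "bytes": 86070}}, {"jump": {"target": "DOCKER-USER"}}]}},
    {"rule": {"family": "ip", "table": "filter", "chain": "FORWARD", "expr": [
        {"match": {"op": "==", "left": {"meta": {"key": "oifname"}}, "right": "docker0"}},
        {"match": {"op": "in", "left": {"ct": {"key": "state"}}, "right": ["related", "established"]}},
        {"counter": {"packets": 0, "bytes": 0}}, {"accept": None}]}},
    {"rule": {"family": "ip", "table": "filter", "chain": "FORWARD", "expr": [
        {"match": {"op": "==", "left": {"meta": {"key": "iifname"}}, "right": "docker0"}},
        {"match": {"op": "!=", "left": {"meta": {"key": "oifname"}}, "right": "docker0"}},
        {"counter": {"packets": 0, "bytes": 0}}, {"accept": None}]}},
]}


def _iface_matches(expr):
    """Yield (key, op, value) for each iifname/oifname match in a rule."""
    for e in expr:
        m = e.get("match")
        if m:
            key = m.get("left", {}).get("meta", {}).get("key")
            if key in ("iifname", "oifname"):
                yield key, m.get("op"), m.get("right")


def audit_forward(ruleset, iface):
    """Return forward-hook chains with policy drop that lack an accept rule
    for packets entering (iifname) or leaving (oifname) `iface`. Such a
    chain sees every forwarded packet even if an earlier chain on the same
    hook accepted it, and its policy then decides."""
    objs = ruleset["nftables"]
    chains = {}
    for o in objs:
        c = o.get("chain")
        if c and c.get("hook") == "forward":
            chains[(c["family"], c["table"], c["name"])] = {
                "policy": c.get("policy", "accept"), "in": False, "out": False}
    for o in objs:
        r = o.get("rule")
        if not r or (r["family"], r["table"], r["chain"]) not in chains:
            continue
        expr = r.get("expr", [])
        if not any("accept" in e for e in expr):
            continue  # jumps, counters, rejects: no accept for anything
        st = chains[(r["family"], r["table"], r["chain"])]
        for key, op, value in _iface_matches(expr):
            if op == "==" and value == iface:
                st["in" if key == "iifname" else "out"] = True
    return [{"family": f, "table": t, "chain": n,
             "accepts_in": st["in"], "accepts_out": st["out"]}
            for (f, t, n), st in sorted(chains.items())
            if st["policy"] == "drop" and not (st["in"] and st["out"])]


def fix_commands(finding, iface):
    """The two rules from the report, generalised to any chain/interface.
    `nft add rule` appends to the chain and is not persistent across a
    reboot, so move the rules into a ruleset file once they are known good."""
    where = f'{finding["family"]} {finding["table"]} {finding["chain"]}'
    cmds = []
    if not finding["accepts_out"]:
        cmds.append(f'nft add rule {where} oifname "{iface}" '
                    'ct state related,established counter accept')
    if not finding["accepts_in"]:
        cmds.append(f'nft add rule {where} iifname "{iface}" oifname != "{iface}" counter accept')
    return cmds


def main(argv):
    iface = argv[1] if len(argv) > 1 else "wlo1"
    try:  # needs root; falls back to the constructed sample otherwise
        out = subprocess.run(["nft", "-j", "list", "ruleset"], check=True,
                             capture_output=True, text=True).stdout
        ruleset = json.loads(out)
    except (OSError, subprocess.CalledProcessError):
        print("nft not available; auditing the built-in sample", file=sys.stderr)
        ruleset = SAMPLE_RULESET
    for f in audit_forward(ruleset, iface):
        print(f'{f["family"]} {f["table"]} {f["chain"]}: policy drop, '
              f'accepts_in={f["accepts_in"]} accepts_out={f["accepts_out"]}')
        for cmd in fix_commands(f, iface):
            print("  " + cmd)


if __name__ == "__main__":
    main(sys.argv)
```

Run it as root with the shared interface as the argument (python3 audit.py wlo1) and check that nothing is reported after the rules are in place; rerun after a reboot, since rules added on the command line do not survive one.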