Skip to content

Firewall breaks networking in Anbox

Describe your issue

What's the expected behaviour?

Using signal in anbox on the librem 5 should work.

What's the current behaviour?

With the nftables service enabled, signal in anbox cannot send or receive messages.

How to reproduce your issue?

Use signal in postmarketos-anbox, enable nftables with sudo rc-service nftables start, see that nothing gets sent.

What device are you using?

Librem 5 Evergreen

On what postmarketOS version did you encounter the issue?

  • edge (master branch)
  • v21.03
  • v20.05

On what environment did you encounter the issue?

Phone environments

  • Phosh
  • Plasma Mobile
  • Sxmo

Other

  • No environment
  • GNOME
  • KDE Plasma
  • Kodi
  • MATE
  • Shelli
  • Sway
  • Weston
  • Xfce4
  • fbkeyboard
  • i3wm

How did you get postmarketOS image?

What's the build date of the image? (in yyyy-mm-dd format)

Additional information

nftables ruleset:

samuel@192 ~ (master) $ sudo nft list ruleset
table inet filter {
        chain input {
                type filter hook input priority filter; policy drop;
                iifname "lo" accept comment "Accept any localhost traffic"
                ct state { established, related } accept comment "Accept traffic originated from us"
                ct state invalid drop comment "Drop invalid connections"
                tcp dport 113 reject comment "Reject AUTH to make it fail fast"
                ip protocol icmp icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } accept comment "Accept ICMP"
                ip6 nexthdr ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, echo-reply } accept comment "Accept basic IPv6 functionality"
                ip6 nexthdr ipv6-icmp ip6 hoplimit 255 icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept comment "Allow IPv6 SLAAC"
                ip6 nexthdr ipv6-icmp icmpv6 type { mld-listener-query, mld-listener-report, mld-listener-done, mld2-listener-report } ip6 saddr fe80::/10 accept comment "Allow IPv6 multicast listener discovery on link-local"
                iifname "wwan*" drop comment "drop all connections on wwan"
                iifname "usb*" udp dport 67 accept comment "accept incoming DHCP on usb*"
                iifname "wwan*" tcp dport 22 drop comment "drop SSH from wwan"
                tcp dport 22 accept comment "accept SSH"
        }

        chain forward {
                type filter hook forward priority filter; policy drop;
        }

        chain output {
                type filter hook output priority filter; policy accept;
        }
}
Edited by Administrator
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information