qBittorrent doesn't work in jail but works on host

qBittorrent has the ability to work as a tracker (Advanced > Enable embedded tracker). The default port is 9000. When I run qbittorrent on the host, it works great and I see port 9000 in sockstat output and this message in qbittorrent log:
Code:
(I) 2022-09-21T20:59:23 - Embedded Tracker: Now listening on IP: 0.0.0.0, port: 9000
However, when I run qbittorrent inside the jail, I see the following message in the log:
Code:
(W) 2022-09-21T21:03:40 - Embedded Tracker: Unable to bind to IP: 0.0.0.0, port: 9000. Reason: Protocol type not supported
In the jail case, I don't see port 9000 in the sockstat output. In this regard, I concluded that the problem is probably not in the qbittorrent settings, but in the jail or sysctl settings on the host machine.

jail.conf (host)
Code:
exec.clean;
exec.start="sh /etc/rc";
exec.stop="sh /etc/rc.shutdown";
ip4=inherit;
mount.devfs;

qbit {
        path="/qbit";
}

sysctl.conf (host) - here I experimentally set permissive options I knew
Code:
net.inet.ip.forwarding=1
security.jail.chflags_allowed=1
security.bsd.see_jail_proc=1
security.jail.allow_raw_sockets=1
security.jail.sysvipc_allowed=1

Please recommend the host settings (jail, sysctl) for the host so that qbittorrent can run on port 9000 as a tracker.
 
It's telling you the Reason it fails in the jail. Of course it doesn't tell you what the bad protocol is, so you're going to need a little digging to figure it out.
Those sysctl settings on the host, yes?
 
Does general network access work inside your jail?

Maybe you need to configure a packet filter like pf.
The point is that I can connect to the qbittorrent web interface from outside (with working ipfw). Now ipfw is disabled to eliminate its factor.

And I can download some test torrents like FreeBSD iso. Thus, the web interface works great, but the tracker cannot be launched from the jail. But on absolutely the same non-jailed system tracker works perfectly.
 
It's telling you the Reason it fails in the jail. Of course it doesn't tell you what the bad protocol is, so you're going to need a little digging to figure it out.
Those sysctl settings on the host, yes?
Yes, these are configs from the host system. Configs from jail are of no interest, since they contain almost nothing.
 
I'm using ipfw and have disabled ipfw as it should work without it (and it works on a non-jailed system).
You probably need to configure some sort of port forwarding.

For example, I am running a web-server in one of my jails, for which I need to forward ports 80 and 443. In your case, the port probably is 9000.

The relevant section of my pf.conf looks as follows:
Code:
rdr on em0 proto tcp from any to em0 port 80 -> 10.10.0.4 port 80
rdr on em0 proto tcp from any to em0 port 443 -> 10.10.0.4 port 443

Here em0 is my physical network interface and 10.10.0.4 is the IP-address of my jail. Maybe this helps?
 
Here em0 is my physical network interface and 10.10.0.4 is the IP-address of my jail. Maybe this helps?

Thank you, but as I already pointed out, I don't see port 9000 in the sockstat output (when in jail).
Unfortunately, no filter in the world (not even pf) will help in this situation. The socket does not appear inside the jail (in jailed sockstat output). If I run qbittorrent on host, then port 9000 will be in host's sockstat output.
 
no idea about qbittorrent, but maybe allowing either allow.raw_sockets, allow.socket_af or allow.sysvipc in jail.conf helps
 
Can you tell us more about the jail itself? How did you make it? Manually or with something like Iocage, ezjail, bastille?
The networking of the jail itself is what I'm most curious about. If it's a thin jail it could be inheriting the resolv.conf.
 
This might be related to IPv6. Try making the jail inherit ip6 also (even if it'll only be the loopback address).
Brilliant! It turned out that even if the qbittorrent web interface is configured to work only using ipv4, the tracker will still want to work on both ipv4 and ipv6 at the same time. Most likely, this is due to the incompleteness of the web interface, which is being developed secondarily compared to the standard graphical interface.
 
Brilliant! It turned out that even if the qbittorrent web interface is configured to work only using ipv4, the tracker will still want to work on both ipv4 and ipv6 at the same time. Most likely, this is due to the incompleteness of the web interface, which is being developed secondarily compared to the standard graphical interface.

If I understand correctly what's going on, qt has some logic to skip IPv6, but it checks for EAFNOSUPPORT socket errors to do this, and the kernel returns EPROTONOSUPPORT when it's denied by jails.

It seems like it would be better if the kernel returned EAFNOSUPPORT for this but it might also break other things...
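
The errno mismatch described in the last post, as an added example that is not part of the original thread and is not qBittorrent's or Qt's code: a TCP listener that skips an address family when socket() fails with either EAFNOSUPPORT or EPROTONOSUPPORT, then falls back to IPv4. The names family_unavailable and listen_any are hypothetical.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* errno values treated as "this address family is not usable here".
 * EPROTONOSUPPORT is included because the thread reports it from a jail
 * that has no IPv6 (ip4=inherit only). */
static int family_unavailable(int err)
{
    return err == EAFNOSUPPORT || err == EPROTONOSUPPORT;
}

/* Listen on the wildcard address, trying IPv6 first and then IPv4.
 * Returns the socket and stores the family used, or -1 on failure. */
static int listen_any(unsigned short port, int *family)
{
    static const int families[] = { AF_INET6, AF_INET };
    for (int i = 0; i < 2; i++) {
        /* Zero-initialised address fields mean in6addr_any / INADDR_ANY. */
        struct sockaddr_in6 a6 = { .sin6_family = AF_INET6, .sin6_port = htons(port) };
        struct sockaddr_in a4 = { .sin_family = AF_INET, .sin_port = htons(port) };
        int v6 = families[i] == AF_INET6;
        const struct sockaddr *sa = v6 ? (const struct sockaddr *)&a6
                                       : (const struct sockaddr *)&a4;
        socklen_t len = v6 ? sizeof a6 : sizeof a4;
        int fd = socket(families[i], SOCK_STREAM, 0);
        if (fd < 0) {
            if (family_unavailable(errno))
                continue;   /* family denied or absent: try the next one */
            return -1;      /* any other error is a real failure */
        }
        if (bind(fd, sa, len) == 0 && listen(fd, 16) == 0) {
            *family = families[i];
            return fd;
        }
        close(fd);          /* bind/listen failed: fall through to next family */
    }
    return -1;
}

int main(void)
{
    int family = 0;
    int fd = listen_any(9000, &family);   /* 9000: tracker port from the thread */
    if (fd < 0) { perror("listen_any"); return 1; }
    printf("listening via %s\n", family == AF_INET6 ? "AF_INET6" : "AF_INET");
    close(fd);
    return 0;
}
```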
 