# qBittorrent doesn't work in jail but works on host



## dnb (Sep 21, 2022)

qBittorrent has the ability to work as a tracker (Advanced > Enable embedded tracker). The default port is 9000. When I run qbittorrent *on the host, it works great and I see port 9000* in sockstat output and this message in qbittorrent log:

```
(I) 2022-09-21T20:59:23 - Embedded Tracker: Now listening on IP: 0.0.0.0, port: 9000
```
However, when I run qbittorrent inside the jail, I see the following message in the log:

```
(W) 2022-09-21T21:03:40 - Embedded Tracker: Unable to bind to IP: 0.0.0.0, port: 9000. Reason: Protocol type not supported
```
*In the jail case, I don't see port 9000 in the sockstat output.* In this regard, I concluded that the problem is probably not in the qbittorrent settings, but in the jail or sysctl settings on the host machine.

*jail.conf (host)*

```
exec.clean;
exec.start="sh /etc/rc";
exec.stop="sh /etc/rc.shutdown";
ip4=inherit;
mount.devfs;

qbit {
        path="/qbit";
}
```

*sysctl.conf (host) - here I experimentally set permissive options I knew*

```
net.inet.ip.forwarding=1
security.jail.chflags_allowed=1
security.bsd.see_jail_proc=1
security.jail.allow_raw_sockets=1
security.jail.sysvipc_allowed=1
```

Please recommend the host settings (jail, sysctl) for the host so that qbittorrent can run on port 9000 as a tracker.


----------



## Holger (Sep 21, 2022)

Does general network access work inside your jail?

Maybe you need to configure a packet filter like `pf`.


----------



## mer (Sep 21, 2022)

It's telling you the Reason it fails in the jail.  Of course it doesn't tell you what the bad protocol is, so you're going to need a little digging to figure it out.
Those sysctl settings on the host, yes?


----------



## dnb (Sep 21, 2022)

Holger said:


> Does general network access work inside your jail?
> 
> Maybe you need to configure a packet filter like `pf`.


The point is that I can connect to the qbittorrent web interface from outside (with working ipfw). Now ipfw is disabled to eliminate its factor.

And I can download some test torrents like FreeBSD iso. Thus, the web interface works great, but the tracker cannot be launched from the jail. But on absolutely the same non-jailed system tracker works perfectly.


----------



## dnb (Sep 21, 2022)

mer said:


> It's telling you the Reason it fails in the jail.  Of course it doesn't tell you what the bad protocol is, so you're going to need a little digging to figure it out.
> Those sysctl settings on the host, yes?


Yes, these are configs from the host system. Configs from jail are of no interest, since they contain almost nothing.


----------



## mer (Sep 21, 2022)

dnb said:


> Yes, these are configs from the host system. Configs from jail are of no interest, since they contain almost nothing.


Figured as much, but I just wanted to double check.  I don't have anything else to offer.


----------



## Jake0162 (Sep 21, 2022)

Holger said:


> Does general network access work inside your jail?
> 
> Maybe you need to configure a packet filter like `pf`.


This was my thinking as well. Does pfctl say anything about it?


----------



## dnb (Sep 21, 2022)

Jake0162 said:


> This was my thinking as well. Does pfctl say anything about it?


I'm using ipfw and have disabled ipfw as it should work without it (and it works on a non-jailed system).


----------



## Holger (Sep 21, 2022)

dnb said:


> I'm using ipfw and have disabled ipfw as it should work without it (and it works on a non-jailed system).


You probably need to configure some sort of port forwarding.

For example, I am running a web-server in one of my jails, for which I need to forward ports 80 and 443. In your case, the port probably is 9000.

The relevant section of my `pf.conf` looks as follows:

```
rdr on em0 proto tcp from any to em0 port 80 -> 10.10.0.4 port 80
rdr on em0 proto tcp from any to em0 port 443 -> 10.10.0.4 port 443
```

Here `em0` is my physical network interface and 10.10.0.4 is the IP-address of my jail. Maybe this helps?


----------



## dnb (Sep 21, 2022)

Holger said:


> Here `em0` is my physical network interface and 10.10.0.4 is the IP-address of my jail. Maybe this helps?



Thank you, but as I already pointed out, *I don't see port 9000 in the sockstat output (when in jail)*.
Unfortunately, no filter in the world (not even pf) will help in this situation. The socket does not appear inside the jail (in jailed sockstat output). If I run qbittorrent on host, then port 9000 will be in host's sockstat output.


----------



## rootbert (Sep 21, 2022)

no idea about qbittorrent, but maybe allowing either allow.raw_sockets, allow.socket_af or allow.sysvipc in jail.conf helps


----------



## Mathieu (Sep 21, 2022)

This might be related to IPv6. Try making the jail inherit ip6 also (even if it'll only be the loopback address).


----------



## Jake0162 (Sep 22, 2022)

Can you tell us more about the jail itself? How did you make it? Manually or with something like Iocage, ezjail, bastille?
The networking of the jail itself is what I'm most curious about. If it's a thin jail it could be inheriting the resolv.conf.


----------



## dnb (Sep 23, 2022)

Mathieu said:


> This might be related to IPv6. Try making the jail inherit ip6 also (even if it'll only be the loopback address).


Brilliant! It turned out that even if the qbittorrent web interface is configured to work only using ipv4, the tracker will still want to work on both ipv4 and ipv6 at the same time. Most likely, this is due to the incompleteness of the web interface, which is being developed secondarily compared to the standard graphical interface.


----------



## Mathieu (Sep 23, 2022)

dnb said:


> Brilliant! It turned out that even if the qbittorrent web interface is configured to work only using ipv4, the tracker will still want to work on both ipv4 and ipv6 at the same time. Most likely, this is due to the incompleteness of the web interface, which is being developed secondarily compared to the standard graphical interface.



If I understand correctly what's going on, qt has some logic to skip IPv6, but it checks for EAFNOSUPPORT socket errors to do this, and the kernel returns EPROTONOSUPPORT when it's denied by jails.

It seems like it would be better if the kernel returned EAFNOSUPPORT for this but it might also break other things...


----------
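The errno mismatch described in the last post, as an added example that is not part of the thread and is not Qt or qBittorrent code: a socket-creation fallback that treats both `EAFNOSUPPORT` and `EPROTONOSUPPORT` as "this address family is unavailable here" while still surfacing any other error. The function names and the `jailed_socket` stand-in are hypothetical; the stand-in simulates a jail with `ip4=inherit` and no IPv6.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Socket factory type, so a restricted environment can be simulated. */
typedef int (*socket_fn)(int domain, int type, int protocol);

/* EAFNOSUPPORT is the error the thread says Qt checks for; EPROTONOSUPPORT
 * is the one the thread reports seeing inside the jail. Accept both. */
int family_unavailable(int err)
{
    return err == EAFNOSUPPORT || err == EPROTONOSUPPORT;
}

/* Try IPv6 first and fall back to IPv4 only when the family itself is
 * unavailable. Returns the fd (family in *family_out) or -1 with errno set. */
int open_tcp_socket(socket_fn mk, int *family_out)
{
    static const int families[] = { AF_INET6, AF_INET };
    for (size_t i = 0; i < 2; i++) {
        int fd = mk(families[i], SOCK_STREAM, 0);
        if (fd >= 0) {
            *family_out = families[i];
            return fd;
        }
        if (!family_unavailable(errno))
            return -1;  /* real failure (EMFILE, EACCES, ...): do not mask it */
    }
    return -1;
}

/* Constructed stand-in for a jail that denies IPv6 sockets. */
int jailed_socket(int domain, int type, int protocol)
{
    (void)type; (void)protocol;
    if (domain == AF_INET6) { errno = EPROTONOSUPPORT; return -1; }
    return 100;  /* fake descriptor, never used for I/O */
}

int main(void)
{
    int family = 0;
    int fd = open_tcp_socket(socket, &family);   /* real kernel */
    if (fd < 0) { perror("socket"); return 1; }
    printf("real: %s\n", family == AF_INET6 ? "AF_INET6" : "AF_INET");
    close(fd);
    open_tcp_socket(jailed_socket, &family);     /* simulated jail */
    printf("jail: %s\n", family == AF_INET6 ? "AF_INET6" : "AF_INET");
    return 0;
}
```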

