Netlock doesn't work on Qubes

[Matthew P. 0]

I cannot have eddie's netlock feature working in a qube in Qubes OS 4.
When trying to enable it within eddie-ui, I get a pop-up "Exception: Unable to initialize iptable_filter module".

The same with the cli:
$ eddie-ui -cli -netlock
(...)
Activation of Network Lock - Linux iptables
Exception: Unable to initialize iptable_filter module
(...)

This behavior was observed both in a Debian 10 qube and in a Fedora 32 qube. I don't get this error in a Debian 10 installed over bare metal. 

eddie ver. 2.18.9

Edited 08/15/2020 by Matthew P.
added eddie's version

[OpenSourcerer 1467]

Did you try reading the documentation?

[Matthew P. 0]

Thank you for your answer.

Yes I did. However it concerns the use of the ordinary openvpn client, with fail-close filter rules to be applied manually.

For the sake of knowledge: I also tried with the Hummingbird client. It apparently succeeded to set the network lock in a Debian qube, though warning that "Kernel module iptable_filter not found" (maybe it's what Eddie didn't like?) and stating that "Network filter and lock is using iptables-legacy" despite Debian 10 using nftables. The result is a mixing of the qube's nftables rules and of the vpn client's iptables-legacy rules.
It goes better with ./hummingbird xxx.ovpn --network-lock nftables : the vpn client stops complaining about iptable_filter and sets a nftables network lock.
In both cases, however, hummingbirds' network lock puts a DROP in the forward chain including the tunnel interface, so the setting of a vpn gateway as per the documentation linked by @giganerd doesn't work.

Coming back to Eddie, perhaps the reported problem comes from its trying to use iptbles-legacy netlock mode too.

It's a pity, because the vpn client of another known vpn provider worked effortlessly in Debian qubes, included network lock compatibility with a vpn gateway. Perhaps I was just lucky?
 

Edited 08/16/2020 by Matthew P.