2006-03-28 00:34:41

by Hubert Tonneau

Subject: failed to configure iptables with 2.6.16 kernel

When upgrading from 2.6.15 to 2.6.16 I noticed iptables not working anymore.

I traced the problem down to a new 'CONFIG_NETFILTER_XTABLES' compile option
that must be set, but I still get some rules rejected as soon as
'--destination-port' option is used.

As an example, the following command:
iptables -A eth0in -p udp --destination-port 111 -j DROP
used to work with 2.6.15
but fails with 2.6.16 with the following error message:
iptables: No chain/target/match by that name


Attachments:
.config (28.78 kB)

2006-03-28 08:09:39

by Harald Welte

Subject: Re: failed to configure iptables with 2.6.16 kernel

On Tue, Mar 28, 2006 at 04:00:33AM +0000, Hubert Tonneau wrote:
> When upgrading from 2.6.15 to 2.6.16 I noticed iptables not working anymore.
>
> I traced the problem down to a new 'CONFIG_NETFILTER_XTABLES' compile option
> that must be set, but I still get some rules rejected as soon as
> '--destination-port' option is used.
>
> As an example, the following command:
> iptables -A eth0in -p udp --destination-port 111 -j DROP

this sounds like you're missing support for the tcp/udp match.
This functionality is implemented in xt_tcpudp.{c,ko}, which is compiled
as soon as x_tables is compiled.

What does cat /proc/net/ip_tables_matches show before and after executing
your iptables command, and before/after manually executing modprobe
xt_tcpudp?

Also, what is your iptables program version?

Please follow up to [email protected], but keep me in Cc.

--
- Harald Welte <[email protected]> http://netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie



2006-03-28 09:28:49

by Hubert Tonneau

Subject: Re: failed to configure iptables with 2.6.16 kernel

Harald Welte wrote:
>
> this sounds like you're missing support for the tcp/udp match.
> This functionality is implemented in xt_tcpudp.{c,ko}, which is compiled
> as soon as x_tables is compiled.

Loading 'xt_tcpudp' module solves the problem. Thanks for the answer.

So, the problem was just that the new 'x_tables' module is loaded automatically
according to module dependencies, but 'xt_tcpudp' is not.
As a result, an upgrade of the FullPliant user land tools is required in order
to force the 'xt_tcpudp' module to load before calling 'iptables' with
'--destination-port' option.

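As an added example (not code from the thread, and not FullPliant's own tooling), a POSIX shell pre-flight check that mirrors the fix described above: it parses a rule's protocol and port options, checks /proc/net/ip_tables_matches for the registered tcp/udp match, and loads xt_tcpudp before calling iptables only when the match is absent. The function names and the MATCHES_FILE variable are my own.

```shell
#!/bin/sh
# Added example: detect the 2.6.16 situation where x_tables is loaded but
# xt_tcpudp (which registers the "tcp" and "udp" matches) is not, so that a
# rule using --dport/--sport fails with "No chain/target/match by that name".

# Override for testing; the kernel's list of registered matches lives here.
MATCHES_FILE="${MATCHES_FILE:-/proc/net/ip_tables_matches}"

# missing_match_for_rule FILE RULE_ARGS...
# Prints the match name ("tcp" or "udp") the rule needs but FILE does not
# list; prints nothing when the rule needs no port match or the match exists.
missing_match_for_rule() {
    file="$1"; shift
    proto=""; ports=0
    while [ $# -gt 0 ]; do
        case "$1" in
            -p|--protocol)
                if [ $# -gt 1 ]; then proto="$2"; shift; fi ;;
            --dport|--destination-port|--sport|--source-port)
                ports=1 ;;
        esac
        shift
    done
    if [ "$ports" -eq 1 ] && { [ "$proto" = tcp ] || [ "$proto" = udp ]; }; then
        # An unreadable file (e.g. no x_tables at all) counts as "missing".
        grep -qx "$proto" "$file" 2>/dev/null || echo "$proto"
    fi
    return 0
}

# apply_rule RULE_ARGS...
# Load xt_tcpudp if the kernel lacks the needed match, then run iptables.
apply_rule() {
    missing=$(missing_match_for_rule "$MATCHES_FILE" "$@")
    if [ -n "$missing" ]; then
        echo "match '$missing' not registered; loading xt_tcpudp" >&2
        modprobe xt_tcpudp || return 1
    fi
    iptables "$@"
}

# Example call (the rule from the thread); only runs when explicitly asked for,
# since it needs root and a live netfilter stack.
if [ "${1:-}" = "--apply" ]; then
    apply_rule -A eth0in -p udp --destination-port 111 -j DROP
fi
```

Run as `sh preflight.sh --apply` (name assumed) on the firewall host; the diagnostic message on stderr tells you whether the module had to be loaded by hand, which is the symptom Hubert hit.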
2006-03-28 10:23:51

by Harald Welte

Subject: Re: failed to configure iptables with 2.6.16 kernel

On Tue, Mar 28, 2006 at 01:10:54PM +0000, Hubert Tonneau wrote:
> Harald Welte wrote:
> >
> > this sounds like you're missing support for the tcp/udp match.
> > This functionality is implemented in xt_tcpudp.{c,ko}, which is compiled
> > as soon as x_tables is compiled.
>
> Loading 'xt_tcpudp' module solves the problem. Thanks for the answer.

great.

> So, the problem was just that the new 'x_tables' module is loaded automatically
> according to modules dependencies, but 'xt_tcpudp' is not.

that is strange, since the iptables userspace program should explicitly
request loading that module.

unfortunately you didn't reply to my question on the version number of
the iptables program. Maybe we have some yet-unknown issues with old
iptables versions, and I want to get to the bottom of this.

--
- Harald Welte <[email protected]> http://netfilter.org/

