No chain/target/match by that name

No chain/target/match by that name

[Steve Turnbull]

Hi

Our web server is configured;
Debian (Woody) (No X installed)
Kernel 2.4.23 - configured with iptables in mind
iptables v1.2.6a

When we start the firewall script, we get this message;
'No chain/target/match by that name'

The firewall works however, but is constantly logging;
'Sep  5 16:00:52 www kernel: Input: IN=eth0 OUT= 
MAC=00:e0:81:29:01:75:00:07:85:06:c2:e1:08:00 SRC=195.92.195.93 
DST=195.92.38.54 LEN=302 TOS=0x00 PREC=0x00 TTL=61 ID=0 DF PROTO=UDP 
SPT=53 DPT=32833 LEN=282'

Something is ammis here, and we can't ping out from the server with the 
firewall running, also, we can't use Lynx to browse. Turn the firewall 
off and all is well for both of these.

Has anybody got any ideas what is wrong? Our firewall rule is below.

Regards
Steve



#!/bin/sh


#
# This is the firewall up script.
#

#
# Lets start by dropping all incoming traffic and allowing all
# outbound traffic
#

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT



# Flush any existing rules...
iptables -F


# Allow any established connections to come on through...
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT


# This is a web server. We only require access to http ports
# 80,21,53 and 443. New ports to allow will be added here...
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

#ssh
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

#ftp
iptables -A INPUT -p tcp --dport 21 -j ACCEPT

#DNS
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT


# Allow the loopback connection...
iptables -A INPUT -i lo -j ACCEPT


# Log stuff that doesn't match above rules...
iptables -A INPUT -j LOG --log-prefix="Input: "

-- 
Steve Turnbull
Digital Content Developer
YHGfL Foundation

t 01724 275030
e steve.turnbull@yhgfl.net

Re: No chain/target/match by that name

[Jason Opperisano]

On Sun, 2004-09-05 at 10:31, Steve Turnbull wrote:
> Hi
> 
> Our web server is configured;
> Debian (Woody) (No X installed)
> Kernel 2.4.23 - configured with iptables in mind
> iptables v1.2.6a
> 
> When we start the firewall script, we get this message;
> 'No chain/target/match by that name'

start your fw script with the following:

        bash -x <script>
        
and it will show you the parsing of every line and you will be able to
see which line causes the error.

if i had to take a stab in the dark--i'd guess it's "-m state" rule;
which would mean you built your kernel without connection tracking
support--which would explain the other behavior as well...

the connection tracking option is "CONFIG_IP_NF_CONNTRACK" in your
kernel config.  i *highly* recommend including it unless you have a very
compelling reason not to.

-j

-- 
Jason Opperisano <opie@817west.com>

Re: No chain/target/match by that name

[Steve Turnbull]

Jason Opperisano wrote:
> On Sun, 2004-09-05 at 10:31, Steve Turnbull wrote:
> 
>>Hi
>>
>>Our web server is configured;
>>Debian (Woody) (No X installed)
>>Kernel 2.4.23 - configured with iptables in mind
>>iptables v1.2.6a
>>
>>When we start the firewall script, we get this message;
>>'No chain/target/match by that name'
> 
> 
> start your fw script with the following:
> 
>         bash -x <script>
>         
> and it will show you the parsing of every line and you will be able to
> see which line causes the error.
> 
> if i had to take a stab in the dark--i'd guess it's "-m state" rule;
> which would mean you built your kernel without connection tracking
> support--which would explain the other behavior as well...
> 
> the connection tracking option is "CONFIG_IP_NF_CONNTRACK" in your
> kernel config.  i *highly* recommend including it unless you have a very
> compelling reason not to.
> 
> -j
> 
Thanks for the reply

Our Kernel .config file (iptables extract) shows this (see below), which 
suggests CONNTRACK is on. Does any of the other setting need compiling in??

Regards
Steve

#
#   IP: Netfilter Configuration
#
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_FTP=y
# CONFIG_IP_NF_AMANDA is not set
# CONFIG_IP_NF_TFTP is not set
# CONFIG_IP_NF_IRC is not set
# CONFIG_IP_NF_QUEUE is not set
CONFIG_IP_NF_IPTABLES=y
# CONFIG_IP_NF_MATCH_LIMIT is not set
# CONFIG_IP_NF_MATCH_MAC is not set
# CONFIG_IP_NF_MATCH_PKTTYPE is not set
# CONFIG_IP_NF_MATCH_MARK is not set
# CONFIG_IP_NF_MATCH_MULTIPORT is not set
# CONFIG_IP_NF_MATCH_TOS is not set
# CONFIG_IP_NF_MATCH_RECENT is not set
# CONFIG_IP_NF_MATCH_ECN is not set
# CONFIG_IP_NF_MATCH_DSCP is not set
# CONFIG_IP_NF_MATCH_AH_ESP is not set
# CONFIG_IP_NF_MATCH_LENGTH is not set
# CONFIG_IP_NF_MATCH_TTL is not set
# CONFIG_IP_NF_MATCH_TCPMSS is not set
# CONFIG_IP_NF_MATCH_HELPER is not set
CONFIG_IP_NF_MATCH_STATE=y
CONFIG_IP_NF_MATCH_CONNTRACK=y
# CONFIG_IP_NF_MATCH_UNCLEAN is not set
# CONFIG_IP_NF_MATCH_OWNER is not set
CONFIG_IP_NF_FILTER=y
# CONFIG_IP_NF_TARGET_REJECT is not set
# CONFIG_IP_NF_TARGET_MIRROR is not set
# CONFIG_IP_NF_NAT is not set
# CONFIG_IP_NF_MANGLE is not set
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_IP_NF_TARGET_ULOG=y
# CONFIG_IP_NF_TARGET_TCPMSS is not set
# CONFIG_IP_NF_ARPTABLES is not set


-- 
Steve Turnbull
Digital Content Developer
YHGfL Foundation

t 01724 275030
e steve.turnbull@yhgfl.net

Re: No chain/target/match by that name

[Steve Turnbull]

Jason Opperisano wrote:
> On Sun, 2004-09-05 at 10:31, Steve Turnbull wrote:
> 
>>Hi
>>
>>Our web server is configured;
>>Debian (Woody) (No X installed)
>>Kernel 2.4.23 - configured with iptables in mind
>>iptables v1.2.6a
>>
>>When we start the firewall script, we get this message;
>>'No chain/target/match by that name'
> 
> 
> start your fw script with the following:
> 
>         bash -x <script>
>         
> and it will show you the parsing of every line and you will be able to
> see which line causes the error.
> 
> if i had to take a stab in the dark--i'd guess it's "-m state" rule;
> which would mean you built your kernel without connection tracking
> support--which would explain the other behavior as well...
> 
> the connection tracking option is "CONFIG_IP_NF_CONNTRACK" in your
> kernel config.  i *highly* recommend including it unless you have a very
> compelling reason not to.
> 
> -j
> 
Also, using bash -x did show that the script falls over at the '-m 
state' rule...

Steve

-- 
Steve Turnbull
Digital Content Developer
YHGfL Foundation

t 01724 275030
e steve.turnbull@yhgfl.net

Re: No chain/target/match by that name

[Jose Maria Lopez]

El dom, 05 de 09 de 2004 a las 16:31, Steve Turnbull escribió:
> Hi
> 
> Our web server is configured;
> Debian (Woody) (No X installed)
> Kernel 2.4.23 - configured with iptables in mind
> iptables v1.2.6a
> 
> When we start the firewall script, we get this message;
> 'No chain/target/match by that name'
> 

You should check your firewall script and find the rule
that it's giving the error, just run it with "bash -x <script>"
and you can see line by line what's happening. Maybe it's
a misspelling of a rule.

> The firewall works however, but is constantly logging;
> 'Sep  5 16:00:52 www kernel: Input: IN=eth0 OUT= 
> MAC=00:e0:81:29:01:75:00:07:85:06:c2:e1:08:00 SRC=195.92.195.93 
> DST=195.92.38.54 LEN=302 TOS=0x00 PREC=0x00 TTL=61 ID=0 DF PROTO=UDP 
> SPT=53 DPT=32833 LEN=282'
> 

This is DNS normal traffic I think, so you shouldn't be logging
it.

> Something is ammis here, and we can't ping out from the server with the 
> firewall running, also, we can't use Lynx to browse. Turn the firewall 
> off and all is well for both of these.
> 

If you turn the policy to deny and then the firewall script gives an
error and exits then you don't have the ports you need open and that's
the problem.

> Has anybody got any ideas what is wrong? Our firewall rule is below.
> 
> Regards
> Steve
> 
> 
> 
> #!/bin/sh
> 
> 
> #
> # This is the firewall up script.
> #
> 
> #
> # Lets start by dropping all incoming traffic and allowing all
> # outbound traffic
> #
> 
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT ACCEPT
> 
> 
> 
> # Flush any existing rules...
> iptables -F
> 
> 
> # Allow any established connections to come on through...
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> 
> # This is a web server. We only require access to http ports
> # 80,21,53 and 443. New ports to allow will be added here...
> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
> iptables -A INPUT -p tcp --dport 443 -j ACCEPT
> 
> #ssh
> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
> 
> #ftp
> iptables -A INPUT -p tcp --dport 21 -j ACCEPT
> 
> #DNS
> iptables -A INPUT -p tcp --dport 53 -j ACCEPT
> iptables -A INPUT -p udp --dport 53 -j ACCEPT
> 
> 
> # Allow the loopback connection...
> iptables -A INPUT -i lo -j ACCEPT
> 
> 
> # Log stuff that doesn't match above rules...
> iptables -A INPUT -j LOG --log-prefix="Input: "
-- 
Jose Maria Lopez Hernandez
Director Tecnico de bgSEC
jkerouac@bgsec.com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
ESPAÑA

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"

Re: No chain/target/match by that name

[Alistair Tonner]

On September 5, 2004 10:31 am, Steve Turnbull wrote:
> Hi
>
> Our web server is configured;
> Debian (Woody) (No X installed)
> Kernel 2.4.23 - configured with iptables in mind
> iptables v1.2.6a
>
> When we start the firewall script, we get this message;
> 'No chain/target/match by that name'

	urmm ... try rebuilding iptables code against this kernel?

	I'm not sure about Debian's packages, but is it possible that the iptables 
code is precompiled here?

>
> The firewall works however, but is constantly logging;
> 'Sep  5 16:00:52 www kernel: Input: IN=eth0 OUT=
> MAC=00:e0:81:29:01:75:00:07:85:06:c2:e1:08:00 SRC=195.92.195.93
> DST=195.92.38.54 LEN=302 TOS=0x00 PREC=0x00 TTL=61 ID=0 DF PROTO=UDP
> SPT=53 DPT=32833 LEN=282'
	
	This looks like a reply to a DNS query.   It the state rule below didn't get 
accepted this looks correct.

>
> Something is ammis here, and we can't ping out from the server with the
> firewall running, also, we can't use Lynx to browse. Turn the firewall
> off and all is well for both of these.
	
	You haven't included any rules here that regard ICMP -- no pings.

>
> Has anybody got any ideas what is wrong? Our firewall rule is below.
>
> Regards
> Steve
>
>
>
> #!/bin/sh
>
>
> #
> # This is the firewall up script.
> #
>
> #
> # Lets start by dropping all incoming traffic and allowing all
> # outbound traffic
> #
>
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT ACCEPT
>
>
>
> # Flush any existing rules...
> iptables -F
>
>
> # Allow any established connections to come on through...
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
>
> # This is a web server. We only require access to http ports
> # 80,21,53 and 443. New ports to allow will be added here...
> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
> iptables -A INPUT -p tcp --dport 443 -j ACCEPT
>
> #ssh
> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
>
> #ftp
> iptables -A INPUT -p tcp --dport 21 -j ACCEPT
>
> #DNS
> iptables -A INPUT -p tcp --dport 53 -j ACCEPT
> iptables -A INPUT -p udp --dport 53 -j ACCEPT
>
>
> # Allow the loopback connection...
> iptables -A INPUT -i lo -j ACCEPT
>
>
> # Log stuff that doesn't match above rules...
> iptables -A INPUT -j LOG --log-prefix="Input: "

Re: No chain/target/match by that name

[Steve Turnbull]

Alistair Tonner wrote:
> On September 5, 2004 10:31 am, Steve Turnbull wrote:
> 
>>Hi
>>
>>Our web server is configured;
>>Debian (Woody) (No X installed)
>>Kernel 2.4.23 - configured with iptables in mind
>>iptables v1.2.6a
>>
>>When we start the firewall script, we get this message;
>>'No chain/target/match by that name'
> 
> 
> 	urmm ... try rebuilding iptables code against this kernel?
> 
> 	I'm not sure about Debian's packages, but is it possible that the iptables 
> code is precompiled here?

	I have just rebuilt the Kernel - I daren't reboot into it until I am on 
site tomorrow - we will see what happens, I have added various 
components along side the existing ones.


> 
> 
>>The firewall works however, but is constantly logging;
>>'Sep  5 16:00:52 www kernel: Input: IN=eth0 OUT=
>>MAC=00:e0:81:29:01:75:00:07:85:06:c2:e1:08:00 SRC=195.92.195.93
>>DST=195.92.38.54 LEN=302 TOS=0x00 PREC=0x00 TTL=61 ID=0 DF PROTO=UDP
>>SPT=53 DPT=32833 LEN=282'
> 
> 	
> 	This looks like a reply to a DNS query.   It the state rule below didn't get 
> accepted this looks correct.
> 
> 
>>Something is ammis here, and we can't ping out from the server with the
>>firewall running, also, we can't use Lynx to browse. Turn the firewall
>>off and all is well for both of these.
> 
> 	
> 	You haven't included any rules here that regard ICMP -- no pings.

	I was meaning I couldn't ping out FROM the server. The rule for 
outgoing traffic is accept all - "iptables -P OUTPUT ACCEPT", this is 
why I was confused about the inability to ping or browse with Lynx outbound.

> 
> 
>>Has anybody got any ideas what is wrong? Our firewall rule is below.
>>
>>Regards
>>Steve
>>
>>
>>
>>#!/bin/sh
>>
>>
>>#
>># This is the firewall up script.
>>#
>>
>>#
>># Lets start by dropping all incoming traffic and allowing all
>># outbound traffic
>>#
>>
>>iptables -P INPUT DROP
>>iptables -P FORWARD DROP
>>iptables -P OUTPUT ACCEPT
>>
>>
>>
>># Flush any existing rules...
>>iptables -F
>>
>>
>># Allow any established connections to come on through...
>>iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>
>>
>># This is a web server. We only require access to http ports
>># 80,21,53 and 443. New ports to allow will be added here...
>>iptables -A INPUT -p tcp --dport 80 -j ACCEPT
>>iptables -A INPUT -p tcp --dport 443 -j ACCEPT
>>
>>#ssh
>>iptables -A INPUT -p tcp --dport 22 -j ACCEPT
>>
>>#ftp
>>iptables -A INPUT -p tcp --dport 21 -j ACCEPT
>>
>>#DNS
>>iptables -A INPUT -p tcp --dport 53 -j ACCEPT
>>iptables -A INPUT -p udp --dport 53 -j ACCEPT
>>
>>
>># Allow the loopback connection...
>>iptables -A INPUT -i lo -j ACCEPT
>>
>>
>># Log stuff that doesn't match above rules...
>>iptables -A INPUT -j LOG --log-prefix="Input: "
> 
> 


-- 
Steve Turnbull
Digital Content Developer
YHGfL Foundation

t 01724 275030
e steve.turnbull@yhgfl.net

Re: No chain/target/match by that name

[Steve Turnbull]

Alistair Tonner wrote:
> On September 5, 2004 10:31 am, Steve Turnbull wrote:
> 
>>Hi
>>
>>Our web server is configured;
>>Debian (Woody) (No X installed)
>>Kernel 2.4.23 - configured with iptables in mind
>>iptables v1.2.6a
>>
>>When we start the firewall script, we get this message;
>>'No chain/target/match by that name'
> 
> 
> 	urmm ... try rebuilding iptables code against this kernel?
> 
> 	I'm not sure about Debian's packages, but is it possible that the iptables 
> code is precompiled here?
> 
> 
>>The firewall works however, but is constantly logging;
>>'Sep  5 16:00:52 www kernel: Input: IN=eth0 OUT=
>>MAC=00:e0:81:29:01:75:00:07:85:06:c2:e1:08:00 SRC=195.92.195.93
>>DST=195.92.38.54 LEN=302 TOS=0x00 PREC=0x00 TTL=61 ID=0 DF PROTO=UDP
>>SPT=53 DPT=32833 LEN=282'
> 
> 	
> 	This looks like a reply to a DNS query.   It the state rule below didn't get 
> accepted this looks correct.
> 
> 
>>Something is ammis here, and we can't ping out from the server with the
>>firewall running, also, we can't use Lynx to browse. Turn the firewall
>>off and all is well for both of these.
> 
> 	
> 	You haven't included any rules here that regard ICMP -- no pings.
> 
> 
>>Has anybody got any ideas what is wrong? Our firewall rule is below.
>>
>>Regards
>>Steve
>>
>>
>>
>>#!/bin/sh
>>
>>
>>#
>># This is the firewall up script.
>>#
>>
>>#
>># Lets start by dropping all incoming traffic and allowing all
>># outbound traffic
>>#
>>
>>iptables -P INPUT DROP
>>iptables -P FORWARD DROP
>>iptables -P OUTPUT ACCEPT
>>
>>
>>
>># Flush any existing rules...
>>iptables -F
>>
>>
>># Allow any established connections to come on through...
>>iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>
>>
>># This is a web server. We only require access to http ports
>># 80,21,53 and 443. New ports to allow will be added here...
>>iptables -A INPUT -p tcp --dport 80 -j ACCEPT
>>iptables -A INPUT -p tcp --dport 443 -j ACCEPT
>>
>>#ssh
>>iptables -A INPUT -p tcp --dport 22 -j ACCEPT
>>
>>#ftp
>>iptables -A INPUT -p tcp --dport 21 -j ACCEPT
>>
>>#DNS
>>iptables -A INPUT -p tcp --dport 53 -j ACCEPT
>>iptables -A INPUT -p udp --dport 53 -j ACCEPT
>>
>>
>># Allow the loopback connection...
>>iptables -A INPUT -i lo -j ACCEPT
>>
>>
>># Log stuff that doesn't match above rules...
>>iptables -A INPUT -j LOG --log-prefix="Input: "
> 
> 
Turns out that it just needed some exra stuff comiling into the kernel - 
I added all of the state options and all is well now, thanks for he help

Steve

-- 
Steve Turnbull
Digital Content Developer
YHGfL Foundation

t 01724 275030
e steve.turnbull@yhgfl.net

No chain/target/match by that name

[Vlad]

Hallo , I'm trying to write a new module for iptables. I started with a 
dummy module. I can successfully compile it. But if I trying to use it, 
I get an error message:
 
$ iptables -A INPUT -s 128.0.0.1 -m secan --drop -j DROP
drop frame
iptables: No chain/target/match by that name

Can someone tell me what is a problem? Here is my code:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <getopt.h>
#include <iptables.h>

#include <linux/netfilter_ipv4/ip_tables.h>
#include "libipt_secan.h"

static void secan_help(void)
{
    printf(
"secan options:\n"
"  --drop    Drop Frame\n"
"  --accept    Accept Frame\n");
}

static int secan_parse(int c, char **argv, int invert, unsigned int *flags,
                     const void *entry, struct xt_entry_match **match)
{
    struct ipt_secan_info *info = (struct ipt_secan_info *) (*match)->data;
    switch (c) {
        case '1':
            if (*flags & SECAN_DROP)
            exit_error(PARAMETER_PROBLEM, "Only use --drop once!");
            *flags |= SECAN_DROP;
            info->flags |= SECAN_DROP;
            printf("drop frame\n");
            break;
        case '2':
            if (*flags & SECAN_ACCEPT)
            exit_error(PARAMETER_PROBLEM, "Only use --accept once!");
            *flags |= SECAN_ACCEPT;
            info->flags |= SECAN_ACCEPT;
            printf("accept frame\n");
            break;
        default:
            return 0;

    }

    return 1;
}

static void secan_check(unsigned int flags)
{
    if (!flags)
        exit_error(PARAMETER_PROBLEM,
            "SECAN: You must specify one of "
            "`--drop', `--accept'");
}

static void secan_print(const void *ip, const struct xt_entry_match *match,
                      int numeric)
{
    printf("SECAN match ");
}

static void secan_save(const void *ip, const struct xt_entry_match *match)
{
    const struct ipt_secan_info *info = (struct ipt_secan_info *) 
match->data;

    if (info->flags & SECAN_DROP)
    {
        printf("--drop ");
    }
    if (info->flags & SECAN_ACCEPT)
    {
        printf("--accept ");
    }
    printf("save");
}

static const struct option secan_opts[] = {
    { "drop", 0, NULL, '1' },
    { "accept", 0, NULL, '2'},
    { .name = NULL }
};

static struct xtables_match secan_reg = {
    .name        = "secan",
    .version    = XTABLES_VERSION,
    .family        = PF_INET,
    .size        = XT_ALIGN(sizeof(struct ipt_secan_info)),
    .userspacesize    = XT_ALIGN(sizeof(struct ipt_secan_info)),
    .help        = secan_help,
    .parse        = secan_parse,
    .final_check    = secan_check,
    .print        = secan_print,
    .save        = secan_save,
    .extra_opts    = secan_opts,
};


void _init(void)
{
    xtables_register_match(&secan_reg);
}
 
As I sad this is only a dummy module now and it doesn't do much.

Sincerely,
Vlad

Re: No chain/target/match by that name

[Jan Engelhardt]

On Tuesday 2009-03-17 11:19, Vlad wrote:

> Hallo , I'm trying to write a new module for iptables. I started with a dummy
> module. I can successfully compile it. But if I trying to use it, I get an
> error message:
>
> $ iptables -A INPUT -s 128.0.0.1 -m secan --drop -j DROP
> drop frame
> iptables: No chain/target/match by that name
>
> Can someone tell me what is a problem? Here is my code:
>[...]

The iptables code looks fine, but what about the kernel side module?

Re: No chain/target/match by that name

[Jan Engelhardt]

On Tuesday 2009-03-17 11:37, Vlad wrote:
>>>>       
>>>>> Hallo , I'm trying to write a new module for iptables. I started with a
>>>>> dummy
>>>>> module. I can successfully compile it. But if I trying to use it, I get an
>>>>> error message:
>>>>>
>>>>> $ iptables -A INPUT -s 128.0.0.1 -m secan --drop -j DROP
>>>>> drop frame
>>>>> iptables: No chain/target/match by that name
>>>>>
>>>>> Can someone tell me what is a problem? Here is my code:
>>>>> [...]
>>>>>           
>>>> The iptables code looks fine, but what about the kernel side module?
>>>>       
>>> All other iptables modules work fine. I'm pretty new to iptables, can you
>>> please tell me what kernel side module do you mean?
>>>    
>> Well, xt_secan.c that you (hopefully) wrote that does implement the actual
>> packet inspection.
>>
>>  
> I saved my module as libipt_secan.c in derictory iptables/extensions. Where
> should be xt_secan.c saved?

[ Do not strip CCs! ]

Ehrm, whereever it is convenient.

Since you seem to be not familiar with the matter, I suggest having a
read in the “Writing Netfilter modules” e-book, available on
http://jengelh.medozas.de/ .

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html