missing module for tcp-flags match?

missing module for tcp-flags match?

[Henning Sprang]

Hi,
I am having trouble to add a rule as simple as

iptables -A INPUT --protocol tcp --tcp-flags ALL SYN,ACK -j DROP

I only get  the error:

iptables: No chain/target/match by that name

I am experimenting with an embedded box (linksys NSLU) and I realized
before that some other rules did fail because some kernel modules
where missing and I found out which and then installed them.
But with this rule I have, after searching for a long time now,
absolutely no idea which kernel module can be missing to give me the
match tcp-flags. None of the howtos or tutorials nor google gives any
hint on that. The only kernel module that seems to have something to
do with tcp-flags at all I found by searching in the kernel source is
TCPMSS, but that doesn't look like helping with general analysis of
tcp flags.

Any ideas?

Henning

missing module for tcp-flags match?

[Henning Sprang]

Hi,
I am having trouble to add a rule as simple as

iptables -A INPUT --protocol tcp --tcp-flags ALL SYN,ACK -j DROP

I only get  the error:

iptables: No chain/target/match by that name

This happens while I am playing with an embedded box (linksys NSLU). I realized
before that some other rules did fail because some kernel modules
where missing and I found out which and then installed them.

But with this rule I have, after searching for a long time now,
absolutely no idea which kernel module can be missing to give me the
match tcp-flags. No howtos or tutorials nor google or the Kernel
sources gives any
hint on that.
The only kernel module that seems to have something to
do with tcp-flags at all is TCPMSS, but that doesn't look like helping
with general analysis of
tcp flags.

Any ideas?

Henning

Re: missing module for tcp-flags match?

[Henning Sprang]

Hi,
Sorry for having posted this message twice. I did't see it coming back
through the list, and realized I sent it from the wrong address. I
then sent it again from the address whic is actually subscribed.
Now that I wondered why even the second mail didn't come back to me, I
looked in the list archive and saw that the mail actually came through
the list, even twice. I wonder why I didn't get a copy, because all
other lists I know send copies of mails also to the sender himself -
is the netfilter list different in this?

But for the topic itself: unfortunately, I got no reply at all, I
assume because you are annoxed by the double post, or because the
question was unclear. As I explained the first problem, I try to ask
the question in a different way:

When tyring to set up the rule:

iptables -A INPUT --protocol tcp --tcp-flags ALL SYN,ACK -j DROP

I only get the error:

iptables: No chain/target/match by that name

When I remove the tcp-flags part, the rules is accepted. I assume to
be missing a kernel module for tcp-flags match, but have no idea which
module this could be. Which Kernel module is required for getting
tcp-flags matches?

Henning

Re: missing module for tcp-flags match?

[Pascal Hambourg]

Hello,

Henning Sprang a écrit :
> Sorry for having posted this message twice. I did't see it coming back
> through the list, and realized I sent it from the wrong address.

Messages sent with an address which is not subscribed to the list must 
wait to be approved by a list manager, this can take some time.

> I then sent it again from the address whic is actually subscribed.
> Now that I wondered why even the second mail didn't come back to me, I
> looked in the list archive and saw that the mail actually came through
> the list, even twice. I wonder why I didn't get a copy, because all
> other lists I know send copies of mails also to the sender himself -
> is the netfilter list different in this?

There is an option to not receive a copy of your own messages, maybe you 
enabled it.

> When tyring to set up the rule:
> 
> iptables -A INPUT --protocol tcp --tcp-flags ALL SYN,ACK -j DROP
> 
> I only get the error:
> 
> iptables: No chain/target/match by that name
> 
> When I remove the tcp-flags part, the rules is accepted. I assume to
> be missing a kernel module for tcp-flags match, but have no idea which
> module this could be. Which Kernel module is required for getting
> tcp-flags matches?

AFAIK, there is no specific module for --tcp-flags. It is a standard tcp 
match, like --dport and --sport. I see no reason why you get an error.

Re: missing module for tcp-flags match?

[Henning Sprang]

On 9/22/06, Pascal Hambourg <pascal.mail@plouf.fr.eu.org> wrote:
> [...]
> There is an option to not receive a copy of your own messages, maybe you
> enabled it.

O.k. that explains it - I read a lot of lists but never saw such a feature.
Not that I know of, I only wrote  my address into the subscription form.

Still, I just looked at the config, because I wanted to enable that I
get copies of my own posts(I find not getting them rather irritating),
but it's already saying "yes". But i really don't get them.

I'll mail the list admin about that - seems not to work correctly, and
by default people should get there mails because I guess most people
will wonder and repost if they don't get their mails back...

Thanks,
Henning

Re: missing module for tcp-flags match?

[Mike Wright]

Henning Sprang wrote:
> When tyring to set up the rule:
> 
> iptables -A INPUT --protocol tcp --tcp-flags ALL SYN,ACK -j DROP
>

I just tried this with iptables 1.3.5, linux-2.6.16-xen:

iptables -A INPUT -p tcp -m tcp \
          --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN,ACK -j DROP

and it works.

> I only get the error:
> 
> iptables: No chain/target/match by that name
>

Not sure this is relevant but while attempting to add ipset support I 
got the same error message. It turned out that my kernel and modules 
were out of sync.

Hope that helps, :m)

Re: missing module for tcp-flags match?

[Jan Engelhardt]

>> When tyring to set up the rule:
>> 
>> iptables -A INPUT --protocol tcp --tcp-flags ALL SYN,ACK -j DROP
>> 
>
> I just tried this with iptables 1.3.5, linux-2.6.16-xen:
>
> iptables -A INPUT -p tcp -m tcp \
> --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN,ACK -j DROP
>
> and it works.

And if you drop "-m tcp" now, since that should be implied by "-p tcp"?

Jan Engelhardt
-- 

Re: missing module for tcp-flags match?

[Mike Wright]

Jan Engelhardt wrote:
>>>When tyring to set up the rule:
>>
>>iptables -A INPUT -p tcp -m tcp \
>>--tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN,ACK -j DROP
> 
> And if you drop "-m tcp" now, since that should be implied by "-p tcp"?
> 

Yes, according to the man page.

Re: missing module for tcp-flags match?

[Henning Sprang]

On 9/22/06, Mike Wright <xktnniuymlla@mailinator.com> wrote:
> [...]
> Not sure this is relevant but while attempting to add ipset support I
> got the same error message. It turned out that my kernel and modules
> were out of sync.

You mean for example, different versions, or build with different
configurations?
It seems unlikely, but it could be it. The kernel is integrated into
the firmware and the additional modules come from the package
repository. (I even had to install and addtional package to get the
state match, and even for the REJECT target). But both are from the
people who make the free DebianSlug firmware for the Linksys NSLU.

Still, I get not errors about any problems with that - the logs look
quite free of errors.
Do you have an idea how I can find out if that is the type of problem I have?

Thanks anyway for the hint
Henning

Re: missing module for tcp-flags match?

[Mike Wright]

Henning Sprang wrote:
> On 9/22/06, Mike Wright <xktnniuymlla@mailinator.com> wrote:
> 
>> [...]
>> Not sure this is relevant but while attempting to add ipset support I
>> got the same error message. It turned out that my kernel and modules
>> were out of sync.
> 
> You mean for example, different versions, or build with different
> configurations?

Different configurations.  Then I made it worse by manually trying to 
move things around...  F+  (failed with honors)