--iif argument unrecognized by iptables

--iif argument unrecognized by iptables

[Andy Theuninck]

I'm running into a fairly odd issue. I want to redirect certain
incoming packets to a different interface. I'm trying to do this using
the ROUTE target in the mangle table, but for some reason it doesn't
work. Here's what I'm seeing:

# iptables -t mangle -A INPUT -d 192.168.1.2 -s !
192.168.1.0/255.255.255.0 -p udp --dport 500 -j ROUTE --iif eth0:1
iptables v1.3.5: Unknown arg `--iif'
Try `iptables -h' or 'iptables --help' for more information.

I'm a bit baffled. I can't find anything in the man page that I'm
missing. It seems like this *should* work.

Re: --iif argument unrecognized by iptables

[Pascal Hambourg]

Hello,

Andy Theuninck a écrit :
> 
> # iptables -t mangle -A INPUT -d 192.168.1.2 -s !
> 192.168.1.0/255.255.255.0 -p udp --dport 500 -j ROUTE --iif eth0:1
> iptables v1.3.5: Unknown arg `--iif'
> Try `iptables -h' or 'iptables --help' for more information.

Maybe your iptables was build without the ROUTE support. What is the 
output of :

iptables -j ROUTE -h

Unrelated to the error message, eth0:0 is not an interface name but an 
IP alias label. Iptables rules require interface names such as eth0, not 
aliases.

Re: --iif argument unrecognized by iptables

[Andy Theuninck]

iptables -j ROUTE -h gives identical output to iptables -h.

Thanks for the tip though. Apparently ROUTE isn't going to solve my
problem anyway.

On Mon, Jan 26, 2009 at 3:57 AM, Pascal Hambourg
<pascal.mail@plouf.fr.eu.org> wrote:
> Hello,
>
> Andy Theuninck a écrit :
>>
>> # iptables -t mangle -A INPUT -d 192.168.1.2 -s !
>> 192.168.1.0/255.255.255.0 -p udp --dport 500 -j ROUTE --iif eth0:1
>> iptables v1.3.5: Unknown arg `--iif'
>> Try `iptables -h' or 'iptables --help' for more information.
>
> Maybe your iptables was build without the ROUTE support. What is the output
> of :
>
> iptables -j ROUTE -h
>
> Unrelated to the error message, eth0:0 is not an interface name but an IP
> alias label. Iptables rules require interface names such as eth0, not
> aliases.
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>

Re: --iif argument unrecognized by iptables

[Pascal Hambourg]

Andy Theuninck a écrit :
> iptables -j ROUTE -h gives identical output to iptables -h.

Even at the very end ? It should display help about the ROUTE target 
like here :

> ROUTE target v1.11 options:
>     --oif       ifname          Route packet through `ifname' network interface
>     --iif       ifname          Change packet's incoming interface to `ifname'
>     --gw        ip              Route packet via this gateway `ip'
>     --continue                  Route packet and continue traversing the
>                                 rules. Not valid with --iif or --tee.
>     --tee                       Duplicate packet, route the duplicate,
>                                 continue traversing with original packet.
>                                 Not valid with --iif or --continue.

Else it means this target is not supported by your iptables build.
I remember that (by default ?) some versions built only shared libraries 
for matches and target supported in the kernel, so you had to rebuild 
iptables after enabling a new feature in the kernel.

Re: --iif argument unrecognized by iptables

[Andy Theuninck]

Yep. iptables -j ROUTE -h | grep -i ROUTE gives no output at all. So
CentOS and/or RHEL must need rebuilding like you said.

I was actually trying to ROUTE to an IP alias to get around an ipsec
problem introduced by a Red Hat patch. If I have to rebuild something
either way, I'll go straight to the source of the trouble and
recompile openswan without the problem patch.

On Mon, Jan 26, 2009 at 9:12 AM, Pascal Hambourg
<pascal.mail@plouf.fr.eu.org> wrote:
> Andy Theuninck a écrit :
>>
>> iptables -j ROUTE -h gives identical output to iptables -h.
>
> Even at the very end ? It should display help about the ROUTE target like
> here :
>
>> ROUTE target v1.11 options:
>>    --oif       ifname          Route packet through `ifname' network
>> interface
>>    --iif       ifname          Change packet's incoming interface to
>> `ifname'
>>    --gw        ip              Route packet via this gateway `ip'
>>    --continue                  Route packet and continue traversing the
>>                                rules. Not valid with --iif or --tee.
>>    --tee                       Duplicate packet, route the duplicate,
>>                                continue traversing with original packet.
>>                                Not valid with --iif or --continue.
>
> Else it means this target is not supported by your iptables build.
> I remember that (by default ?) some versions built only shared libraries for
> matches and target supported in the kernel, so you had to rebuild iptables
> after enabling a new feature in the kernel.
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>