Re: Linux 4.3.1 regression: -m state returns "Protocol wrong type for socket"

Re: Linux 4.3.1 regression: -m state returns "Protocol wrong type for socket"

[Jozsef Kadlecsik]

[-- Attachment #1: Type: TEXT/PLAIN, Size: 1111 bytes --]

On Sat, 12 Dec 2015, Remzi AKYÜZ wrote:

> Please use with -p tcp
> 
> iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

That's not a solution at all, this can break a huge number of 
configurations.

Best regards,
Jozsef 

> 12-12-2015 05:38 tarihinde Dâniel Fraga yazd?:
> > 	After upgrading the kernel from 4.3.0 to 4.3.1 (with the same
> > configuration), -m state doesn't work anymore.
> >
> > iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> >
> > 	returns:
> >
> > iptables: Protocol wrong type for socket.
> >
> > 	I'm using iptables v1.4.21.
> >
> > 	Any hints?
> >
> 
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 

-
E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary

Re: Linux 4.3.1 regression: -m state returns "Protocol wrong type for socket"

[Remzi AKYÜZ]

Hi,

"-m state " could not use without protocol. Therefore we must use witch
-p tcp.

If we have alot of rule we can use additional parameter like as;

iptables -A INPUT -p tcp --dport 22 -s 1.2.3.4 -m state --state
ESTABLISHED,RELATED -j ACCEPT

maybe this is better;

iptables -A INPUT -p tcp --dport 22 -s 1.2.3.4 -m conntrack --ctstate
RELATED,ESTABLISHED -j ACCEPT

What you need, iptables give it to you. :-)

12-12-2015 12:18 tarihinde Jozsef Kadlecsik yazdı:
> On Sat, 12 Dec 2015, Remzi AKYÜZ wrote:
>
>> Please use with -p tcp
>>
>> iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
> That's not a solution at all, this can break a huge number of 
> configurations.
>
> Best regards,
> Jozsef 
>
>> 12-12-2015 05:38 tarihinde Dâniel Fraga yazd?:
>>> 	After upgrading the kernel from 4.3.0 to 4.3.1 (with the same
>>> configuration), -m state doesn't work anymore.
>>>
>>> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>>
>>> 	returns:
>>>
>>> iptables: Protocol wrong type for socket.
>>>
>>> 	I'm using iptables v1.4.21.
>>>
>>> 	Any hints?
>>>
>> --
>> To unsubscribe from this list: send the line "unsubscribe netfilter" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>
> -
> E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
> PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
> Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
>           H-1525 Budapest 114, POB. 49, Hungary

Re: Linux 4.3.1 regression: -m state returns "Protocol wrong type for socket"

[Jozsef Kadlecsik]

[-- Attachment #1: Type: TEXT/PLAIN, Size: 2419 bytes --]

On Sat, 12 Dec 2015, Remzi AKYÜZ wrote:

> "-m state " could not use without protocol. Therefore we must use witch
> -p tcp.

Why should the "state" match be used with protocol? It was never required, 
nowhere described and the match always worked without any other parameters 
in the rule.

Best regards,
Jozsef

> If we have alot of rule we can use additional parameter like as;
> 
> iptables -A INPUT -p tcp --dport 22 -s 1.2.3.4 -m state --state
> ESTABLISHED,RELATED -j ACCEPT
> 
> maybe this is better;
> 
> iptables -A INPUT -p tcp --dport 22 -s 1.2.3.4 -m conntrack --ctstate
> RELATED,ESTABLISHED -j ACCEPT
> 
> What you need, iptables give it to you. :-)
> 
> 12-12-2015 12:18 tarihinde Jozsef Kadlecsik yazd?:
> > On Sat, 12 Dec 2015, Remzi AKYÜZ wrote:
> >
> >> Please use with -p tcp
> >>
> >> iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
> > That's not a solution at all, this can break a huge number of 
> > configurations.
> >
> > Best regards,
> > Jozsef 
> >
> >> 12-12-2015 05:38 tarihinde Dâniel Fraga yazd?:
> >>> 	After upgrading the kernel from 4.3.0 to 4.3.1 (with the same
> >>> configuration), -m state doesn't work anymore.
> >>>
> >>> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> >>>
> >>> 	returns:
> >>>
> >>> iptables: Protocol wrong type for socket.
> >>>
> >>> 	I'm using iptables v1.4.21.
> >>>
> >>> 	Any hints?
> >>>
> >> --
> >> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> >> the body of a message to majordomo@vger.kernel.org
> >> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> >>
> > -
> > E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
> > PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
> > Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
> >           H-1525 Budapest 114, POB. 49, Hungary
> 
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 

-
E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary

Re: Linux 4.3.1 regression: -m state returns "Protocol wrong type for socket"

[Noel Kuntze]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello,

> > "-m state " could not use without protocol. Therefore we must use witch
> > -p tcp.
> Why should the "state" match be used with protocol? It was never required,
> nowhere described and the match always worked without any other parameters
> in the rule.

Because that's wrong.
Remzi is wrong.
- -m state just accesses the conntrack states, like -m conntrack does.
It is not protocol specific. All connections, independent of the used protocol
have connection states assigned to them. They are neither protocol
specific, nor protocol exclusive.

- -m state has been deprecated for some time though.
Please try using -m conntrack instead. It offers more
functionality and is not considered deprecated.
Translation of -m state to --m conntrack:
- -m state --state foo,bar -> -m conntrack --ctstate foo,bar

- -- 

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJWbA5zAAoJEDg5KY9j7GZY6LEQAIzah6RLIfu+4qGZTIcSRLqF
+uiAR1Vv8P3oifmoKiSWIvH54wFoJVnZoqXa+ZTLoDB6gwXyw1857Hc6ZQBhKGNh
xgrmB/XVCj+d+FwdQMoXO3ayTK3aiEGIcxqLqlLcSoKYgRHUsd6LuNRXFPVU2l3f
BsaXJefOGM+LTsLrZnLFLIfkMARFV1ihwq7qVTjsAakzzHh3wka2+708py1nBRBm
GYU7mBKKizX6kGOlVuCjDkyo8t/rB5UfAxIfCv0+pdI+oapGgdaDXpz8y836nZm9
StU5WhdW0/2dRP6Lwx8chnSffPGiHDfvWScbPw/0KvigsyrclDHgiW1nWJp+ygPB
ChullV+mdbztDqXXpTxG3lfyL7KfkJNR1lvWNd6TmZew4/2i1F2aw4hyEjuhGBgj
QhkE4bLkllBhvBTz9hNun9SkomIkZU9nDXuNR6LaouNK8TJPt3t7ccUYdxOiTpR0
Yl1kLGAfIcxfnJkMHJoRzGjhHKAULzwYJRgjLqIJvBZ6SkY5TEkIHyxGysEt4sGg
QFZQc+QQZe/LFk2MTQ9OsH/YijolA0sgr3iGZSLERdUdZ7vUF8Ss/H1L+YZU9lF3
dcpb5vrM3tC5D6KT+FIky1lqkQGoe3vsWf2R8WgLt7hO/H3GikRXpFho2+ypKkWz
fCw8TfyINXdY9/N0pSfB
=HfZC
-----END PGP SIGNATURE-----

Re: Linux 4.3.1 regression: -m state returns "Protocol wrong type for socket"

[Dâniel Fraga]

On Sat, 12 Dec 2015 13:09:25 +0100
Noel Kuntze <noel@familie-kuntze.de> wrote:

> - -m state has been deprecated for some time though.
> Please try using -m conntrack instead. It offers more
> functionality and is not considered deprecated.
> Translation of -m state to --m conntrack:
> - -m state --state foo,bar -> -m conntrack --ctstate foo,bar

	I tried this:

iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

	And I got the same error:

iptables: Protocol wrong type for socket.

	I'm afraid something has changed between 4.3.0 and 4.3.1 kernel
and some module isn't loading correctly. Here are the loaded modules:

xt_conntrack            3401  0 
x_tables               15108  7 xt_comment,ip_tables,xt_tcpudp,xt_conntrack,xt_LOG,iptable_filter,ipt_REJECT
nf_conntrack_ftp        6750  0 
nf_conntrack           56108  2 xt_conntrack,nf_conntrack_ftp

	Is there something missing?

-- 
Linux 4.3.2: Blurry Fish Butt
http://www.youtube.com/DanielFragaBR
http://exchangewar.info
Bitcoin: 12H6661yoLDUZaYPdah6urZS5WiXwTAUgL

Re: Linux 4.3.1 regression: -m state returns "Protocol wrong type for socket"

[Pablo Neira Ayuso]

On Sat, Dec 12, 2015 at 01:09:25PM +0100, Noel Kuntze wrote:
[...]
> -m state has been deprecated for some time though.
> Please try using -m conntrack instead. It offers more
> functionality and is not considered deprecated.

For the record, -m state is *not* deprecated.

This syntax is still supported and will always be.

Re: Linux 4.3.1 regression: -m state returns "Protocol wrong type for socket"

[Noel Kuntze]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Jeff from #netfilter on Freenode says it is. You should talk
to him about that.
"Also, notice a couple other things. First, the old -m state module is deprecated. Now we use conntrack. This module adds a lot more to state tracking, as seen below:"[1]

[1] http://sfvlug.editthis.info/wiki/Things_You_Should_Know_About_Netfilter
- -- 

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJWbHPjAAoJEDg5KY9j7GZYl7MP/RNzo2m5sbEOQgjq76RpFXQk
nGz3NUBskho5WhsegE2Fj82VKjBx5d/luk4dc63+JNKpgciv4PJdd0SE/8e2npkU
sHCz+YWU+SQJpgPbvNBvxuqtZojAVazL3jcLH/tF6u2P+bPom0xze969gGO5n+3j
+/tcRkx4w4F4EyU3WqwQH3leYDpbP0q0DmJvMtri4Du1lxIGyi7EJZRR5z+qhDX3
6HPOvDJSEyQ7FfVdxoezs2Weazu1yJzJ6cIkOJmQOdLahVtq4VET7r+Hz4k+oT0n
FDFBcRmdaMQe544xv2J2jz6x3/dC3fkLs/iICiH9i2L+TySRHyPFAAOfH5SMrxpE
70smlm7vUE8LJxdKjzLt//XT4OXm3UCnp8twN1Wodc4y/Wp8ApkDU7sInMn09eWa
VCv1uHUR7ydJrpR+V2MiLWFE5q+knlMzqf2eCPza4oAmwHNNfF+rAgM4qYqT7B8O
PHkq/LT8J7XHKedudVr///VjJexrUVri4639L3n/p5y86z6naCaaYvAfv4A1lLrt
D9F+i9ddc5/jtwAUoQ54x4+4hsRZ7h/pGkiVgH/bTlGDUsmPje0cEbOBFt3y8Myf
2rgnuqQfcTaP8QgN904nULVjIsyOA0baJApHuB/i+JFO/AkHIxcty9jMXmcPgOjk
IzhzEssDylk0v4Lakill
=/27T
-----END PGP SIGNATURE-----

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Linux 4.3.1 regression: -m state returns "Protocol wrong type for socket"

[Noel Kuntze]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> Jeff
Jefe
- -- 

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJWbHQQAAoJEDg5KY9j7GZYvVQP/2XvhihAO+HabZwFFgXF3y4M
s8W8R8s0QN8aH0UXLKCdTSd2miXZyB/uMQX+wjQ9XlOOQQ4waSefKgO18f/cKcyb
EtP2KTS4O60VZnmQbQUx/e0kWFlXXYx2uNEdVBVI6/+OOfW2ncxEP/MFncWNLV/P
KbqTHrqJ84UA6wZfxfgwwuAiLbUNkLBKiQugOTdl/PDx4zsGSw1FVxRLwiXOT9fV
n6V6riU5VgGJ95pbjTf1K5wNAyT4T5oCL8240hCA2sfsal9SQNDZ8iILIRzL7Bg3
ydxMs9UhvWfqlT2QClsjBKhg/vpy6O35PmzB0Fqlu3rRLcFfKZU01F/quyZqB2/L
XbuIRXk+8AE2VgnymQj1OnRSv66+tLUiQ1L91HAQ+zh0VvcG2LTZENeuNB32+uku
GITcL55ME5HyB5etC/8Erut455mmqdhW9/leeaheXKJ17w8kDixsEYxwNA+Q4vHK
hVxoNJk8cuCJg5AwYcGdua5imq/VSKfNZQmX+C/IaB4IbkDqQiaUvi+AhqYhP3kO
wZs/et6qSVYs529AM2fuJ/pHjEtim/wXjSzmlbUKsCIwztNBWlASB0FZXtTUn1rx
VMgoHQMbdE+CCKN1up7II/cmekapNbVoMLjtOD/Ly9FBu4aeizyTQ5RnQLmjqrK0
CJXTt9GdDZD3ixhuB5Gy
=GDRx
-----END PGP SIGNATURE-----

Re: Linux 4.3.1 regression: -m state returns "Protocol wrong type for socket"

[Pablo Neira Ayuso]

[-- Attachment #1: Type: text/plain, Size: 659 bytes --]

On Sat, Dec 12, 2015 at 02:06:55PM -0200, Dâniel Fraga wrote:
> 	I tried this:
> 
> iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> 
> 	And I got the same error:
> 
> iptables: Protocol wrong type for socket.

There is some problem with the revision infrastructure.

iptables is asking for a match revision that is not available in the
kernel. So the negotiation between userspace and kernel to use a given
version of this match is failing for some reason.

Could you apply this patch and tell me what it shows when you run this
command and the one using -m state?

BTW, any particularly on your setup that is worth mention?

Thanks.

[-- Attachment #2: x.patch --]
[-- Type: text/x-diff, Size: 472 bytes --]

diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index f14d503..d0e942c 100644
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
@@ -825,6 +825,8 @@ int xtables_compatible_revision(const char *name, uint8_t revision, int opt)
 
 static int compatible_match_revision(const char *name, uint8_t revision)
 {
+	printf("compatible_match_revision name=%s revision=%u\n",
+		name, revision);
 	return xt_params->compat_rev(name, revision, afinfo->so_rev_match);
 }
 

Re: Linux 4.3.1 regression: -m state returns "Protocol wrong type for socket"

[Dâniel Fraga]

On Sat, 12 Dec 2015 20:10:19 +0100
Pablo Neira Ayuso <pablo@netfilter.org> wrote:

> For the record, -m state is *not* deprecated.
> 
> This syntax is still supported and will always be.

	Thanks, but why it works on Linux 4.3.0 and it doesn't work on
Linux 4.3.1 and above? Any hints?

-- 
Linux 4.3.2: Blurry Fish Butt
http://www.youtube.com/DanielFragaBR
http://exchangewar.info
Bitcoin: 12H6661yoLDUZaYPdah6urZS5WiXwTAUgL

Re: Linux 4.3.1 regression: -m state returns "Protocol wrong type for socket"

[Dâniel Fraga]

On Sat, 12 Dec 2015 20:32:37 +0100
Pablo Neira Ayuso <pablo@netfilter.org> wrote:

> There is some problem with the revision infrastructure.
> 
> iptables is asking for a match revision that is not available in the
> kernel. So the negotiation between userspace and kernel to use a given
> version of this match is failing for some reason.
> 
> Could you apply this patch and tell me what it shows when you run this
> command and the one using -m state?
> 
> BTW, any particularly on your setup that is worth mention?
	
	Nothing special here. I'll try the patch and reply back. Just a
minute.

-- 
Linux 4.3.2: Blurry Fish Butt
http://www.youtube.com/DanielFragaBR
http://exchangewar.info
Bitcoin: 12H6661yoLDUZaYPdah6urZS5WiXwTAUgL

Re: Linux 4.3.1 regression: -m state returns "Protocol wrong type for socket"

[Pablo Neira Ayuso]

On Sat, Dec 12, 2015 at 08:22:13PM +0100, Noel Kuntze wrote:
> 
> Jeff from #netfilter on Freenode says it is. You should talk
> to him about that.
> "Also, notice a couple other things. First, the old -m state module is deprecated. Now we use conntrack. This module adds a lot more to state tracking, as seen below:"[1]
> 
> [1] http://sfvlug.editthis.info/wiki/Things_You_Should_Know_About_Netfilter

Then please, fix that wiki page and tell other users on #netfilter
that the state match is fine to be used.

Thanks.

Re: Linux 4.3.1 regression: -m state returns "Protocol wrong type for socket"

[Dâniel Fraga]

On Sat, 12 Dec 2015 20:32:37 +0100
Pablo Neira Ayuso <pablo@netfilter.org> wrote:

> There is some problem with the revision infrastructure.
> 
> iptables is asking for a match revision that is not available in the
> kernel. So the negotiation between userspace and kernel to use a given
> version of this match is failing for some reason.
> 
> Could you apply this patch and tell me what it shows when you run this
> command and the one using -m state?
> 
> BTW, any particularly on your setup that is worth mention?
> 
> Thanks.

	Pablo, here's the result with your patch applied:

compatible_match_revision name=conntrack revision=3
compatible_match_revision name=conntrack revision=3
compatible_match_revision name=conntrack revision=3
iptables: Protocol wrong type for socket.

	If you need more info, just ask.

-- 
Linux 4.3.2: Blurry Fish Butt
http://www.youtube.com/DanielFragaBR
http://exchangewar.info
Bitcoin: 12H6661yoLDUZaYPdah6urZS5WiXwTAUgL

Re: Linux 4.3.1 regression: -m state returns "Protocol wrong type for socket"

[Florian Westphal]

Dâniel Fraga <fragabr@gmail.com> wrote:
> iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> 
> 	And I got the same error:
> 
> iptables: Protocol wrong type for socket.
> 
> 	I'm afraid something has changed between 4.3.0 and 4.3.1 kernel
> and some module isn't loading correctly. Here are the loaded modules:
> 
> xt_conntrack            3401  0 
> x_tables               15108  7 xt_comment,ip_tables,xt_tcpudp,xt_conntrack,xt_LOG,iptable_filter,ipt_REJECT
> nf_conntrack_ftp        6750  0 
> nf_conntrack           56108  2 xt_conntrack,nf_conntrack_ftp
> 
> 	Is there something missing?

Yes: nf_conntrack_ipv4

Re: Linux 4.3.1 regression: -m state returns "Protocol wrong type for socket"

[Dâniel Fraga]

On Sun, 13 Dec 2015 00:20:44 +0100
Florian Westphal <fw@strlen.de> wrote:

> > 	Is there something missing?  
> 
> Yes: nf_conntrack_ipv4

	Thanks. This solved the problem.

	Any reason this module is necessary for kernel 4.3.1 and not
for 4.3.0? Maybe when the user compiles the state module, this option
should be marked automatically to prevent this, since state depends now
on nf_conntrack_ipv4 module.

-- 
Linux 4.3.2: Blurry Fish Butt
http://www.youtube.com/DanielFragaBR
http://exchangewar.info
Bitcoin: 12H6661yoLDUZaYPdah6urZS5WiXwTAUgL

Re: Linux 4.3.1 regression: -m state returns "Protocol wrong type for socket"

[Jan Engelhardt]

On Sunday 2015-12-13 00:31, Dâniel Fraga wrote:
>
>> > 	Is there something missing?  
>> 
>> Yes: nf_conntrack_ipv4
>
>	Thanks. This solved the problem.
>
>	Any reason this module is necessary for kernel 4.3.1 and not
>for 4.3.0?

git log --oneline v4.3..v4.3.1 net/netfilter/ | wc -l
0

Now, that makes me wonder if 4.3.1 is the culprit, or whether your
surrounding system is. Like, someone once inserted the module into
the running system without adding it to /etc/modprobe.d, and now a
recent reboot exposed the issue.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Linux 4.3.1 regression: -m state returns "Protocol wrong type for socket"

[Dâniel Fraga]

On Sun, 13 Dec 2015 00:34:02 +0100 (CET)
Jan Engelhardt <jengelh@inai.de> wrote:

> git log --oneline v4.3..v4.3.1 net/netfilter/ | wc -l
> 0
> 
> Now, that makes me wonder if 4.3.1 is the culprit, or whether your
> surrounding system is. Like, someone once inserted the module into
> the running system without adding it to /etc/modprobe.d, and now a
> recent reboot exposed the issue.

	I don't think so. I maintain my own Linux setup (like Linux
from scratch). Everything was fine until 4.3.1. Nothing else was
changed.

	Anyway, don't you think nf_conntrack_ipv4 should be
auto-selected when "state" module is selected?

-- 
Linux 4.3.2: Blurry Fish Butt
http://www.youtube.com/DanielFragaBR
http://exchangewar.info
Bitcoin: 12H6661yoLDUZaYPdah6urZS5WiXwTAUgL

Re: Linux 4.3.1 regression: -m state returns "Protocol wrong type for socket"

[Jan Engelhardt]

On Sunday 2015-12-13 01:05, Dâniel Fraga wrote:
>> git log --oneline v4.3..v4.3.1 net/netfilter/ | wc -l
>> 0
>> 
>> Now, that makes me wonder if 4.3.1 is the culprit, or whether your
>> surrounding system is. Like [...]
>
>	Anyway, don't you think nf_conntrack_ipv4 should be
>auto-selected when "state" module is selected?

nf_conntrack_ipv4 is indeed autoloaded (provided modprobe can do it)
when you cause instantiation of a xt_conntrack (or xt_state) rule
object through ip(4)tables. And if modprobe cannot satisfy the
request, that feeds back through the kernel and to iptables, which
may then report it to stderr.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Linux 4.3.1 regression: -m state returns "Protocol wrong type for socket"

[Dâniel Fraga]

On Sun, 13 Dec 2015 01:30:17 +0100 (CET)
Jan Engelhardt <jengelh@inai.de> wrote:

> nf_conntrack_ipv4 is indeed autoloaded (provided modprobe can do it)
> when you cause instantiation of a xt_conntrack (or xt_state) rule
> object through ip(4)tables. And if modprobe cannot satisfy the
> request, that feeds back through the kernel and to iptables, which
> may then report it to stderr.

	No, I mean selected in the "make menuconfig" ;) If the user
chooses to compile state module, menuconfig won't select automatically
nf_conntrack_ipv4 (and it should, since it depends on it).

-- 
Linux 4.3.2: Blurry Fish Butt
http://www.youtube.com/DanielFragaBR
http://exchangewar.info
Bitcoin: 12H6661yoLDUZaYPdah6urZS5WiXwTAUgL

Re: Linux 4.3.1 regression: -m state returns "Protocol wrong type for socket"

[Jan Engelhardt]

On Sunday 2015-12-13 01:32, Dâniel Fraga wrote:

>On Sun, 13 Dec 2015 01:30:17 +0100 (CET)
>Jan Engelhardt <jengelh@inai.de> wrote:
>
>> nf_conntrack_ipv4 is indeed autoloaded (provided modprobe can do it)
>> when you cause instantiation of a xt_conntrack (or xt_state) rule
>> object through ip(4)tables. And if modprobe cannot satisfy the
>> request, that feeds back through the kernel and to iptables, which
>> may then report it to stderr.
>
>	No, I mean selected in the "make menuconfig" ;) If the user
>chooses to compile state module, menuconfig won't select automatically
>nf_conntrack_ipv4 (and it should, since it depends on it).

There is nothing to add to Kconfig, because there is no build-time 
dependency here. In addition, some people might get grumpy if the 
CONFIG_NETFILTER_XT_MATCH_CONNTRACK gained a dependency on something it 
does not depend on at runtime in 100% of cases.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Linux 4.3.1 regression: -m state returns "Protocol wrong type for socket"

[Jozsef Kadlecsik]

[-- Attachment #1: Type: TEXT/PLAIN, Size: 1845 bytes --]

On Sun, 13 Dec 2015, Jan Engelhardt wrote:

> On Sunday 2015-12-13 01:32, Dâniel Fraga wrote:
> 
> >On Sun, 13 Dec 2015 01:30:17 +0100 (CET)
> >Jan Engelhardt <jengelh@inai.de> wrote:
> >
> >> nf_conntrack_ipv4 is indeed autoloaded (provided modprobe can do it)
> >> when you cause instantiation of a xt_conntrack (or xt_state) rule
> >> object through ip(4)tables. And if modprobe cannot satisfy the
> >> request, that feeds back through the kernel and to iptables, which
> >> may then report it to stderr.
> >
> >	No, I mean selected in the "make menuconfig" ;) If the user
> >chooses to compile state module, menuconfig won't select automatically
> >nf_conntrack_ipv4 (and it should, since it depends on it).
> 
> There is nothing to add to Kconfig, because there is no build-time 
> dependency here. In addition, some people might get grumpy if the 
> CONFIG_NETFILTER_XT_MATCH_CONNTRACK gained a dependency on something it 
> does not depend on at runtime in 100% of cases.

But the reversed dependency is what seems to be missing, something like 
this:

diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index a355841..a1dfd23 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -12,6 +12,7 @@ config NF_DEFRAG_IPV4
 config NF_CONNTRACK_IPV4
        tristate "IPv4 connection tracking support (required for NAT)"
        depends on NF_CONNTRACK
+       default NETFILTER_XT_MATCH_CONNTRACK
        default m if NETFILTER_ADVANCED=n
        select NF_DEFRAG_IPV4
        ---help---

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary

Re: Linux 4.3.1 regression: -m state returns "Protocol wrong type for socket"

[Pablo Neira Ayuso]

On Mon, Dec 14, 2015 at 09:47:31PM +0100, Jozsef Kadlecsik wrote:
> diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
> index a355841..a1dfd23 100644
> --- a/net/ipv4/netfilter/Kconfig
> +++ b/net/ipv4/netfilter/Kconfig
> @@ -12,6 +12,7 @@ config NF_DEFRAG_IPV4
>  config NF_CONNTRACK_IPV4
>         tristate "IPv4 connection tracking support (required for NAT)"
>         depends on NF_CONNTRACK
> +       default NETFILTER_XT_MATCH_CONNTRACK

I know of some people already giving a try to compiling nftables only
kernels, I think this would create an unnecessary dependency.

>         default m if NETFILTER_ADVANCED=n
>         select NF_DEFRAG_IPV4
>         ---help---
> 
> Best regards,
> Jozsef
> -
> E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
> PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
> Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
>           H-1525 Budapest 114, POB. 49, Hungary

Re: Linux 4.3.1 regression: -m state returns "Protocol wrong type for socket"

[Jozsef Kadlecsik]

On Mon, 14 Dec 2015, Pablo Neira Ayuso wrote:

> On Mon, Dec 14, 2015 at 09:47:31PM +0100, Jozsef Kadlecsik wrote:
> > diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
> > index a355841..a1dfd23 100644
> > --- a/net/ipv4/netfilter/Kconfig
> > +++ b/net/ipv4/netfilter/Kconfig
> > @@ -12,6 +12,7 @@ config NF_DEFRAG_IPV4
> >  config NF_CONNTRACK_IPV4
> >         tristate "IPv4 connection tracking support (required for NAT)"
> >         depends on NF_CONNTRACK
> > +       default NETFILTER_XT_MATCH_CONNTRACK
> 
> I know of some people already giving a try to compiling nftables only
> kernels, I think this would create an unnecessary dependency.
> 
> >         default m if NETFILTER_ADVANCED=n
> >         select NF_DEFRAG_IPV4
> >         ---help---

It don't see why would it be a dependency for nftables only kernels. In 
that case NETFILTER_XT_MATCH_CONNTRACK is set to "n", so the default would 
be the same as currently and just right.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary

Re: Linux 4.3.1 regression: -m state returns "Protocol wrong type for socket"

[Jozsef Kadlecsik]

On Mon, 14 Dec 2015, Jozsef Kadlecsik wrote:

> On Mon, 14 Dec 2015, Pablo Neira Ayuso wrote:
> 
> > On Mon, Dec 14, 2015 at 09:47:31PM +0100, Jozsef Kadlecsik wrote:
> > > diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
> > > index a355841..a1dfd23 100644
> > > --- a/net/ipv4/netfilter/Kconfig
> > > +++ b/net/ipv4/netfilter/Kconfig
> > > @@ -12,6 +12,7 @@ config NF_DEFRAG_IPV4
> > >  config NF_CONNTRACK_IPV4
> > >         tristate "IPv4 connection tracking support (required for NAT)"
> > >         depends on NF_CONNTRACK
> > > +       default NETFILTER_XT_MATCH_CONNTRACK
> > 
> > I know of some people already giving a try to compiling nftables only
> > kernels, I think this would create an unnecessary dependency.
> > 
> > >         default m if NETFILTER_ADVANCED=n
> > >         select NF_DEFRAG_IPV4
> > >         ---help---
> 
> It don't see why would it be a dependency for nftables only kernels. In 
> that case NETFILTER_XT_MATCH_CONNTRACK is set to "n", so the default would 
> be the same as currently and just right.

Hmmm, the default would remain the same but wouldn't be right for 
nftables...

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary