Linux Netfilter discussions
 help / color / mirror / Atom feed
* RedHat 8.0 upgrade problem 1.2.8
@ 2003-08-26  4:28 Jason S. Friedman
  2003-08-26  4:46 ` Stuart J. Browne
  0 siblings, 1 reply; 5+ messages in thread
From: Jason S. Friedman @ 2003-08-26  4:28 UTC (permalink / raw)
  To: netfilter

I use RedHat and use the Redhat-provided RPMs for all my server maintenance.
$ uname -a
Linux abigail 2.4.20-19.8 #1 Tue Jul 15 14:59:09 EDT 2003 i686 athlon i386 GNU/Linux

I downloaded the RPM for iptables v.1.2.8 and executed rpm -Uvh.  The command executed without errors and I can see six new files in /sbin:

-rwxr-xr-x    1 root     root        58386 Jul 31 09:51 iptables-save
-rwxr-xr-x    1 root     root        60196 Jul 31 09:51 iptables-restore
-rwxr-xr-x    1 root     root        55410 Jul 31 09:51 iptables
-rwxr-xr-x    1 root     root        60192 Jul 31 09:51 ip6tables-save
-rwxr-xr-x    1 root     root        60400 Jul 31 09:51 ip6tables-restore
-rwxr-xr-x    1 root     root        55760 Jul 31 09:51 ip6tables

I then entered
$ service iptables restart

These three lines appeared quickly:
Flushing firewall rules:                                   [  OK  ]
Setting chains to policy ACCEPT: mangle nat filter         [  OK  ]
Unloading iptables modules:

and then nothing for five minutes.  My terminal would not respond to CTRL-C.  I opened another terminal and killed the job and saw this on the original terminal:

/sbin/service: line 67: 21934 Terminated              env -i LANG=$LANG PATH=$PATH "${SERVICEDIR}/${SERVICE}" ${OPTIONS}

I tried executing my normal iptables shell script (the one that worked without exception under 1.2.6a), below is a partial output:

+ iptables -t nat --flush
iptables v1.2.8: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
+ iptables -t mangle --flush
+ iptables -A INPUT -i lo -j ACCEPT
+ iptables -A OUTPUT -o lo -j ACCEPT
+ iptables --policy INPUT DROP
+ iptables --policy OUTPUT ACCEPT
+ iptables --policy FORWARD ACCEPT
+ iptables -t nat --policy PREROUTING ACCEPT
iptables v1.2.8: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
...
+ /sbin/insmod ip_tables
Using /lib/modules/2.4.20-19.8/kernel/net/ipv4/netfilter/ip_tables.o
insmod: a module named ip_tables already exists
+ /sbin/insmod ip_conntrack
Using /lib/modules/2.4.20-19.8/kernel/net/ipv4/netfilter/ip_conntrack.o
insmod: a module named ip_conntrack already exists
+ /sbin/insmod ip_conntrack_ftp
Using /lib/modules/2.4.20-19.8/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o
/lib/modules/2.4.20-19.8/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o: unresolved symbol ip_conntrack_helper_unregister_Reea5a3fd
/lib/modules/2.4.20-19.8/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o: unresolved symbol ip_conntrack_helper_register_Ra22d6eb5
/lib/modules/2.4.20-19.8/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o: unresolved symbol ip_conntrack_expect_related_Rfc718b15
+ /sbin/insmod iptable_nat
Using /lib/modules/2.4.20-19.8/kernel/net/ipv4/netfilter/iptable_nat.o
/lib/modules/2.4.20-19.8/kernel/net/ipv4/netfilter/iptable_nat.o: unresolved symbol ip_ct_find_helper_R2e1adde3
/lib/modules/2.4.20-19.8/kernel/net/ipv4/netfilter/iptable_nat.o: unresolved symbol ip_conntrack_htable_size_R8ef8af4c
/lib/modules/2.4.20-19.8/kernel/net/ipv4/netfilter/iptable_nat.o: unresolved symbol ip_ct_gather_frags_Rde4bd92c
/lib/modules/2.4.20-19.8/kernel/net/ipv4/netfilter/iptable_nat.o: unresolved symbol invert_tuplepr_R5e68d8a9
/lib/modules/2.4.20-19.8/kernel/net/ipv4/netfilter/iptable_nat.o: unresolved symbol ip_conntrack_module_Rb0361033
/lib/modules/2.4.20-19.8/kernel/net/ipv4/netfilter/iptable_nat.o: unresolved symbol ip_ct_selective_cleanup_R37fa06eb
/lib/modules/2.4.20-19.8/kernel/net/ipv4/netfilter/iptable_nat.o: unresolved symbol ip_conntrack_get_Rc412d48a
/lib/modules/2.4.20-19.8/kernel/net/ipv4/netfilter/iptable_nat.o: unresolved symbol ip_conntrack_tuple_taken_R4001f92d
/lib/modules/2.4.20-19.8/kernel/net/ipv4/netfilter/iptable_nat.o: unresolved symbol ip_conntrack_alter_reply_Rca0ced33
/lib/modules/2.4.20-19.8/kernel/net/ipv4/netfilter/iptable_nat.o: unresolved symbol __ip_ct_find_proto_R9e4bc5ef
/lib/modules/2.4.20-19.8/kernel/net/ipv4/netfilter/iptable_nat.o: unresolved symbol ip_conntrack_destroyed_R35dd3854

The result is that my INPUT, OUTPUT, and FORWARD chains remain unchanged (good) but I have no NAT table (bad).

Thank you


^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: RedHat 8.0 upgrade problem 1.2.8
@ 2003-08-26 13:07 Jason S. Friedman
  0 siblings, 0 replies; 5+ messages in thread
From: Jason S. Friedman @ 2003-08-26 13:07 UTC (permalink / raw)
  To: netfilter

I believe I am using a newer kernel (2.4.20); I don't believe RedHat supplies a newer one.

The trouble now is, how do I go back?  When I replace the newer iptables executables in /sbin I get these kinds of errors from my firewall script:

iptables v1.2.6a: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
Using /lib/modules/2.4.20-19.8/kernel/net/ipv4/netfilter/ip_tables.o
insmod: a module named ip_tables already exists
Using /lib/modules/2.4.20-19.8/kernel/net/ipv4/netfilter/ip_conntrack.o
insmod: a module named ip_conntrack already exists
Using /lib/modules/2.4.20-19.8/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o
/lib/modules/2.4.20-19.8/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o: unresolved symbol ip_conntrack_helper_unregister_Reea5a3fd

>iptables 1.2.8 RPM's is listed as requring the newer kernel builds.
>They broke something, and sent out an erratta notification earlier (I
>got it this morning, but have not tried doing the updates yet).
>
>I'm picking the kernel modules in memory are from the olde version, thus
>requring you to reboot into a newer kernel, or continue using the older
>iptables for the moment.
>
>>-----Original Message-----
>>From: netfilter-admin@lists.netfilter.org 
>>[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of 
>>Jason S. Friedman
>>Sent: Tuesday, 26 August 2003 14:28
>>To: netfilter@lists.netfilter.org
>>Subject: RedHat 8.0 upgrade problem 1.2.8
>>
>>
>>I use RedHat and use the Redhat-provided RPMs for all my 
>>server maintenance.
>>$ uname -a
>>Linux abigail 2.4.20-19.8 #1 Tue Jul 15 14:59:09 EDT 2003 i686 
>>athlon i386 GNU/Linux
>>
>>I downloaded the RPM for iptables v.1.2.8 and executed rpm 
>>-Uvh.  The command executed without errors and I can see six 
>>new files in /sbin:
>>
>>-rwxr-xr-x    1 root     root        58386 Jul 31 09:51 iptables-save
>>-rwxr-xr-x    1 root     root        60196 Jul 31 09:51 
>>iptables-restore
>>-rwxr-xr-x    1 root     root        55410 Jul 31 09:51 iptables
>>-rwxr-xr-x    1 root     root        60192 Jul 31 09:51 ip6tables-save
>>-rwxr-xr-x    1 root     root        60400 Jul 31 09:51 
>>ip6tables-restore
>>-rwxr-xr-x    1 root     root        55760 Jul 31 09:51 ip6tables
>>
>>I then entered
>>$ service iptables restart
>>
>>These three lines appeared quickly:
>>Flushing firewall rules:                                   [  OK  ]
>>Setting chains to policy ACCEPT: mangle nat filter         [  OK  ]
>>Unloading iptables modules:
>>
>>and then nothing for five minutes.  My terminal would not 
>>respond to CTRL-C.  I opened another terminal and killed the 
>>job and saw this on the original terminal:
>>
>>/sbin/service: line 67: 21934 Terminated              env -i 
>>LANG=$LANG PATH=$PATH "${SERVICEDIR}/${SERVICE}" ${OPTIONS}
>>
>>I tried executing my normal iptables shell script (the one 
>>that worked without exception under 1.2.6a), below is a partial output:
>>
>>+ iptables -t nat --flush
>>iptables v1.2.8: can't initialize iptables table `nat': Table 
>>does not exist (do you need to insmod?)
>>Perhaps iptables or your kernel needs to be upgraded.
>>+ iptables -t mangle --flush
>>+ iptables -A INPUT -i lo -j ACCEPT
>>+ iptables -A OUTPUT -o lo -j ACCEPT
>>+ iptables --policy INPUT DROP
>>+ iptables --policy OUTPUT ACCEPT
>>+ iptables --policy FORWARD ACCEPT
>>+ iptables -t nat --policy PREROUTING ACCEPT
>>iptables v1.2.8: can't initialize iptables table `nat': Table 
>>does not exist (do you need to insmod?)
>>Perhaps iptables or your kernel needs to be upgraded.
>>...
>>+ /sbin/insmod ip_tables
>>Using /lib/modules/2.4.20-19.8/kernel/net/ipv4/netfilter/ip_tables.o
>>insmod: a module named ip_tables already exists
>>+ /sbin/insmod ip_conntrack
>>Using /lib/modules/2.4.20-19.8/kernel/net/ipv4/netfilter/ip_conntrack.o
>>insmod: a module named ip_conntrack already exists
>>+ /sbin/insmod ip_conntrack_ftp
>>Using 
>>/lib/modules/2.4.20-19.8/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o
>>/lib/modules/2.4.20-19.8/kernel/net/ipv4/netfilter/ip_conntrack
>>_ftp.o: unresolved symbol ip_conntrack_helper_unregister_Reea5a3fd
>>/lib/modules/2.4.20-19.8/kernel/net/ipv4/netfilter/ip_conntrack
>>_ftp.o: unresolved symbol ip_conntrack_helper_register_Ra22d6eb5
>>/lib/modules/2.4.20-19.8/kernel/net/ipv4/netfilter/ip_conntrack
>>_ftp.o: unresolved symbol ip_conntrack_expect_related_Rfc718b15
>>+ /sbin/insmod iptable_nat
>>Using /lib/modules/2.4.20-19.8/kernel/net/ipv4/netfilter/iptable_nat.o
>>/lib/modules/2.4.20-19.8/kernel/net/ipv4/netfilter/iptable_nat.
>>o: unresolved symbol ip_ct_find_helper_R2e1adde3
>>/lib/modules/2.4.20-19.8/kernel/net/ipv4/netfilter/iptable_nat.
>>o: unresolved symbol ip_conntrack_htable_size_R8ef8af4c
>>/lib/modules/2.4.20-19.8/kernel/net/ipv4/netfilter/iptable_nat.
>>o: unresolved symbol ip_ct_gather_frags_Rde4bd92c
>>/lib/modules/2.4.20-19.8/kernel/net/ipv4/netfilter/iptable_nat.
>>o: unresolved symbol invert_tuplepr_R5e68d8a9
>>/lib/modules/2.4.20-19.8/kernel/net/ipv4/netfilter/iptable_nat.
>>o: unresolved symbol ip_conntrack_module_Rb0361033
>>/lib/modules/2.4.20-19.8/kernel/net/ipv4/netfilter/iptable_nat.
>>o: unresolved symbol ip_ct_selective_cleanup_R37fa06eb
>>/lib/modules/2.4.20-19.8/kernel/net/ipv4/netfilter/iptable_nat.
>>o: unresolved symbol ip_conntrack_get_Rc412d48a
>>/lib/modules/2.4.20-19.8/kernel/net/ipv4/netfilter/iptable_nat.
>>o: unresolved symbol ip_conntrack_tuple_taken_R4001f92d
>>/lib/modules/2.4.20-19.8/kernel/net/ipv4/netfilter/iptable_nat.
>>o: unresolved symbol ip_conntrack_alter_reply_Rca0ced33
>>/lib/modules/2.4.20-19.8/kernel/net/ipv4/netfilter/iptable_nat.
>>o: unresolved symbol __ip_ct_find_proto_R9e4bc5ef
>>/lib/modules/2.4.20-19.8/kernel/net/ipv4/netfilter/iptable_nat.
>>o: unresolved symbol ip_conntrack_destroyed_R35dd3854
>>
>>The result is that my INPUT, OUTPUT, and FORWARD chains remain 
>>unchanged (good) but I have no NAT table (bad).
>>
>>Thank you


^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: RedHat 8.0 upgrade problem 1.2.8
@ 2003-08-27  3:14 Jason S. Friedman
  0 siblings, 0 replies; 5+ messages in thread
From: Jason S. Friedman @ 2003-08-27  3:14 UTC (permalink / raw)
  To: netfilter

My problem is mostly solved, and I wanted to post the resolution for the benefit of others who might troll the archives someday.

Something about the "service iptables restart" command tripped up the modules.  I re-installed the old 1.2.6a version using rpm --oldpackage -Uvh <rpm file here> and rebooted and I was back in business.  I suppose that someone more familiar with kernel modules could have avoided a reboot.

My next step is to re-upgrade using the RPM, but I won't enter "service iptables restart".  Instead, I'll just run my standard firewall shell script.


^ permalink raw reply	[flat|nested] 5+ messages in thread
end of thread, other threads:[~2003-08-27  3:14 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2003-08-26  4:28 RedHat 8.0 upgrade problem 1.2.8 Jason S. Friedman
2003-08-26  4:46 ` Stuart J. Browne
2003-08-26 13:47   ` Arnt Karlsen
  -- strict thread matches above, loose matches on Subject: below --
2003-08-26 13:07 Jason S. Friedman
2003-08-27  3:14 Jason S. Friedman

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox