Linux Netfilter discussions
 help / color / mirror / Atom feed

* (no subject)
@ 2024-07-25  0:10 Tom Isaacson
  2024-07-25  0:34 ` Unknown option "--to-ports" Tom Isaacson
  0 siblings, 1 reply; 7+ messages in thread
From: Tom Isaacson @ 2024-07-25  0:10 UTC (permalink / raw)
  To: netfilter

Apologies if this is a stupid question but I'm stuck. We have an
embedded Linux ARM device built with Yocto Kirkstone. It has an LTE
modem (connected via USB) and Wifi. These are both working fine but I
wanted to setup a Wifi access point that shares the internet access
from LTE. A colleague suggested https://github.com/oblique/create_ap
but when I run it I get:
    # create_ap -w 2 wlan0 wwan0 APTest 12345678
    Config dir: /tmp/create_ap.wlan0.conf.XX59Vdf8
    PID: 537195
    Network Manager found, set wlan0 as unmanaged device...
[46988.754925] ieee80211 phy1:         DONE
    Sharing Internet using method: nat
    iptables v1.8.7 (legacy): unknown option "--to-ports"
    Try `iptables -h' or 'iptables --help' for more information.
    Doing cleanup.. done

The offending iptables commands are:
            iptables -w -t nat -D PREROUTING -s ${GATEWAY%.*}.0/24 -d
${GATEWAY} \
                -p tcp -m tcp --dport 53 -j REDIRECT --to-ports $DNS_PORT
            iptables -w -t nat -D PREROUTING -s ${GATEWAY%.*}.0/24 -d
${GATEWAY} \
                -p udp -m udp --dport 53 -j REDIRECT --to-ports $DNS_PORT

I searched around for a solution and found
https://community.unix.com/t/iptables-v1-8-7-nf-tables-unknown-option-to-ports/385377/3
but this command also fails:
    # iptables -A OUTPUT -m owner --uid 0
    iptables v1.8.7 (legacy): Couldn't load match `owner':No such file
or directory

iptables links to xtables-legacy-multi but it seems to have all of the
necessary files present. This
https://github.com/istio/istio/issues/23279#issuecomment-620776006
said iptables had been fixed in 1.8.4, but we have 1.8.7 so I don't
think we need to upgrade. Is there a kernel configuration we're
missing?

Thanks for any help.

Tom Isaacson

-- 


*For more information on how and why we collect your personal 
information, please visit our Privacy Policy 
<https://www.motorolasolutions.com/en_us/about/privacy-policy.html?elqTrackId=8980d888905940e39a2613a7a3dcb0a7&elqaid=2786&elqat=2#privacystatement>.*

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Unknown option "--to-ports"
  2024-07-25  0:10 Tom Isaacson
@ 2024-07-25  0:34 ` Tom Isaacson
  2024-07-25  2:19   ` Florian Westphal
  0 siblings, 1 reply; 7+ messages in thread
From: Tom Isaacson @ 2024-07-25  0:34 UTC (permalink / raw)
  To: netfilter

Sorry, adding subject.

On Thu, 25 Jul 2024 at 12:10, Tom Isaacson
<thomas.isaacson@motorolasolutions.com> wrote:
>
> Apologies if this is a stupid question but I'm stuck. We have an
> embedded Linux ARM device built with Yocto Kirkstone. It has an LTE
> modem (connected via USB) and Wifi. These are both working fine but I
> wanted to setup a Wifi access point that shares the internet access
> from LTE. A colleague suggested https://github.com/oblique/create_ap
> but when I run it I get:
>     # create_ap -w 2 wlan0 wwan0 APTest 12345678
>     Config dir: /tmp/create_ap.wlan0.conf.XX59Vdf8
>     PID: 537195
>     Network Manager found, set wlan0 as unmanaged device...
> [46988.754925] ieee80211 phy1:         DONE
>     Sharing Internet using method: nat
>     iptables v1.8.7 (legacy): unknown option "--to-ports"
>     Try `iptables -h' or 'iptables --help' for more information.
>     Doing cleanup.. done
>
> The offending iptables commands are:
>             iptables -w -t nat -D PREROUTING -s ${GATEWAY%.*}.0/24 -d
> ${GATEWAY} \
>                 -p tcp -m tcp --dport 53 -j REDIRECT --to-ports $DNS_PORT
>             iptables -w -t nat -D PREROUTING -s ${GATEWAY%.*}.0/24 -d
> ${GATEWAY} \
>                 -p udp -m udp --dport 53 -j REDIRECT --to-ports $DNS_PORT
>
> I searched around for a solution and found
> https://community.unix.com/t/iptables-v1-8-7-nf-tables-unknown-option-to-ports/385377/3
> but this command also fails:
>     # iptables -A OUTPUT -m owner --uid 0
>     iptables v1.8.7 (legacy): Couldn't load match `owner':No such file
> or directory
>
> iptables links to xtables-legacy-multi but it seems to have all of the
> necessary files present. This
> https://github.com/istio/istio/issues/23279#issuecomment-620776006
> said iptables had been fixed in 1.8.4, but we have 1.8.7 so I don't
> think we need to upgrade. Is there a kernel configuration we're
> missing?
>
> Thanks for any help.
>
> Tom Isaacson

-- 


*For more information on how and why we collect your personal 
information, please visit our Privacy Policy 
<https://www.motorolasolutions.com/en_us/about/privacy-policy.html?elqTrackId=8980d888905940e39a2613a7a3dcb0a7&elqaid=2786&elqat=2#privacystatement>.*

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Unknown option "--to-ports"
  2024-07-25  0:34 ` Unknown option "--to-ports" Tom Isaacson
@ 2024-07-25  2:19   ` Florian Westphal
  2024-07-25  2:29     ` Tom Isaacson
  0 siblings, 1 reply; 7+ messages in thread
From: Florian Westphal @ 2024-07-25  2:19 UTC (permalink / raw)
  To: Tom Isaacson; +Cc: netfilter

Tom Isaacson <thomas.isaacson@motorolasolutions.com> wrote:
> >     Sharing Internet using method: nat
> >     iptables v1.8.7 (legacy): unknown option "--to-ports"
> >     Try `iptables -h' or 'iptables --help' for more information.
> >     Doing cleanup.. done

Broken iptables installation.

> > The offending iptables commands are:
> >             iptables -w -t nat -D PREROUTING -s ${GATEWAY%.*}.0/24 -d
> > ${GATEWAY} \
> >                 -p tcp -m tcp --dport 53 -j REDIRECT --to-ports $DNS_PORT
> >             iptables -w -t nat -D PREROUTING -s ${GATEWAY%.*}.0/24 -d
> > ${GATEWAY} \
> >                 -p udp -m udp --dport 53 -j REDIRECT --to-ports $DNS_PORT
> >
> > I searched around for a solution and found
> > https://community.unix.com/t/iptables-v1-8-7-nf-tables-unknown-option-to-ports/385377/3

This has all diagnostic commands that you'll need to figure out whats
happening.

> > but this command also fails:
> >     # iptables -A OUTPUT -m owner --uid 0
> >     iptables v1.8.7 (legacy): Couldn't load match `owner':No such file
> > or directory
> >
> > iptables links to xtables-legacy-multi but it seems to have all of the
> > necessary files present.

iptables says it can't load match 'owner' (libxt_owner.so).

So its either missing or iptables is searching the wrong location.

strace should tell which directory iptables is searching to fetch
extensions.

Some embedded distros split packages into subpackages to save space,
so it might be missing package too.

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Unknown option "--to-ports"
  2024-07-25  2:19   ` Florian Westphal
@ 2024-07-25  2:29     ` Tom Isaacson
  2024-07-28 16:58       ` Reindl Harald
  0 siblings, 1 reply; 7+ messages in thread
From: Tom Isaacson @ 2024-07-25  2:29 UTC (permalink / raw)
  To: Florian Westphal; +Cc: netfilter

I don't have strace on the device, it's pretty minimal. But
libxt_owner.so is present here:
/usr/lib/xtables/libxt_owner.so
along with all the other files.

The installation is from Yocto:
https://layers.openembedded.org/layerindex/recipe/300425/

On Thu, 25 Jul 2024 at 14:19, Florian Westphal <fw@strlen.de> wrote:
>
> Tom Isaacson <thomas.isaacson@motorolasolutions.com> wrote:
> > >     Sharing Internet using method: nat
> > >     iptables v1.8.7 (legacy): unknown option "--to-ports"
> > >     Try `iptables -h' or 'iptables --help' for more information.
> > >     Doing cleanup.. done
>
> Broken iptables installation.
>
> > > The offending iptables commands are:
> > >             iptables -w -t nat -D PREROUTING -s ${GATEWAY%.*}.0/24 -d
> > > ${GATEWAY} \
> > >                 -p tcp -m tcp --dport 53 -j REDIRECT --to-ports $DNS_PORT
> > >             iptables -w -t nat -D PREROUTING -s ${GATEWAY%.*}.0/24 -d
> > > ${GATEWAY} \
> > >                 -p udp -m udp --dport 53 -j REDIRECT --to-ports $DNS_PORT
> > >
> > > I searched around for a solution and found
> > > https://urldefense.proofpoint.com/v2/url?u=https-3A__community.unix.com_t_iptables-2Dv1-2D8-2D7-2Dnf-2Dtables-2Dunknown-2Doption-2Dto-2Dports_385377_3&d=DwIBAg&c=q3cDpHe1hF8lXU5EFjNM_C93KOmcBXCBnhee2v6PYlc&r=MO7EWU3DamJNNM8h6vHmeK6CEry2ufcorA3OreLf9oSJJvfzyukEHrKjEuU65HDv&m=3pEifEeIBaWYzhy_9MSuLYFwj7s1hDnpv2ftIP8xg0VZA5QWqX6RKTC79F1ylozp&s=sBy-V0FVFtnFXyvzNpVWO6IaPMyAYTyauL9S5RRjQrk&e=
>
> This has all diagnostic commands that you'll need to figure out whats
> happening.
>
> > > but this command also fails:
> > >     # iptables -A OUTPUT -m owner --uid 0
> > >     iptables v1.8.7 (legacy): Couldn't load match `owner':No such file
> > > or directory
> > >
> > > iptables links to xtables-legacy-multi but it seems to have all of the
> > > necessary files present.
>
> iptables says it can't load match 'owner' (libxt_owner.so).
>
> So its either missing or iptables is searching the wrong location.
>
> strace should tell which directory iptables is searching to fetch
> extensions.
>
> Some embedded distros split packages into subpackages to save space,
> so it might be missing package too.

-- 


*For more information on how and why we collect your personal 
information, please visit our Privacy Policy 
<https://www.motorolasolutions.com/en_us/about/privacy-policy.html?elqTrackId=8980d888905940e39a2613a7a3dcb0a7&elqaid=2786&elqat=2#privacystatement>.*

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Unknown option "--to-ports"
  2024-07-25  2:29     ` Tom Isaacson
@ 2024-07-28 16:58       ` Reindl Harald
  2024-07-29  5:44         ` Tom Isaacson
  0 siblings, 1 reply; 7+ messages in thread
From: Reindl Harald @ 2024-07-28 16:58 UTC (permalink / raw)
  To: Tom Isaacson, Florian Westphal; +Cc: netfilter



Am 25.07.24 um 04:29 schrieb Tom Isaacson:
> I don't have strace on the device, it's pretty minimal. But
> libxt_owner.so is present here:
> /usr/lib/xtables/libxt_owner.so
> along with all the other files.
> 
> The installation is from Yocto:
> https://layers.openembedded.org/layerindex/recipe/300425/

so why don't you ask them what they have done to cripple down the 
binary? upstream is innocent

> On Thu, 25 Jul 2024 at 14:19, Florian Westphal <fw@strlen.de> wrote:
>>
>> Tom Isaacson <thomas.isaacson@motorolasolutions.com> wrote:
>>>>      Sharing Internet using method: nat
>>>>      iptables v1.8.7 (legacy): unknown option "--to-ports"
>>>>      Try `iptables -h' or 'iptables --help' for more information.
>>>>      Doing cleanup.. done
>>
>> Broken iptables installation.
>>
>>>> The offending iptables commands are:
>>>>              iptables -w -t nat -D PREROUTING -s ${GATEWAY%.*}.0/24 -d
>>>> ${GATEWAY} \
>>>>                  -p tcp -m tcp --dport 53 -j REDIRECT --to-ports $DNS_PORT
>>>>              iptables -w -t nat -D PREROUTING -s ${GATEWAY%.*}.0/24 -d
>>>> ${GATEWAY} \
>>>>                  -p udp -m udp --dport 53 -j REDIRECT --to-ports $DNS_PORT
>>>>
>>>> I searched around for a solution and found
>>>> https://urldefense.proofpoint.com/v2/url?u=https-3A__community.unix.com_t_iptables-2Dv1-2D8-2D7-2Dnf-2Dtables-2Dunknown-2Doption-2Dto-2Dports_385377_3&d=DwIBAg&c=q3cDpHe1hF8lXU5EFjNM_C93KOmcBXCBnhee2v6PYlc&r=MO7EWU3DamJNNM8h6vHmeK6CEry2ufcorA3OreLf9oSJJvfzyukEHrKjEuU65HDv&m=3pEifEeIBaWYzhy_9MSuLYFwj7s1hDnpv2ftIP8xg0VZA5QWqX6RKTC79F1ylozp&s=sBy-V0FVFtnFXyvzNpVWO6IaPMyAYTyauL9S5RRjQrk&e=
>>
>> This has all diagnostic commands that you'll need to figure out whats
>> happening.
>>
>>>> but this command also fails:
>>>>      # iptables -A OUTPUT -m owner --uid 0
>>>>      iptables v1.8.7 (legacy): Couldn't load match `owner':No such file
>>>> or directory
>>>>
>>>> iptables links to xtables-legacy-multi but it seems to have all of the
>>>> necessary files present.
>>
>> iptables says it can't load match 'owner' (libxt_owner.so).
>>
>> So its either missing or iptables is searching the wrong location.
>>
>> strace should tell which directory iptables is searching to fetch
>> extensions.
>>
>> Some embedded distros split packages into subpackages to save space,
>> so it might be missing package too.

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Unknown option "--to-ports"
  2024-07-28 16:58       ` Reindl Harald
@ 2024-07-29  5:44         ` Tom Isaacson
  2024-07-29  7:23           ` Reindl Harald
  0 siblings, 1 reply; 7+ messages in thread
From: Tom Isaacson @ 2024-07-29  5:44 UTC (permalink / raw)
  To: Reindl Harald; +Cc: Florian Westphal, netfilter

I'm not accusing anyone, I was asking for help diagnosing the problem.
Luckily I ignored your suggestions because you were both wrong.

I managed to get strace copied to my device:
# strace iptables -A OUTPUT -m owner --uid 0
execve("/usr/sbin/iptables", ["iptables", "-A", "OUTPUT", "-m",
"owner", "--uid", "0"], 0x7ffa7423d0 /* 29 vars */) = 0
brk(NULL)                               = 0x55a5afa000
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
0) = 0x7f8502f000
faccessat(AT_FDCWD, "/etc/ld.so.preload", R_OK) = -1 ENOENT (No such
file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=32961, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 32961, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f85026000
close(3)                                = 0
openat(AT_FDCWD, "/usr/lib/libip4tc.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0\267\0\1\0\0\0\0\0\0\0\0\0\0\0"...,
832) = 832
newfstatat(3, "", {st_mode=S_IFREG|0755, st_size=31152, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 160296, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f84fd1000
mmap(0x7f84fe0000, 94760, PROT_READ|PROT_EXEC,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0) = 0x7f84fe0000
munmap(0x7f84fd1000, 61440)             = 0
munmap(0x7f84ff8000, 552)               = 0
mprotect(0x7f84fe7000, 61440, PROT_NONE) = 0
mmap(0x7f84ff6000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x6000) = 0x7f84ff6000
close(3)                                = 0
openat(AT_FDCWD, "/usr/lib/libip6tc.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0\267\0\1\0\0\0\0\0\0\0\0\0\0\0"...,
832) = 832
newfstatat(3, "", {st_mode=S_IFREG|0755, st_size=31152, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 160296, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f84fb8000
mmap(0x7f84fc0000, 94760, PROT_READ|PROT_EXEC,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0) = 0x7f84fc0000
munmap(0x7f84fb8000, 32768)             = 0
munmap(0x7f84fd8000, 29224)             = 0
mprotect(0x7f84fc7000, 61440, PROT_NONE) = 0
mmap(0x7f84fd6000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x6000) = 0x7f84fd6000
close(3)                                = 0
openat(AT_FDCWD, "/usr/lib/libxtables.so.12", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0\267\0\1\0\0\0\0\0\0\0\0\0\0\0"...,
832) = 832
newfstatat(3, "", {st_mode=S_IFREG|0755, st_size=59304, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 199720, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f84f8f000
mmap(0x7f84f90000, 134184, PROT_READ|PROT_EXEC,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0) = 0x7f84f90000
munmap(0x7f84f8f000, 4096)              = 0
munmap(0x7f84fb1000, 60456)             = 0
mprotect(0x7f84f9e000, 61440, PROT_NONE) = 0
mmap(0x7f84fad000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xd000) = 0x7f84fad000
mmap(0x7f84faf000, 7208, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f84faf000
close(3)                                = 0
openat(AT_FDCWD, "/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0\267\0\1\0\0\0@\264\2\0\0\0\0\0"...,
832) = 832
pread64(3, "\4\0\0\0\24\0\0\0\3\0\0\0GNU\0/\267c\324\361R\25\177\n\177\26\327\322\277\4\211"...,
68, 768) = 68
newfstatat(3, "", {st_mode=S_IFREG|0755, st_size=1630088, ...},
AT_EMPTY_PATH) = 0
mmap(NULL, 1805328, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f84dd7000
mmap(0x7f84de0000, 1739792, PROT_READ|PROT_EXEC,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0) = 0x7f84de0000
munmap(0x7f84dd7000, 36864)             = 0
munmap(0x7f84f89000, 27664)             = 0
mprotect(0x7f84f68000, 61440, PROT_NONE) = 0
mmap(0x7f84f77000, 24576, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x187000) = 0x7f84f77000
mmap(0x7f84f7d000, 48144, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f84f7d000
close(3)                                = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
0) = 0x7f85024000
set_tid_address(0x7f850240f0)           = 25050
set_robust_list(0x7f85024100, 24)       = 0
rseq(0x7f850247c0, 0x20, 0, 0xd428bc00) = 0
mprotect(0x7f84f77000, 12288, PROT_READ) = 0
mprotect(0x7f84fad000, 4096, PROT_READ) = 0
mprotect(0x7f84fd6000, 4096, PROT_READ) = 0
mprotect(0x7f84ff6000, 4096, PROT_READ) = 0
mprotect(0x557a8bc000, 4096, PROT_READ) = 0
mprotect(0x7f85033000, 8192, PROT_READ) = 0
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024,
rlim_max=RLIM64_INFINITY}) = 0
munmap(0x7f85026000, 32961)             = 0
newfstatat(AT_FDCWD, "/usr/lib/xtables/libipt_owner.so", 0x7fdac3dc78,
0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/lib/xtables/libxt_owner.so",
{st_mode=S_IFREG|0755, st_size=18904, ...}, 0) = 0
getrandom("\x89\xee\xcc\x55\xdc\x6d\x75\xd8", 8, GRND_NONBLOCK) = 8
brk(NULL)                               = 0x55a5afa000
brk(0x55a5b1b000)                       = 0x55a5b1b000
openat(AT_FDCWD, "/usr/lib/xtables/libxt_owner.so", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0\267\0\1\0\0\0\0\0\0\0\0\0\0\0"...,
832) = 832
newfstatat(3, "", {st_mode=S_IFREG|0755, st_size=18904, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 148048, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f84dbb000
mmap(0x7f84dc0000, 82512, PROT_READ|PROT_EXEC,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0) = 0x7f84dc0000
munmap(0x7f84dbb000, 20480)             = 0
munmap(0x7f84dd5000, 41552)             = 0
mprotect(0x7f84dc3000, 65536, PROT_NONE) = 0
mmap(0x7f84dd3000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3000) = 0x7f84dd3000
close(3)                                = 0
mprotect(0x7f84dd3000, 4096, PROT_READ) = 0
socket(AF_INET, SOCK_RAW, IPPROTO_RAW)  = 3
fcntl(3, F_SETFD, FD_CLOEXEC)           = 0
newfstatat(AT_FDCWD, "/proc/net/ip_tables_names",
{st_mode=S_IFREG|0440, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
statfs("/proc/net/ip_tables_names", {f_type=PROC_SUPER_MAGIC,
f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0,
f_fsid={val=[0, 0]}, f_namelen=255, f_frsize=4096,
f_flags=ST_VALID|ST_NOSUID|ST_NODEV|ST_NOEXEC|ST_RELATIME}) = 0
getsockopt(3, SOL_IP, IPT_SO_GET_REVISION_MATCH, 0x7fdac3db68, [30]) =
-1 ENOENT (No such file or directory)
close(3)                                = 0
socket(AF_INET, SOCK_RAW, IPPROTO_RAW)  = 3
fcntl(3, F_SETFD, FD_CLOEXEC)           = 0
getsockopt(3, SOL_IP, IPT_SO_GET_REVISION_MATCH, 0x7fdac3db68, [30]) =
-1 ENOENT (No such file or directory)
close(3)                                = 0
write(2, "iptables v1.8.7 (legacy): ", 26iptables v1.8.7 (legacy): ) = 26
write(2, "Couldn't load match `owner':No s"..., 54Couldn't load match
`owner':No such file or directory
) = 54
write(2, "\n", 1
)                       = 1
write(2, "Try `iptables -h' or 'iptables -"..., 61Try `iptables -h' or
'iptables --help' for more information.
) = 61
exit_group(2)                           = ?
+++ exited with 2 +++

Looks like we're missing /usr/lib/xtables/libipt_owner.so?
https://forums.gentoo.org/viewtopic-t-754259-start-0.html suggests
this requires CONFIG_NETFILTER_XT_MATCH_OWNER=m so I tried rebuilding
the kernel with that:
# iptables -A OUTPUT -m owner --uid 0
No error returned.

But /usr/lib/xtables/libipt_owner.so is still missing. If I run the
working version with strace the difference seems to be getsockopt,
from:
newfstatat(AT_FDCWD, "/proc/net/ip_tables_names",
{st_mode=S_IFREG|0440, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
statfs("/proc/net/ip_tables_names", {f_type=PROC_SUPER_MAGIC,
f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0,
f_fsid={val=[0, 0]}, f_namelen=255, f_frsize=4096,
f_flags=ST_VALID|ST_NOSUID|ST_NODEV|ST_NOEXEC|ST_RELATIME}) = 0
getsockopt(3, SOL_IP, IPT_SO_GET_REVISION_MATCH, 0x7fdac3db68, [30]) =
-1 ENOENT (No such file or directory)

to:
newfstatat(AT_FDCWD, "/proc/net/ip_tables_names",
{st_mode=S_IFREG|0440, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
statfs("/proc/net/ip_tables_names", {f_type=PROC_SUPER_MAGIC,
f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0,
f_fsid={val=[0, 0]}, f_namelen=255, f_frsize=4096,
f_flags=ST_VALID|ST_NOSUID|ST_NODEV|ST_NOEXEC|ST_RELATIME}) = 0
getsockopt(3, SOL_IP, IPT_SO_GET_REVISION_MATCH,
"owner\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1", [30]) = 0

I don't understand why getsockopt() doesn't show the string in the
first instance, makes diagnosing the problem difficult.

The full command still fails:
# strace iptables -w -t nat -I PREROUTING -s 192.168.12.0/24 -d
192.168.12.1 -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 5353
execve("/usr/sbin/iptables", ["iptables", "-w", "-t", "nat", "-I",
"PREROUTING", "-s", "192.168.12.0/24", "-d", "192.168.12.1", "-p",
"tcp", "-m", "tcp", "--dport", "53", "-j", "REDIRECT", "--to-ports",
"5353"], 0x7ff90c7de8 /* 29 vars */) = 0
brk(NULL)                               = 0x55b6039000
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
0) = 0x7fb4e97000
faccessat(AT_FDCWD, "/etc/ld.so.preload", R_OK) = -1 ENOENT (No such
file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=32961, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 32961, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fb4e8e000
close(3)                                = 0
openat(AT_FDCWD, "/usr/lib/libip4tc.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0\267\0\1\0\0\0\0\0\0\0\0\0\0\0"...,
832) = 832
newfstatat(3, "", {st_mode=S_IFREG|0755, st_size=31152, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 160296, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fb4e39000
mmap(0x7fb4e40000, 94760, PROT_READ|PROT_EXEC,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0) = 0x7fb4e40000
munmap(0x7fb4e39000, 28672)             = 0
munmap(0x7fb4e58000, 33320)             = 0
mprotect(0x7fb4e47000, 61440, PROT_NONE) = 0
mmap(0x7fb4e56000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x6000) = 0x7fb4e56000
close(3)                                = 0
openat(AT_FDCWD, "/usr/lib/libip6tc.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0\267\0\1\0\0\0\0\0\0\0\0\0\0\0"...,
832) = 832
newfstatat(3, "", {st_mode=S_IFREG|0755, st_size=31152, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 160296, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fb4e18000
mmap(0x7fb4e20000, 94760, PROT_READ|PROT_EXEC,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0) = 0x7fb4e20000
munmap(0x7fb4e18000, 32768)             = 0
munmap(0x7fb4e38000, 29224)             = 0
mprotect(0x7fb4e27000, 61440, PROT_NONE) = 0
mmap(0x7fb4e36000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x6000) = 0x7fb4e36000
close(3)                                = 0
openat(AT_FDCWD, "/usr/lib/libxtables.so.12", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0\267\0\1\0\0\0\0\0\0\0\0\0\0\0"...,
832) = 832
newfstatat(3, "", {st_mode=S_IFREG|0755, st_size=59304, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 199720, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fb4def000
mmap(0x7fb4df0000, 134184, PROT_READ|PROT_EXEC,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0) = 0x7fb4df0000
munmap(0x7fb4def000, 4096)              = 0
munmap(0x7fb4e11000, 60456)             = 0
mprotect(0x7fb4dfe000, 61440, PROT_NONE) = 0
mmap(0x7fb4e0d000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xd000) = 0x7fb4e0d000
mmap(0x7fb4e0f000, 7208, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fb4e0f000
close(3)                                = 0
openat(AT_FDCWD, "/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0\267\0\1\0\0\0@\264\2\0\0\0\0\0"...,
832) = 832
pread64(3, "\4\0\0\0\24\0\0\0\3\0\0\0GNU\0/\267c\324\361R\25\177\n\177\26\327\322\277\4\211"...,
68, 768) = 68
newfstatat(3, "", {st_mode=S_IFREG|0755, st_size=1630088, ...},
AT_EMPTY_PATH) = 0
mmap(NULL, 1805328, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fb4c37000
mmap(0x7fb4c40000, 1739792, PROT_READ|PROT_EXEC,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0) = 0x7fb4c40000
munmap(0x7fb4c37000, 36864)             = 0
munmap(0x7fb4de9000, 27664)             = 0
mprotect(0x7fb4dc8000, 61440, PROT_NONE) = 0
mmap(0x7fb4dd7000, 24576, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x187000) = 0x7fb4dd7000
mmap(0x7fb4ddd000, 48144, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fb4ddd000
close(3)                                = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
0) = 0x7fb4e8c000
set_tid_address(0x7fb4e8c0f0)           = 83953
set_robust_list(0x7fb4e8c100, 24)       = 0
rseq(0x7fb4e8c7c0, 0x20, 0, 0xd428bc00) = 0
mprotect(0x7fb4dd7000, 12288, PROT_READ) = 0
mprotect(0x7fb4e0d000, 4096, PROT_READ) = 0
mprotect(0x7fb4e36000, 4096, PROT_READ) = 0
mprotect(0x7fb4e56000, 4096, PROT_READ) = 0
mprotect(0x558371f000, 4096, PROT_READ) = 0
mprotect(0x7fb4e9b000, 8192, PROT_READ) = 0
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024,
rlim_max=RLIM64_INFINITY}) = 0
munmap(0x7fb4e8e000, 32961)             = 0
getrandom("\xfa\xf8\xa1\x00\x5e\xc6\xd6\x38", 8, GRND_NONBLOCK) = 8
brk(NULL)                               = 0x55b6039000
brk(0x55b605a000)                       = 0x55b605a000
newfstatat(AT_FDCWD, "/etc/nsswitch.conf", {st_mode=S_IFREG|0644,
st_size=482, ...}, 0) = 0
newfstatat(AT_FDCWD, "/", {st_mode=S_IFDIR|0755, st_size=4096, ...}, 0) = 0
openat(AT_FDCWD, "/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=482, ...}, AT_EMPTY_PATH) = 0
read(3, "# /etc/nsswitch.conf\n#\n# Example"..., 4096) = 482
read(3, "", 4096)                       = 0
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=482, ...}, AT_EMPTY_PATH) = 0
close(3)                                = 0
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=32961, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 32961, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fb4e8e000
close(3)                                = 0
openat(AT_FDCWD, "/lib/tls/aarch64/libnss_db.so.2",
O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/lib/tls/aarch64", 0x7fe4e67730, 0) = -1 ENOENT
(No such file or directory)
openat(AT_FDCWD, "/lib/tls/libnss_db.so.2", O_RDONLY|O_CLOEXEC) = -1
ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/lib/tls", 0x7fe4e67730, 0) = -1 ENOENT (No such
file or directory)
openat(AT_FDCWD, "/lib/aarch64/libnss_db.so.2", O_RDONLY|O_CLOEXEC) =
-1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/lib/aarch64", 0x7fe4e67730, 0) = -1 ENOENT (No
such file or directory)
openat(AT_FDCWD, "/lib/libnss_db.so.2", O_RDONLY|O_CLOEXEC) = -1
ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/lib", {st_mode=S_IFDIR|0755, st_size=4096, ...}, 0) = 0
openat(AT_FDCWD, "/usr/lib/tls/aarch64/libnss_db.so.2",
O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/lib/tls/aarch64", 0x7fe4e67730, 0) = -1
ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/tls/libnss_db.so.2", O_RDONLY|O_CLOEXEC) =
-1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/lib/tls", 0x7fe4e67730, 0) = -1 ENOENT (No
such file or directory)
openat(AT_FDCWD, "/usr/lib/aarch64/libnss_db.so.2",
O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/lib/aarch64", 0x7fe4e67730, 0) = -1 ENOENT
(No such file or directory)
openat(AT_FDCWD, "/usr/lib/libnss_db.so.2", O_RDONLY|O_CLOEXEC) = -1
ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/lib", {st_mode=S_IFDIR|0755, st_size=32768,
...}, 0) = 0
munmap(0x7fb4e8e000, 32961)             = 0
openat(AT_FDCWD, "/etc/protocols", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=2932, ...}, AT_EMPTY_PATH) = 0
lseek(3, 0, SEEK_SET)                   = 0
read(3, "# Internet (IP) protocols\n#\n# Up"..., 4096) = 2932
close(3)                                = 0
newfstatat(AT_FDCWD, "/usr/lib/xtables/libipt_tcp.so", 0x7fe4e68508,
0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/lib/xtables/libxt_tcp.so",
{st_mode=S_IFREG|0755, st_size=14424, ...}, 0) = 0
openat(AT_FDCWD, "/usr/lib/xtables/libxt_tcp.so", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0\267\0\1\0\0\0\0\0\0\0\0\0\0\0"...,
832) = 832
newfstatat(3, "", {st_mode=S_IFREG|0755, st_size=14424, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 143568, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fb4c1c000
mmap(0x7fb4c20000, 78032, PROT_READ|PROT_EXEC,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0) = 0x7fb4c20000
munmap(0x7fb4c1c000, 16384)             = 0
munmap(0x7fb4c34000, 45264)             = 0
mprotect(0x7fb4c23000, 61440, PROT_NONE) = 0
mmap(0x7fb4c32000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7fb4c32000
close(3)                                = 0
mprotect(0x7fb4c32000, 4096, PROT_READ) = 0
socket(AF_INET, SOCK_RAW, IPPROTO_RAW)  = 3
fcntl(3, F_SETFD, FD_CLOEXEC)           = 0
newfstatat(AT_FDCWD, "/proc/net/ip_tables_names",
{st_mode=S_IFREG|0440, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
statfs("/proc/net/ip_tables_names", {f_type=PROC_SUPER_MAGIC,
f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0,
f_fsid={val=[0, 0]}, f_namelen=255, f_frsize=4096,
f_flags=ST_VALID|ST_NOSUID|ST_NODEV|ST_NOEXEC|ST_RELATIME}) = 0
getsockopt(3, SOL_IP, IPT_SO_GET_REVISION_MATCH,
"tcp\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", [30]) = 0
close(3)                                = 0
newfstatat(AT_FDCWD, "/usr/lib/xtables/libipt_REDIRECT.so",
{st_mode=S_IFREG|0755, st_size=10344, ...}, 0) = 0
openat(AT_FDCWD, "/usr/lib/xtables/libipt_REDIRECT.so", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0\267\0\1\0\0\0\0\0\0\0\0\0\0\0"...,
832) = 832
newfstatat(3, "", {st_mode=S_IFREG|0755, st_size=10344, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 139480, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fb4bfd000
mmap(0x7fb4c00000, 73944, PROT_READ|PROT_EXEC,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0) = 0x7fb4c00000
munmap(0x7fb4bfd000, 12288)             = 0
munmap(0x7fb4c13000, 49368)             = 0
mprotect(0x7fb4c02000, 61440, PROT_NONE) = 0
mmap(0x7fb4c11000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1000) = 0x7fb4c11000
close(3)                                = 0
mprotect(0x7fb4c11000, 4096, PROT_READ) = 0
socket(AF_INET, SOCK_RAW, IPPROTO_RAW)  = 3
fcntl(3, F_SETFD, FD_CLOEXEC)           = 0
getsockopt(3, SOL_IP, IPT_SO_GET_REVISION_TARGET, 0x7fe4e683e8, [30])
= -1 ENOENT (No such file or directory)
close(3)                                = 0
write(2, "iptables v1.8.7 (legacy): ", 26iptables v1.8.7 (legacy): ) = 26
write(2, "unknown option \"--to-ports\"", 27unknown option "--to-ports") = 27
write(2, "\n", 1
)                       = 1
write(2, "Try `iptables -h' or 'iptables -"..., 61Try `iptables -h' or
'iptables --help' for more information.
) = 61
exit_group(2)                           = ?
+++ exited with 2 +++

Previously we had a failure with IPT_SO_GET_REVISION_MATCH, now it's
IPT_SO_GET_REVISION_TARGET. I looked for usage of this in the Linux
source for v5.4.238:
https://elixir.bootlin.com/linux/v5.4.238/C/ident/IPT_SO_GET_REVISION_TARGET
They're used in the same function.
I also noticed that if you run without --to-ports you get:
# iptables -w -t nat -I PREROUTING -s 192.168.12.0/24 -d 192.168.12.1
-p tcp -m tcp --dport 53 -j REDIRECT
iptables v1.8.7 (legacy): Couldn't load target `REDIRECT':No such file
or directory

So if adding CONFIG_NETFILTER_XT_MATCH_OWNER fixed
IPT_SO_GET_REVISION_MATCH, would adding
CONFIG_NETFILTER_XT_TARGET_REDIRECT fix IPT_SO_GET_REVISION_TARGET?

Yes it does, NAT method now works.


On Mon, 29 Jul 2024 at 04:58, Reindl Harald <h.reindl@thelounge.net> wrote:
>
>
>
> Am 25.07.24 um 04:29 schrieb Tom Isaacson:
> > I don't have strace on the device, it's pretty minimal. But
> > libxt_owner.so is present here:
> > /usr/lib/xtables/libxt_owner.so
> > along with all the other files.
> >
> > The installation is from Yocto:
> > https://urldefense.proofpoint.com/v2/url?u=https-3A__layers.openembedded.org_layerindex_recipe_300425_&d=DwICaQ&c=q3cDpHe1hF8lXU5EFjNM_C93KOmcBXCBnhee2v6PYlc&r=MO7EWU3DamJNNM8h6vHmeK6CEry2ufcorA3OreLf9oSJJvfzyukEHrKjEuU65HDv&m=qra8kepdXvk2kSHd5pZNDgZwemrhMGNw-eOtKfUoleBSvjSCrB1FYvyXb5aXbklA&s=nDKMvy2KD4qfYfMInybCHSfKn1_vI_KQd3Re6Bp8lxA&e=
>
> so why don't you ask them what they have done to cripple down the
> binary? upstream is innocent
>
> > On Thu, 25 Jul 2024 at 14:19, Florian Westphal <fw@strlen.de> wrote:
> >>
> >> Tom Isaacson <thomas.isaacson@motorolasolutions.com> wrote:
> >>>>      Sharing Internet using method: nat
> >>>>      iptables v1.8.7 (legacy): unknown option "--to-ports"
> >>>>      Try `iptables -h' or 'iptables --help' for more information.
> >>>>      Doing cleanup.. done
> >>
> >> Broken iptables installation.
> >>
> >>>> The offending iptables commands are:
> >>>>              iptables -w -t nat -D PREROUTING -s ${GATEWAY%.*}.0/24 -d
> >>>> ${GATEWAY} \
> >>>>                  -p tcp -m tcp --dport 53 -j REDIRECT --to-ports $DNS_PORT
> >>>>              iptables -w -t nat -D PREROUTING -s ${GATEWAY%.*}.0/24 -d
> >>>> ${GATEWAY} \
> >>>>                  -p udp -m udp --dport 53 -j REDIRECT --to-ports $DNS_PORT
> >>>>
> >>>> I searched around for a solution and found
> >>>> https://urldefense.proofpoint.com/v2/url?u=https-3A__community.unix.com_t_iptables-2Dv1-2D8-2D7-2Dnf-2Dtables-2Dunknown-2Doption-2Dto-2Dports_385377_3&d=DwIBAg&c=q3cDpHe1hF8lXU5EFjNM_C93KOmcBXCBnhee2v6PYlc&r=MO7EWU3DamJNNM8h6vHmeK6CEry2ufcorA3OreLf9oSJJvfzyukEHrKjEuU65HDv&m=3pEifEeIBaWYzhy_9MSuLYFwj7s1hDnpv2ftIP8xg0VZA5QWqX6RKTC79F1ylozp&s=sBy-V0FVFtnFXyvzNpVWO6IaPMyAYTyauL9S5RRjQrk&e=
> >>
> >> This has all diagnostic commands that you'll need to figure out whats
> >> happening.
> >>
> >>>> but this command also fails:
> >>>>      # iptables -A OUTPUT -m owner --uid 0
> >>>>      iptables v1.8.7 (legacy): Couldn't load match `owner':No such file
> >>>> or directory
> >>>>
> >>>> iptables links to xtables-legacy-multi but it seems to have all of the
> >>>> necessary files present.
> >>
> >> iptables says it can't load match 'owner' (libxt_owner.so).
> >>
> >> So its either missing or iptables is searching the wrong location.
> >>
> >> strace should tell which directory iptables is searching to fetch
> >> extensions.
> >>
> >> Some embedded distros split packages into subpackages to save space,
> >> so it might be missing package too.

-- 


*For more information on how and why we collect your personal 
information, please visit our Privacy Policy 
<https://www.motorolasolutions.com/en_us/about/privacy-policy.html?elqTrackId=8980d888905940e39a2613a7a3dcb0a7&elqaid=2786&elqat=2#privacystatement>.*

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Unknown option "--to-ports"
  2024-07-29  5:44         ` Tom Isaacson
@ 2024-07-29  7:23           ` Reindl Harald
  0 siblings, 0 replies; 7+ messages in thread
From: Reindl Harald @ 2024-07-29  7:23 UTC (permalink / raw)
  To: Tom Isaacson; +Cc: Florian Westphal, netfilter



Am 29.07.24 um 07:44 schrieb Tom Isaacson:
> I'm not accusing anyone, I was asking for help diagnosing the problem.
> Luckily I ignored your suggestions because you were both wrong

no, below you postet a strace / compile orgy which shouldn't have been 
necessary if the distribution would have built the kernel binary right

[harry@srv-rhsoft:/downloads]$ rpm -q --file 
/usr/lib64/xtables/libxt_owner.so
iptables-libs-1.8.9-5.fc39.x86_64

^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, other threads:[~2024-07-29  7:23 UTC | newest]

Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-07-25  0:10 Tom Isaacson
2024-07-25  0:34 ` Unknown option "--to-ports" Tom Isaacson
2024-07-25  2:19   ` Florian Westphal
2024-07-25  2:29     ` Tom Isaacson
2024-07-28 16:58       ` Reindl Harald
2024-07-29  5:44         ` Tom Isaacson
2024-07-29  7:23           ` Reindl Harald

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox