Re: Linux 2.6.17-rc1: /sbin/iptables does not find kernel netfilter

Re: Linux 2.6.17-rc1: /sbin/iptables does not find kernel netfilter

[Ville Herva]

On Sun, Apr 09, 2006 at 06:09:44AM +0200, you [Patrick McHardy] wrote:
> Ville Herva wrote:
> > I upgraded from 2.6.15-rc7 to 2.6.17-rc1. rc1 seems nice other than that
> > iptables stopped working:
> > 
> >  failed iptables v1.3.5: can't initialize iptables table filter: iptables
> >  who? (do you need to insmod?) 
> >  Perhaps iptables or your kernel needs to be upgraded.
> > 
> > iptables is compiled in the kernel, not a module:
> >  CONFIG_NETFILTER=y
> > 
> > I can even do "modprobe iptable_nat" successfully (iptable_nat is module),
> > but iptables refuses to work. iptables is of version iptables-1.3.5-1.2. 
> > 
> > The kernel config is copied with make oldconfig from 2.6.15-rc7 (which
> > worked), not much else has changed. I just booted back to 2.6.15-rc7 and
> > verified it works. Any ideas?
> 
> Most likely you didn't enable the new xtables options. Please post your
> full config.

The full .config is here
 http://www.iki.fi/v/tmp/2.6.17-rc1.config

I indeed do not have xfilter enabled (I was unaware that such thing had been
introduced :):
--8<-----------------------------------------------------------------------
...
CONFIG_NETFILTER=y
# CONFIG_NETFILTER_DEBUG is not set

#
# Core Netfilter Configuration
#
# CONFIG_NETFILTER_NETLINK is not set
# CONFIG_NETFILTER_XTABLES is not set

#
# IP: Netfilter Configuration
#
CONFIG_IP_NF_CONNTRACK=m
# CONFIG_IP_NF_CT_ACCT is not set
# CONFIG_IP_NF_CONNTRACK_MARK is not set
# CONFIG_IP_NF_CONNTRACK_EVENTS is not set
# CONFIG_IP_NF_CT_PROTO_SCTP is not set
CONFIG_IP_NF_FTP=m
# CONFIG_IP_NF_IRC is not set
# CONFIG_IP_NF_NETBIOS_NS is not set
# CONFIG_IP_NF_TFTP is not set
# CONFIG_IP_NF_AMANDA is not set
# CONFIG_IP_NF_PPTP is not set
# CONFIG_IP_NF_H323 is not set
# CONFIG_IP_NF_QUEUE is not set
...
--8<-----------------------------------------------------------------------

I'll try building a new kernel with CONFIG_NETFILTER_XTABLES enabled and
report back. Thanks!


-- v -- 

v@iki.fi

Re: Linux 2.6.17-rc1: /sbin/iptables does not find kernel netfilter

[Ville Herva]

On Sun, Apr 09, 2006 at 10:43:13AM +0300, you [Ville Herva] wrote:
> > 
> > Most likely you didn't enable the new xtables options. Please post your
> > full config.
> 
> The full .config is here
>  http://www.iki.fi/v/tmp/2.6.17-rc1.config

Now "iptables -L" works, but I still get

> iptables -A INPUT         -p tcp -d 0.0.0.0/0   --dport  http -m state --state NEW,ESTABLISHED -j ACCEPT
iptables: Unknown error 4294967295

from about half of the iptables rules.
My current config is here:

http://www.iki.fi/v/tmp/2.6.17-rc1.config.new

The following modules are loaded:
iptable_nat             6948  1 
ip_nat                 14860  1 iptable_nat
ip_conntrack           43188  2 iptable_nat,ip_nat
ipt_REJECT              4704  0 
iptable_filter          2784  0 

and 
CONFIG_NETFILTER=y
CONFIG_NETFILTER_XTABLES=y
CONFIG_IP_NF_IPTABLES=y
are compiled in statically.

I just realized 
# CONFIG_NETFILTER_XT_MATCH_STATE is not set
should probably be set. I'm building a new kernel now...


-- v -- 

v@iki.fi

Re: Linux 2.6.17-rc1: /sbin/iptables does not find kernel netfilter

[Ville Herva]

On Sun, Apr 09, 2006 at 05:44:16PM +0300, you [Ville Herva] wrote:
> I just realized 
> # CONFIG_NETFILTER_XT_MATCH_STATE is not set
> should probably be set. I'm building a new kernel now...

Ok, that seems to do it.

Thanks for the help, and sorry for the noise. I hope not too many people hit
the same glitch while upgrading...


-- v -- 

v@iki.fi

Re: Linux 2.6.17-rc1: /sbin/iptables does not find kernel netfilter

[Nix]

On 9 Apr 2006, Ville Herva yowled:
> On Sun, Apr 09, 2006 at 05:44:16PM +0300, you [Ville Herva] wrote:
>> I just realized 
>> # CONFIG_NETFILTER_XT_MATCH_STATE is not set
>> should probably be set. I'm building a new kernel now...
> 
> Ok, that seems to do it.
> 
> Thanks for the help, and sorry for the noise. I hope not too many people hit
> the same glitch while upgrading...

I cetainly did. A simple `make oldconfig' ends up zapping pretty much
all the old iptables CONFIG_ options, so you end up with not much of
iptables or netfilter left.

I must admit not quite understanding why the xtables stuff is needed:
I thought that was needed for userspace connection tracking, which
while it sounds cool isn't something I'm using yet.

-- 
`On a scale of 1-10, X's "brokenness rating" is 1.1, but that's only
 because bringing Windows into the picture rescaled "brokenness" by
 a factor of 10.' --- Peter da Silva

Re: Linux 2.6.17-rc1: /sbin/iptables does not find kernel netfilter

[Andre Tomt]

Nix wrote:
> I cetainly did. A simple `make oldconfig' ends up zapping pretty much
> all the old iptables CONFIG_ options, so you end up with not much of
> iptables or netfilter left.
> 
> I must admit not quite understanding why the xtables stuff is needed:
> I thought that was needed for userspace connection tracking, which
> while it sounds cool isn't something I'm using yet.
> 

Beeing bitten by such issues in the past, I always diff the old and the 
new config and look for anything suspicious going down.

-- 
André Tomt

Re: Linux 2.6.17-rc1: /sbin/iptables does not find kernel netfilter

[Patrick McHardy]

Nix wrote:
> On 9 Apr 2006, Ville Herva yowled:
> 
>>On Sun, Apr 09, 2006 at 05:44:16PM +0300, you [Ville Herva] wrote:
>>
>>>I just realized 
>>># CONFIG_NETFILTER_XT_MATCH_STATE is not set
>>>should probably be set. I'm building a new kernel now...
>>
>>Ok, that seems to do it.
>>
>>Thanks for the help, and sorry for the noise. I hope not too many people hit
>>the same glitch while upgrading...
> 
> 
> I cetainly did. A simple `make oldconfig' ends up zapping pretty much
> all the old iptables CONFIG_ options, so you end up with not much of
> iptables or netfilter left.

But it does show you all the new options. Admittedly, it would
have been better to automatically select the new options when
needed, but probably not worth changing it now, it has been
like this for two releases I think.

> I must admit not quite understanding why the xtables stuff is needed:
> I thought that was needed for userspace connection tracking, which
> while it sounds cool isn't something I'm using yet.

Its a unification of the matches and targets that are address family
independant.

Re: Linux 2.6.17-rc1: /sbin/iptables does not find kernel netfilter

[Nix]

On Sun, 09 Apr 2006, Patrick McHardy murmured woefully:
> Nix wrote:
>>>Thanks for the help, and sorry for the noise. I hope not too many people hit
>>>the same glitch while upgrading...
>> 
>> 
>> I cetainly did. A simple `make oldconfig' ends up zapping pretty much
>> all the old iptables CONFIG_ options, so you end up with not much of
>> iptables or netfilter left.
> 
> But it does show you all the new options. Admittedly, it would
> have been better to automatically select the new options when
> needed, but probably not worth changing it now, it has been
> like this for two releases I think.

Oh, yes, it did, and I thought they were userspace-matching related and
left them off. The real problem is that oldconfig doesn't mention when
options you *had* enabled disappear.

>> I must admit not quite understanding why the xtables stuff is needed:
>> I thought that was needed for userspace connection tracking, which
>> while it sounds cool isn't something I'm using yet.
> 
> Its a unification of the matches and targets that are address family
> independant.

Ah, hence the ipv6-matching stuff turning up in 2.6.16. I see.

-- 
`On a scale of 1-10, X's "brokenness rating" is 1.1, but that's only
 because bringing Windows into the picture rescaled "brokenness" by
 a factor of 10.' --- Peter da Silva

Re: Linux 2.6.17-rc1: /sbin/iptables does not find kernel netfilter

[Ville Herva]

On Sun, Apr 09, 2006 at 05:53:54PM +0100, you [Nix] wrote:
> On Sun, 09 Apr 2006, Patrick McHardy murmured woefully:
> >> I cetainly did. A simple `make oldconfig' ends up zapping pretty much
> >> all the old iptables CONFIG_ options, so you end up with not much of
> >> iptables or netfilter left.
> > 
> > But it does show you all the new options. Admittedly, it would
> > have been better to automatically select the new options when
> > needed, but probably not worth changing it now, it has been
> > like this for two releases I think.
> 
> Oh, yes, it did, and I thought they were userspace-matching related and
> left them off. The real problem is that oldconfig doesn't mention when
> options you *had* enabled disappear.

Likewise for me.

Perhaps iptables could point to a document or a webpage (in case kernel is newer
than the userspace iptables, and has introduced new requirements) that lists
the kernel options that need to be enabled, instead of saying 

 failed iptables v1.3.5: can't initialize iptables table filter: iptables
 who? (do you need to insmod?)

Such verbosity might not be unixy, but during Old Unix times, thousands of people
weren't following -rc kernels...


-- v -- 

v@iki.fi

Re: Linux 2.6.17-rc1: /sbin/iptables does not find kernel netfilter

[Harald Welte]

[-- Attachment #1: Type: text/plain, Size: 710 bytes --]

On Sun, Apr 09, 2006 at 06:37:47PM +0200, Patrick McHardy wrote:

> But it does show you all the new options. Admittedly, it would
> have been better to automatically select the new options when
> needed, 

I spent a long time trying to do this with Kconfig, including
suggestions from Rusty, but couldn't get it to work at all.

-- 
- Harald Welte <laforge@netfilter.org>                 http://netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

[-- Attachment #2: Type: application/pgp-signature, Size: 191 bytes --]

Re: Linux 2.6.17-rc1: /sbin/iptables does not find kernel netfilter

[Jan Engelhardt]

>
> Beeing bitten by such issues in the past, I always diff the old and the new
> config and look for anything suspicious going down.
>

My way:
  gzip -cd /proc/config.gz >.config
  make

The configurator will stop at any new config option, which includes 
xtables. :)


Jan Engelhardt
-- 

Re: Linux 2.6.17-rc1: /sbin/iptables does not find kernel netfilter

[Bill Davidsen]

Nix wrote:
> On 9 Apr 2006, Ville Herva yowled:
>> On Sun, Apr 09, 2006 at 05:44:16PM +0300, you [Ville Herva] wrote:
>>> I just realized 
>>> # CONFIG_NETFILTER_XT_MATCH_STATE is not set
>>> should probably be set. I'm building a new kernel now...
>> Ok, that seems to do it.
>>
>> Thanks for the help, and sorry for the noise. I hope not too many people hit
>> the same glitch while upgrading...
> 
> I cetainly did. A simple `make oldconfig' ends up zapping pretty much
> all the old iptables CONFIG_ options, so you end up with not much of
> iptables or netfilter left.
> 
> I must admit not quite understanding why the xtables stuff is needed:
> I thought that was needed for userspace connection tracking, which
> while it sounds cool isn't something I'm using yet.
> 
I think the root of the problem is that "make oldconfig" doesn't give 
any warning when options are removed. So there's no warning that 
iptables is gone, because the help for the new options doesn't tell you 
"replaces XXXX" even if you as for help.

Suggestion: how hard would it be to have some extra value like y/n/m 
which says print the help even though the option is gone? That would be 
a reasonable thing to do for a version or two after things go away, and 
certainly lower cost than having testers ask questions, rebuild kernels, 
or just go away mad.