* "No chain/target/match by that name" when using -m state
From: Ami Ganguli @ 2005-06-22 15:05 UTC
To: netfilter

Hi all,

I've been searching around for the answer to this and I've finally
given up trying to solve it on my own. Any hints would be much
appreciated.

I'm entering the following command (cut and paste from the command line):

    iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

which appears in various docs. It looks pretty straightforward, but I
get this error:

    iptables: No chain/target/match by that name

If I enter the same command without "-m state --state
ESTABLISHED,RELATED" it's accepted, so I figure my problem is there
somewhere.

I thought that maybe my kernel (2.6.11.10, ARCH=xen) was compiled
without connection tracking, but dmesg includes the following:

    ip_tables: (C) 2000-2002 Netfilter core team
    ip_conntrack version 2.1 (1024 buckets, 8192 max) - 244 bytes per conntrack

also, if I enter "iptables -m state --help" I get the normal help with
this at the end:

    state v1.2.11 options:
     [!] --state [INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED][,...]
                    State(s) to match

so I figure I must have the necessary bits installed.

Any ideas or hints on what I should do next to debug this?

Regards,
Ami.

* Re: "No chain/target/match by that name" when using -m state
From: Marius Mertens @ 2005-06-22 15:21 UTC
To: netfilter

Hi everybody,

On Wednesday, June 22, 2005 5:05 PM,
Ami Ganguli wrote:
> [...]
> so I figure I must have the necessary bits installed.
>
> Any ideas or hints on what I should do next to debug this?

It's possible that just the ipt_state module is missing. You can try

    modprobe ipt_state

If it works after that, everything is fine, but if it complains that the
module cannot be found, you might have to reconfigure, recompile your kernel
(modules) or get another kernel image from your distribution so you have the
code either built into the kernel, or as module, where module should be the
better choice under normal conditions.

Good luck,
Marius

* Re: "No chain/target/match by that name" when using -m state
From: Jason Opperisano @ 2005-06-22 15:26 UTC
To: netfilter
On Wed, Jun 22, 2005 at 06:05:21PM +0300, Ami Ganguli wrote:
> Hi all,
>
> I've been searching around for the answer to this and I've finally
> given up trying to solve it on my own. Any hints would be much
> appreciated.
>
> I'm entering the following command (cut and paste from the command line):
>
> iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> which appears in various docs. It looks pretty straightforward, but I
> get this error:
>
> iptables: No chain/target/match by that name
>
> If I enter the same command without "-m state --state
> ESTABLISHED,RELATED" it's accepted, so I figure my problem is there
> somewhere.
>
> I thought that maybe my kernel (2.6.11.10, ARCH=xen) was compiled
> without connection tracking, but dmesg includes the following:
>
> ip_tables: (C) 2000-2002 Netfilter core team
> ip_conntrack version 2.1 (1024 buckets, 8192 max) - 244 bytes per conntrack
>
> also, if I enter "iptables -m state --help" I get the normal help with
> this at the end:
>
> state v1.2.11 options:
> [!] --state [INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED][,...]
> State(s) to match
>
> so I figure I must have the necessary bits installed.
>
> Any ideas or hints on what I should do next to debug this?

it sounds like your kernel doesn't have support for the state match,
which would be...rather odd.

i'd start by checking:

    cat /proc/net/ip_tables_matches
      (specifically: grep state /proc/net/ip_tables_matches)
    cat /proc/net/ip_tables_names
    cat /proc/net/ip_tables_targets

and

    lsmod | grep ^ip
      (specifically: look for ipt_state)

and

    grep _NF_ /path/to/running/kernel/config
      (specifically: look for CONFIG_IP_NF_MATCH_STATE)

-j

--
"Dennis Miller: I don't want to go on a rant, here, but America's
foreign policy makes about as much sense as Beowulf having sex
with Robert Fulton at the first battle of Antietam. I mean when
a neo-conservative defenestrates it's like Raskolnikov filibuster
deoxymonohydroxinate...
Peter: What the hell does rant mean?"
--Family Guy
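
Added example, not part of any message in this thread: the checks suggested above (/proc/net/ip_tables_matches, the loaded modules, CONFIG_IP_NF_MATCH_STATE) combined into one shell function that names the likely cause. It reads /proc/modules rather than running lsmod, the default config path /boot/config-$(uname -r) and the verdict strings are assumptions, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: classify why "-m state" is rejected, using the three sources
# named in the thread. File paths are arguments so saved copies can be checked.

# Succeeds if match name $2 is listed, one name per line, in file $1.
match_registered() { [ -r "$1" ] && grep -qx "$2" "$1"; }

# Succeeds if module $2 is in the first column of a /proc/modules-style file $1.
module_loaded() { [ -r "$1" ] && grep -q "^$2 " "$1"; }

# Prints y, m, n (unset or absent) or unknown (file unreadable) for symbol $2.
config_value() {
    if [ ! -r "$1" ]; then echo unknown
    elif grep -q "^$2=y" "$1"; then echo y
    elif grep -q "^$2=m" "$1"; then echo m
    else echo n
    fi
}

# Usage: diagnose_state_match [MATCHES_FILE [MODULES_FILE [CONFIG_FILE]]]
# The default config path is an assumption; distributions differ.
diagnose_state_match() {
    matches=${1:-/proc/net/ip_tables_matches}
    modules=${2:-/proc/modules}
    config=${3:-/boot/config-$(uname -r)}
    if match_registered "$matches" state; then echo registered; return 0; fi
    if module_loaded "$modules" ipt_state; then echo loaded-but-unregistered; return 0; fi
    case $(config_value "$config" CONFIG_IP_NF_MATCH_STATE) in
        y) echo builtin-but-unregistered ;;
        m) echo module-not-loaded ;;   # "modprobe ipt_state" should fix it
        n) echo not-compiled ;;        # needs a different or rebuilt kernel
        *) echo config-unknown ;;
    esac
}

# Constructed sample files reproducing the situation reported in the thread.
demo_thread_case() {
    d=$(mktemp -d) || return 1
    printf 'icmp\nudp\ntcp\n' > "$d/matches"
    printf 'ip_conntrack 40044 0 - Live 0xc8800000\n' > "$d/modules"
    printf 'CONFIG_IP_NF_IPTABLES=y\n# CONFIG_IP_NF_MATCH_STATE is not set\n' > "$d/config"
    diagnose_state_match "$d/matches" "$d/modules" "$d/config"
    rm -rf "$d"
}

demo_thread_case
```

Called with no arguments, diagnose_state_match inspects the running system; "not-compiled" corresponds to the case where modprobe cannot help and a different kernel image is needed.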
* Re: "No chain/target/match by that name" when using -m state
From: Ami Ganguli @ 2005-06-22 15:31 UTC
To: Jason Opperisano, netfilter

On 6/22/05, Jason Opperisano <opie@817west.com> wrote:
> it sounds like your kernel doesn't have support for the state match,
> which would be...rather odd.

Yup, that's the problem. It's a precompiled Xen kernel.

Thanks,
Ami.