Linux 2.6.17-rc1: /sbin/iptables does not find kernel netfilter
On Sun, Apr 02, 2006 at 08:47:06PM -0700, you [Linus Torvalds] wrote:
>
> Ok,
> it's two weeks since 2.6.16, and the merge window is closed.

I upgraded from 2.6.15-rc7 to 2.6.17-rc1. rc1 seems nice other than that
iptables stopped working:

failed iptables v1.3.5: can't initialize iptables table filter: iptables
who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

iptables is compiled in the kernel, not a module:
CONFIG_NETFILTER=y

I can even do "modprobe iptable_nat" successfully (iptable_nat is a module),
but iptables refuses to work. iptables is of version iptables-1.3.5-1.2.

The kernel config is copied with make oldconfig from 2.6.15-rc7 (which
worked), not much else has changed. I just booted back to 2.6.15-rc7 and
verified it works. Any ideas?



-- v --

v@iki.fi

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Re: Linux 2.6.17-rc1: /sbin/iptables does not find kernel netfilter
From: Ville Herva <vherva@vianova.fi>
Date: Sat, 8 Apr 2006 23:09:15 +0300

> I upgraded from 2.6.15-rc7 to 2.6.17-rc1. rc1 seems nice other than that
> iptables stopped working:

Please report this to the netfilter developer list next time.

Nevertheless I've CC:'d one of the netfilter developers so that it
gets looked into.
Re: Linux 2.6.17-rc1: /sbin/iptables does not find kernel netfilter
Ville Herva wrote:
> I upgraded from 2.6.15-rc7 to 2.6.17-rc1. rc1 seems nice other than that
> iptables stopped working:
>
> failed iptables v1.3.5: can't initialize iptables table filter: iptables
> who? (do you need to insmod?)
> Perhaps iptables or your kernel needs to be upgraded.
>
> iptables is compiled in the kernel, not a module:
> CONFIG_NETFILTER=y
>
> I can even do "modprobe iptable_nat" successfully (iptable_nat is a module),
> but iptables refuses to work. iptables is of version iptables-1.3.5-1.2.
>
> The kernel config is copied with make oldconfig from 2.6.15-rc7 (which
> worked), not much else has changed. I just booted back to 2.6.15-rc7 and
> verified it works. Any ideas?

Most likely you didn't enable the new xtables options. Please post your
full config.

Re: Linux 2.6.17-rc1: /sbin/iptables does not find kernel netfilter
On Sun, Apr 09, 2006 at 06:09:44AM +0200, you [Patrick McHardy] wrote:
> Ville Herva wrote:
> > I upgraded from 2.6.15-rc7 to 2.6.17-rc1. rc1 seems nice other than that
> > iptables stopped working:
> >
> > failed iptables v1.3.5: can't initialize iptables table filter: iptables
> > who? (do you need to insmod?)
> > Perhaps iptables or your kernel needs to be upgraded.
> >
> > iptables is compiled in the kernel, not a module:
> > CONFIG_NETFILTER=y
> >
> > I can even do "modprobe iptable_nat" successfully (iptable_nat is a module),
> > but iptables refuses to work. iptables is of version iptables-1.3.5-1.2.
> >
> > The kernel config is copied with make oldconfig from 2.6.15-rc7 (which
> > worked), not much else has changed. I just booted back to 2.6.15-rc7 and
> > verified it works. Any ideas?
>
> Most likely you didn't enable the new xtables options. Please post your
> full config.

The full .config is here
http://www.iki.fi/v/tmp/2.6.17-rc1.config

I indeed do not have xfilter enabled (I was unaware that such a thing had been
introduced :):
--8<-----------------------------------------------------------------------
...
CONFIG_NETFILTER=y
# CONFIG_NETFILTER_DEBUG is not set

#
# Core Netfilter Configuration
#
# CONFIG_NETFILTER_NETLINK is not set
# CONFIG_NETFILTER_XTABLES is not set

#
# IP: Netfilter Configuration
#
CONFIG_IP_NF_CONNTRACK=m
# CONFIG_IP_NF_CT_ACCT is not set
# CONFIG_IP_NF_CONNTRACK_MARK is not set
# CONFIG_IP_NF_CONNTRACK_EVENTS is not set
# CONFIG_IP_NF_CT_PROTO_SCTP is not set
CONFIG_IP_NF_FTP=m
# CONFIG_IP_NF_IRC is not set
# CONFIG_IP_NF_NETBIOS_NS is not set
# CONFIG_IP_NF_TFTP is not set
# CONFIG_IP_NF_AMANDA is not set
# CONFIG_IP_NF_PPTP is not set
# CONFIG_IP_NF_H323 is not set
# CONFIG_IP_NF_QUEUE is not set
...
--8<-----------------------------------------------------------------------

I'll try building a new kernel with CONFIG_NETFILTER_XTABLES enabled and
report back. Thanks!


-- v --

v@iki.fi

Re: Linux 2.6.17-rc1: /sbin/iptables does not find kernel netfilter
On Sun, Apr 09, 2006 at 10:43:13AM +0300, you [Ville Herva] wrote:
> >
> > Most likely you didn't enable the new xtables options. Please post your
> > full config.
>
> The full .config is here
> http://www.iki.fi/v/tmp/2.6.17-rc1.config

Now "iptables -L" works, but I still get

> iptables -A INPUT -p tcp -d 0.0.0.0/0 --dport http -m state --state NEW,ESTABLISHED -j ACCEPT
iptables: Unknown error 4294967295

from about half of the iptables rules.
My current config is here:

http://www.iki.fi/v/tmp/2.6.17-rc1.config.new

The following modules are loaded:
iptable_nat 6948 1
ip_nat 14860 1 iptable_nat
ip_conntrack 43188 2 iptable_nat,ip_nat
ipt_REJECT 4704 0
iptable_filter 2784 0

and
CONFIG_NETFILTER=y
CONFIG_NETFILTER_XTABLES=y
CONFIG_IP_NF_IPTABLES=y
are compiled in statically.

I just realized
# CONFIG_NETFILTER_XT_MATCH_STATE is not set
should probably be set. I'm building a new kernel now...


-- v --

v@iki.fi

Re: Linux 2.6.17-rc1: /sbin/iptables does not find kernel netfilter
On Sun, Apr 09, 2006 at 05:44:16PM +0300, you [Ville Herva] wrote:
> I just realized
> # CONFIG_NETFILTER_XT_MATCH_STATE is not set
> should probably be set. I'm building a new kernel now...

Ok, that seems to do it.

Thanks for the help, and sorry for the noise. I hope not too many people hit
the same glitch while upgrading...


-- v --

v@iki.fi

Re: Linux 2.6.17-rc1: /sbin/iptables does not find kernel netfilter
On 9 Apr 2006, Ville Herva yowled:
> On Sun, Apr 09, 2006 at 05:44:16PM +0300, you [Ville Herva] wrote:
>> I just realized
>> # CONFIG_NETFILTER_XT_MATCH_STATE is not set
>> should probably be set. I'm building a new kernel now...
>
> Ok, that seems to do it.
>
> Thanks for the help, and sorry for the noise. I hope not too many people hit
> the same glitch while upgrading...

I certainly did. A simple `make oldconfig' ends up zapping pretty much
all the old iptables CONFIG_ options, so you end up with not much of
iptables or netfilter left.

I must admit not quite understanding why the xtables stuff is needed:
I thought that was needed for userspace connection tracking, which
while it sounds cool isn't something I'm using yet.

--
`On a scale of 1-10, X's "brokenness rating" is 1.1, but that's only
because bringing Windows into the picture rescaled "brokenness" by
a factor of 10.' --- Peter da Silva
Re: Linux 2.6.17-rc1: /sbin/iptables does not find kernel netfilter
Nix wrote:
> I certainly did. A simple `make oldconfig' ends up zapping pretty much
> all the old iptables CONFIG_ options, so you end up with not much of
> iptables or netfilter left.
>
> I must admit not quite understanding why the xtables stuff is needed:
> I thought that was needed for userspace connection tracking, which
> while it sounds cool isn't something I'm using yet.
>

Being bitten by such issues in the past, I always diff the old and the
new config and look for anything suspicious going down.

--
André Tomt
Re: Linux 2.6.17-rc1: /sbin/iptables does not find kernel netfilter
Nix wrote:
> On 9 Apr 2006, Ville Herva yowled:
>
>>On Sun, Apr 09, 2006 at 05:44:16PM +0300, you [Ville Herva] wrote:
>>
>>>I just realized
>>># CONFIG_NETFILTER_XT_MATCH_STATE is not set
>>>should probably be set. I'm building a new kernel now...
>>
>>Ok, that seems to do it.
>>
>>Thanks for the help, and sorry for the noise. I hope not too many people hit
>>the same glitch while upgrading...
>
>
> I certainly did. A simple `make oldconfig' ends up zapping pretty much
> all the old iptables CONFIG_ options, so you end up with not much of
> iptables or netfilter left.

But it does show you all the new options. Admittedly, it would
have been better to automatically select the new options when
needed, but probably not worth changing it now, it has been
like this for two releases I think.

> I must admit not quite understanding why the xtables stuff is needed:
> I thought that was needed for userspace connection tracking, which
> while it sounds cool isn't something I'm using yet.

It's a unification of the matches and targets that are address family
independent.
Re: Linux 2.6.17-rc1: /sbin/iptables does not find kernel netfilter
On Sun, 09 Apr 2006, Patrick McHardy murmured woefully:
> Nix wrote:
>>>Thanks for the help, and sorry for the noise. I hope not too many people hit
>>>the same glitch while upgrading...
>>
>>
>> I certainly did. A simple `make oldconfig' ends up zapping pretty much
>> all the old iptables CONFIG_ options, so you end up with not much of
>> iptables or netfilter left.
>
> But it does show you all the new options. Admittedly, it would
> have been better to automatically select the new options when
> needed, but probably not worth changing it now, it has been
> like this for two releases I think.

Oh, yes, it did, and I thought they were userspace-matching related and
left them off. The real problem is that oldconfig doesn't mention when
options you *had* enabled disappear.

>> I must admit not quite understanding why the xtables stuff is needed:
>> I thought that was needed for userspace connection tracking, which
>> while it sounds cool isn't something I'm using yet.
>
> It's a unification of the matches and targets that are address family
> independent.

Ah, hence the ipv6-matching stuff turning up in 2.6.16. I see.

--
`On a scale of 1-10, X's "brokenness rating" is 1.1, but that's only
because bringing Windows into the picture rescaled "brokenness" by
a factor of 10.' --- Peter da Silva
Re: Linux 2.6.17-rc1: /sbin/iptables does not find kernel netfilter
On Sun, Apr 09, 2006 at 05:53:54PM +0100, you [Nix] wrote:
> On Sun, 09 Apr 2006, Patrick McHardy murmured woefully:
> >> I certainly did. A simple `make oldconfig' ends up zapping pretty much
> >> all the old iptables CONFIG_ options, so you end up with not much of
> >> iptables or netfilter left.
> >
> > But it does show you all the new options. Admittedly, it would
> > have been better to automatically select the new options when
> > needed, but probably not worth changing it now, it has been
> > like this for two releases I think.
>
> Oh, yes, it did, and I thought they were userspace-matching related and
> left them off. The real problem is that oldconfig doesn't mention when
> options you *had* enabled disappear.

Likewise for me.

Perhaps iptables could point to a document or a webpage (in case the kernel is newer
than the userspace iptables, and has introduced new requirements) that lists
the kernel options that need to be enabled, instead of saying

failed iptables v1.3.5: can't initialize iptables table filter: iptables
who? (do you need to insmod?)

Such verbosity might not be unixy, but during Old Unix times, thousands of people
weren't following -rc kernels...


-- v --

v@iki.fi

Re: Linux 2.6.17-rc1: /sbin/iptables does not find kernel netfilter
On Sun, Apr 09, 2006 at 06:37:47PM +0200, Patrick McHardy wrote:

> But it does show you all the new options. Admittedly, it would
> have been better to automatically select the new options when
> needed,

I spent a long time trying to do this with Kconfig, including
suggestions from Rusty, but couldn't get it to work at all.

--
- Harald Welte <laforge@netfilter.org> http://netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie
Re: Linux 2.6.17-rc1: /sbin/iptables does not find kernel netfilter
>
> Being bitten by such issues in the past, I always diff the old and the new
> config and look for anything suspicious going down.
>

My way:
gzip -cd /proc/config.gz >.config
make

The configurator will stop at any new config option, which includes
xtables. :)


Jan Engelhardt
--
Re: Linux 2.6.17-rc1: /sbin/iptables does not find kernel netfilter
Nix wrote:
> On 9 Apr 2006, Ville Herva yowled:
>> On Sun, Apr 09, 2006 at 05:44:16PM +0300, you [Ville Herva] wrote:
>>> I just realized
>>> # CONFIG_NETFILTER_XT_MATCH_STATE is not set
>>> should probably be set. I'm building a new kernel now...
>> Ok, that seems to do it.
>>
>> Thanks for the help, and sorry for the noise. I hope not too many people hit
>> the same glitch while upgrading...
>
> I certainly did. A simple `make oldconfig' ends up zapping pretty much
> all the old iptables CONFIG_ options, so you end up with not much of
> iptables or netfilter left.
>
> I must admit not quite understanding why the xtables stuff is needed:
> I thought that was needed for userspace connection tracking, which
> while it sounds cool isn't something I'm using yet.
>
I think the root of the problem is that "make oldconfig" doesn't give
any warning when options are removed. So there's no warning that
iptables is gone, because the help for the new options doesn't tell you
"replaces XXXX" even if you ask for help.

Suggestion: how hard would it be to have some extra value like y/n/m
which says print the help even though the option is gone? That would be
a reasonable thing to do for a version or two after things go away, and
certainly lower cost than having testers ask questions, rebuild kernels,
or just go away mad.

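Several replies above (diffing the old and new .config, Jan's make-driven walk-through, and the complaint that oldconfig is silent about options that disappear) describe the same check by hand. The script below is an added example, not code from anyone in this thread: it compares two .config files and lists options that vanished entirely, were enabled before and are now "not set", or are new in this kernel. The sample configs inside it are constructed for illustration and only loosely modelled on the ones discussed.

```shell
#!/bin/sh
# Added example (not from the thread): compare two kernel .config files and
# report what "make oldconfig" is silent about or only partly reports:
# options enabled (=y/=m) in the old config that no longer exist at all,
# options that were enabled and now default to "not set", and new options.
# Usage: config_diff OLD_CONFIG NEW_CONFIG

config_diff() {
    awk '
        { k = "" }
        # Normalise each line to a symbol and value; "n" means "is not set".
        /^CONFIG_[A-Za-z0-9_]+=/ {
            k = $0; sub(/=.*/, "", k)
            v = $0; sub(/^[^=]*=/, "", v)
        }
        /^# CONFIG_[A-Za-z0-9_]+ is not set$/ { k = $2; v = "n" }
        k == "" { next }
        # NR == FNR holds only while reading the first (old) file.
        NR == FNR { old[k] = v; next }
        { new[k] = v }
        END {
            for (s in old) {
                if (old[s] == "n") continue
                if (!(s in new)) print "VANISHED " s " (was " old[s] ")"
                else if (new[s] == "n") print "DISABLED " s " (was " old[s] ")"
            }
            for (s in new) if (!(s in old)) print "NEW " s "=" new[s]
        }' "$1" "$2" | LC_ALL=C sort
}

# Constructed sample, loosely modelled on the thread: an old config with the
# state match as its own module, and the result of "make oldconfig" under a
# kernel where the xtables options appeared and defaulted to off.
demo() {
    old=$(mktemp) && new=$(mktemp) || return 1
    printf '%s\n' 'CONFIG_NETFILTER=y' 'CONFIG_IP_NF_CONNTRACK=m' \
        'CONFIG_IP_NF_IPTABLES=y' 'CONFIG_IP_NF_MATCH_STATE=m' \
        'CONFIG_IP_NF_FTP=m' '# CONFIG_IP_NF_IRC is not set' > "$old"
    printf '%s\n' 'CONFIG_NETFILTER=y' '# CONFIG_NETFILTER_XTABLES is not set' \
        '# CONFIG_NETFILTER_XT_MATCH_STATE is not set' 'CONFIG_IP_NF_CONNTRACK=m' \
        '# CONFIG_IP_NF_FTP is not set' '# CONFIG_IP_NF_IRC is not set' > "$new"
    config_diff "$old" "$new"
    rm -f "$old" "$new"
}

# With two .config paths, compare them; with no arguments, run the sample.
if [ $# -eq 2 ]; then config_diff "$1" "$2"; elif [ $# -eq 0 ]; then demo; fi
```

A VANISHED line is the case Nix and Bill describe: the symbol is gone from the new tree, so oldconfig never asks about it and the old setting is dropped silently.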