ip6tables filter breakage.

ip6tables filter breakage.

[Dave Jones]

After updating to Linus' current tree with todays net/ merge,
I noticed that ip6tables doesn't work any more..

# ip6tables -F
ip6tables v1.4.19.1: can't initialize ip6tables table `filter': No
chain/target/match by that name
Perhaps ip6tables or your kernel needs to be upgraded

My config has CONFIG_IP6_NF_FILTER=m
I also note that ip6table_filter.ko doesn't get auto-loaded now.
But even after modprobing it, I get the same message.

Is there some additional option I now need to enable ?


I was a little surprised by how CONFIG_NF_TABLES is mandatory
for iptables to keep working, even if you don't have nft userspace.
(The only relevant thing in the Kconfig was related to x_tables,
 which I wasn't using).

Perhaps either some select's, or additional help text ?

	Dave

Re: ip6tables filter breakage.

[David Miller]

From: Dave Jones <davej@redhat.com>
Date: Wed, 6 Aug 2014 15:52:22 -0400

CC:'ing netfilter-devel, Dave please do this in the future for
netfilter reports, thanks.

> After updating to Linus' current tree with todays net/ merge,
> I noticed that ip6tables doesn't work any more..
> 
> # ip6tables -F
> ip6tables v1.4.19.1: can't initialize ip6tables table `filter': No
> chain/target/match by that name
> Perhaps ip6tables or your kernel needs to be upgraded
> 
> My config has CONFIG_IP6_NF_FILTER=m
> I also note that ip6table_filter.ko doesn't get auto-loaded now.
> But even after modprobing it, I get the same message.
> 
> Is there some additional option I now need to enable ?
> 
> 
> I was a little surprised by how CONFIG_NF_TABLES is mandatory
> for iptables to keep working, even if you don't have nft userspace.
> (The only relevant thing in the Kconfig was related to x_tables,
>  which I wasn't using).
> 
> Perhaps either some select's, or additional help text ?
> 
> 	Dave
> 
> --
> To unsubscribe from this list: send the line "unsubscribe netdev" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: ip6tables filter breakage.

[Pablo Neira Ayuso]

On Wed, Aug 06, 2014 at 01:13:54PM -0700, David Miller wrote:
> From: Dave Jones <davej@redhat.com>
> Date: Wed, 6 Aug 2014 15:52:22 -0400
> 
> CC:'ing netfilter-devel, Dave please do this in the future for
> netfilter reports, thanks.
> 
> > After updating to Linus' current tree with todays net/ merge,
> > I noticed that ip6tables doesn't work any more..
> > 
> > # ip6tables -F
> > ip6tables v1.4.19.1: can't initialize ip6tables table `filter': No
> > chain/target/match by that name
> > Perhaps ip6tables or your kernel needs to be upgraded
> > 
> > My config has CONFIG_IP6_NF_FILTER=m
> > I also note that ip6table_filter.ko doesn't get auto-loaded now.
> > But even after modprobing it, I get the same message.
> > 
> > Is there some additional option I now need to enable ?
> > 
> > 
> > I was a little surprised by how CONFIG_NF_TABLES is mandatory
> > for iptables to keep working, even if you don't have nft userspace.
> > (The only relevant thing in the Kconfig was related to x_tables,
> >  which I wasn't using).
> > 
> > Perhaps either some select's, or additional help text ?

Cc'ing Tom:

cb1ce2e ipv6: Implement automatic flow label generation on transmit
has allocated socket option 64 which is already reserved by ip6tables.

I'm going to send a patch to fix this.

Re: ip6tables filter breakage.

[Tom Herbert]

Thanks for catch an fix!

On Wed, Aug 6, 2014 at 3:01 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Wed, Aug 06, 2014 at 01:13:54PM -0700, David Miller wrote:
>> From: Dave Jones <davej@redhat.com>
>> Date: Wed, 6 Aug 2014 15:52:22 -0400
>>
>> CC:'ing netfilter-devel, Dave please do this in the future for
>> netfilter reports, thanks.
>>
>> > After updating to Linus' current tree with todays net/ merge,
>> > I noticed that ip6tables doesn't work any more..
>> >
>> > # ip6tables -F
>> > ip6tables v1.4.19.1: can't initialize ip6tables table `filter': No
>> > chain/target/match by that name
>> > Perhaps ip6tables or your kernel needs to be upgraded
>> >
>> > My config has CONFIG_IP6_NF_FILTER=m
>> > I also note that ip6table_filter.ko doesn't get auto-loaded now.
>> > But even after modprobing it, I get the same message.
>> >
>> > Is there some additional option I now need to enable ?
>> >
>> >
>> > I was a little surprised by how CONFIG_NF_TABLES is mandatory
>> > for iptables to keep working, even if you don't have nft userspace.
>> > (The only relevant thing in the Kconfig was related to x_tables,
>> >  which I wasn't using).
>> >
>> > Perhaps either some select's, or additional help text ?
>
> Cc'ing Tom:
>
> cb1ce2e ipv6: Implement automatic flow label generation on transmit
> has allocated socket option 64 which is already reserved by ip6tables.
>
> I'm going to send a patch to fix this.