iptables-1.3.7 Requires ip_tables to be built as module

iptables-1.3.7 Requires ip_tables to be built as module

[Harvey Muller]

This is a duplicate report, Freitas reported it first on this list Feb 2.

I'm using kernel version 2.6.20 on an x86 based system.  Iptables emits
errors, "FATAL: module ip_tables not found" when ip_tables is built in the
kernel.  The only workaround is to build ip_tables as a module.

If iptables is being developed to be used ONLY as a module, you might include
a note in the INSTALL document to alert the users.

Best regards,

Harvey

Re: iptables-1.3.7 Requires ip_tables to be built as module

[Graham Murray]

Harvey Muller <hlmuller@yahoo.com> writes:

> I'm using kernel version 2.6.20 on an x86 based system.  Iptables emits
> errors, "FATAL: module ip_tables not found" when ip_tables is built in the
> kernel.  The only workaround is to build ip_tables as a module.

I too am running kernel 2.6.20 and running iptables 1.3.7 and have all
of the iptables features built into the kernel and it works with no
problems or error messages.

iptables-1.3.7 Requires ip_tables to be built as module

[Harvey Muller]

Yasuyuki,

During the review, I noticed the inclusion of the load_iptables_ko function within the
compatible_revision function.  Removal of the inclusion results in no error messages,
and testing of firewall doesn't seem to show adverse affects.

This is the patch I created for testing:

diff -Naur iptables-1.3.7.orig/ip6tables.c iptables-1.3.7/ip6tables.c
--- iptables-1.3.7.orig/ip6tables.c    2007-02-15 14:04:54.000000000 -0500
+++ iptables-1.3.7/ip6tables.c    2007-02-15 14:06:32.000000000 -0500
@@ -1120,8 +1120,6 @@
     strcpy(rev.name, name);
     rev.revision = revision;
 
-    load_ip6tables_ko(modprobe);
-
     max_rev = getsockopt(sockfd, IPPROTO_IPV6, opt, &rev, &s);
     if (max_rev < 0) {
         /* Definitely don't support this? */
diff -Naur iptables-1.3.7.orig/iptables.c iptables-1.3.7/iptables.c
--- iptables-1.3.7.orig/iptables.c    2007-02-15 14:04:54.000000000 -0500
+++ iptables-1.3.7/iptables.c    2007-02-15 14:06:09.000000000 -0500
@@ -1148,8 +1148,6 @@
         exit(1);
     }
 
-    load_iptables_ko(modprobe);
-
     strcpy(rev.name, name);
     rev.revision = revision;

Best regards,

Harvey

iptables-1.3.7 Requires ip_tables to be built as module

[Harvey Muller]

Yasuyuki,

I did not see your post until Wednesday.  I tried all the methods the Gentoo devs used in their ebuild,
but I still get the error, FATAL: module ip_tables not found.

I understand from your post that iptables is probably still working correctly despite the errors.

I've only begun to learn C, so much of the source I read is still unclear to me.  But after reviewing iptables.c,
I believe the problem is related to function load_iptables_ko.  It is the only new addition to the code that would
seem to be creating the problem.

Best regards,

Harvey

Re: iptables-1.3.7 Requires ip_tables to be built as module

[Harvey Muller]

Graham,

Thanks, that's information I can use.  I'll research the ebuilds to see what
the Gentoo devs did differently between versions.

I come from Gentoo userland, but am using LFS/CLFS variants lately to learn
more about what goes into the guts of building a distribution.  So presently,
I can't lean on portage to do things automatically for me.  But I'll check the
ebuilds out to see what I can learn.

Best regards,

Harvey

Re: iptables-1.3.7 Requires ip_tables to be built as module

[Yasuyuki KOZAKAI]

Hi,

From: Graham Murray <graham@gmurray.org.uk>
Date: Tue, 13 Feb 2007 07:21:58 +0000

> Harvey Muller <hlmuller@yahoo.com> writes:
> 
> > Graham,
> >
> > Assuming you've built ip_tables into the kernel (not as a module),
> > then I'd be interested in learning the difference in the process you
> > used to install iptables between versions 1.3.5 and 1.3.7.  Version
> > 1.3.5 works fine for me with kernel version 2.6.20 built in (not as
> > a module).  But when I use the same install process for 1.3.7, I get
> > the error messages.  And when I go back and configure ip_tables as a
> > module, then the error message goes away, which is what one would
> > expect.
> 
> No difference at all. They are both built using the 'standard' Gentoo
> ebuild system. In the kernel config I have both
> CONFIG_IP_NF_IPTABLES=y and CONFIG_IP6_NF_IPTABLES=y, as well as all
> the targets set to yes, all the parts of netfilter which I use are
> built into the kernel, none are built as modules.

I've met same error message, too. iptables was build with NO_SHARED_LIBS=1,
and all kernel part is built-in kernel.

BTW, it should work fine even if error message is printed.
I saw the output of 'iptables -L -v -n' printed rules I inserted.

I'll check codes when I have anytime.

Regards,

-- Yasuyuki Kozakai

Re: iptables-1.3.7 Requires ip_tables to be built as module

[Graham Murray]

Harvey Muller <hlmuller@yahoo.com> writes:

> Graham,
>
> Assuming you've built ip_tables into the kernel (not as a module),
> then I'd be interested in learning the difference in the process you
> used to install iptables between versions 1.3.5 and 1.3.7.  Version
> 1.3.5 works fine for me with kernel version 2.6.20 built in (not as
> a module).  But when I use the same install process for 1.3.7, I get
> the error messages.  And when I go back and configure ip_tables as a
> module, then the error message goes away, which is what one would
> expect.

No difference at all. They are both built using the 'standard' Gentoo
ebuild system. In the kernel config I have both
CONFIG_IP_NF_IPTABLES=y and CONFIG_IP6_NF_IPTABLES=y, as well as all
the targets set to yes, all the parts of netfilter which I use are
built into the kernel, none are built as modules.

iptables-1.3.7 Requires ip_tables to be built as module

[Harvey Muller]

Graham,

Assuming you've built ip_tables into the kernel (not as a module), then I'd be interested in learning the difference in the process you used to install iptables between versions 1.3.5 and 1.3.7.  Version 1.3.5 works fine for me with kernel version 2.6.20 built in (not as a module).  But when I use the same install process for 1.3.7, I get the error messages.  And when I go back and configure ip_tables as a module, then the error message goes away, which is what one would expect.

Thanks,

Harvey