* iptables-1.3.7 Requires ip_tables to be built as module
@ 2007-02-12 19:49 Harvey Muller
  2007-02-13  7:21 ` Graham Murray
  0 siblings, 1 reply; 9+ messages in thread
From: Harvey Muller @ 2007-02-12 19:49 UTC (permalink / raw)
  To: netfilter

Graham,

Assuming you've built ip_tables into the kernel (not as a module), then I'd be interested in learning the difference in the process you used to install iptables between versions 1.3.5 and 1.3.7.  Version 1.3.5 works fine for me with kernel version 2.6.20 built in (not as a module).  But when I use the same install process for 1.3.7, I get the error messages.  And when I go back and configure ip_tables as a module, then the error message goes away, which is what one would expect.

Thanks,

Harvey





* Re: iptables-1.3.7 Requires ip_tables to be built as module
  2007-02-12 19:49 iptables-1.3.7 Requires ip_tables to be built as module Harvey Muller
@ 2007-02-13  7:21 ` Graham Murray
  2007-02-13  7:47   ` Yasuyuki KOZAKAI
  0 siblings, 1 reply; 9+ messages in thread
From: Graham Murray @ 2007-02-13  7:21 UTC (permalink / raw)
  To: netfilter

Harvey Muller <hlmuller@yahoo.com> writes:

> Graham,
>
> Assuming you've built ip_tables into the kernel (not as a module),
> then I'd be interested in learning the difference in the process you
> used to install iptables between versions 1.3.5 and 1.3.7.  Version
> 1.3.5 works fine for me with kernel version 2.6.20 built in (not as
> a module).  But when I use the same install process for 1.3.7, I get
> the error messages.  And when I go back and configure ip_tables as a
> module, then the error message goes away, which is what one would
> expect.

No difference at all. They are both built using the 'standard' Gentoo
ebuild system. In the kernel config I have both
CONFIG_IP_NF_IPTABLES=y and CONFIG_IP6_NF_IPTABLES=y, as well as all
the targets set to yes; all the parts of netfilter which I use are
built into the kernel, none as modules.



* Re: iptables-1.3.7 Requires ip_tables to be built as module
  2007-02-13  7:21 ` Graham Murray
@ 2007-02-13  7:47   ` Yasuyuki KOZAKAI
  2007-02-19  5:08     ` [RFC][PATCH][IPTABLES]: suppress the error of modprobe Yasuyuki KOZAKAI
  0 siblings, 1 reply; 9+ messages in thread
From: Yasuyuki KOZAKAI @ 2007-02-13  7:47 UTC (permalink / raw)
  To: graham; +Cc: netfilter


Hi,

From: Graham Murray <graham@gmurray.org.uk>
Date: Tue, 13 Feb 2007 07:21:58 +0000

> Harvey Muller <hlmuller@yahoo.com> writes:
> 
> > Graham,
> >
> > Assuming you've built ip_tables into the kernel (not as a module),
> > then I'd be interested in learning the difference in the process you
> > used to install iptables between versions 1.3.5 and 1.3.7.  Version
> > 1.3.5 works fine for me with kernel version 2.6.20 built in (not as
> > a module).  But when I use the same install process for 1.3.7, I get
> > the error messages.  And when I go back and configure ip_tables as a
> > module, then the error message goes away, which is what one would
> > expect.
> 
> No difference at all. They are both built using the 'standard' Gentoo
> ebuild system. In the kernel config I have both
> CONFIG_IP_NF_IPTABLES=y and CONFIG_IP6_NF_IPTABLES=y, as well as all
> the targets set to yes, all the parts of netfilter which I use are
> built into the kernel, none are built as modules.

I've met the same error message, too. iptables was built with NO_SHARED_LIBS=1,
and all kernel parts are built into the kernel.

BTW, it should work fine even if the error message is printed.
I saw that the output of 'iptables -L -v -n' printed the rules I inserted.

I'll check the code when I have time.

Regards,

-- Yasuyuki Kozakai



* [RFC][PATCH][IPTABLES]: suppress the error of modprobe
  2007-02-13  7:47   ` Yasuyuki KOZAKAI
@ 2007-02-19  5:08     ` Yasuyuki KOZAKAI
  0 siblings, 0 replies; 9+ messages in thread
From: Yasuyuki KOZAKAI @ 2007-02-19  5:08 UTC (permalink / raw)
  To: netfilter-devel; +Cc: graham, netfilter, casfre


Hi, all,

Freitas Freitas and Harvey Muller reported that iptables 1.3.7 prints
"FATAL: module ip_tables not found" when ip_tables is built into the
kernel.

I found that this is because iptables always tries to load ip_tables.ko before
getting the revision supported by the kernel.

To suppress that, the following patch ignores the error message from modprobe
ONLY when checking the revision. Instead, load_iptables_ko() tries to load
ip_tables.ko if all prior tries have failed.

Usually I don't like ignoring error messages because that hides
unexpected bugs. But do_command() can print the same error message
as before, so I think it's not so bad in this case.

The alternative solutions I thought about were as follows.

- compatible_revision() issues IPT_SO_* to check whether the kernel has
  ip_tables.ko or not. I think this is too much.
- compatible_revision() tries to load ip_tables.ko only when it has failed
  to get the revision from the kernel the first time. It retries in that case.
  This doesn't fix the issue because a 2.4 kernel with built-in ip_tables.ko
  still prints 'Fatal: ...'

Developers, what do you think?


Index: include/ip6tables.h
===================================================================
--- include/ip6tables.h	(revision 6759)
+++ include/ip6tables.h	(working copy)
@@ -174,7 +174,7 @@
 extern int for_each_chain(int (*fn)(const ip6t_chainlabel, int, ip6tc_handle_t *), int verbose, int builtinstoo, ip6tc_handle_t *handle);
 extern int flush_entries(const ip6t_chainlabel chain, int verbose, ip6tc_handle_t *handle);
 extern int delete_chain(const ip6t_chainlabel chain, int verbose, ip6tc_handle_t *handle);
-extern int ip6tables_insmod(const char *modname, const char *modprobe);
-extern int load_ip6tables_ko(const char *modprobe);
+extern int ip6tables_insmod(const char *modname, const char *modprobe, int quit);
+extern int load_ip6tables_ko(const char *modprobe, int quit);
 
 #endif /*_IP6TABLES_USER_H*/
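Review bot: the new third parameter is named `quit` in both prototypes, but what it controls is whether modprobe is run with `-q` (quiet), so `quiet` would describe it; a one-line comment on the declarations stating that a non-zero value suppresses modprobe's error output would also help callers pick the right value.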
Index: include/iptables_common.h
===================================================================
--- include/iptables_common.h	(revision 6759)
+++ include/iptables_common.h	(working copy)
@@ -27,8 +27,8 @@
 			    unsigned long long int, 
 			    unsigned long long int,
 			    unsigned long long *);
-extern int iptables_insmod(const char *modname, const char *modprobe);
-extern int load_iptables_ko(const char *modprobe);
+extern int iptables_insmod(const char *modname, const char *modprobe, int quit);
+extern int load_iptables_ko(const char *modprobe, int quit);
 void exit_error(enum exittype, char *, ...)__attribute__((noreturn,
 							  format(printf,2,3)));
 extern const char *program_name, *program_version;
Index: iptables.c
===================================================================
--- iptables.c	(revision 6759)
+++ iptables.c	(working copy)
@@ -1149,7 +1149,7 @@
 		exit(1);
 	}
 
-	load_iptables_ko(modprobe);
+	load_iptables_ko(modprobe, 1);
 
 	strcpy(rev.name, name);
 	rev.revision = revision;
@@ -1813,10 +1813,10 @@
 	return NULL;
 }
 
-int iptables_insmod(const char *modname, const char *modprobe)
+int iptables_insmod(const char *modname, const char *modprobe, int quit)
 {
 	char *buf = NULL;
-	char *argv[3];
+	char *argv[4];
 	int status;
 
 	/* If they don't explicitly set it, read out of kernel */
@@ -1831,7 +1831,13 @@
 	case 0:
 		argv[0] = (char *)modprobe;
 		argv[1] = (char *)modname;
-		argv[2] = NULL;
+		if (quit) {
+			argv[2] = "-q";
+			argv[3] = NULL;
+		} else {
+			argv[2] = NULL;
+			argv[3] = NULL;
+		}
 		execv(argv[0], argv);
 
 		/* not usually reached */
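Review bot: argv[0] is the modprobe path that, per the comment above the switch, is read out of the kernel when not set explicitly, so `-q` is passed to whatever helper the kernel's modprobe setting names, and a replacement helper may not accept that flag. Minor: the `else` branch only needs `argv[2] = NULL;`, the extra `argv[3] = NULL;` is dead.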
@@ -1849,14 +1855,14 @@
 	return -1;
 }
 
-int load_iptables_ko(const char *modprobe)
+int load_iptables_ko(const char *modprobe, int quit)
 {
 	static int loaded = 0;
 	static int ret = -1;
 
 	if (!loaded) {
-		ret = iptables_insmod("ip_tables", NULL);
-		loaded = 1;
+		ret = iptables_insmod("ip_tables", NULL, quit);
+		loaded = (ret == 0);
 	}
 
 	return ret;
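Review bot: `loaded = (ret == 0)` only causes the later non-quiet call from do_command() to retry if the quiet probe returned non-zero. Whether it does depends on modprobe: if `-q` makes a missing module exit with status 0, the quiet attempt caches `loaded = 1` with the module still absent and the loud retry never runs, which is exactly the "hides unexpected bugs" case the cover letter worries about. Worth verifying against the modprobe in use.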
@@ -2442,7 +2448,7 @@
 		*handle = iptc_init(*table);
 
 	/* try to insmod the module if iptc_init failed */
-	if (!*handle && load_iptables_ko(modprobe) != -1)
+	if (!*handle && load_iptables_ko(modprobe, 0) != -1)
 		*handle = iptc_init(*table);
 
 	if (!*handle)
Index: ip6tables-restore.c
===================================================================
--- ip6tables-restore.c	(revision 6759)
+++ ip6tables-restore.c	(working copy)
@@ -62,7 +62,7 @@
 
 	if (!handle) {
 		/* try to insmod the module if iptc_init failed */
-		ip6tables_insmod("ip6_tables", modprobe);
+		ip6tables_insmod("ip6_tables", modprobe, 1);
 		handle = ip6tc_init(tablename);
 	}
 
Index: iptables-restore.c
===================================================================
--- iptables-restore.c	(revision 6759)
+++ iptables-restore.c	(working copy)
@@ -59,7 +59,7 @@
 
 	if (!handle) {
 		/* try to insmod the module if iptc_init failed */
-		iptables_insmod("ip_tables", modprobe);
+		iptables_insmod("ip_tables", modprobe, 0);
 		handle = iptc_init(tablename);
 	}
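Review bot: iptables-restore passes `0` here while the matching hunk in ip6tables-restore.c passes `1`, so only the IPv6 restore tool gets a quiet modprobe on this fallback path. Both sit on the same iptc_init() retry and should agree; `0` matches the cover letter's stated intent of suppressing the message only while checking the revision.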
 
Index: ip6tables.c
===================================================================
--- ip6tables.c	(revision 6759)
+++ ip6tables.c	(working copy)
@@ -1126,7 +1126,7 @@
 	strcpy(rev.name, name);
 	rev.revision = revision;
 
-	load_ip6tables_ko(modprobe);
+	load_ip6tables_ko(modprobe, 1);
 
 	max_rev = getsockopt(sockfd, IPPROTO_IPV6, opt, &rev, &s);
 	if (max_rev < 0) {
@@ -1751,10 +1751,10 @@
 	return NULL;
 }
 
-int ip6tables_insmod(const char *modname, const char *modprobe)
+int ip6tables_insmod(const char *modname, const char *modprobe, int quit)
 {
 	char *buf = NULL;
-	char *argv[3];
+	char *argv[4];
 	int status;
 
 	/* If they don't explicitly set it, read out of kernel */
@@ -1769,7 +1769,13 @@
 	case 0:
 		argv[0] = (char *)modprobe;
 		argv[1] = (char *)modname;
-		argv[2] = NULL;
+		if (quit) {
+			argv[2] = "-q";
+			argv[3] = NULL;
+		} else {
+			argv[2] = NULL;
+			argv[3] = NULL;
+		}
 		execv(argv[0], argv);
 
 		/* not usually reached */
@@ -1787,14 +1793,14 @@
 	return -1;
 }
 
-int load_ip6tables_ko(const char *modprobe)
+int load_ip6tables_ko(const char *modprobe, int quit)
 {
 	static int loaded = 0;
 	static int ret = -1;
 
 	if (!loaded) {
-		ret = ip6tables_insmod("ip6_tables", modprobe);
-		loaded = 1;
+		ret = ip6tables_insmod("ip6_tables", modprobe, quit);
+		loaded = (ret == 0);
 	}
 
 	return ret;
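Review bot: the same caching question as for load_iptables_ko() in iptables.c applies here: `loaded = (ret == 0)` relies on a quiet modprobe returning non-zero for a missing module. The function is also a line-for-line copy of the IPv4 one apart from the module name; a shared helper taking the module name would avoid having to fix both in parallel.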
@@ -2355,7 +2361,7 @@
 		*handle = ip6tc_init(*table);
 
 	/* try to insmod the module if iptc_init failed */
-	if (!*handle && load_ip6tables_ko(modprobe) != -1)
+	if (!*handle && load_ip6tables_ko(modprobe, 0) != -1)
 		*handle = ip6tc_init(*table);
 
 	if (!*handle)
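As an added illustration of the retry change described in the cover letter (this is not the thread's patch or iptables code), the following C model reproduces load_iptables_ko()'s once-only cache with a constructed stand-in for iptables_insmod(); fake_insmod, load_ko_old, load_ko_new, run_sequence and attempts_made are hypothetical names.

```c
/* Added example, not code from the thread's patch or from iptables. It
 * models load_iptables_ko()'s once-only cache with a constructed stand-in
 * for iptables_insmod() so old and patched retry behaviour can be compared. */

typedef int (*loader_fn)(const char *modname, int quiet);
/* Constructed loader: fails for the first `fail_first` calls, then
 * succeeds, and counts how often it was invoked. */
static int calls_made, fail_first;

static int fake_insmod(const char *modname, int quiet)
{
    (void)modname; (void)quiet;
    calls_made++;
    return (calls_made <= fail_first) ? -1 : 0;
}

/* Old logic: 'loaded' is set after the first attempt whatever the
 * outcome, so a failed quiet probe is never retried later. */
static int load_ko_old(loader_fn insmod, int *loaded, int *ret, int quiet)
{
    if (!*loaded) {
        *ret = insmod("ip_tables", quiet);
        *loaded = 1;
    }
    return *ret;
}

/* Patched logic: only a successful load is cached. */
static int load_ko_new(loader_fn insmod, int *loaded, int *ret, int quiet)
{
    if (!*loaded) {
        *ret = insmod("ip_tables", quiet);
        *loaded = (*ret == 0);
    }
    return *ret;
}

/* The sequence iptables performs: a quiet probe from compatible_revision(),
 * then the loud fallback from do_command(). Returns the fallback's result. */
int run_sequence(int patched, int failures)
{
    int loaded = 0, ret = -1;
    int (*load)(loader_fn, int *, int *, int) = patched ? load_ko_new : load_ko_old;
    calls_made = 0;
    fail_first = failures;
    load(fake_insmod, &loaded, &ret, 1);          /* compatible_revision() */
    return load(fake_insmod, &loaded, &ret, 0);   /* do_command() fallback */
}
int attempts_made(void) { return calls_made; } /* modprobe runs in last sequence */
```

With one transient failure the old logic reports -1 after a single attempt, while the patched logic retries and succeeds on the second.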


* iptables-1.3.7 Requires ip_tables to be built as module
@ 2007-02-15 19:49 Harvey Muller
  0 siblings, 0 replies; 9+ messages in thread
From: Harvey Muller @ 2007-02-15 19:49 UTC (permalink / raw)
  To: netfilter

Yasuyuki,

During the review, I noticed the inclusion of the load_iptables_ko function within the
compatible_revision function.  Removal of the inclusion results in no error messages,
and testing of the firewall doesn't seem to show adverse effects.

This is the patch I created for testing:

diff -Naur iptables-1.3.7.orig/ip6tables.c iptables-1.3.7/ip6tables.c
--- iptables-1.3.7.orig/ip6tables.c    2007-02-15 14:04:54.000000000 -0500
+++ iptables-1.3.7/ip6tables.c    2007-02-15 14:06:32.000000000 -0500
@@ -1120,8 +1120,6 @@
     strcpy(rev.name, name);
     rev.revision = revision;
 
-    load_ip6tables_ko(modprobe);
-
     max_rev = getsockopt(sockfd, IPPROTO_IPV6, opt, &rev, &s);
     if (max_rev < 0) {
         /* Definitely don't support this? */
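Review bot: dropping the load_ip6tables_ko() call here means compatible_revision() no longer loads the module before the getsockopt() probe that follows, so on a system where ip6_tables is a module that is not yet resident the probe fails and falls into the "Definitely don't support this?" branch, reporting the match/target revision as unsupported. The error message goes away as observed because the only remaining modprobe is the one in do_command(), but the revision check then only works once the module is already loaded.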
diff -Naur iptables-1.3.7.orig/iptables.c iptables-1.3.7/iptables.c
--- iptables-1.3.7.orig/iptables.c    2007-02-15 14:04:54.000000000 -0500
+++ iptables-1.3.7/iptables.c    2007-02-15 14:06:09.000000000 -0500
@@ -1148,8 +1148,6 @@
         exit(1);
     }
 
-    load_iptables_ko(modprobe);
-
     strcpy(rev.name, name);
     rev.revision = revision;
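Review bot: same point as the ip6tables.c hunk: with load_iptables_ko() removed from compatible_revision(), the revision query runs before anything has tried to load ip_tables, so the test that showed no adverse effects was on a built-in kernel and does not cover the modular case.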

Best regards,

Harvey





* iptables-1.3.7 Requires ip_tables to be built as module
@ 2007-02-15 18:41 Harvey Muller
  0 siblings, 0 replies; 9+ messages in thread
From: Harvey Muller @ 2007-02-15 18:41 UTC (permalink / raw)
  To: netfilter

Yasuyuki,

I did not see your post until Wednesday.  I tried all the methods the Gentoo devs used in their ebuild,
but I still get the error, FATAL: module ip_tables not found.

I understand from your post that iptables is probably still working correctly despite the errors.

I've only begun to learn C, so much of the source I read is still unclear to me.  But after reviewing iptables.c,
I believe the problem is related to function load_iptables_ko.  It is the only new addition to the code that would
seem to be creating the problem.

Best regards,

Harvey





* Re: iptables-1.3.7 Requires ip_tables to be built as module
@ 2007-02-13 13:46 Harvey Muller
  0 siblings, 0 replies; 9+ messages in thread
From: Harvey Muller @ 2007-02-13 13:46 UTC (permalink / raw)
  To: netfilter

Graham,

Thanks, that's information I can use.  I'll research the ebuilds to see what
the Gentoo devs did differently between versions.

I come from Gentoo userland, but am using LFS/CLFS variants lately to learn
more about what goes into the guts of building a distribution.  So presently,
I can't lean on portage to do things automatically for me.  But I'll check the
ebuilds out to see what I can learn.

Best regards,

Harvey





* Re: iptables-1.3.7 Requires ip_tables to be built as module
  2007-02-12 15:23 Harvey Muller
@ 2007-02-12 16:17 ` Graham Murray
  0 siblings, 0 replies; 9+ messages in thread
From: Graham Murray @ 2007-02-12 16:17 UTC (permalink / raw)
  To: netfilter

Harvey Muller <hlmuller@yahoo.com> writes:

> I'm using kernel version 2.6.20 on an x86 based system.  Iptables emits
> errors, "FATAL: module ip_tables not found" when ip_tables is built in the
> kernel.  The only workaround is to build ip_tables as a module.

I too am running kernel 2.6.20 and running iptables 1.3.7 and have all
of the iptables features built into the kernel and it works with no
problems or error messages.



* iptables-1.3.7 Requires ip_tables to be built as module
@ 2007-02-12 15:23 Harvey Muller
  2007-02-12 16:17 ` Graham Murray
  0 siblings, 1 reply; 9+ messages in thread
From: Harvey Muller @ 2007-02-12 15:23 UTC (permalink / raw)
  To: netfilter

This is a duplicate report, Freitas reported it first on this list Feb 2.

I'm using kernel version 2.6.20 on an x86 based system.  Iptables emits
errors, "FATAL: module ip_tables not found" when ip_tables is built in the
kernel.  The only workaround is to build ip_tables as a module.

If iptables is being developed to be used ONLY as a module, you might include
a note in the INSTALL document to alert the users.

Best regards,

Harvey




