Bug#: 188873
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo's Team for Core System packages <base-system@gentoo.org>
Reporter: Darren Dale <dsdale24@gmail.com>

Filename Description Type Creator Created Size Actions
net-firewall:iptables-1.3.8-r1:20070815-122216.log build log for iptables text/plain Darren Dale 2007-08-15 12:27 0000 33.00 KB Details
config-2.6.22-gentoo-r3 kernel .config text/plain Darren Dale 2007-08-15 12:29 0000 41.90 KB Details

Description:   Opened: 2007-08-14 18:12 0000
I am following the iptables HOWTO at
http://gentoo-wiki.com/HOWTO_Iptables_for_newbies. My iptables.bak has a line
like:

-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 20 --name DEFAULT --rsource -j DROP


When I try to run the command:

# iptables-restore  /etc/iptables.bak

I get the following error:
iptables-restore v1.3.8: Couldn't load match `recent':/lib64/iptables/libipt_recent.so: cannot open shared object file: No such file or directory

Error occurred at line: 15

Based on the man page, I would expect that "-m recent" is still valid syntax.


Here is my emerge --info:

Portage 2.1.3.5 (default-linux/amd64/2007.0/desktop, gcc-4.2.0, glibc-2.6.1-r0,
2.6.22-gentoo-r3 x86_64)
=================================================================
System uname: 2.6.22-gentoo-r3 x86_64 Dual Core AMD Opteron(tm) Processor 275
Gentoo Base System release 1.12.10
Timestamp of tree: Tue, 14 Aug 2007 17:00:01 +0000
dev-java/java-config: 1.3.7, 2.0.33-r1
dev-lang/python:     2.5.1-r2
dev-python/pycrypto: 2.0.1-r6
sys-apps/sandbox:    1.2.18.1
sys-devel/autoconf:  2.13, 2.61-r1
sys-devel/automake:  1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.17, 2.17.50.0.17
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.24
virtual/os-headers:  2.6.22-r2
ACCEPT_KEYWORDS="amd64 ~amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -march=k8 -mtune=k8 -pipe -fomit-frame-pointer"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config
/usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/revdep-rebuild
/etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-O2 -march=k8 -mtune=k8 -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks fixpackages metadata-transfer sandbox sfperms strict
unmerge-orphans userfetch"
GENTOO_MIRRORS="http://distfiles.gentoo.org
http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LANG="en_US.UTF-8"
LC_ALL="en_US.UTF-8"
LINGUAS="en en_US"
MAKEOPTS="-j5"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude=/distfiles --exclude=/local --exclude=/packages
--filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="3dnow X aac acl acpi alsa amd64 apache2 arts atlas avahi bash-completion
berkdb bitmap-fonts blas bookmarks branding bzip2 cairo cblas cdr cli cracklib
crypt ctype cups dbus doc dri dvd dvdr dvdread eds emacs emboss encode epydoc
esd evo examples f77 fam fftw firefox foomativdb fortran gdbm gif gimpprint gpm
gstreamer gtk hal iconv imagemagick imap isdnlog ivman java jpeg jpeg2k kde
kdeenablefinal kerberos lapack latex ldap mad mdnsresponder-compat midi mikmod
mime mmap mmx mozbranding mozilla mozsvg mp3 mpeg mplayer mudflap multislot
ncurses nptl nptlonly nsplugin ogg opengl openmp oss pam pcre pdf perl pic png
ppds pppd python qt3 qt3support qt4 quicktime readline reflection rss samba sdl
sensord session spell spl sse sse2 ssl subversion svg symlink tcltk tcpd tetex
threads tiff tk truetype truetype-fonts type1-fonts umfpack unicode usb vorbis
webdav winbind wxwindows xcomposite xfs xinerama xml xorg xv zeroconf zlib"
ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x
ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3
trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw
asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa
lfloat linear meter mulaw multi null plug rate route share shm softvol"
ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad
cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en
en_US" USERLAND="GNU" VIDEO_CARDS="ati vga fglrx"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, PORTAGE_COMPRESS,
PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OP

Reproducible: Always
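The error above is what iptables-restore prints when a rule names a match or target whose userspace plugin is not installed. The following POSIX shell check is an added example and is not part of this bug report: it lists every extension a rules file references and reports those without a plugin in a given library directory, so the missing piece can be identified before a restore fails half-way through and leaves the firewall in a partial state. It assumes the iptables 1.3.x plugin naming libipt_<name>.so (newer releases use libxt_<name>.so, so both are accepted); the rules file and the fake plugin directory are constructed inline from the rule quoted in the report.

```shell
#!/bin/sh
# Added example (not from the bug report): find iptables extensions that a
# rules file references but whose userspace plugin is missing, which is the
# failure iptables-restore reports for "recent" above.

# List every match (-m/--match) and target (-j/--jump) name used in an
# iptables-save style file. Built-in targets and user-defined chains
# (declared with ":NAME ..." lines) are not plugins and are skipped.
ipt_extensions() {
    awk '
        /^:/ { chain[substr($1, 2)] = 1; next }
        /^-[AI] / {
            for (i = 1; i < NF; i++) {
                if ($i == "-m" || $i == "--match") print $(i + 1)
                else if ($i == "-j" || $i == "--jump") target[$(i + 1)] = 1
            }
        }
        END {
            for (t in target)
                if (!(t in chain) && t != "ACCEPT" && t != "DROP" &&
                    t != "RETURN" && t != "QUEUE") print t
        }' "$1" | sort -u
}

# Report every extension in RULESFILE whose plugin is absent from LIBDIR.
# Assumption: iptables 1.3.x names plugins libipt_<name>.so; newer releases
# use libxt_<name>.so, so both spellings are accepted.
missing_ipt_extensions() {
    rules="$1"; libdir="$2"
    for name in $(ipt_extensions "$rules"); do
        if [ ! -e "$libdir/libipt_$name.so" ] && [ ! -e "$libdir/libxt_$name.so" ]; then
            echo "$name"
        fi
    done
}

# Constructed sample: the rule from the report plus a fake plugin directory
# that deliberately lacks libipt_recent.so. Echoes the sample directory.
make_sample() {
    dir=$(mktemp -d)
    mkdir "$dir/lib"
    : > "$dir/lib/libipt_tcp.so"
    : > "$dir/lib/libipt_state.so"
    cat > "$dir/iptables.bak" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:SSH_LIMIT - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j SSH_LIMIT
-A SSH_LIMIT -m recent --update --seconds 60 --hitcount 20 --name DEFAULT --rsource -j DROP
COMMIT
EOF
    echo "$dir"
}

sample=$(make_sample)
echo "Extensions referenced: $(ipt_extensions "$sample/iptables.bak" | tr '\n' ' ')"
echo "Missing plugins:       $(missing_ipt_extensions "$sample/iptables.bak" "$sample/lib" | tr '\n' ' ')"
rm -rf "$sample"
```

On a real system the second argument is the plugin directory iptables was built with (/lib64/iptables in the report); the userspace plugin being present is necessary but not sufficient, since the matching kernel module (the recent match from comment #1) must also be built, which this check does not cover.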

------- Comment #1 From Jakub Moc (RETIRED) 2007-08-14 20:09:05 0000 -------
Maybe it will work better if you enable CONFIG_IP_NF_MATCH_RECENT

Networking options  --->
  Network packet filtering framework (Netfilter)  --->
    IP: Netfilter Configuration  --->
      <M> IP tables support (required for filtering/masq/NAT)
      <M>   recent match support 

------- Comment #2 From Darren Dale 2007-08-14 23:39:07 0000 -------
(In reply to comment #1)
> Maybe it will work better if you enable CONFIG_IP_NF_MATCH_RECENT
> 
> Networking options  --->
>   Network packet filtering framework (Netfilter)  --->
>     IP: Netfilter Configuration  --->
>       <M> IP tables support (required for filtering/masq/NAT)
>       <M>   recent match support 
> 

It was enabled as a module when I filed the bug.

------- Comment #3 From Jakub Moc (RETIRED) 2007-08-15 06:07:19 0000 -------
Recompile iptables and try again; if it still doesn't work, attach your kernel
.config here.

------- Comment #4 From Darren Dale 2007-08-15 12:27:52 0000 -------
Created an attachment (id=128157) [details]
build log for iptables

build log for iptables

------- Comment #5 From Darren Dale 2007-08-15 12:29:14 0000 -------
Created an attachment (id=128159) [details]
kernel .config

------- Comment #6 From Darren Dale 2007-08-15 12:36:25 0000 -------
Reopening. I'll apologize in advance if I have done something stupid, but I
have had iptables working on this machine in the past, with the same rules and
the same config settings. I don't know when the problem began occurring, maybe
when I upgraded to 2.6.22?

------- Comment #7 From SpanKY 2007-08-25 16:25:09 0000 -------
should be fixed in 1.3.8-r2, thanks for the report !

------- Comment #8 From Jakub Moc (RETIRED) 2007-08-29 11:06:41 0000 -------
*** Bug 190611 has been marked as a duplicate of this bug. ***

------- Comment #9 From Toralf Förster 2007-08-30 15:07:51 0000 -------
What about not closing a bug report as "RESOLVED FIXED" before the package is
marked as stable?

------- Comment #10 From SpanKY 2007-08-30 15:28:57 0000 -------
generally bug reports reflect latest in the tree, not stable

------- Comment #11 From Jakub Moc (RETIRED) 2007-09-27 21:49:51 0000 -------
*** Bug 194038 has been marked as a duplicate of this bug. ***

------- Comment #12 From Jose Medellin 2007-09-29 14:53:16 0000 -------
Maybe I'm missing something here, but 1.3.8-r2 doesn't work either.  I saw this
problem because I'm using shorewall.  Shorewall has a nice command:

shorewall show capabilities

which shows precisely which parts of iptables are enabled.  With 1.3.5-r4 this
is shown:

Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Extended Multi-port Match: Available
   Connection Tracking Match: Available
   Packet Type Match: Available
   Policy Match: Available
   Physdev Match: Not available
   Packet length Match: Available
   IP range Match: Available
   Recent Match: Available
   Owner Match: Available
   Ipset Match: Not available
   CONNMARK Target: Available
   Extended CONNMARK Target: Available
   Connmark Match: Available
   Extended Connmark Match: Available
   Raw Table: Available
   IPP2P Match: Available
   CLASSIFY Target: Available
   Extended REJECT: Available
   Repeat match: Not available
   MARK Target: Available
   Extended MARK Target: Available
   Mangle FORWARD Chain: Available
   Comments: Available
   Address Type Match: Available
   TCPMSS Match: Available
   Hashlimit Match: Available

With exactly the same config in everything else, just compiling 1.3.8-r2 (as
well as r1) shows this:

Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Extended Multi-port Match: Available
   Connection Tracking Match: Available
   Packet Type Match: Available
   Policy Match: Available
   Physdev Match: Not available
   Packet length Match: Available
   IP range Match: Available
   Recent Match: Available
   Owner Match: Available
   Ipset Match: Not available
   CONNMARK Target: Available
   Extended CONNMARK Target: Available
   Connmark Match: Available
   Extended Connmark Match: Available
   Raw Table: Available
   IPP2P Match: Available
   CLASSIFY Target: Available
   Extended REJECT: Available
   Repeat match: Not available
   MARK Target: Available
   Extended MARK Target: Available
   Mangle FORWARD Chain: Available
   Comments: Available
   Address Type Match: Available
   TCPMSS Match: Available
   Hashlimit Match: Available

As you can see, a lot of Not Available's that were available with 1.3.5-r4.  I
saw on bug 194038 that maybe the extensions use-flag would fix this, but it
didn't. Same problem.  Rolling back to 1.3.5-r4.  

My prognosis: 

>=1.3.8 doesn't load modules.  

I think a bug should be filed to unstabilize 1.3.8.  Should I do it?  Or can we
use this bug?

Thanks!

------- Comment #13 From Jose Medellin 2007-09-29 14:54:48 0000 -------
I must be just asleep today or something.  Pasted the same output of shorewall
show capabilities twice...  Sorry for that.  The output of the command with
1.3.8-rX is:

Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Not available
   Multi-port Match: Available
   Extended Multi-port Match: Available
   Connection Tracking Match: Available
   Packet Type Match: Available
   Policy Match: Available
   Physdev Match: Not available
   Packet length Match: Available
   IP range Match: Available
   Recent Match: Available
   Owner Match: Available
   Ipset Match: Not available
   CONNMARK Target: Not available
   Connmark Match: Available
   Extended Connmark Match: Available
   Raw Table: Available
   IPP2P Match: Not available
   CLASSIFY Target: Not available
   Extended REJECT: Available
   Repeat match: Available
   MARK Target: Not available
   Mangle FORWARD Chain: Not available
   Comments: Available
   Address Type Match: Available
   TCPMSS Match: Available
   Hashlimit Match: Available

------- Comment #14 From Jakub Moc (RETIRED) 2007-10-24 17:42:40 0000 -------
*** Bug 196924 has been marked as a duplicate of this bug. ***
