Bug 188873 - net-firewall/iptables-1.3.8 - iptables-restore couldn't load match `recent'
Bug#: 188873
Product: Gentoo Linux
Version: unspecified
Platform: All
OS/Version: Linux
Status: RESOLVED
Severity: major
Priority: P2
Resolution: FIXED
Assigned To: base-system@gentoo.org
Reported By: dsdale24@gmail.com
Component: Applications
Opened: 2007-08-14 18:12 0000
I am following the iptables HOWTO at
http://gentoo-wiki.com/HOWTO_Iptables_for_newbies. My iptables.bak has a line
like:
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update
--seconds 60 --hitcount 20 --name DEFAULT --rsource -j DROP
When I try to run the command:
# iptables-restore /etc/iptables.bak
I get the following error:
iptables-restore v1.3.8: Couldn't load match
`recent':/lib64/iptables/libipt_recent.so: cannot open shared object file: No
such file or directory
Error occurred at line: 15
Based on the man page, I would expect that "-m recent" is still valid syntax.
Here is my emerge --info:
Portage 2.1.3.5 (default-linux/amd64/2007.0/desktop, gcc-4.2.0, glibc-2.6.1-r0,
2.6.22-gentoo-r3 x86_64)
=================================================================
System uname: 2.6.22-gentoo-r3 x86_64 Dual Core AMD Opteron(tm) Processor 275
Gentoo Base System release 1.12.10
Timestamp of tree: Tue, 14 Aug 2007 17:00:01 +0000
dev-java/java-config: 1.3.7, 2.0.33-r1
dev-lang/python: 2.5.1-r2
dev-python/pycrypto: 2.0.1-r6
sys-apps/sandbox: 1.2.18.1
sys-devel/autoconf: 2.13, 2.61-r1
sys-devel/automake: 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils: 2.17, 2.17.50.0.17
sys-devel/gcc-config: 1.3.16
sys-devel/libtool: 1.5.24
virtual/os-headers: 2.6.22-r2
ACCEPT_KEYWORDS="amd64 ~amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -march=k8 -mtune=k8 -pipe -fomit-frame-pointer"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config
/usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/revdep-rebuild
/etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-O2 -march=k8 -mtune=k8 -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks fixpackages metadata-transfer sandbox sfperms strict
unmerge-orphans userfetch"
GENTOO_MIRRORS="http://distfiles.gentoo.org
http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LANG="en_US.UTF-8"
LC_ALL="en_US.UTF-8"
LINGUAS="en en_US"
MAKEOPTS="-j5"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude=/distfiles --exclude=/local --exclude=/packages
--filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="3dnow X aac acl acpi alsa amd64 apache2 arts atlas avahi bash-completion
berkdb bitmap-fonts blas bookmarks branding bzip2 cairo cblas cdr cli cracklib
crypt ctype cups dbus doc dri dvd dvdr dvdread eds emacs emboss encode epydoc
esd evo examples f77 fam fftw firefox foomativdb fortran gdbm gif gimpprint gpm
gstreamer gtk hal iconv imagemagick imap isdnlog ivman java jpeg jpeg2k kde
kdeenablefinal kerberos lapack latex ldap mad mdnsresponder-compat midi mikmod
mime mmap mmx mozbranding mozilla mozsvg mp3 mpeg mplayer mudflap multislot
ncurses nptl nptlonly nsplugin ogg opengl openmp oss pam pcre pdf perl pic png
ppds pppd python qt3 qt3support qt4 quicktime readline reflection rss samba sdl
sensord session spell spl sse sse2 ssl subversion svg symlink tcltk tcpd tetex
threads tiff tk truetype truetype-fonts type1-fonts umfpack unicode usb vorbis
webdav winbind wxwindows xcomposite xfs xinerama xml xorg xv zeroconf zlib"
ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x
ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3
trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw
asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa
lfloat linear meter mulaw multi null plug rate route share shm softvol"
ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad
cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en
en_US" USERLAND="GNU" VIDEO_CARDS="ati vga fglrx"
Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, PORTAGE_COMPRESS,
PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OP
Reproducible: Always
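Added example, not code from the report, from iptables or from Gentoo: a small POSIX sh preflight that reads an iptables-save style file, lists every -m / -j extension it references and checks that the userspace plugin libipt_NAME.so exists under the iptables library directory, so a missing plugin such as libipt_recent.so above is reported before iptables-restore is run instead of aborting the restore at "line 15". The library path /lib64/iptables is taken from the error message and can be overridden with IPT_LIBDIR; the function names (required_extensions, check_extensions, make_fixture) and the sample rules file, which reuses the reporter's SSH rate-limit rule, are constructed for this example.

```shell
#!/bin/sh
# Preflight for iptables-restore: find every "-m"/"-j" extension a rules file
# references and check that its userspace plugin (libipt_NAME.so) is present
# in the iptables library directory. Added example for this bug thread; it is
# not part of iptables or of the Gentoo ebuild.

# Library directory; the reporter's error names /lib64/iptables on amd64.
IPT_LIBDIR="${IPT_LIBDIR:-/lib64/iptables}"

# Print "match NAME" / "target NAME" lines, deduplicated, for every extension
# in an iptables-save style file. Built-in verdicts and chains declared in the
# file itself (":NAME ...") are jump targets, not plugins, so they are skipped.
# Files written by iptables-save list protocol matches explicitly ("-m tcp"),
# which is why "-p" alone is not tracked here.
required_extensions() {
    awk '
        BEGIN { skip["ACCEPT"] = skip["DROP"] = skip["RETURN"] = skip["QUEUE"] = 1 }
        /^:/     { sub(/^:/, ""); skip[$1] = 1; next }   # chain declaration
        /^[#*]/  { next }                                 # comment or table name
        {
            for (i = 1; i < NF; i++) {
                if ($i == "-m" || $i == "--match")
                    print "match " $(i + 1)
                else if (($i == "-j" || $i == "--jump") && !($(i + 1) in skip))
                    print "target " $(i + 1)
            }
        }' "$1" | sort -u
}

# Return 0 when every plugin exists under the library directory; otherwise
# print the missing ones to stderr and return 1.
check_extensions() {
    rules="$1"; libdir="${2:-$IPT_LIBDIR}"; missing=""
    for entry in $(required_extensions "$rules" | tr ' ' ':'); do
        name="${entry#*:}"
        [ -f "$libdir/libipt_$name.so" ] || missing="$missing $entry"
    done
    [ -z "$missing" ] && return 0
    echo "missing iptables plugins in $libdir:$missing" >&2
    return 1
}

# Build a scratch tree for offline runs: a constructed rules file (the SSH
# rate-limit rule from the report plus a user-defined chain) and empty stub
# plugin files for the names given in $1. Prints the directory path.
make_fixture() {
    dir=$(mktemp -d)
    mkdir "$dir/lib"
    for name in $1; do : > "$dir/lib/libipt_$name.so"; done
    cat > "$dir/rules" <<'EOF'
# constructed sample, same shape as the reporter's iptables.bak
*filter
:INPUT ACCEPT [0:0]
:SSH_GUARD - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j SSH_GUARD
-A SSH_GUARD -m recent --update --seconds 60 --hitcount 20 --name DEFAULT --rsource -j DROP
-A SSH_GUARD -j LOG --log-prefix "ssh-new: "
COMMIT
EOF
    echo "$dir"
}

# Stand-alone run: a fixture without libipt_recent.so reproduces the failure
# mode from the report; adding the stub makes the check pass.
demo_dir=$(make_fixture "tcp state LOG")
check_extensions "$demo_dir/rules" "$demo_dir/lib" || echo "preflight failed, as expected"
: > "$demo_dir/lib/libipt_recent.so"
check_extensions "$demo_dir/rules" "$demo_dir/lib" && echo "preflight ok"
rm -rf "$demo_dir"
```

On a real host the call is `check_extensions /etc/iptables.bak /lib64/iptables` in the init script just before iptables-restore, so that a rebuilt iptables without its plugins is noticed before the rate-limiting rule silently fails to load. The check covers only the userspace side; whether the kernel has the recent match (CONFIG_IP_NF_MATCH_RECENT) is a separate question that this script does not answer.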
Maybe it will work better if you enable CONFIG_IP_NF_MATCH_RECENT
Networking options --->
Network packet filtering framework (Netfilter) --->
IP: Netfilter Configuration --->
<M> IP tables support (required for filtering/masq/NAT)
<M> recent match support
(In reply to comment #1)
> Maybe it will work better if you enable CONFIG_IP_NF_MATCH_RECENT
>
> Networking options --->
> Network packet filtering framework (Netfilter) --->
> IP: Netfilter Configuration --->
> <M> IP tables support (required for filtering/masq/NAT)
> <M> recent match support
>
It was enabled as a module when I filed the bug.
Recompile iptables and try again; if it still doesn't work, attach your kernel
.config here.
Reopening. I'll apologize in advance if I have done something stupid, but I
have had iptables working on this machine in the past, with the same rules and
the same config settings. I don't know when the problem began occurring, maybe
when I upgraded to 2.6.22?
Should be fixed in 1.3.8-r2, thanks for the report!
*** Bug 190611 has been marked as a duplicate of this bug. ***
What about closing a bug report as "RESOLVED FIXED" only once the package is
marked as stable?
Generally bug reports reflect the latest in the tree, not stable.
*** Bug 194038 has been marked as a duplicate of this bug. ***
Maybe I'm missing something here, but 1.3.8-r2 doesn't work either. I saw this
problem because I'm using shorewall. Shorewall has a nice command:
shorewall show capabilities
which shows precisely which parts of iptables are enabled. With 1.3.5-r4 this
is shown:
Shorewall has detected the following iptables/netfilter capabilities:
NAT: Available
Packet Mangling: Available
Multi-port Match: Available
Extended Multi-port Match: Available
Connection Tracking Match: Available
Packet Type Match: Available
Policy Match: Available
Physdev Match: Not available
Packet length Match: Available
IP range Match: Available
Recent Match: Available
Owner Match: Available
Ipset Match: Not available
CONNMARK Target: Available
Extended CONNMARK Target: Available
Connmark Match: Available
Extended Connmark Match: Available
Raw Table: Available
IPP2P Match: Available
CLASSIFY Target: Available
Extended REJECT: Available
Repeat match: Not available
MARK Target: Available
Extended MARK Target: Available
Mangle FORWARD Chain: Available
Comments: Available
Address Type Match: Available
TCPMSS Match: Available
Hashlimit Match: Available
With exactly the same config in everything else, just compiling 1.3.8-r2 (as
well as r1) shows this:
Shorewall has detected the following iptables/netfilter capabilities:
NAT: Available
Packet Mangling: Available
Multi-port Match: Available
Extended Multi-port Match: Available
Connection Tracking Match: Available
Packet Type Match: Available
Policy Match: Available
Physdev Match: Not available
Packet length Match: Available
IP range Match: Available
Recent Match: Available
Owner Match: Available
Ipset Match: Not available
CONNMARK Target: Available
Extended CONNMARK Target: Available
Connmark Match: Available
Extended Connmark Match: Available
Raw Table: Available
IPP2P Match: Available
CLASSIFY Target: Available
Extended REJECT: Available
Repeat match: Not available
MARK Target: Available
Extended MARK Target: Available
Mangle FORWARD Chain: Available
Comments: Available
Address Type Match: Available
TCPMSS Match: Available
Hashlimit Match: Available
As you can see, a lot of Not Available's that were available with 1.3.5-r4. I
saw on bug 194038 that maybe the extensions use-flag would fix this, but it
didn't. Same problem. Rolling back to 1.3.5-r4.
My prognosis:
>=1.3.8 doesn't load modules.
I think a bug should be filed to unstabilize 1.3.8. Should I do it? Or can we
use this bug?
Thanks!
I must be just asleep today or something. Pasted the same output of shorewall
show capabilities twice... Sorry for that. The output of the command with
1.3.8-rX is:
Shorewall has detected the following iptables/netfilter capabilities:
NAT: Available
Packet Mangling: Not available
Multi-port Match: Available
Extended Multi-port Match: Available
Connection Tracking Match: Available
Packet Type Match: Available
Policy Match: Available
Physdev Match: Not available
Packet length Match: Available
IP range Match: Available
Recent Match: Available
Owner Match: Available
Ipset Match: Not available
CONNMARK Target: Not available
Connmark Match: Available
Extended Connmark Match: Available
Raw Table: Available
IPP2P Match: Not available
CLASSIFY Target: Not available
Extended REJECT: Available
Repeat match: Available
MARK Target: Not available
Mangle FORWARD Chain: Not available
Comments: Available
Address Type Match: Available
TCPMSS Match: Available
Hashlimit Match: Available
*** Bug 196924 has been marked as a duplicate of this bug. ***