Since upgrading sys-kernel/gentoo-sources from gentoo-sources-2.6.19-r1 to gentoo-sources-2.6.19-r2 and net-firewall/iptables from iptables-1.3.6 to iptables-1.3.7 I'm getting this error message three times when running my firewall script: "FATAL: Module ip_tables not found." Every netfilter/iptables-related module is statically compiled into the kernel, so the functionality exists but of course there is no module. And I haven't changed anything in the kernel configuration. My script doesn't run the modprobe command, and the firewall rules seem to be created correctly. So I think that the new iptables somewhere tries to load a module without checking whether this module is really compiled as a module or statically into the kernel. And I don't like to compile such security-related things as modules. So it would be nice if someone could have a look at this.

emerge --info:
Portage 2.1.2_rc3-r5 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.5-r0, 2.6.19-gentoo-r2 i686)
=================================================================
System uname: 2.6.19-gentoo-r2 i686 AMD Athlon(tm) XP 1600+
Gentoo Base System version 1.12.6
Last Sync: Thu, 14 Dec 2006 15:30:01 +0000
dev-java/java-config: 1.3.7, 2.0.30
dev-lang/python: 2.4.4
dev-python/pycrypto: 2.0.1-r5
sys-apps/sandbox: 1.2.18.1
sys-devel/autoconf: 2.13, 2.60
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils: 2.17
sys-devel/gcc-config: 1.3.14
sys-devel/libtool: 1.5.22
virtual/os-headers: 2.6.17-r1
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=athlon-xp -O2 -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/splash /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-march=athlon-xp -O2 -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distlocks metadata-transfer sandbox sfperms strict"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LANG="de_DE.UTF-8"
LINGUAS="de"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/usr/var"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 3dnow 3dnowext X a52 aac aalib accessibility acpi alsa alsa_cards_emu10k1 apache2 apm arts asf audiofile avi berkdb bitmap-fonts bluetooth bzip2 cairo cdda cddb cdparanoia cdr chardet chipcard cli cracklib crypt cups curl dga directfb divx dlloader doc dri dv dvb dvd dvdr dvdread eds effects elibc_glibc emacs emboss encode expat extrafilters fam fame fbcon ffmpeg firefox flac foomaticdb fortran ftp gcc-libffi gcj gd gdbm geldkarte gif gimp glib glitz gmedia gmp gnutls gpm graphviz gs gstreamer gtk gtk2 gtkhtml hbci iconv idn ilbc imagemagick imlib inkjar input_devices_evdev input_devices_keyboard input_devices_mouse ipv6 irmc isdnlog jce jpeg kde kernel_linux lcms ldap leim libg++ libnotify linguas_de lirc lirc_devices_devinput live lm_sensors mad mailwrapper mbox mbrola mikmod mjpeg mmx mmx2 mmxext mng modplug motif mozbranding mozilla mp3 mp4 mpeg mplayer mysql mysqli nas ncurses network nls noamazon nptl nptlonly nsplugin ntfs nvidia objc objc++ objc-gc odbc offensive ofx ogg oggvorbis opengl oss pam pcre pdf perl php plugin png ppds pppd print python qt qt3 qt3support qt4 quicktime quotes readline real realmedia reflection reiserfs rtc rtsp scanner sdl session slang slideshow smime speex spell spl sqlite sse sse-filters ssl svg svga tcl tcltk tcpd tetex theora threads tidy tiff tk tokenizer tools truetype truetype-fonts type1-fonts udev unicode usb userland_GNU utempter v4l v4l2 vdr video_cards_nvidia video_cards_v4l vidix visualization vlm vorbis win32codecs wma wmf wmp xcomposite xine xml xml2 xorg xpm xv xvid yv12 zip zlib zrtp"
Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, LDFLAGS, MAKEOPTS, PORTAGE_RSYNC_EXTRA_OPTS
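The reporter's point is that a userspace tool should check whether netfilter support is built in before it tries to modprobe anything. The script below is an added example written for this page, not code from the bug report, from iptables or from Gentoo. It assumes the kernel has CONFIG_PROC_FS so that /proc/net/ip_tables_names exists as soon as the ip_tables core is active (built in or loaded), that /proc/modules lists loaded modules one per line with the name first, and that iptables's `--modprobe=command` option is available; the function names are my own. Both proc paths can be overridden by arguments so the logic runs against constructed files.

```shell
#!/bin/sh
# Added example (not from the bug report): decide how the ip_tables core is
# provided before applying rules, so a firewall script on a kernel with
# netfilter compiled in never invokes modprobe for it.
#
# Assumptions (mine, not stated on the page):
#  - CONFIG_PROC_FS is set, so /proc/net/ip_tables_names appears as soon as
#    the ip_tables core is active, whether built in or loaded as a module;
#  - /proc/modules lists loaded modules one per line, module name first;
#  - iptables accepts --modprobe=command (documented as -M/--modprobe).
# Arguments 1 and 2 override the two proc paths for testing.

# Prints one of: builtin, module, missing
nf_ip_tables_state() {
    proc_file="${1:-/proc/net/ip_tables_names}"
    modules_file="${2:-/proc/modules}"
    if [ -e "$proc_file" ]; then
        # The core is active; it is a module only if /proc/modules lists it.
        if grep -q '^ip_tables ' "$modules_file" 2>/dev/null; then
            echo module
        else
            echo builtin
        fi
    else
        echo missing
    fi
}

# Returns 0 when ip_tables is usable, loading it only when it is really absent.
# modprobe's own "FATAL: Module ip_tables not found." is silenced here because
# on a static kernel that message is noise, not a failure.
ensure_ip_tables() {
    case "$(nf_ip_tables_state "$@")" in
        builtin|module) return 0 ;;
        *) modprobe -q ip_tables 2>/dev/null ;;
    esac
}

# Prints the extra option to hand to iptables. When the core is built in,
# the --modprobe hook is pointed at /bin/true so the iptables binary itself
# never spawns modprobe for matches such as -m multiport. Only appropriate
# when every netfilter piece is built in (the reporter's configuration);
# with match extensions as modules, leave the option empty.
iptables_modprobe_opt() {
    case "$(nf_ip_tables_state "$@")" in
        builtin) echo '--modprobe=/bin/true' ;;
        *) echo '' ;;
    esac
}

# Example use in a firewall script (chain name taken from the thread,
# address is a documentation range):
#   ensure_ip_tables || { echo "no ip_tables support" >&2; exit 1; }
#   iptables $(iptables_modprobe_opt) -A tcp_packets_out -p tcp -m multiport \
#       -d 192.0.2.10 --dports 110,25 -j ACCEPT
```

This does not change what the iptables 1.3.7 binary does internally; it only keeps the firewall script from relying on modprobe for a built-in core and, where all of netfilter is static, stops iptables from calling modprobe at all. If the core is reported as missing and `ensure_ip_tables` still fails, the kernel genuinely lacks ip_tables and the rules should not be applied.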
Post the actual commands that are causing the messages to show up in `dmesg`. Also, try downgrading just iptables to 1.3.6 and see if the error goes away.
I have the same problem with kernel 2.6.19.1 and iptables-1.3.7. iptables-1.3.6 works but doesn't compile on kernel >2.6.19. It only happens with some iptables invocations. Most of them work.
Created attachment 104194: This patch seems to fix the problem.
Going by upstream logs, this change was on purpose ... simply reverting it is not correct.
I too have this problem. Is this something that should/will be taken upstream?
*** Bug 158436 has been marked as a duplicate of this bug. ***
Created attachment 104281: _fix_ the problem; pretty simple but helps.
I guess I've found out by chance which iptables rules/commands are causing the error message "FATAL: Module ip_tables not found.": /sbin/iptables -A tcp_packets_out -p TCP -m multiport -d 111.222.333.444 --dports 110,25 -j ACCEPT When I filed this bug report I had this command three times in my firewall script and I got the error message also three times. In the meantime I changed my provider and added this rule a fourth time to my firewall script. Since then I'm getting the error message four times. So I guess the error messages are caused by the -m multiport and --dports parameters. Maybe this helps.
(In reply to comment #8)
> I guess I've found out by chance which iptables rules/commands are causing the
> error message "FATAL: Module ip_tables not found.":

Nope, the problem is not in any rule. The multiport module just exposes the bug; it's OK itself. The problem is in the module initialization function. The 517-byte patch does _fix_ the problem. It has also been posted to the netfilter team. Thanks.
Thanks for posting this upstream, Nick.
I am having this same problem. I know that it is my l7-protocol command that causes this: "iptables -t mangle -A OUTPUT -m layer7 --l7proto bittorrent -j MARK --set-mark 2" this command works nicely with iptables-1.3.6.
(In reply to comment #11)
> I am having this same problem. I know that it is my l7-protocol command that
> causes this:
> "iptables -t mangle -A OUTPUT -m layer7 --l7proto bittorrent -j MARK --set-mark 2"
>
> this command works nicely with iptables-1.3.6.

If you are using static 1.3.7, then the patch from 2006-12-18 04:59 PST is your cure :)
The real fix doesn't work for me; I had to use the bad fix.
http://patchwork.netfilter.org/netfilter-devel/patch.pl?id=196
I emerged iptables at:
Wed Feb 28 00:39:47 2007 >>> net-firewall/iptables-1.3.7
Here the error did not show up.
Fri Apr 13 01:38:22 2007 >>> net-firewall/iptables-1.3.7
Error message: FATAL: Module ip_tables not found.

Please, to prevent such confusion in the future: DO NOT CHANGE AN EBUILD ALREADY LISTED IN THE PORTAGE TREE! I.e. add -r1, -r2 ...
Update:
/etc/init.d/iptables save
 * Saving iptables state ...
FATAL: Module ip_tables not found.
[ ok ]
iptables 1.3.8 includes the fix.