Bug 188873

Summary:	net-firewall/iptables-1.3.8 - iptables-restore couldn't load match `recent'
Product:	Gentoo Linux	Reporter:	Darren Dale <dsdale24>
Component:	Current packages	Assignee:	Gentoo's Team for Core System packages <base-system>
Status:	RESOLVED FIXED
Severity:	major	CC:	agm, jfmc2, toralf
Priority:	High
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:
Package list:		Runtime testing required:	---
Attachments:	build log for iptables kernel .config

Description Darren Dale 2007-08-14 18:12:27 UTC

I am following the iptables HOWTO at http://gentoo-wiki.com/HOWTO_Iptables_for_newbies. My iptables.bak has a line like:

-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 20 --name DEFAULT --rsource -j DROP


When I try to run the command:

# iptables-restore  /etc/iptables.bak

I get the following error:
iptables-restore v1.3.8: Couldn't load match `recent':/lib64/iptables/libipt_recent.so: cannot open shared object file: No such file or directory

Error occurred at line: 15

Based on the man page, I would expect that "-m recent" is still valid syntax.


Here is my emerge --info:

Portage 2.1.3.5 (default-linux/amd64/2007.0/desktop, gcc-4.2.0, glibc-2.6.1-r0, 2.6.22-gentoo-r3 x86_64)
=================================================================
System uname: 2.6.22-gentoo-r3 x86_64 Dual Core AMD Opteron(tm) Processor 275
Gentoo Base System release 1.12.10
Timestamp of tree: Tue, 14 Aug 2007 17:00:01 +0000
dev-java/java-config: 1.3.7, 2.0.33-r1
dev-lang/python:     2.5.1-r2
dev-python/pycrypto: 2.0.1-r6
sys-apps/sandbox:    1.2.18.1
sys-devel/autoconf:  2.13, 2.61-r1
sys-devel/automake:  1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.17, 2.17.50.0.17
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.24
virtual/os-headers:  2.6.22-r2
ACCEPT_KEYWORDS="amd64 ~amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -march=k8 -mtune=k8 -pipe -fomit-frame-pointer"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-O2 -march=k8 -mtune=k8 -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks fixpackages metadata-transfer sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LANG="en_US.UTF-8"
LC_ALL="en_US.UTF-8"
LINGUAS="en en_US"
MAKEOPTS="-j5"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="3dnow X aac acl acpi alsa amd64 apache2 arts atlas avahi bash-completion berkdb bitmap-fonts blas bookmarks branding bzip2 cairo cblas cdr cli cracklib crypt ctype cups dbus doc dri dvd dvdr dvdread eds emacs emboss encode epydoc esd evo examples f77 fam fftw firefox foomativdb fortran gdbm gif gimpprint gpm gstreamer gtk hal iconv imagemagick imap isdnlog ivman java jpeg jpeg2k kde kdeenablefinal kerberos lapack latex ldap mad mdnsresponder-compat midi mikmod mime mmap mmx mozbranding mozilla mozsvg mp3 mpeg mplayer mudflap multislot ncurses nptl nptlonly nsplugin ogg opengl openmp oss pam pcre pdf perl pic png ppds pppd python qt3 qt3support qt4 quicktime readline reflection rss samba sdl sensord session spell spl sse sse2 ssl subversion svg symlink tcltk tcpd tetex threads tiff tk truetype truetype-fonts type1-fonts umfpack unicode usb vorbis webdav winbind wxwindows xcomposite xfs xinerama xml xorg xv zeroconf zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en en_US" USERLAND="GNU" VIDEO_CARDS="ati vga fglrx"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OP

Reproducible: Always

Comment 1 Jakub Moc (RETIRED) gentoo-dev

2007-08-14 20:09:05 UTC

Maybe it will work better if you enable CONFIG_IP_NF_MATCH_RECENT

Networking options  --->
  Network packet filtering framework (Netfilter)  --->
    IP: Netfilter Configuration  --->
      <M> IP tables support (required for filtering/masq/NAT)
      <M>   recent match support

Comment 2 Darren Dale 2007-08-14 23:39:07 UTC

(In reply to comment #1)
> Maybe it will work better if you enable CONFIG_IP_NF_MATCH_RECENT
> 
> Networking options  --->
>   Network packet filtering framework (Netfilter)  --->
>     IP: Netfilter Configuration  --->
>       <M> IP tables support (required for filtering/masq/NAT)
>       <M>   recent match support 
> 

It was enabled as a module when I filed the bug.

Comment 3 Jakub Moc (RETIRED) gentoo-dev

2007-08-15 06:07:19 UTC

Recompile iptables and try again; if it still doesn't work, attach you kernel .config here.

Comment 4 Darren Dale 2007-08-15 12:27:52 UTC

Created attachment 128157 [details]
build log for iptables

build log for iptables

Comment 5 Darren Dale 2007-08-15 12:29:14 UTC

Created attachment 128159 [details]
kernel .config

Comment 6 Darren Dale 2007-08-15 12:36:25 UTC

Reopening. I'll apologize in advance if I have done something stupid, but I have had iptables working on this machine in the past, with the same rules and the same config settings. I dont know when the problem began occuring, maybe when I upgraded to 2.6.22?

Comment 7 SpanKY gentoo-dev

2007-08-25 16:25:09 UTC

should be fixed in 1.3.8-r2, thanks for the report !

Comment 8 Jakub Moc (RETIRED) gentoo-dev

2007-08-29 11:06:41 UTC

*** Bug 190611 has been marked as a duplicate of this bug. ***

Comment 9 Toralf Förster gentoo-dev

2007-08-30 15:07:51 UTC

What's about closing a bug report as "RESOLVED FIXED" not before the package is marked as stable ?

Comment 10 SpanKY gentoo-dev

2007-08-30 15:28:57 UTC

generally bug reports reflect latest in the tree, not stable

Comment 11 Jakub Moc (RETIRED) gentoo-dev

2007-09-27 21:49:51 UTC

*** Bug 194038 has been marked as a duplicate of this bug. ***

Comment 12 Jose Medellin 2007-09-29 14:53:16 UTC

Maybe I'm missing something here, but 1.3.8-r2 doesn't work either.  I saw this problem because I'm using shorewall.  Shorewall has a nice command:

shorewall show capabilities

which shows precisely which parts of iptables are enabled.  With 1.3.5-r4 this is shown:

Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Extended Multi-port Match: Available
   Connection Tracking Match: Available
   Packet Type Match: Available
   Policy Match: Available
   Physdev Match: Not available
   Packet length Match: Available
   IP range Match: Available
   Recent Match: Available
   Owner Match: Available
   Ipset Match: Not available
   CONNMARK Target: Available
   Extended CONNMARK Target: Available
   Connmark Match: Available
   Extended Connmark Match: Available
   Raw Table: Available
   IPP2P Match: Available
   CLASSIFY Target: Available
   Extended REJECT: Available
   Repeat match: Not available
   MARK Target: Available
   Extended MARK Target: Available
   Mangle FORWARD Chain: Available
   Comments: Available
   Address Type Match: Available
   TCPMSS Match: Available
   Hashlimit Match: Available

With exactly the same config in everything else, just compiling 1.3.8-r2 (as well as r1) shows this:

Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Extended Multi-port Match: Available
   Connection Tracking Match: Available
   Packet Type Match: Available
   Policy Match: Available
   Physdev Match: Not available
   Packet length Match: Available
   IP range Match: Available
   Recent Match: Available
   Owner Match: Available
   Ipset Match: Not available
   CONNMARK Target: Available
   Extended CONNMARK Target: Available
   Connmark Match: Available
   Extended Connmark Match: Available
   Raw Table: Available
   IPP2P Match: Available
   CLASSIFY Target: Available
   Extended REJECT: Available
   Repeat match: Not available
   MARK Target: Available
   Extended MARK Target: Available
   Mangle FORWARD Chain: Available
   Comments: Available
   Address Type Match: Available
   TCPMSS Match: Available
   Hashlimit Match: Available

As you can see, a lot of Not Available's that were available with 1.3.5-r4.  I saw on bug 194038 that maybe the extensions use-flag would fix this, but it didn't. Same problem.  Rolling back to 1.3.5-r4.  

My prognosis: 

>=1.3.8 doesn't load modules.  

I think a bug should be filed to unstabilize 1.3.8.  Should I do it?  Or can we use this bug?

Thanks!

Comment 13 Jose Medellin 2007-09-29 14:54:48 UTC

I must be just asleep today or something.  Pasted the same output of shorewall show capabilities twice...  Sorry for that.  The output of the command with 1.3.8-rX is:

Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Not available
   Multi-port Match: Available
   Extended Multi-port Match: Available
   Connection Tracking Match: Available
   Packet Type Match: Available
   Policy Match: Available
   Physdev Match: Not available
   Packet length Match: Available
   IP range Match: Available
   Recent Match: Available
   Owner Match: Available
   Ipset Match: Not available
   CONNMARK Target: Not available
   Connmark Match: Available
   Extended Connmark Match: Available
   Raw Table: Available
   IPP2P Match: Not available
   CLASSIFY Target: Not available
   Extended REJECT: Available
   Repeat match: Available
   MARK Target: Not available
   Mangle FORWARD Chain: Not available
   Comments: Available
   Address Type Match: Available
   TCPMSS Match: Available
   Hashlimit Match: Available

Comment 14 Jakub Moc (RETIRED) gentoo-dev

2007-10-24 17:42:40 UTC

*** Bug 196924 has been marked as a duplicate of this bug. ***