iptables on kernel 2.6.5

Hello,

since I upgraded my kernel from 2.4.25 to 2.6.5 I am unable to
use iptables. My `active' file looks like this:

| *filter
| :INPUT ACCEPT [914:4990788]
| :FORWARD ACCEPT [0:0]
| :OUTPUT ACCEPT [932:159581]
| :ilocal - [0:0]
| local - [0:0]
| [82:666001] -A INPUT -i eth0 -j ilocal
| [82:15600] -A OUTPUT -o eth0 -j olocal
| [81:665724] -A ilocal -m state --state RELATED,ESTABLISHED -j
| ACCEPT
| [0:0] -A ilocal -p tcp -m tcp --dport 22 -j ACCEPT
| [0:0] -A ilocal -p tcp -m tcp --dport 20 -j ACCEPT
| [0:0] -A ilocal -p tcp -m tcp --sport 20 -j ACCEPT
| [0:0] -A ilocal -p tcp -m tcp --dport 6346 -j ACCEPT
| [0:0] -A ilocal -p icmp -j ACCEPT
| [0:0] -A ilocal -m state --state INVALID -j DROP
| [1:277] -A ilocal -j DROP
| [0:0] -A ilocal -p tcp -m tcp --dport 25 -j DROP
| [0:0] -A ilocal -p tcp -m tcp --dport 80 -j DROP
| [82:15600] -A olocal -j ACCEPT
| COMMIT

Trying to load the ruleset I get this:

| Paulina:/etc/iptables# /etc/init.d/iptables start
| Loading iptables ruleset: load "active"iptables-restore: line 21 failed

The offending line is `COMMIT'. An `strace' reveals this:

| setsockopt(3, SOL_IP, 0x40 /* IP_??? */, "filter\0@\6\0\0\0$\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\ 0\0\0"..., 3620) = -1 ENOENT (No such file or directory)
| write(2, "iptables-restore: line 21 failed"..., 33) = 33
| exit_group(1) = ?

....which indicates that the desired functionality is
unavailable [?].

I have these modules loaded:

| Paulina:~# lsmod
| Module Size Used by
| nvidia 2069256 0
| nfsd 87496 1
| exportfs 4864 1 nfsd
| iptable_filter 2496 0
| ohci_hcd 16064 0
| nls_cp437 5600 6
| vfat 12064 3
| fat 37728 1 vfat
| af_packet 12612 0
| unix 22380 26

My `iptables' version is `1.2.9'. Any idea which module is
missing? Or anything else? Maybe a clash with the IPv6 stuff
which is enabled in my kernel (I disabled all ipv6-filtering
stuff, no effect)?

Cheers,

Martin

--
Arthur: "It's at times like this I wish I'd listened to my mother"
Ford : "Why, what did she say?"
Arthur: "I don't know, I never listened"
-=-=- -=-=-=-=-
Dipl.Ing. Martin "Herbert" Dietze -=-=- Fachhochschule Wedel -=-=-

Martin Herbert Dietze <(E-Mail Removed)> wrote:

> since I upgraded my kernel from 2.4.25 to 2.6.5 I am unable to
> use iptables. My `active' file looks like this:

<snip>

> I have these modules loaded:

> | Paulina:~# lsmod
> | Module Size Used by
> | nvidia 2069256 0
> | nfsd 87496 1
> | exportfs 4864 1 nfsd
> | iptable_filter 2496 0
> | ohci_hcd 16064 0
> | nls_cp437 5600 6
> | vfat 12064 3
> | fat 37728 1 vfat
> | af_packet 12612 0
> | unix 22380 26

> My `iptables' version is `1.2.9'. Any idea which module is
> missing? Or anything else? Maybe a clash with the IPv6 stuff
> which is enabled in my kernel (I disabled all ipv6-filtering
> stuff, no effect)?

No idea about what modules might be missing, except that it's doubtful
that just iptable_filter, af_packet, and unix are enough. Actually I'm
guessing that the last two are iptables modules; I don't use them and
have only vague recollection that they are. The modules needed by a
particular firewall can vary widely.

Dunno about IPv6 stuff, but I don't recall iptables v1.2.9 being much
of a problem with just IPv4. However, modprobe and friends did give
me trouble.

Going to module-init-tools-3.0 improved things considerably, although
there are still some flaws. Rmmod requires using the .ko extension with
the module basename and scripting for tuning module insertion/removal
using modprobe with modules.conf is broken. In addition, module
insertion/removal might well require a different module ordering from
what was used by previous modprobe versions and 2.4.x kernels.

--
Clifford Kite Email: "echo xvgr_yvahk-(E-Mail Removed)|rot13"
PPP-Q&A links, downloads: http://ckite.no-ip.net/