Opened 9 years ago

Closed 9 years ago

#1772 closed defect (fixed)

brcm47xx-2.6 no NAT since .21

Reported by: tom
Owned by: developers
Priority: high
Milestone:
Component: kernel
Version:
Keywords:
Cc:

Description

Somehow the kmod-ipt-nathelper package does not get built for brcm47xx-2.6 in current revision with kernel 2.6.21.
This causes non working NAT:

root@OpenWrt:~# /etc/init.d/firewall reload
iptables v1.3.7: Unknown arg `--to'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.7: Unknown arg `--to'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.7: Unknown arg `--to'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.7: Unknown arg `--to'
Try `iptables -h' or 'iptables --help' for more information.

etc etc.. and ports are all stealthed.

I assume this is caused by kmod-ipt-nathelper as I compared the backed-up package list from my old kamikaze install.

I remember I had to install it manually too that time.
Why is that btw?

Attachments (1)

ipt-nat.patch (516 bytes) - added by jhansen@… 9 years ago.
Build nat modules into iptables for 2.6.21+


Change History (26)

comment:1 Changed 9 years ago by tom

hmm, seems this has actually nothing to do with kmod-ipt-nathelper at all, I'm not really sure about it. But why should it?

Also the kernel .config looks OK.

What else could be the reason for this?

Here follows some output:

tom@SiRiUS /backups/openwrt/kamikaze $ grep CONNTRACK build_mipsel/linux/.config
CONFIG_NF_CONNTRACK_ENABLED=y
CONFIG_NF_CONNTRACK_SUPPORT=y
# CONFIG_IP_NF_CONNTRACK_SUPPORT is not set
CONFIG_NF_CONNTRACK=y
CONFIG_NF_CONNTRACK_MARK=y
# CONFIG_NF_CONNTRACK_EVENTS is not set
# CONFIG_NF_CONNTRACK_AMANDA is not set
CONFIG_NF_CONNTRACK_FTP=m
CONFIG_NF_CONNTRACK_H323=m
CONFIG_NF_CONNTRACK_IRC=m
# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set
# CONFIG_NF_CONNTRACK_PPTP is not set
# CONFIG_NF_CONNTRACK_SANE is not set
CONFIG_NF_CONNTRACK_SIP=m
# CONFIG_NF_CONNTRACK_TFTP is not set
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
CONFIG_NF_CONNTRACK_IPV4=y
CONFIG_NF_CONNTRACK_PROC_COMPAT=y
# CONFIG_NF_CONNTRACK_IPV6 is not set
tom@SiRiUS /backups/openwrt/kamikaze $ grep NAT build_mipsel/linux/.config
CONFIG_IPSEC_NAT_TRAVERSAL=y
CONFIG_NF_NAT=y
CONFIG_NF_NAT_NEEDED=y
# CONFIG_NF_NAT_SNMP_BASIC is not set
CONFIG_NF_NAT_FTP=m
CONFIG_NF_NAT_IRC=m
# CONFIG_NF_NAT_TFTP is not set
# CONFIG_NF_NAT_AMANDA is not set
# CONFIG_NF_NAT_PPTP is not set
CONFIG_NF_NAT_H323=m
CONFIG_NF_NAT_SIP=m
CONFIG_BRIDGE_EBT_T_NAT=m
CONFIG_BRIDGE_EBT_DNAT=m
CONFIG_BRIDGE_EBT_SNAT=m
# CONFIG_NATSEMI is not set

root@OpenWrt:~# lsmod|sort               
Module                  Size  Used by    Not tainted
cls_fw                  3264  8 
crc_ccitt               1024  1 ppp_async
diag                    7632  0 
imq                     2192  0 
ipt_ECN                 1472  0 
ipt_IMQ                  672  0 
ipt_LOG                 4992  0 
ipt_TOS                  864  0 
ipt_TTL                  928  0 
ipt_ecn                 1024  0 
ipt_ipp2p               6976  0 
ipt_owner                800  0 
ipt_recent              4992  0 
ipt_time                1536  0 
ipt_tos                  544  0 
ipt_ttl                  736  0 
iptable_raw              608  0 
lockd                  59056  1 nfs
nfs                   243744  1 
ppp_async               9664  0 
ppp_generic            19968  7 pppoe,pppox,ppp_async
pppoe                   9632  2 
pppox                   1328  1 pppoe
sch_hfsc               15296  2 
sch_red                 4128  4 
sch_sfq                 4288  4 
slhc                    5472  1 ppp_generic
sunrpc                152960  3 nfs,lockd
switch_core             5056  1 switch_robo
switch_robo             4048  0 
xt_CHAOS                1824  0 
xt_CLASSIFY              640  0 
xt_CONNMARK             1120  2 
xt_DELUDE               2592  0 
xt_MARK                  960  13 
xt_NOTRACK               832  0 
xt_connmark              832  0 
xt_helper               1024  0 
xt_length                736  5 
xt_mac                   736  0 
xt_mark                  640  13 
xt_portscan             1952  0 
xt_string                896  0


comment:2 Changed 9 years ago by tom

Okay..

/lib/iptables/libipt_DNAT.so

would be good to have, I guess.

Installed iptables packages:
root@OpenWrt:~# ipkg list_installed|grep iptables
iptables - 1.3.7-1 -
iptables-mod-conntrack - 1.3.7-1 -
iptables-mod-extra - 1.3.7-1 -
iptables-mod-filter - 1.3.7-1 -
iptables-mod-imq - 1.3.7-1 -
iptables-mod-ipopt - 1.3.7-1 -

On my desktop box, also running iptables 1.3.7, this lib is available.

As I haven't been logged in.. could someone please change the topic to something like "iptables 1.3.7 not installing DNAT module" :)

Also l7filters do not work yet.

Sorry if all this is just a 0-day bug.

comment:3 Changed 9 years ago by tom

Guys, sorry for all that noise.

After looking around in the build system it seems that I just jumped over to 2.6.21 too early.
It's just that kmod-ipt-nat is.. well obsolete now it seems, as all needed for NAT is built into the kernel, so iptables-mod-nat does not get built currently. I do not yet fully understand the kamikaze build system, otherwise I would come up with patches.

For now I simply copied the compiled libipt_DNAT.so onto the router, and all is working fine.

Sorry again.

comment:4 follow-up: Changed 9 years ago by florian

  • Resolution set to worksforme
  • Status changed from new to closed

comment:5 follow-up: Changed 9 years ago by acoul <alex@…>

I would like to confirm that up to svn r7508, if iptables is compiled as a module, the libipt_DNAT.so file is missing even when all iptables-related modules get installed. It looks like this library should be included in the kmod-ipt-nat package or similar.

comment:6 Changed 9 years ago by Poromenos

I would also like to confirm this, using r7505. iptables gives me the same error.

comment:7 in reply to: ↑ 4 Changed 9 years ago by Poromenos

Replying to florian:
Where did you copy this file? I copy it to /lib/modules/<kernelver>/ and it won't load. How did you get this to work?

comment:8 Changed 9 years ago by acoul <alex@…>

I put it under the /lib and it works ok for me.

comment:9 Changed 9 years ago by Poromenos

Yes, that works for me as well, thank you for the hint!

comment:10 in reply to: ↑ 5 Changed 9 years ago by ielbury@…

  • Resolution worksforme deleted
  • Status changed from closed to reopened

I don't believe that the ticket should be closed. Copying files in order to compensate for a broken build is not correcting the problem IMHO.

The basic iptables/firewall package is currently broken for all platforms where QOS and DNAT forwarding is required (Unless the lib discussed is copied).

comment:11 Changed 9 years ago by florian

  • Resolution set to fixed
  • Status changed from reopened to closed

It seems to be working now:

root@OpenWrt:/# /etc/init.d/firewall reload
root@OpenWrt:/#

comment:12 Changed 9 years ago by gnida

  • Resolution fixed deleted
  • Status changed from closed to reopened

Can anybody give me libipt_DNAT.so for MIPS? :'(

comment:13 follow-up: Changed 9 years ago by ielbury@…

Looking at the log for the trunk and I am curious what changes were made to get the DNAT and level7 libraries installed on the system? There does not appear to be any changes in this area, the ticket just got closed.

I have tried selecting everything in iptables and netfilter drivers and none of the DNAT, SNAT or level7 libraries ever get copied to the system unless I manually copy them.

The problem may not be properly described but the Makefile compiles all the extension libraries but they never get installed into the root/lib/iptables folder. Once I manually copy the extension everything including /etc/init.d/firewall reload work. Note that in my configuration all Base system->iptables and Kernel->netfilter items are '*' and not 'M'.

I have only done cursory examination of the problem as there are more pressing problems with OpenWrt that need to be resolved (For my systems). I will look at it in more depth next week.

comment:14 in reply to: ↑ 13 Changed 9 years ago by anonymous

  1. if you need a stable release, use the release, not trunk
  2. trunk has 2.6.21 with the new layer 3 independent nat code - nat works fine, what you are missing is DNAT for port forwarding - e.g. this ticket is invalid
  3. l7 filter doesn't work with the new nat code, esfq doesn't work with the old code
  4. long story short - stick to the release, or wait until everyone updates for the new nat code - this is not an OpenWrt problem, simply the way opensource works. you do have a stable release to use, so there is no reason to argue, especially if you didn't look after what the problem is for real

comment:15 follow-up: Changed 9 years ago by ielbury@…

There is no release that works on my platform (RB-1XX). I realize that this problem started with .21 but what I am saying is that the ticket should not be closed as there still is a problem.

All your points are taken and valid but there is still a problem with this area!

comment:16 in reply to: ↑ 15 Changed 9 years ago by clucas@…

Replying to ielbury@innomega.com:

There is no release that works on my platform (RB-1XX). I realize that this problem started with .21 but what I am saying is that the ticket should not be closed as there still is a problem.

All your points are taken and valid but there is still a problem with this area!

Have you compiled it with 140-cmdline-hack.patch ? arch/mips/kernel/head.S has changed a lot (such as use of .fill 400, ...). I tried now to adapt it and compile one version.

  • Christophe -

comment:17 Changed 9 years ago by zaebali idioty

Can anybody give me libipt_DNAT.so for MIPS? :'(

comment:18 Changed 9 years ago by florian

Could you please stick to the subject ?

libipt_DNAT.so is there :

find build_mipsel/linux-2.6-brcm47xx/iptables-1.3.7 -name '*DNAT.so'
build_mipsel/linux-2.6-brcm47xx/iptables-1.3.7/extensions/libipt_DNAT.so
build_mipsel/linux-2.6-brcm47xx/iptables-1.3.7/ipkg-install/usr/lib/iptables/libipt_DNAT.so

Now, why it is not copied: because it depends on the flag $(NF_KMOD) being equal to 1 in include/netfilter.mk at line 62.
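The symptom in this ticket (iptables rejecting `--to` because libipt_DNAT.so never reached the router) can be checked for before a firewall reload. The script below is an added example, not code from the ticket or from OpenWrt; it assumes the iptables 1.3.x naming scheme in which target X, match m and protocol p load libipt_X.so, libipt_m.so and libipt_p.so, and the sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the ticket or OpenWrt: derive which iptables 1.3.x
# extension libraries a rule set needs and report those absent from the
# library directory. A missing libipt_DNAT.so is exactly what makes iptables
# answer "Unknown arg `--to'" on a DNAT rule.
# Assumed naming: target X -> libipt_X.so, match m -> libipt_m.so,
# protocol p -> libipt_p.so (true for iptables 1.3.x; 1.4+ uses libxt_ too).

# Print the extension libraries required by the iptables rules read from
# stdin, sorted and deduplicated. Built-in targets (ACCEPT, DROP, ...) and
# user-defined chains (assumed to contain lowercase letters) need no library.
required_ipt_libs() {
    awk '
        function need(name) { libs["libipt_" name ".so"] = 1 }
        {
            for (i = 1; i < NF; i++) {
                a = $i; v = $(i + 1)
                if ((a == "-j" || a == "--jump") && v ~ /^[A-Z0-9_]+$/ &&
                    v != "ACCEPT" && v != "DROP" && v != "RETURN" && v != "QUEUE")
                    need(v)
                if (a == "-m" || a == "--match") need(v)
                if ((a == "-p" || a == "--protocol") && v ~ /^[a-z]+$/ && v != "all")
                    need(v)
            }
        }
        END { for (l in libs) print l }
    ' | LC_ALL=C sort
}

# Usage: missing_ipt_libs LIBDIR < rules
# Prints the required libraries that do not exist in LIBDIR (e.g. /lib/iptables).
missing_ipt_libs() {
    libdir=$1
    required_ipt_libs | while read -r lib; do
        [ -e "$libdir/$lib" ] || echo "$lib"
    done
}

# Constructed sample rules resembling what /etc/init.d/firewall installs.
SAMPLE_RULES='iptables -t nat -A prerouting_rule -p tcp --dport 22 -j DNAT --to 192.168.1.2:22
iptables -t nat -A postrouting_rule -o eth0.1 -j MASQUERADE
iptables -A forwarding_rule -m state --state RELATED,ESTABLISHED -j ACCEPT'

# Run against the router's library directory, for example:
#   printf '%s\n' "$SAMPLE_RULES" | missing_ipt_libs /lib/iptables
```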

comment:19 Changed 9 years ago by gnida

Great, florian, so in addition this ticket is useful not only for brcm47xx devices but also for Texas Instruments AR7 based devices :-)

comment:20 Changed 9 years ago by jhansen@…

Just wanted to confirm that it is broken here, too. It seems that you only have to configure qos-scripts as module, and many of the iptables/kmods to get firewall and qos working are not built, including "filter" and "nat" (crucial).

comment:21 Changed 9 years ago by jhansen@…

I'm attaching a patch that gets DNAT, SNAT, MASQUERADE, and REDIRECT built into iptables itself (not iptables-mod-nat), but it seems to do the trick anyway.

Changed 9 years ago by jhansen@…

Build nat modules into iptables for 2.6.21+

comment:22 Changed 9 years ago by jhansen@…

Scratch that last patch, the iptables package needs to be revamped for the layer3-independent netfilter. Hopefully someone is working on this.

comment:23 Changed 9 years ago by nbd

The patch seems fine to me and I committed it in [7727]. What other things need to be fixed?

comment:24 Changed 9 years ago by jhansen@…

The main thing that doesn't get copied now is the layer7 iptables module (and the kernel module, too, I believe), so layer7 prioritizing in qos doesn't work.

comment:25 Changed 9 years ago by nbd

  • Resolution set to fixed
  • Status changed from reopened to closed

layer7 is currently broken with 2.6.22-rc. I'm thinking about getting rid of the l7 rules in qos-scripts anyway, since layer7 itself is not that reliable...
The l7 breakage should be discussed in a separate ticket, so I'll close this one now.
