GENTOO iptables: pkttype kernel built-in modules broken
Tue, 08 June 2010 11:56
z0th
Registered: May 2010
Messages: 8
Hi Guys...

I've been working on my firewall today and have run into an interesting little hitch trying to block broadcast packets using the 'pkttype' module.

 # iptables -A INPUT -m pkttype --pkt-type broadcast -j DROP
iptables: No chain/target/match by that name.


Now, I've tried several other NON-VIRTUAL Gentoo systems running 2.6.30 or later, with a more recent version of iptables, and this rule is executed without error.

I've checked man; the pkttype module is in the documentation, and it doesn't seem to be a syntax problem (if anyone knows, please post!), and it's not possible to load the "xt_pkttype" iptables module. I've been trying to figure out exactly what the problem is; this is what I've come up with so far.

  • the "xt_pkttype" module is not enabled in the kernel config.
  • the "xt_pkttype" module was not fully implemented in that kernel version.

Out of habit, iptables was one of the first things I installed when I first got the virtual Gentoo box. As a result, my iptables command sets are likely clobbered. After speaking with a contact, the default for this kernel version is net-firewall/iptables-1.4.3.2. I've rolled the version back, but still no joy.

Since Gentoo is a source distribution, and not binary, you can upgrade the iptables version to take advantage of new features and squashed bugs. But in this case, since the iptables modules are built into the kernel itself, no upgrades are possible.

Is there any possibility of getting a Gentoo kernel with the iptables sources built as modules and not right into the kernel binary?

[Updated on: Tue, 08 June 2010 14:05]

Thu, 10 June 2010 18:00
Registered: June 2010
Messages: 4
Just commenting that I have observed this behaviour as well. My best guess is that the kernel as provided lacks the required module to support this type of traffic classification... I am also interested in having this fixed. Whether the module is built into the kernel or can be dynamically loaded doesn't matter so much to me, but it would be nice to have either way.
Fri, 11 June 2010 14:37
z0th
Registered: May 2010
Messages: 8
Sorry, crazy busy. I hassled support about it. Here is the response from yesterday.

VPSVille Support:

xt_pkttype is not enabled in the virtual kernel, and hasn't been virtualized yet. It's enabled on the hardware node already, so if you can't see it, it's not going to work inside a VPS.


That said, there's still the issue of net-firewall/iptables coming in and clobbering things during an 'emerge world'. The only way around that is to mask them in /etc/portage/package.mask, but then you are stuck with an older version of iptables (no bugfixes, no new features).

Going to ask about other modules that would be treated in this manner as well.
Fri, 11 June 2010 16:07
z0th
Registered: May 2010
Messages: 8
So I asked about the virtualized iptables modules. Here's a slightly amended list (there were dupes).

VPSVille Support:

The following modules are supported:

ip_conntrack
ip_conntrack_ftp
ip_conntrack_irc
ip_nat_ftp
ip_nat_irc
ipt_LOG
ipt_REDIRECT
ipt_REJECT
ipt_TCPMSS
ipt_TOS
ipt_conntrack
ipt_helper
ipt_length
ipt_limit
ipt_multiport
ipt_owner
ipt_recent
ipt_state
ipt_tcpmss
ipt_tos
ipt_ttl
iptable_filter
iptable_mangle
iptable_nat

Other modules may or may not be usable, depending on whether they have been virtualized yet. But the above ones will work for sure.


Note the last comment that it's NOT an exhaustive list.

It does seem to be quite a few LESS than my home file server running a 2.6.31-gentoo-r10 kernel. Granted, there have been quite a few kernel revisions and quite a few changes to iptables between the two kernels.
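The "No chain/target/match by that name" error in the first post and the short supported-module list above both come down to the same question: does the kernel the firewall actually runs under support a given match extension? The script below is an added example, not code from the thread or from VPSVille; it reads the kernel's own match list from /proc/net/ip_tables_matches (a real kernel file; the name match_listed, probe_match and the sample file are assumptions made here) and, where it has root and an iptables binary, confirms support the only reliable way, by adding a rule in a throwaway chain. The sample match list is constructed to resemble the VPS list in the post, with pkttype left out.

```shell
#!/bin/sh
# Added example (not from the thread): check whether an iptables match
# extension is usable before depending on a rule that needs it.

# list_matches [FILE]: print the match names the kernel reports, one per line.
# /proc/net/ip_tables_matches is the kernel's own list; it only shows matches
# whose modules are currently registered (built-in or already loaded).
list_matches() {
    f="${1:-/proc/net/ip_tables_matches}"
    [ -r "$f" ] && cat "$f"
}

# match_listed NAME [FILE]: exit 0 if NAME appears in the list, 1 otherwise.
match_listed() {
    list_matches "$2" | grep -qx "$1"
}

# probe_match NAME ARGS...: the definitive check. Inside a VPS the /proc list
# may describe the host kernel (the thread's case: enabled on the hardware
# node but not virtualised), so actually try to add a rule in a scratch chain.
# Exit 0 = usable, 1 = kernel rejected it, 2 = could not test (no root/iptables).
probe_match() {
    name="$1"; shift
    command -v iptables >/dev/null 2>&1 || return 2
    [ "$(id -u)" -eq 0 ] || return 2
    chain="probe_${name}_$$"
    iptables -N "$chain" 2>/dev/null || return 2
    if iptables -A "$chain" -m "$name" "$@" -j RETURN 2>/dev/null; then
        rc=0
    else
        rc=1
    fi
    iptables -F "$chain" 2>/dev/null
    iptables -X "$chain" 2>/dev/null
    return "$rc"
}

# Constructed sample standing in for a VPS kernel with a short match list
# (names chosen to resemble the support list in the thread, minus pkttype).
SAMPLE_MATCHES=$(mktemp)
trap 'rm -f "$SAMPLE_MATCHES"' EXIT
printf '%s\n' conntrack helper length limit multiport owner recent state tcpmss tos ttl > "$SAMPLE_MATCHES"

for m in state pkttype; do
    if match_listed "$m" "$SAMPLE_MATCHES"; then
        echo "$m: listed by the kernel"
    else
        echo "$m: not listed; '-m $m' would fail with 'No chain/target/match by that name'"
    fi
done

# Live check on the running kernel (skipped unless root with iptables present).
if probe_match pkttype --pkt-type broadcast; then
    echo "pkttype: usable on this kernel"
elif [ $? -eq 1 ]; then
    echo "pkttype: rejected by this kernel"
else
    echo "pkttype: live probe skipped (needs root and iptables)"
fi
```

On a modular kernel a match can be absent from /proc/net/ip_tables_matches and still work, because iptables asks the kernel to autoload xt_pkttype on first use; that is why the live probe is the check worth trusting, and why the /proc list alone would have given the VPS case a misleading answer if it mirrored the hardware node.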