Kernel very limited x-table support?

T_I · August 13, 2018, 12:57pm

Hi,

After a long time away from the BPi R2 I’m trying to replace my R1 with the R2 and it lacks a lot of iptables/x-tables modules in the kernel.

On the R1:

# uname -a
Linux eddie 4.4.66-bananian #2 SMP Sat May 6 19:26:50 UTC 2017 armv7l GNU/Linux
# lsmod | grep table
ip6table_filter         1221  1
ip6_tables             11381  1 ip6table_filter
iptable_mangle          1326  1
iptable_nat             1469  1
nf_nat_ipv4             4480  1 iptable_nat
iptable_filter          1281  1
ip_tables              11125  3 iptable_filter,iptable_mangle,iptable_nat
x_tables               11316  16 ip6table_filter,ipt_SYNPROXY,ip_tables,xt_tcpmss,xt_tcpudp,xt_limit,xt_connlimit,xt_conntrack,xt_LOG,xt_mac,xt_nat,xt_multiport,iptable_filter,ipt_REJECT,iptable_mangle,ip6_tables

On the R2:

# uname -a
Linux eddie2 4.14.46-bpi-r2-hdmi #229 SMP Thu May 31 16:00:42 CEST 2018 armv7l GNU/Linux
# lsmod | grep table
ip6table_filter        16384  1
ip6_tables             24576  1 ip6table_filter
iptable_mangle         16384  1
iptable_nat            16384  1
nf_nat_ipv4            16384  1 iptable_nat
iptable_filter         16384  1
ip_tables              24576  3 iptable_mangle,iptable_filter,iptable_nat
x_tables               28672  7 xt_nat,iptable_mangle,ip_tables,iptable_filter,xt_tcpudp,ip6table_filter,ip6_tables

Could it be possible to have the complete set of ip/x table options enabled as module in the kernel sources? I expect a lot of people wanting to replace their R1 with an R2, now bananian support has stopped…

T_I

frank-w · August 13, 2018, 1:21pm

if you use a newer kernel you get more xtables…have added some in 4.14.5x

in current version (4.14.62) i have this xtables activated:

root@bpi-r2-ubuntu:~# find /lib/modules/$(uname -r) -name '*xt_*'                                                                                                    
/lib/modules/4.14.62-bpi-r2-main/kernel/net/netfilter/xt_nat.ko                                                                                                      
/lib/modules/4.14.62-bpi-r2-main/kernel/net/netfilter/xt_mark.ko                                                                                                     
/lib/modules/4.14.62-bpi-r2-main/kernel/net/netfilter/xt_ipvs.ko                                                                                                     
/lib/modules/4.14.62-bpi-r2-main/kernel/net/netfilter/xt_tcpudp.ko                                                                                                   
/lib/modules/4.14.62-bpi-r2-main/kernel/net/netfilter/xt_LOG.ko                                                                                                      
/lib/modules/4.14.62-bpi-r2-main/kernel/net/netfilter/xt_mac.ko                                                                                                      
/lib/modules/4.14.62-bpi-r2-main/kernel/net/netfilter/xt_connmark.ko                                                                                                 
/lib/modules/4.14.62-bpi-r2-main/kernel/net/netfilter/xt_state.ko                                                                                                    
/lib/modules/4.14.62-bpi-r2-main/kernel/net/netfilter/xt_iprange.ko                                                                                                  
/lib/modules/4.14.62-bpi-r2-main/kernel/net/netfilter/xt_limit.ko                                                                                                    
/lib/modules/4.14.62-bpi-r2-main/kernel/net/netfilter/xt_CHECKSUM.ko                                                                                                 
/lib/modules/4.14.62-bpi-r2-main/kernel/net/netfilter/xt_recent.ko                                                                                                   
/lib/modules/4.14.62-bpi-r2-main/kernel/net/netfilter/xt_addrtype.ko                                                                                                 
/lib/modules/4.14.62-bpi-r2-main/kernel/net/netfilter/xt_conntrack.ko                                                                                                
/lib/modules/4.14.62-bpi-r2-main/kernel/net/netfilter/xt_TCPOPTSTRIP.ko

which do you need?

you can clone my repo and activate the modules you need after importconfig

T_I · August 13, 2018, 3:08pm

Do you have a kernel pre-build?

At the moment I’m also developing LineageOS and both seems to be picky in the build environment. (and not liking each others)

frank-w · August 13, 2018, 3:26pm

Are these options enough? Then i can upload my current package…

Or do you need more? I have actually only these options enabled needed by me and others

T_I · August 13, 2018, 4:28pm

Connmark and contrack are the most important. Thanks.

frank-w · August 13, 2018, 4:48pm

4.14.62 is uploaded here: https://drive.google.com/open?id=1EGN1TvqCpDHdOAS-mjRg9ipi0kahnOUV

T_I · August 14, 2018, 5:37am

Thanks, got almost all working again. Can you add xt_connlimit and nf_synproxy_core?

Both are for some extra safety, to limit incomming traffic (prevent flodd) or drop out-of-sync packages (something really nasty, almost never seen, but just in case)

frank-w · August 14, 2018, 6:02am

added them, see github…

uploaded binary to same location…

T_I · August 15, 2018, 7:55am

Great, thanks, I was busy yesterday, just placed the kernel and it works like a charm. I was surprised that power-off is already working. (probably was for some time)

Will start using the R2 ASAP. (keeping the R1 as temp spare for when a kernel update is needed)

frank-w · August 15, 2018, 8:14am

why should it work no more?

if you have serial-cable (debug-uart) you can flash my uboot to have multiple kernel-support…then you can test new kernel and keep your old

T_I · August 15, 2018, 8:17am

With the very old kernel I started this thread with, shutdown didn’t power-off the device. (kept showing ‘shutdown’ in console), with the last 2 it just powers-off.

No serial cable here. Need to find me a way to update the kernel without having to remove the sdcard.

frank-w · August 15, 2018, 8:20am

4.4 does not support poweroff…i had only patched 4.14 with the necessary changes

with my debian and ubuntu-image you can use deb-package, with all other systems you can use the packed version (unpack in running system), but if it does not boot, you have to remove the card (or boot another kernel => here you need a usb2serial-cable)

T_I · August 15, 2018, 9:12am

When I remember correctly, I have your debian image. will have to check.

frank-w · August 15, 2018, 9:15am

cat /proc/issue

should be debian 9 (official is 8=jessie, if you have not upgraded)…

ok, you have running already 4.14…4.4 was from bananian (your old r1 i guess)

T_I · February 8, 2019, 2:22pm

Yep, thanks, finally had time to continue with the R2 and it runs nicely as firewall. I’ve added a vlan supporting switch in front of the firewall to split-off the TV vlan, so I can at least have updates for all Debian packages.

Would there be a chance that you’d supply the kernel package as .deb? I saw you already have a .80 version.

Also, small tip, in buster uses nftables as firewall management and the iptable package (1.8) has been rewritten to use the nft command. This gives an issue, as the nft setup required another set of modules, nft*. I’ve just been battling with the firewall after an upgrade and reverted the iptables to stretch-backports.

frank-w · February 8, 2019, 2:26pm

Deb for all kernel versions are on releases-page on github. Look at branch-name (4.14-main vs any other) before downloading. And do not use 4.14.92-97. Imho also 4.19 should have this issue,so make sure usimg last version

For nftables tell me the options you need

T_I · February 8, 2019, 2:37pm

No clue at the moment… will dive into it, iptables nags ‘nft: protocol not supported’. Will check which there are.

The 4.14.98 is safe or is .91 the last known good?

frank-w · February 8, 2019, 2:41pm

98 should fix it,have it currently runnimg for near 2 hours without crash

T_I · February 8, 2019, 2:48pm

Nice, will test.

BTW I checked in /lib/modules/4.19.0-2-amd64/kernel/net/netfilter on my debian workstation and this is a part of the list of modules that Debian ships with their kernel, Looks like iptables 1.8 expects the nft_* modules

nft_compat.ko
nft_connlimit.ko
nft_counter.ko
nft_ct.ko
nft_dup_netdev.ko
nft_fib_inet.ko
nft_fib.ko
nft_fib_netdev.ko
nft_flow_offload.ko
nft_fwd_netdev.ko
nft_hash.ko
nft_limit.ko
nft_log.ko
nft_masq.ko
nft_nat.ko
nft_numgen.ko
nft_objref.ko
nft_osf.ko
nft_queue.ko
nft_quota.ko
nft_redir.ko
nft_reject_inet.ko
nft_reject.ko
nft_socket.ko
nft_tproxy.ko
nft_tunnel.ko

It’s running and without issues here, thanks, the .98 works nicely. Is it possible for you to supply a matching linux-headers deb as well? I’d like to use xtables-addons-dkms xtables-addons-common for the geoip module and it suggests to include a linux-headers package. I have no clue how much extra work it is when building the package.

BTW what is the main difference between the 4.14 and 4.19 kernel? HDMI doesn’t seem to work on the 4.14 kernel, is that fixed in 4.19? (or should it work and was I to slow with plugging in the monitor)

frank-w · February 8, 2019, 3:36pm

currently adding nftables to 4.19…

you can download sourcepackage from releases and unpack it to your system…need to know where to unpack it for creating a deb

hdmi should work on 4.14 and 4.19…imho monitor needs to plugged into at boottime

4.19 is a year newer…support for 4.14 is only this year…support-end for 4.19 is one year later

4.19.20 with nftables release was uploaded by travis-ci

please try it out, test nftables and give me a feedback