BPI-R2 Pro iptables: Could not load match "conntrack": No such file or directory

Hello all,

iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

Error: couldn’t load match `conntrack': No such file or directory

I have CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y set in the .config during compiling, but iptables still doesn’t “know” about conntrack

AFAIR there were more conntrack options and ipt*

In the Linux kernel there were iptables, xtables and nftables options over time…

Try CONFIG_NF_CONNTRACK

I do have CONFIG_NF_CONNTRACK set. The bigger problem is that no -m module is working: tcp, udp, conntrack, comment are all not working. I found the folder /lib/aarch64-linux-gnu/xtables, and all the relevant .so files are in there, but iptables is still reporting Couldn’t load match `tcp/udp/conntrack': No such file or directory. Me: the file is right over there, and I don’t know where iptables attempted to find the match files.

I also did export XTABLES_LIBDIR=/lib/aarch64-linux-gnu/xtables, but iptables still can’t seem to read this environment variable. I opened a thread on the netfilter user list and nobody so far has cared to respond.

Modules are in /lib/modules/$(uname -r)/kernel

Where uname -r has to match.

Which image do you use and how did you install the kernel and modules?

You should separate kernel modules from application modules. The modules not found are kernel modules, which have a fixed position in the rootfs like Eric wrote. I’m sure the environment var you set is for applications only.

@frank-w, I am using your Ubuntu 22.04 image. Kernel-wise, I compiled all as built-in modules.

-m means extended matching modules for iptables, which it shouldn’t look for in userspace as I opted for compiling everything within the kernel.

Google is a good tool to find solutions too :wink:

iptables-legacy -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

With iptables being deprecated…

Better start using nftables.

Mine shows iptables (nf_tables 1.8.7). Why would I want to get iptables-legacy working? And it is also reporting the same problem.

iptables-legacy uses the old modules and syntax for the CLI tools. iptables now uses nftables and tries to be a compatibility layer, but maybe not complete (I guess some nftables options are missing here). I also suggest using nftables directly.

Indeed, use nftables directly.

See here as an example:

Nice, you have an example file for nftables with combined IPv4/IPv6… maybe I take this for my images repo. Is this OK? I leave a credit in my copy of the file.

BTW, the R3 has a WAN port too :slight_smile:

You are welcome to use it, I grabbed most of it from somewhere.

I never tested the IPv6 part, but I’ll be happy to hear if it works :wink:

Mhm, OK, I thought it was fully tested… I have not done much with IPv6 yet, only registered/configured an IPv6-over-IPv4 tunnel as I do not have native IPv6… but we are going off-topic; we can discuss this separately.

Thanks for both of your replies. I need to digest a bit.

I have native IPv6; in fact, I have multiple /56 blocks to play around with.

If you want to join my pentose.net s2s IPsec ring (which I am currently building and hardening) for testing purposes, you are more than welcome to do so.

But iptables (nf_tables 1.8.7) is only using iptables as the syntax wrapper and using nf_tables in the background? Unless I was very mistaken.

I have # CONFIG_NFT_COMPAT is not set

Maybe this is the culprit.

First time using real nftables instead of iptables with nftables backend. This was interesting because I could define reusable variables previously not found in iptables.

It saves me from re-compiling the kernel to get CONFIG_NFT_COMPAT=y. I guess it forced me to learn nftables, which is good. I am not going back to iptables.
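The dependency the two posts above arrive at (iptables with the nf_tables backend still needs CONFIG_NFT_COMPAT in the kernel before any -m extension can load, on top of the xtables match option itself) as an added example; this is not from the thread or from any board image. The check reads a kernel .config, so the same situation can be spotted before recompiling. The mapping from match names to Kconfig symbols is my own and only covers the common cases, and the sample .config is constructed to mirror the original poster's kernel.

```shell
#!/bin/sh
# Added example, not from the thread: decide from a kernel .config whether
# "iptables -m <match>" can work on an iptables-nft system.
# Assumption (the thread's conclusion): iptables (nf_tables) hands every -m
# extension to the kernel through nft_compat, so CONFIG_NFT_COMPAT is needed
# in addition to the xtables match option itself.

# config_enabled FILE SYMBOL: true if CONFIG_SYMBOL is =y or =m in FILE.
config_enabled() {
    grep -Eq "^CONFIG_$2=(y|m)$" "$1"
}

# check_xt_match FILE MATCH: report the Kconfig symbols missing for "-m MATCH".
# Returns 0 when everything is present, 1 when at least one symbol is missing.
# The match-name to symbol mapping is my own and covers only the common cases.
check_xt_match() {
    cfg=$1
    match=$2
    missing=""
    config_enabled "$cfg" NFT_COMPAT || missing="$missing NFT_COMPAT"
    case $match in
        conntrack) syms="NETFILTER_XT_MATCH_CONNTRACK NF_CONNTRACK" ;;
        tcp|udp)   syms="NETFILTER_XTABLES" ;;   # xt_tcpudp is built with the xtables core
        *)         syms="NETFILTER_XT_MATCH_$(printf '%s' "$match" | tr a-z A-Z)" ;;
    esac
    for s in $syms; do
        config_enabled "$cfg" "$s" || missing="$missing $s"
    done
    if [ -n "$missing" ]; then
        echo "-m $match: cannot work, not set in kernel config:$missing"
        return 1
    fi
    echo "-m $match: kernel prerequisites present"
    return 0
}

# Constructed sample that mirrors the thread: matches built in, nft_compat off.
sample_config() {
    cat <<'EOF'
CONFIG_NF_TABLES=y
# CONFIG_NFT_COMPAT is not set
CONFIG_NF_CONNTRACK=y
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
CONFIG_NETFILTER_XT_MATCH_COMMENT=y
EOF
}

# running_config OUTFILE: copy the running kernel's config, if it is exposed.
running_config() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz > "$1"
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)" > "$1"
    else
        return 1
    fi
}

tmp=$(mktemp)
sample_config > "$tmp"
for m in conntrack comment tcp; do
    check_xt_match "$tmp" "$m" || true
done
# Same check against the running kernel when its config is available.
if running_config "$tmp"; then
    check_xt_match "$tmp" conntrack || true
fi
rm -f "$tmp"
```

On the constructed sample every match is reported as unusable with NFT_COMPAT as the only missing symbol, which is exactly the "match .so is right there but iptables cannot load it" symptom: the userspace extension exists, the kernel-side expression it needs does not.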

nftables is structured (a tree instead of many lines) and you can group things instead of having the same rules for, e.g., different interfaces. And only with nftables will you be able to use HW acceleration on MTK boards.
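What the last few posts describe (using nftables directly, with reusable variables, one inet table covering IPv4 and IPv6, and interfaces grouped in a set instead of one rule per interface) as an added example; this is not the example file referenced earlier in the thread and not code from any board image. The ruleset starts from the iptables rule that opened the thread. Interface names, the LAN prefixes and the admin ports are assumptions for a small router; the wrapper writes the ruleset to a file and loads it only after nft has checked it.

```shell
#!/bin/sh
# Added example, not from the thread or any board image: the iptables rule that
# opened the thread, rewritten as an nftables ruleset with "define" variables
# and a single "inet" table so the same rules cover IPv4 and IPv6.
# Interface names, prefixes and ports below are assumptions for a small router.

RULESET_FILE=${RULESET_FILE:-/tmp/nftables-example.conf}

# gen_ruleset FILE: write the ruleset (nft syntax, what "nft -f" loads) to FILE.
gen_ruleset() {
    cat > "$1" <<'EOF'
#!/usr/sbin/nft -f
# Variables: change an interface or prefix once, every rule follows.
define wan = "wan"
define lan_ifs = { "lan0", "lan1", "wlan0" }
define lan_v4 = 192.168.1.0/24
define lan_v6 = fd00:1::/64
define admin_tcp = { 22, 443 }

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        # the rule the thread started with ("-m conntrack --ctstate ...")
        ct state established,related accept
        ct state invalid drop

        iif lo accept
        # ICMP carries path-MTU discovery; ICMPv6 also carries neighbour discovery
        meta l4proto { icmp, icmpv6 } accept

        # management only from the LAN; one set instead of a rule per interface
        iifname $lan_ifs ip saddr $lan_v4 tcp dport $admin_tcp accept
        iifname $lan_ifs ip6 saddr $lan_v6 tcp dport $admin_tcp accept

        # anything else from the WAN hits the drop policy; keep a rate-limited trace
        iifname $wan limit rate 5/minute log prefix "nft-input-drop: "
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        # LAN -> WAN only; reply traffic is covered by the ct state rule above
        iifname $lan_ifs oifname $wan accept
    }
}

# NAT in the inet family needs kernel 5.2 or newer.
table inet nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $wan ip saddr $lan_v4 masquerade
    }
}
EOF
}

# apply_ruleset FILE: check without loading (nft -c), then load.
# "nft -f" applies the whole file in one transaction, so a rejected file leaves
# the live ruleset untouched. Returns 1 if nft is missing or the check fails.
apply_ruleset() {
    command -v nft >/dev/null 2>&1 || { echo "nft not installed" >&2; return 1; }
    nft -c -f "$1" || { echo "ruleset rejected, nothing loaded" >&2; return 1; }
    nft -f "$1"
}

gen_ruleset "$RULESET_FILE"
echo "ruleset written to $RULESET_FILE (run with 'apply' as root to load it)"
if [ "${1:-}" = apply ]; then
    apply_ruleset "$RULESET_FILE"
fi
```

Run as root with the argument apply to load it; without the argument it only writes the file, which can then be inspected or copied to /etc/nftables.conf. Hardware flow offload, which the post above mentions for MTK boards, is a separate flowtable feature and is deliberately not part of this ruleset.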

Are you also saying HW NAT for Rockchip on the R2 Pro is not supported?