After a long time away from the BPi R2 I’m trying to replace my R1 with the R2 and it lacks a lot of iptables/x-tables modules in the kernel.
On the R1:
# uname -a
Linux eddie 4.4.66-bananian #2 SMP Sat May 6 19:26:50 UTC 2017 armv7l GNU/Linux
# lsmod | grep table
ip6table_filter 1221 1
ip6_tables 11381 1 ip6table_filter
iptable_mangle 1326 1
iptable_nat 1469 1
nf_nat_ipv4 4480 1 iptable_nat
iptable_filter 1281 1
ip_tables 11125 3 iptable_filter,iptable_mangle,iptable_nat
x_tables 11316 16 ip6table_filter,ipt_SYNPROXY,ip_tables,xt_tcpmss,xt_tcpudp,xt_limit,xt_connlimit,xt_conntrack,xt_LOG,xt_mac,xt_nat,xt_multiport,iptable_filter,ipt_REJECT,iptable_mangle,ip6_tables
On the R2:
# uname -a
Linux eddie2 4.14.46-bpi-r2-hdmi #229 SMP Thu May 31 16:00:42 CEST 2018 armv7l GNU/Linux
# lsmod | grep table
ip6table_filter 16384 1
ip6_tables 24576 1 ip6table_filter
iptable_mangle 16384 1
iptable_nat 16384 1
nf_nat_ipv4 16384 1 iptable_nat
iptable_filter 16384 1
ip_tables 24576 3 iptable_mangle,iptable_filter,iptable_nat
x_tables 28672 7 xt_nat,iptable_mangle,ip_tables,iptable_filter,xt_tcpudp,ip6table_filter,ip6_tables
Would it be possible to have the complete set of ip/x-tables options enabled as modules in the kernel sources?
I expect a lot of people wanting to replace their R1 with an R2, now bananian support has stopped…
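As an added example (not from the thread and not the BPi kernel tree's own code): a small shell script that works out which xt_/ipt_ modules an iptables-save ruleset depends on and reports the ones a kernel does not ship, which is the comparison the two lsmod listings above do by hand. The match/target-to-module table, the sample ruleset and the sample module listing are constructed assumptions; the module names follow the ones in the lsmod output above (4.4/4.14 era naming).

```shell
#!/bin/sh
# Added example, not from the thread: derive from an iptables-save ruleset
# which xt_/ipt_ modules it needs and report those a kernel does not ship.
# The match/target -> module table is an assumption based on the module names
# in the thread's 4.4/4.14 lsmod output (e.g. -m conntrack -> xt_conntrack,
# -j REJECT -> ipt_REJECT); extend it for other extensions you use.

# Print, sorted and one per line, the modules the ruleset on stdin requires.
rules_to_modules() {
    awk '
    BEGIN {
        tgt["LOG"] = "xt_LOG";            tgt["REJECT"] = "ipt_REJECT"
        tgt["SNAT"] = "xt_nat";           tgt["DNAT"] = "xt_nat"
        tgt["CONNMARK"] = "xt_connmark";  tgt["MARK"] = "xt_mark"
        tgt["SYNPROXY"] = "ipt_SYNPROXY"; tgt["TCPMSS"] = "xt_TCPMSS"
    }
    /^-A / {
        for (i = 1; i < NF; i++) {
            nxt = $(i + 1)
            if ($i == "-m") {
                # -m tcp and -m udp are both implemented by xt_tcpudp
                if (nxt == "tcp" || nxt == "udp") nxt = "tcpudp"
                need["xt_" nxt] = 1
            } else if ($i == "-p" && (nxt == "tcp" || nxt == "udp")) {
                need["xt_tcpudp"] = 1   # port options imply the tcp/udp match
            } else if ($i == "-j" && (nxt in tgt)) {
                need[tgt[nxt]] = 1
            }
        }
    }
    END { for (m in need) print m }' | LC_ALL=C sort
}

# Read required modules from stdin; print those without a .ko in the module
# listing file $1 (output of: find /lib/modules/$(uname -r) -name "*.ko*").
missing_modules() {
    while read -r mod; do
        grep -q "/${mod}\.ko" "$1" || echo "$mod"
    done
}

# Constructed sample: a small R1-style ruleset and a module listing with only
# the x_tables users the thread's R2 lsmod shows (xt_nat, xt_tcpudp).
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m connlimit --connlimit-above 10 -j REJECT
-A INPUT -p tcp --syn -m limit --limit 5/s -j LOG --log-prefix "syn: "
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o wan0 -j SNAT --to-source 192.0.2.1
COMMIT'

SAMPLE_MODULES='/lib/modules/4.14.46-bpi-r2-hdmi/kernel/net/netfilter/x_tables.ko
/lib/modules/4.14.46-bpi-r2-hdmi/kernel/net/netfilter/xt_nat.ko
/lib/modules/4.14.46-bpi-r2-hdmi/kernel/net/netfilter/xt_tcpudp.ko
/lib/modules/4.14.46-bpi-r2-hdmi/kernel/net/ipv4/netfilter/ip_tables.ko
/lib/modules/4.14.46-bpi-r2-hdmi/kernel/net/ipv4/netfilter/iptable_filter.ko'

# Run the check on the constructed data; on a real box feed iptables-save
# into rules_to_modules and the find command above into the listing file.
demo_missing() {
    listing=$(mktemp)
    printf '%s\n' "$SAMPLE_MODULES" > "$listing"
    printf '%s\n' "$SAMPLE_RULES" | rules_to_modules | missing_modules "$listing"
    rm -f "$listing"
}

demo_missing
```

Modules the kernel has built in (=y) do not appear under /lib/modules as .ko files; if the listing comes from a kernel built that way, append /lib/modules/$(uname -r)/modules.builtin to the listing file before running the check.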
if you use a newer kernel you get more xtables…have added some in 4.14.5x
in the current version (4.14.62) I have these xtables activated:
root@bpi-r2-ubuntu:~# find /lib/modules/$(uname -r) -name '*xt_*'
which do you need?
you can clone my repo and activate the modules you need after importconfig
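As an added example (not the maintainer's code and not from the repository mentioned above): a shell check that reads a kernel .config and lists which of the netfilter symbols behind the modules discussed in this thread (conntrack, connmark, connlimit, limit, LOG, REJECT, SYNPROXY and nf_synproxy_core) are neither built as modules nor built in, together with the scripts/config commands that would switch them on. The symbol names are the upstream 4.14 Kconfig names; the sample .config fragment is constructed.

```shell
#!/bin/sh
# Added example, not the maintainer's code: check a kernel .config for the
# netfilter symbols behind the modules requested in this thread. Symbol names
# are the upstream 4.14 Kconfig names; the sample .config below is constructed.

# "CONFIG symbol<space>module it builds", one per line. IP_NF_TARGET_SYNPROXY
# normally selects NETFILTER_SYNPROXY (nf_synproxy_core) on its own.
WANTED='NETFILTER_XT_MATCH_CONNTRACK xt_conntrack
NETFILTER_XT_MATCH_CONNMARK xt_connmark
NETFILTER_XT_MATCH_CONNLIMIT xt_connlimit
NETFILTER_XT_MATCH_LIMIT xt_limit
NETFILTER_XT_TARGET_LOG xt_LOG
IP_NF_TARGET_REJECT ipt_REJECT
IP_NF_TARGET_SYNPROXY ipt_SYNPROXY
NETFILTER_SYNPROXY nf_synproxy_core'

# Print "SYMBOL module" for every wanted symbol that is neither =m nor =y in
# the .config file $1.
unset_symbols() {
    printf '%s\n' "$WANTED" | while read -r sym mod; do
        grep -qE "^CONFIG_${sym}=[my]$" "$1" || echo "$sym $mod"
    done
}

# Print the scripts/config commands (run in the kernel source tree, followed
# by `make olddefconfig`) that would enable the missing ones as modules.
fix_commands() {
    unset_symbols "$1" | while read -r sym mod; do
        echo "scripts/config --module $sym   # builds $mod"
    done
}

# Constructed .config fragment resembling the R2 state in the thread: NAT,
# tcpudp and some extensions on, the rest off or absent.
SAMPLE_CONFIG='CONFIG_NETFILTER=y
CONFIG_NETFILTER_XTABLES=m
CONFIG_NETFILTER_XT_NAT=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=m
# CONFIG_NETFILTER_XT_MATCH_CONNMARK is not set
# CONFIG_NETFILTER_XT_TARGET_LOG is not set
CONFIG_IP_NF_TARGET_REJECT=y
# CONFIG_IP_NF_TARGET_SYNPROXY is not set'

# Run the check on the constructed fragment; on a real tree pass its .config.
demo_unset() {
    cfg=$(mktemp)
    printf '%s\n' "$SAMPLE_CONFIG" > "$cfg"
    unset_symbols "$cfg"
    rm -f "$cfg"
}

demo_unset
```

Calling fix_commands on the same file prints one `scripts/config --module` line per missing symbol; after applying them, `make olddefconfig` resolves the dependencies (NF_CONNTRACK and friends) that a bare symbol flip does not.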
Do you have a kernel pre-build?
At the moment I’m also developing LineageOS and both seem to be picky about the build environment (and don’t like each other).
Are these options enough? Then i can upload my current package…
Or do you need more? I have actually only these options enabled needed by me and others
Connmark and conntrack are the most important. Thanks.
Thanks, got almost all working again. Can you add xt_connlimit and nf_synproxy_core?
Both are for some extra safety: to limit incoming traffic (prevent floods) or drop out-of-sync packets (something really nasty, almost never seen, but just in case).
added them, see github…
uploaded binary to same location…
Great, thanks, I was busy yesterday, just placed the kernel and it works like a charm. I was surprised that power-off is already working. (probably was for some time)
Will start using the R2 ASAP. (keeping the R1 as temp spare for when a kernel update is needed)
why should it work no more?
if you have serial-cable (debug-uart) you can flash my uboot to have multiple kernel-support…then you can test new kernel and keep your old
With the very old kernel I started this thread with, shutdown didn’t power-off the device. (kept showing ‘shutdown’ in console), with the last 2 it just powers-off.
No serial cable here. Need to find me a way to update the kernel without having to remove the sdcard.
4.4 does not support poweroff…i had only patched 4.14 with the necessary changes
with my debian and ubuntu-image you can use deb-package, with all other systems you can use the packed version (unpack in running system), but if it does not boot, you have to remove the card (or boot another kernel => here you need a usb2serial-cable)
If I remember correctly, I have your Debian image. Will have to check.
should be debian 9 (official is 8=jessie, if you have not upgraded)…
ok, you already have 4.14 running…4.4 was from bananian (your old R1 I guess)
Yep, thanks, finally had time to continue with the R2 and it runs nicely as a firewall. I’ve added a VLAN-supporting switch in front of the firewall to split off the TV VLAN, so I can at least have updates for all Debian packages.
Would there be a chance that you’d supply the kernel package as .deb? I saw you already have a .80 version.
Also, a small tip: buster uses nftables for firewall management and the iptables package (1.8) has been rewritten to use the nft command. This gives an issue, as the nft setup requires another set of modules, nft*. I’ve just been battling with the firewall after an upgrade and reverted iptables to stretch-backports.
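As an added example (not from the thread): a shell check for the situation described in the post above, where iptables 1.8 silently talks to the nf_tables backend and fails with "nft: protocol not supported" on a kernel without the nft modules. It reads the backend tag that iptables 1.8 prints in `iptables -V`, looks up the modules that backend needs in a module listing, and reports what is missing. The module sets are an assumption kept to the minimum known to be required (nf_tables plus nft_compat, which wraps the xt_* extensions for iptables-nft; ip_tables plus x_tables for the legacy binary); the sample version strings and listing are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: find out which backend the installed
# iptables uses and whether the running kernel ships the modules it needs.
# Module sets are an assumption (minimum known set); extend as needed.

# Map an `iptables -V` line to "nf_tables", "legacy" or "unknown".
# iptables >= 1.8 appends the backend in parentheses; 1.6 and older print
# only the version and are always the legacy (ip_tables/x_tables) binary.
backend_of() {
    case "$1" in
        *'(nf_tables)'*) echo nf_tables ;;
        *'(legacy)'*)    echo legacy ;;
        "iptables v"*)   echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Kernel modules a backend needs, as they appear under /lib/modules/$(uname -r).
modules_for() {
    case "$1" in
        nf_tables) echo "nf_tables nft_compat" ;;
        legacy)    echo "ip_tables x_tables" ;;
    esac
}

# Print the modules for backend $1 that have no .ko in listing file $2
# (capture of: find /lib/modules/$(uname -r) -name "*.ko*").
missing_for_backend() {
    for mod in $(modules_for "$1"); do
        grep -q "/${mod}\.ko" "$2" || echo "$mod"
    done
}

# Constructed listing: the R2's 4.14 module set from the thread, without any
# nf_tables/nft_* modules.
SAMPLE_LISTING='/lib/modules/4.14.98-bpi-r2-main/kernel/net/netfilter/x_tables.ko
/lib/modules/4.14.98-bpi-r2-main/kernel/net/netfilter/xt_nat.ko
/lib/modules/4.14.98-bpi-r2-main/kernel/net/ipv4/netfilter/ip_tables.ko
/lib/modules/4.14.98-bpi-r2-main/kernel/net/ipv4/netfilter/iptable_filter.ko'

# Check a buster-style iptables 1.8 (nf_tables backend) against that listing.
# On a real box use: backend_of "$(iptables -V)" and a real find capture.
demo_nft() {
    listing=$(mktemp)
    printf '%s\n' "$SAMPLE_LISTING" > "$listing"
    missing_for_backend "$(backend_of 'iptables v1.8.2 (nf_tables)')" "$listing"
    rm -f "$listing"
}

demo_nft
```

When the check reports nf_tables or nft_compat as missing, the alternative to downgrading the package (as done in the post above) is to point the Debian alternatives at the legacy binaries with `update-alternatives --set iptables /usr/sbin/iptables-legacy` and the same for ip6tables; that keeps iptables 1.8 but uses the ip_tables/x_tables path the kernel already has. As with the earlier check, built-in modules only show up in modules.builtin, so append that file to the listing when the kernel has them compiled in.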
Debs for all kernel versions are on the releases page on GitHub. Look at the branch name (4.14-main vs any other) before downloading. And do not use 4.14.92-97. Imho 4.19 should also have this issue, so make sure you are using the last version.
For nftables tell me the options you need
No clue at the moment… will dive into it, iptables nags ‘nft: protocol not supported’. Will check which there are.
The 4.14.98 is safe or is .91 the last known good?
98 should fix it, have it currently running for nearly 2 hours without a crash
Nice, will test.
BTW I checked in /lib/modules/4.19.0-2-amd64/kernel/net/netfilter on my Debian workstation and this is a part of the list of modules that Debian ships with their kernel. Looks like iptables 1.8 expects the nft_* modules.
It’s running and without issues here, thanks, the .98 works nicely. Is it possible for you to supply a matching linux-headers deb as well? I’d like to use xtables-addons-dkms xtables-addons-common for the geoip module and it suggests to include a linux-headers package. I have no clue how much extra work it is when building the package.
BTW what is the main difference between the 4.14 and 4.19 kernel? HDMI doesn’t seem to work on the 4.14 kernel, is that fixed in 4.19? (or should it work and was I too slow with plugging in the monitor)
currently adding nftables to 4.19…
you can download sourcepackage from releases and unpack it to your system…need to know where to unpack it for creating a deb
hdmi should work on 4.14 and 4.19…imho the monitor needs to be plugged in at boot time
4.19 is a year newer…support for 4.14 is only this year…support-end for 4.19 is one year later
4.19.20 with nftables release was uploaded by travis-ci
please try it out, test nftables and give me a feedback