samuelbernardo (n00b)
Joined: 30 Jan 2016, Posts: 31
Posted: Sun Apr 07, 2019 4:28 pm
Post subject: iptables v1.8.2 (legacy): can't initialize iptables table
Hi,
Today after a Gentoo upgrade I realized that libvirt has an error on startup. iptables is not working as expected, and because of that libvirt can't set the forward rules for NAT bridges.
The related ebuilds I've installed are:
net-firewall/iptables-1.8.2-r2 conntrack ipv6 netlink pcap -nftables
net-firewall/nftables-0.9.0-r4 gmp json modern_kernel readline
net-firewall/ebtables-2.0.10.4 +perl
app-emulation/libvirt-5.1.0 caps dbus fuse libvirtd lvm lxc macvtap nfs nls parted policykit qemu sasl udev vepa virt-network wireshark-plugins zfs
sys-kernel/gentoo-sources-4.19.34 experimental
I have iptables enabled with almost all other options:
grep NF_IPTABLES /boot/config-$(uname -r)
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP6_NF_IPTABLES=y
I've also enabled the ebtables and nftables related options in the kernel.
nft commands work without any problem, as do ebtables ones. Only iptables has this error.
I can't enable the nftables USE flag in the iptables ebuild because libvirt requires iptables with the nftables flag disabled.
Does anyone have a hint for the reason why the following error happens?
Code:
# iptables -nvL
iptables v1.8.2 (legacy): can't initialize iptables table `filter': No child processes
Perhaps iptables or your kernel needs to be upgraded.
Complete kernel configuration: https://pastebin.com/TDpwKij0
Code:
# cat /proc/net/ip_tables_names
security
raw
nat
mangle
filter
Thanks
deagol (n00b)
Joined: 12 Jul 2014, Posts: 62
Posted: Sat Apr 13, 2019 8:56 pm
You're probably missing some kernel module(s).
I had exactly the same error message today after updating my kernel. I used the old kernel config as a base, and with the new kernel I got the same error.
If I'm right, booting your old kernel will allow iptables to work again.
You then have to figure out exactly what's missing... In my case the MASQUERADE target was missing. A master option was off, and MASQUERADE was one of the selectable targets.
Doesn't look like that's your problem, though...
But once you can confirm that it's still working with the old kernel, something next to sure is...
samuelbernardo (n00b)
Joined: 30 Jan 2016, Posts: 31
Posted: Sun Apr 14, 2019 12:27 am
deagol wrote:
> You're probably missing some kernel module(s).
> I had exactly the same error message today after updating my kernel. I used the old kernel config as a base, and with the new kernel I got the same error.
> If I'm right, booting your old kernel will allow iptables to work again.
> You then have to figure out exactly what's missing... In my case the MASQUERADE target was missing. A master option was off, and MASQUERADE was one of the selectable targets.
> Doesn't look like that's your problem, though...
> But once you can confirm that it's still working with the old kernel, something next to sure is...

Thanks for your feedback.
Unfortunately I already have the MASQUERADE target enabled.
I have a hint that the problem may be related to the iptables nftables USE flag, which I can't activate because libvirt and lxd still depend on ebtables, which conflicts with iptables built with nftables.
So my firewall is now being configured by nft, which is working as expected. libvirtd gives warnings when starting because of the iptables command errors, but it is still working.
My hope now is that libvirt and lxd start to support nftables.
samuelbernardo (n00b)
Joined: 30 Jan 2016, Posts: 31
Posted: Sun Apr 28, 2019 8:39 am
Post subject: [SOLVED] iptables v1.8.2: can't initialize iptables table
Installing net-firewall/ebtables-2.0.10.4-r2 allows installing iptables with the nftables USE flag. With this it is possible to have a Linux kernel with nftables enabled.
alamahant (Advocate)
Joined: 23 Mar 2019, Posts: 3950
Posted: Tue Jun 04, 2019 9:08 pm
Then ditch nftables and use iptables instead.
Not only libvirt; even firewalld, docker etc. do not work properly with nftables yet.
Firewalld gives you the option to choose the iptables or nftables backend in the firewalld.conf file.
It will take time, so just stick with iptables instead.
Use these flags for them to be fully functional:
First remove anything "netfilter" from your kernel .config file, thus:
Code:
sed -i '/NETFILTER/d' /usr/src/linux/.config
and then you need to append the following and recompile:
Code:
CONFIG_NETFILTER=y
CONFIG_NETFILTER_ADVANCED=y
CONFIG_BRIDGE_NETFILTER=y
# Core Netfilter Configuration
CONFIG_NETFILTER_INGRESS=y
CONFIG_NETFILTER_NETLINK=m
CONFIG_NETFILTER_FAMILY_BRIDGE=y
CONFIG_NETFILTER_FAMILY_ARP=y
CONFIG_NETFILTER_NETLINK_ACCT=m
CONFIG_NETFILTER_NETLINK_QUEUE=m
CONFIG_NETFILTER_NETLINK_LOG=m
CONFIG_NETFILTER_NETLINK_OSF=m
CONFIG_NETFILTER_CONNCOUNT=m
CONFIG_NETFILTER_NETLINK_GLUE_CT=y
CONFIG_NETFILTER_SYNPROXY=m
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_MARK=m
CONFIG_NETFILTER_XT_CONNMARK=m
CONFIG_NETFILTER_XT_SET=m
CONFIG_NETFILTER_XT_TARGET_AUDIT=m
CONFIG_NETFILTER_XT_TARGET_CHECKSUM=m
CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
CONFIG_NETFILTER_XT_TARGET_CONNMARK=m
CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=m
CONFIG_NETFILTER_XT_TARGET_CT=m
CONFIG_NETFILTER_XT_TARGET_DSCP=m
CONFIG_NETFILTER_XT_TARGET_HL=m
CONFIG_NETFILTER_XT_TARGET_HMARK=m
CONFIG_NETFILTER_XT_TARGET_IDLETIMER=m
CONFIG_NETFILTER_XT_TARGET_LED=m
CONFIG_NETFILTER_XT_TARGET_LOG=m
CONFIG_NETFILTER_XT_TARGET_MARK=m
CONFIG_NETFILTER_XT_NAT=m
CONFIG_NETFILTER_XT_TARGET_NETMAP=m
CONFIG_NETFILTER_XT_TARGET_NFLOG=m
CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
CONFIG_NETFILTER_XT_TARGET_NOTRACK=m
CONFIG_NETFILTER_XT_TARGET_RATEEST=m
CONFIG_NETFILTER_XT_TARGET_REDIRECT=m
CONFIG_NETFILTER_XT_TARGET_TEE=m
CONFIG_NETFILTER_XT_TARGET_TPROXY=m
CONFIG_NETFILTER_XT_TARGET_TRACE=m
CONFIG_NETFILTER_XT_TARGET_SECMARK=m
CONFIG_NETFILTER_XT_TARGET_TCPMSS=m
CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=m
CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=m
CONFIG_NETFILTER_XT_MATCH_BPF=m
CONFIG_NETFILTER_XT_MATCH_CGROUP=m
CONFIG_NETFILTER_XT_MATCH_CLUSTER=m
CONFIG_NETFILTER_XT_MATCH_COMMENT=m
CONFIG_NETFILTER_XT_MATCH_CONNBYTES=m
CONFIG_NETFILTER_XT_MATCH_CONNLABEL=m
CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=m
CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_CPU=m
CONFIG_NETFILTER_XT_MATCH_DCCP=m
CONFIG_NETFILTER_XT_MATCH_DEVGROUP=m
CONFIG_NETFILTER_XT_MATCH_DSCP=m
CONFIG_NETFILTER_XT_MATCH_ECN=m
CONFIG_NETFILTER_XT_MATCH_ESP=m
CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m
CONFIG_NETFILTER_XT_MATCH_HELPER=m
CONFIG_NETFILTER_XT_MATCH_HL=m
CONFIG_NETFILTER_XT_MATCH_IPCOMP=m
CONFIG_NETFILTER_XT_MATCH_IPRANGE=m
CONFIG_NETFILTER_XT_MATCH_IPVS=m
CONFIG_NETFILTER_XT_MATCH_L2TP=m
CONFIG_NETFILTER_XT_MATCH_LENGTH=m
CONFIG_NETFILTER_XT_MATCH_LIMIT=m
CONFIG_NETFILTER_XT_MATCH_MAC=m
CONFIG_NETFILTER_XT_MATCH_MARK=m
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
CONFIG_NETFILTER_XT_MATCH_NFACCT=m
CONFIG_NETFILTER_XT_MATCH_OSF=m
CONFIG_NETFILTER_XT_MATCH_OWNER=m
CONFIG_NETFILTER_XT_MATCH_POLICY=m
CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m
CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
CONFIG_NETFILTER_XT_MATCH_QUOTA=m
CONFIG_NETFILTER_XT_MATCH_RATEEST=m
CONFIG_NETFILTER_XT_MATCH_REALM=m
CONFIG_NETFILTER_XT_MATCH_RECENT=m
CONFIG_NETFILTER_XT_MATCH_SCTP=m
CONFIG_NETFILTER_XT_MATCH_SOCKET=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_NETFILTER_XT_MATCH_STATISTIC=m
CONFIG_NETFILTER_XT_MATCH_STRING=m
CONFIG_NETFILTER_XT_MATCH_TCPMSS=m
CONFIG_NETFILTER_XT_MATCH_TIME=m
CONFIG_NETFILTER_XT_MATCH_U32=m
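A quick way to verify that a kernel .config actually contains a list of required netfilter options such as the one alamahant posted above, before rebooting into a kernel that may leave iptables unable to initialize its tables. This is an added example, not code from the thread: check_kconfig, demo and the sample config lines are constructed here; in real use the first argument would be /boot/config-$(uname -r) or /usr/src/linux/.config and the second a file holding the CONFIG_ lines from the post.

```shell
#!/bin/sh
# Added example, not from the thread: compare a kernel .config against a
# file of required options (one CONFIG_NAME=value per line) and report
# each option that is missing or built differently than expected.
# A "y" vs "m" difference is reported rather than ignored, because an
# extension built as a module must also be loadable at run time.
#   check_kconfig CONFIG_FILE REQUIRED_FILE  -> 0 if all match, 1 otherwise
check_kconfig() {
    cfg="$1"; req="$2"; problems=0
    while IFS= read -r line; do
        # skip blank lines and comments in the required list
        case "$line" in ''|'#'*) continue ;; esac
        name="${line%%=*}"; want="${line#*=}"
        # "# CONFIG_X is not set" never matches this pattern, so it counts as missing
        have=$(sed -n "s/^${name}=//p" "$cfg" | head -n 1)
        if [ -z "$have" ]; then
            echo "MISSING  $name (want $want)"
            problems=$((problems + 1))
        elif [ "$have" != "$want" ]; then
            echo "MISMATCH $name=$have (want $want)"
            problems=$((problems + 1))
        fi
    done < "$req"
    [ "$problems" -eq 0 ]
}

# Constructed sample (hypothetical values): the config builds the NAT
# extension into the kernel and lacks the state match, while the required
# list expects both as modules, so the check reports two problems.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'CONFIG_NETFILTER=y' 'CONFIG_NETFILTER_XTABLES=y' \
        'CONFIG_NETFILTER_XT_NAT=y' \
        '# CONFIG_NETFILTER_XT_MATCH_STATE is not set' > "$d/config"
    printf '%s\n' 'CONFIG_NETFILTER=y' 'CONFIG_NETFILTER_XTABLES=y' \
        'CONFIG_NETFILTER_XT_NAT=m' \
        'CONFIG_NETFILTER_XT_MATCH_STATE=m' > "$d/required"
    if check_kconfig "$d/config" "$d/required"; then rc=0; else rc=1; fi
    rm -rf "$d"
    return "$rc"
}

# Real use: check_kconfig "/boot/config-$(uname -r)" required-netfilter.txt
if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run with --demo to see the two reported lines; with a real config, an empty report and a zero exit status mean every option in the list is present with the expected value.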
samuelbernardo (n00b)
Joined: 30 Jan 2016, Posts: 31
Posted: Thu Jun 06, 2019 6:22 pm
Thanks alamahant for your post.
It's working now with your proposed configuration.