iptables: "Extension state is not supported"

redblade7 · Tux's lil' helper Joined: 11 Jan 2018 Posts: 106

I ran iptables -L the other day and noticed that some of my rules using -m state suddenly give this warning message after the rule is listed:

"Warning: Extension state is not supported, missing kernel module?"

The state module (actually it's not a module but compiled in) was never disabled in the kernel, I enabled the "conntrack" USE flag too and its required CONFIG_NF_CT_NETLINK, and it's still showing this message. I'm not sure if the rules are working or not, and "-m state -h" shows the correct syntax of the state module.

Anyone know more?

alamahant · Advocate Joined: 23 Mar 2019 Posts: 3950

Plz see
[url]
https://wiki.gentoo.org/wiki/Iptables#Kernel
[/url]
It is missing the state functionality.
Plz add it

redblade7 · Tux's lil' helper Joined: 11 Jan 2018 Posts: 106

It already is enabled in the kernel.

alamahant · Advocate Joined: 23 Mar 2019 Posts: 3950

Do you have

pietinger · Posted: Fri May 05, 2023 12:11 pm Post subject:

redblade7,

my suggestion is the same as I always say: Enable ALL netfilter modules as <M>odule in your kernel configuration (and enable also "Advanced netfilter configuration"). As soon as your firewall starts (independent if "iptables" or "nftables") all needed modules will be loaded automatically and you can see with "lsmod" which of them you really need. Afterwards you can disable all modules again which you dont need.

(see also here: https://wiki.gentoo.org/wiki/User:Pietinger/Tutorials/Manual_Configuring_Kernel_Version_6.1#Part_2_-_Slim_kernel )

P.S.: Dont forget netfilter-modules for IPv6 ... ;-)

(If you use it)

r_pns · n00b Joined: 02 Jul 2006 Posts: 33

Apparently, I've found the root cause for this issue (which I've faced too). I've set:

redblade7 · Tux's lil' helper Joined: 11 Jan 2018 Posts: 106