How to enable building of iptable_raw.ko

When building the mainstream OpenWrt, the iptable_raw.ko kernel installable module is not built and consequently the RAW table is not available in iptables.

How to enable the building of iptable_raw.ko ?

Edit:
There is already a KernelPackage for iptable_raw, it´s called ipt-raw and can be installed with opkg update && opkg install kmod-ipt-raw.

If you are building the image by yourself you have to enable PACKAGE_kmod-ipt-raw.

Old post:
You need to add the apropriate KernelPackage definition to:

Probably this helps you:


3 Likes

I did opkg update && opkg install kmod-ipt-raw and indeed the iptable_raw.ko was installed but its file version does not match my Linux version v4.14.151.

How do I know? Because I disassembled it and the function iptable_raw_hook() installed by opkg looks like this:

static unsigned int
iptable_raw_hook(void *priv, struct sk_buff *skb,
		 const struct nf_hook_state *state)
{
	return ipt_do_table(skb, state, state->net->ipv4.iptable_raw);
}

...see this source in iptable_raw.c

However, this function in v4.14.151 is supposed to look like this:

static unsigned int
iptable_raw_hook(void *priv, struct sk_buff *skb,
		 const struct nf_hook_state *state)
{
	if (state->hook == NF_INET_LOCAL_OUT &&
	    (skb->len < sizeof(struct iphdr) ||
	     ip_hdrlen(skb) < sizeof(struct iphdr)))
		/* root is playing with raw sockets. */
		return NF_ACCEPT;

	return ipt_do_table(skb, state, state->net->ipv4.iptable_raw);
}

...see this source in iptable_raw.c

Note that this change in source code has happened between v4.15.18 and v4.16-rc1

Q: Why did the opkg install a version of this module that does not match my Linux version ?

P.S.
My cat /proc/version reports:
Linux version 4.14.151 (buildbot@62f0e5d67d46) (gcc version 7.3.0 (OpenWrt GCC 7.3.0 r7897-9d401013fc)) #0 SMP Tue Nov 5 14:12:18 2019

You have really disassembled the module? Why?

Is that a problem for your use case? Does the module not work?

According to your kernel build tag i assume you are running an official build of OpenWRT, right?
What are your contents of /etc/opkg/distfeeds.conf and /etc/os-release?

Yes, it wasn't working as expected.

The function iptable_raw_hook() disassembles to:

LDR             R3, [R2,#0x14]      ;R3 == state->net
MOV             R0, R1              ;R0 == skb
MOV             R1, R2              ;R1 == state
LDR             R2, [R3,#0x2C8]     ;R2 == state->net->ipv4.iptable_raw
B               ipt_do_table

As you can see, it doesn't check for the size of IP header, as it should in v4.14.151:

Correct.

root@OpenWrt:~# cat /etc/opkg/distfeeds.conf

src/gz openwrt_core http://downloads.openwrt.org/releases/18.06.5/targets/ipq806x/generic/packages
src/gz openwrt_kmods http://downloads.openwrt.org/releases/18.06.5/targets/ipq806x/generic/kmods/4.14.151-1-e0e48e988f7369b5689954f7ddd801b1
src/gz openwrt_base http://downloads.openwrt.org/releases/18.06.5/packages/arm_cortex-a15_neon-vfpv4/base
src/gz openwrt_luci http://downloads.openwrt.org/releases/18.06.5/packages/arm_cortex-a15_neon-vfpv4/luci
src/gz openwrt_packages http://downloads.openwrt.org/releases/18.06.5/packages/arm_cortex-a15_neon-vfpv4/packages
src/gz openwrt_routing http://downloads.openwrt.org/releases/18.06.5/packages/arm_cortex-a15_neon-vfpv4/routing
src/gz openwrt_telephony http://downloads.openwrt.org/releases/18.06.5/packages/arm_cortex-a15_neon-vfpv4/telephony
root@OpenWrt:~# cat /etc/os-release

NAME="OpenWrt"
VERSION="18.06.5"
ID="openwrt"
ID_LIKE="lede openwrt"
PRETTY_NAME="OpenWrt 18.06.5"
VERSION_ID="18.06.5"
HOME_URL="http://openwrt.org/"
BUG_URL="http://bugs.openwrt.org/"
SUPPORT_URL="http://forum.lede-project.org/"
BUILD_ID="r7897-9d401013fc"
LEDE_BOARD="ipq806x/generic"
LEDE_ARCH="arm_cortex-a15_neon-vfpv4"
LEDE_TAINTS=""
LEDE_DEVICE_MANUFACTURER="OpenWrt"
LEDE_DEVICE_MANUFACTURER_URL="http://openwrt.org/"
LEDE_DEVICE_PRODUCT="Generic"
LEDE_DEVICE_REVISION="v0"
LEDE_RELEASE="OpenWrt 18.06.5 r7897-9d401013fc"

Ok i understand...

Your problem is related to the used netfilter backports used by OpenWRT.

Take a look here why you have the module code from a newer kernel version:

Probably you can fill a bug report on https://bugs.openwrt.org/ if you are convinced that the backport breaks the normal behavior.

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.