How to enable building of iptable_raw.ko

When building the mainstream OpenWrt, the iptable_raw.ko kernel installable module is not built and consequently the RAW table is not available in iptables.

How to enable the building of iptable_raw.ko?

Edit:
There is already a KernelPackage for iptable_raw, it's called ipt-raw and can be installed with opkg update && opkg install kmod-ipt-raw.

If you are building the image by yourself you have to enable PACKAGE_kmod-ipt-raw.

Old post:
You need to add the appropriate KernelPackage definition to:

Probably this helps you:

3 Likes

I did opkg update && opkg install kmod-ipt-raw and indeed the iptable_raw.ko was installed but its file version does not match my Linux version v4.14.151.

How do I know? Because I disassembled it and the function iptable_raw_hook() installed by opkg looks like this:

static unsigned int
iptable_raw_hook(void *priv, struct sk_buff *skb,
		 const struct nf_hook_state *state)
{
	return ipt_do_table(skb, state, state->net->ipv4.iptable_raw);
}

...see this source in iptable_raw.c

However, this function in v4.14.151 is supposed to look like this:

static unsigned int
iptable_raw_hook(void *priv, struct sk_buff *skb,
		 const struct nf_hook_state *state)
{
	if (state->hook == NF_INET_LOCAL_OUT &&
	    (skb->len < sizeof(struct iphdr) ||
	     ip_hdrlen(skb) < sizeof(struct iphdr)))
		/* root is playing with raw sockets. */
		return NF_ACCEPT;

	return ipt_do_table(skb, state, state->net->ipv4.iptable_raw);
}

...see this source in iptable_raw.c

Note that this change in source code has happened between v4.15.18 and v4.16-rc1.

Q: Why did the opkg install a version of this module that does not match my Linux version?

P.S.
My cat /proc/version reports:
Linux version 4.14.151 (buildbot@62f0e5d67d46) (gcc version 7.3.0 (OpenWrt GCC 7.3.0 r7897-9d401013fc)) #0 SMP Tue Nov 5 14:12:18 2019
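As an added illustration (not code from the thread or from the kernel tree), here is a small user-space model of the two iptable_raw_hook() variants quoted above, run over constructed packets to show which ones skip the raw table on the LOCAL_OUT hook under each variant. The verdict constants, the 20-byte minimum header length and the ip_hdrlen() computation mirror the kernel's; the packet samples and the WENT_TO_TABLE stand-in for ipt_do_table() are assumptions made for the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Netfilter verdict and hook numbers as used in the quoted kernel code. */
#define NF_ACCEPT           1
#define NF_INET_PRE_ROUTING 0
#define NF_INET_LOCAL_OUT   3
#define IPHDR_MIN_LEN       20u   /* sizeof(struct iphdr) */
#define WENT_TO_TABLE       100   /* model's stand-in for calling ipt_do_table() */

struct mock_skb { const uint8_t *data; size_t len; };

/* Same computation as the kernel's ip_hdrlen(): IHL field * 4 bytes. */
static size_t ip_hdrlen(const struct mock_skb *skb) {
    return (size_t)(skb->data[0] & 0x0f) * 4;
}

/* v4.14.151 variant: malformed headers on LOCAL_OUT are accepted unexamined. */
unsigned int raw_hook_v4_14(unsigned int hook, const struct mock_skb *skb) {
    if (hook == NF_INET_LOCAL_OUT &&
        (skb->len < IPHDR_MIN_LEN || ip_hdrlen(skb) < IPHDR_MIN_LEN))
        return NF_ACCEPT;                /* root is playing with raw sockets */
    return WENT_TO_TABLE;
}

/* Backported (v4.16+) variant as found in the installed kmod: always walks the table. */
unsigned int raw_hook_backport(unsigned int hook, const struct mock_skb *skb) {
    (void)hook; (void)skb;
    return WENT_TO_TABLE;
}

/* Constructed sample packets (first byte = version/IHL). */
static const uint8_t good_hdr[20]  = { 0x45, 0, 0, 20 };  /* IHL=5, full 20-byte header */
static const uint8_t short_ihl[20] = { 0x42, 0, 0, 20 };  /* IHL=2 -> claims 8-byte header */
const struct mock_skb PKT_GOOD      = { good_hdr, 20 };
const struct mock_skb PKT_TRUNCATED = { good_hdr, 8 };    /* only 8 bytes present */
const struct mock_skb PKT_BAD_IHL   = { short_ihl, 20 };

/* Count how many of the three samples skip the raw table under a given hook variant. */
int count_bypassed(unsigned int (*hook)(unsigned int, const struct mock_skb *), unsigned int where) {
    const struct mock_skb *pkts[] = { &PKT_GOOD, &PKT_TRUNCATED, &PKT_BAD_IHL };
    int n = 0;
    for (size_t i = 0; i < 3; i++)
        if (hook(where, pkts[i]) == NF_ACCEPT) n++;
    return n;
}

int main(void) {
    printf("v4.14.151 hook, LOCAL_OUT: %d of 3 bypass the raw table\n",
           count_bypassed(raw_hook_v4_14, NF_INET_LOCAL_OUT));    /* 2 */
    printf("backported hook, LOCAL_OUT: %d of 3 bypass the raw table\n",
           count_bypassed(raw_hook_backport, NF_INET_LOCAL_OUT)); /* 0 */
    return 0;
}
```

The practical consequence is that modinfo and the vermagic string will not reveal this difference, since the backported module is still built for 4.14.151; only the code itself shows which behaviour you have.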

You have really disassembled the module? Why?

Is that a problem for your use case? Does the module not work?

According to your kernel build tag I assume you are running an official build of OpenWrt, right?
What are your contents of /etc/opkg/distfeeds.conf and /etc/os-release?

Yes, it wasn't working as expected.

The function iptable_raw_hook() disassembles to:

LDR             R3, [R2,#0x14]      ;R3 == state->net
MOV             R0, R1              ;R0 == skb
MOV             R1, R2              ;R1 == state
LDR             R2, [R3,#0x2C8]     ;R2 == state->net->ipv4.iptable_raw
B               ipt_do_table

As you can see, it doesn't check for the size of the IP header, as it should in v4.14.151:

Correct.

root@OpenWrt:~# cat /etc/opkg/distfeeds.conf

src/gz openwrt_core http://downloads.openwrt.org/releases/18.06.5/targets/ipq806x/generic/packages
src/gz openwrt_kmods http://downloads.openwrt.org/releases/18.06.5/targets/ipq806x/generic/kmods/4.14.151-1-e0e48e988f7369b5689954f7ddd801b1
src/gz openwrt_base http://downloads.openwrt.org/releases/18.06.5/packages/arm_cortex-a15_neon-vfpv4/base
src/gz openwrt_luci http://downloads.openwrt.org/releases/18.06.5/packages/arm_cortex-a15_neon-vfpv4/luci
src/gz openwrt_packages http://downloads.openwrt.org/releases/18.06.5/packages/arm_cortex-a15_neon-vfpv4/packages
src/gz openwrt_routing http://downloads.openwrt.org/releases/18.06.5/packages/arm_cortex-a15_neon-vfpv4/routing
src/gz openwrt_telephony http://downloads.openwrt.org/releases/18.06.5/packages/arm_cortex-a15_neon-vfpv4/telephony
root@OpenWrt:~# cat /etc/os-release

NAME="OpenWrt"
VERSION="18.06.5"
ID="openwrt"
ID_LIKE="lede openwrt"
PRETTY_NAME="OpenWrt 18.06.5"
VERSION_ID="18.06.5"
HOME_URL="http://openwrt.org/"
BUG_URL="http://bugs.openwrt.org/"
SUPPORT_URL="http://forum.lede-project.org/"
BUILD_ID="r7897-9d401013fc"
LEDE_BOARD="ipq806x/generic"
LEDE_ARCH="arm_cortex-a15_neon-vfpv4"
LEDE_TAINTS=""
LEDE_DEVICE_MANUFACTURER="OpenWrt"
LEDE_DEVICE_MANUFACTURER_URL="http://openwrt.org/"
LEDE_DEVICE_PRODUCT="Generic"
LEDE_DEVICE_REVISION="v0"
LEDE_RELEASE="OpenWrt 18.06.5 r7897-9d401013fc"

Ok, I understand...

Your problem is related to the netfilter backports used by OpenWrt.

Take a look here why you have the module code from a newer kernel version:

Probably you can file a bug report on https://bugs.openwrt.org/ if you are convinced that the backport breaks the normal behavior.

1 Like
