When building the mainstream OpenWrt, the iptable_raw.ko kernel installable module is not built and consequently the RAW table is not available in iptables.
How to enable the building of iptable_raw.ko?
Edit:
There is already a KernelPackage for iptable_raw, it's called ipt-raw and can be installed with opkg update && opkg install kmod-ipt-raw.
If you are building the image by yourself you have to enable PACKAGE_kmod-ipt-raw.
Old post:
You need to add the appropriate KernelPackage definition to:
Probably this helps you:
I did opkg update && opkg install kmod-ipt-raw and indeed the iptable_raw.ko was installed, but its file version does not match my Linux version v4.14.151.
How do I know? Because I disassembled it and the function iptable_raw_hook() installed by opkg looks like this:
static unsigned int
iptable_raw_hook(void *priv, struct sk_buff *skb,
		 const struct nf_hook_state *state)
{
	return ipt_do_table(skb, state, state->net->ipv4.iptable_raw);
}
...see this source in iptable_raw.c
However, this function in v4.14.151 is supposed to look like this:
static unsigned int
iptable_raw_hook(void *priv, struct sk_buff *skb,
		 const struct nf_hook_state *state)
{
	if (state->hook == NF_INET_LOCAL_OUT &&
	    (skb->len < sizeof(struct iphdr) ||
	     ip_hdrlen(skb) < sizeof(struct iphdr)))
		/* root is playing with raw sockets. */
		return NF_ACCEPT;
	return ipt_do_table(skb, state, state->net->ipv4.iptable_raw);
}
...see this source in iptable_raw.c
Note that this change in source code has happened between v4.15.18 and v4.16-rc1.
Q: Why did the opkg install a version of this module that does not match my Linux version?
P.S.
My cat /proc/version reports:
Linux version 4.14.151 (buildbot@62f0e5d67d46) (gcc version 7.3.0 (OpenWrt GCC 7.3.0 r7897-9d401013fc)) #0 SMP Tue Nov 5 14:12:18 2019
You have really disassembled the module? Why?
Is that a problem for your use case? Does the module not work?
According to your kernel build tag I assume you are running an official build of OpenWRT, right?
What are the contents of your /etc/opkg/distfeeds.conf and /etc/os-release?
Yes, it wasn't working as expected.
The function iptable_raw_hook() disassembles to:
	LDR	R3, [R2,#0x14]	; R3 == state->net
	MOV	R0, R1		; R0 == skb
	MOV	R1, R2		; R1 == state
	LDR	R2, [R3,#0x2C8]	; R2 == state->net->ipv4.iptable_raw
	B	ipt_do_table
As you can see, it doesn't check the size of the IP header, as it should in v4.14.151:
Correct.
root@OpenWrt:~# cat /etc/opkg/distfeeds.conf
src/gz openwrt_core http://downloads.openwrt.org/releases/18.06.5/targets/ipq806x/generic/packages
src/gz openwrt_kmods http://downloads.openwrt.org/releases/18.06.5/targets/ipq806x/generic/kmods/4.14.151-1-e0e48e988f7369b5689954f7ddd801b1
src/gz openwrt_base http://downloads.openwrt.org/releases/18.06.5/packages/arm_cortex-a15_neon-vfpv4/base
src/gz openwrt_luci http://downloads.openwrt.org/releases/18.06.5/packages/arm_cortex-a15_neon-vfpv4/luci
src/gz openwrt_packages http://downloads.openwrt.org/releases/18.06.5/packages/arm_cortex-a15_neon-vfpv4/packages
src/gz openwrt_routing http://downloads.openwrt.org/releases/18.06.5/packages/arm_cortex-a15_neon-vfpv4/routing
src/gz openwrt_telephony http://downloads.openwrt.org/releases/18.06.5/packages/arm_cortex-a15_neon-vfpv4/telephony
root@OpenWrt:~# cat /etc/os-release
NAME="OpenWrt"
VERSION="18.06.5"
ID="openwrt"
ID_LIKE="lede openwrt"
PRETTY_NAME="OpenWrt 18.06.5"
VERSION_ID="18.06.5"
HOME_URL="http://openwrt.org/"
BUG_URL="http://bugs.openwrt.org/"
SUPPORT_URL="http://forum.lede-project.org/"
BUILD_ID="r7897-9d401013fc"
LEDE_BOARD="ipq806x/generic"
LEDE_ARCH="arm_cortex-a15_neon-vfpv4"
LEDE_TAINTS=""
LEDE_DEVICE_MANUFACTURER="OpenWrt"
LEDE_DEVICE_MANUFACTURER_URL="http://openwrt.org/"
LEDE_DEVICE_PRODUCT="Generic"
LEDE_DEVICE_REVISION="v0"
LEDE_RELEASE="OpenWrt 18.06.5 r7897-9d401013fc"
Ok, I understand...
Your problem is related to the netfilter backports used by OpenWRT.
Take a look here to see why you have the module code from a newer kernel version:
Probably you can file a bug report on https://bugs.openwrt.org/ if you are convinced that the backport breaks the normal behavior.
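The first check a practitioner would run on a suspect .ko, before reaching for a disassembler, is to compare the module's vermagic with the running kernel. The script below is an added example, not part of this thread or of OpenWrt: it parses the ELF section headers of a module file, pulls the key=value entries out of its .modinfo section, and compares the kernel release in vermagic with the one in /proc/version. For offline use it also builds a constructed, non-loadable ELF object that carries only a .modinfo section; the vermagic string, the license and the depends line in that object are assumed values, not taken from a real OpenWrt build. On the 18.06.5 build above this check is expected to pass, which is exactly why it cannot detect what the thread found: as the last reply explains, OpenWrt's netfilter backports put newer upstream code into a module that still declares 4.14.151, so only the code itself (as the disassembly showed) reveals the difference.

```python
"""Compare a kernel module's vermagic with the running kernel (added example)."""
from __future__ import annotations

import struct
import sys


def _elf_sections(data: bytes):
    """Yield (section_name, section_bytes) for an ELF32/ELF64 image in either byte order."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                      # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"       # EI_DATA:  1 = little-endian, 2 = big-endian
    if is64:
        shoff = struct.unpack_from(end + "Q", data, 0x28)[0]
        shentsize, shnum, shstrndx = struct.unpack_from(end + "HHH", data, 0x3A)
        shdr_fmt = end + "IIQQQQ"            # sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size
    else:
        shoff = struct.unpack_from(end + "I", data, 0x20)[0]
        shentsize, shnum, shstrndx = struct.unpack_from(end + "HHH", data, 0x2E)
        shdr_fmt = end + "IIIIII"
    headers = []
    for i in range(shnum):
        fields = struct.unpack_from(shdr_fmt, data, shoff + i * shentsize)
        headers.append((fields[0], fields[4], fields[5]))      # (sh_name, sh_offset, sh_size)
    _, str_off, str_size = headers[shstrndx]                  # section-name string table
    strtab = data[str_off:str_off + str_size]
    for name_idx, off, size in headers:
        name = strtab[name_idx:strtab.index(b"\0", name_idx)].decode()
        yield name, data[off:off + size]


def read_modinfo(data: bytes) -> dict:
    """Return the key=value pairs of .modinfo (vermagic, depends, license, ...).
    Keys that repeat (parm, alias) keep their last value; the keys used here do not repeat."""
    for name, body in _elf_sections(data):
        if name == ".modinfo":
            info = {}
            for entry in body.split(b"\0"):
                if b"=" in entry:
                    key, value = entry.split(b"=", 1)
                    info[key.decode()] = value.decode(errors="replace")
            return info
    raise ValueError("no .modinfo section; not a kernel module?")


def kernel_release_from_proc_version(text: str) -> str:
    """'Linux version 4.14.151 (buildbot@...) ...' -> '4.14.151'."""
    parts = text.split()
    if parts[:2] != ["Linux", "version"] or len(parts) < 3:
        raise ValueError("unexpected /proc/version format")
    return parts[2]


def check_module(data: bytes, proc_version: str) -> tuple[bool, str]:
    """Return (release_matches, vermagic). Only the first vermagic token (the kernel
    release) is compared; the kernel itself also checks the remaining tokens at insmod time."""
    vermagic = read_modinfo(data).get("vermagic", "")
    release = vermagic.split()[0] if vermagic else ""
    return release == kernel_release_from_proc_version(proc_version), vermagic


def build_fake_module(modinfo_entries) -> bytes:
    """Constructed input: a minimal little-endian ELF64 relocatable with only a .shstrtab
    and a .modinfo section. It is not loadable (e_machine is left 0); it exists so the
    parser above can be exercised offline."""
    modinfo = b"".join(e.encode() + b"\0" for e in modinfo_entries)
    shstrtab = b"\0.shstrtab\0.modinfo\0"    # name offsets: 1 = .shstrtab, 11 = .modinfo
    shstrtab_off = 64                          # right after the 64-byte ELF64 header
    modinfo_off = shstrtab_off + len(shstrtab)
    shoff = modinfo_off + len(modinfo)         # section header table goes last

    def shdr(name_idx, sh_type, off, size):
        return struct.pack("<IIQQQQIIQQ", name_idx, sh_type, 0, 0, off, size, 0, 0, 1, 0)

    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8      # ELF64, LSB, version 1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH",
                               1, 0, 1, 0, 0, shoff, 0,     # ET_REL, EM_NONE, EV_CURRENT, no phdrs
                               64, 0, 0, 64, 3, 1)          # ehsize, phentsize, phnum, shentsize, shnum, shstrndx
    return (ehdr + shstrtab + modinfo
            + shdr(0, 0, 0, 0)                              # SHT_NULL
            + shdr(1, 3, shstrtab_off, len(shstrtab))       # SHT_STRTAB  .shstrtab
            + shdr(11, 1, modinfo_off, len(modinfo)))       # SHT_PROGBITS .modinfo


if __name__ == "__main__":
    if len(sys.argv) == 2:     # usage: vermagic_check.py /lib/modules/4.14.151/iptable_raw.ko
        with open(sys.argv[1], "rb") as ko, open("/proc/version") as pv:
            ok, vermagic = check_module(ko.read(), pv.read())
    else:                      # offline demo: /proc/version line from the thread, constructed .ko
        proc_version = ("Linux version 4.14.151 (buildbot@62f0e5d67d46) (gcc version 7.3.0 "
                        "(OpenWrt GCC 7.3.0 r7897-9d401013fc)) #0 SMP Tue Nov 5 14:12:18 2019")
        fake = build_fake_module(["vermagic=4.14.151 SMP mod_unload ARMv7 p2v8 ",  # assumed value
                                  "license=GPL", "depends=ip_tables"])            # assumed values
        ok, vermagic = check_module(fake, proc_version)
    print(("match" if ok else "MISMATCH") + " for vermagic " + repr(vermagic))
```

A passing result only says the module was compiled for the same release string; it says nothing about whether the code inside is the upstream 4.14 code or a backport, so when behaviour differs from what the upstream source for that release shows, the next step is to compare the code as the original poster did, and to take the finding to the distribution's bug tracker.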