OpenWrt Forum Archive

Topic: iptables TRACE problems

The content of this topic has been archived on 26 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi all,

I'm running OpenWRT 10.3 and trying to track an issue with my firewall using the TRACE target with iptables.  However I am having a few troubles inserting the rules:

root@OpenWrt:~# iptables -t raw -I PREROUTING -p tcp -j TRACE
iptables v1.4.6: Couldn't load target `TRACE':File not found

If I run the same command with strace I can see I'm missing some libraries (this is just the relevant bit of the strace output):
open("\1", O_RDONLY)                    = -1 ENOENT (No such file or directory)
open("", O_RDONLY)                      = -1 ENOENT (No such file or directory)
open("\260\260\312\177\352\6", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/libxt_TRACE.so", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64(0x7fcaba70, 0x7fcab930)          = -1 ENOENT (No such file or directory)
open("/usr/lib/iptables/libxt_TRACE.soo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/libxt_TRACE.so", O_RDONLY)       = -1 ENOENT (No such file or directory)
open("/lib/lib/lib/libE.so", O_RDONLY)  = -1 ENOENT (No such file or directory)
open("/lib/libipt_TRACE.so", O_RDONLY)  = -1 ENOENT (No such file or directory)
stat64(0x7fcaba70, 0x7fcab930)          = -1 ENOENT (No such file or directory)
socket(PF_INET, SOCK_RAW, IPPROTO_RAW)  = 3
getsockopt(3, SOL_IP, 0x40 /* IP_??? */, 0x7fcabb38, 0) = 0
getsockopt(3, SOL_IP, 0x41 /* IP_??? */, "raw\0ew protocols will be added o"..., [84]) = 0
open("\3", O_RDONLY)                    = -1 ENOENT (No such file or directory)
open("/libipt_TRACE.so", O_RDONLY)      = -1 ENOENT (No such file or directory)
open("\260\260\312\177/lib/lib/libxt_TRACE.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("\260\260\312\177/libxt_TRACE.so", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64(0x7fcaba70, 0x7fcab930)          = -1 ENOENT (No such file or directory)
open("/usr/lib/iptables/libxt_TRACE.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/libxt_TRACE.so", O_RDONLY)       = -1 ENOENT (No such file or directory)
open("\260\260\312\177/lib/lib/libipt_TRACE.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/lib/libipt_TRACE.so", O_RDONLY)  = -1 ENOENT (No such file or directory)
stat64(0x7fcaba70, 0x7fcab930)          = -1 ENOENT (No such file or directory)

I tried looking through the packages to see what provides libxt_TRACE.so or libipt_TRACE.so but couldn't see anything.  Am I overlooking some package that provides this, or is the iptables TRACE target not supported at the moment on OpenWrt?

Thanks in advance.

The modules needed for iptables matches/targets are split into different packages in the OpenWrt repos. They all should have names like kmod-ipt-xxx. Since documentation is shit, you've got to find out which package your module is in. For ar71xx targets and RC4 look at:

http://downloads.openwrt.org/backfire/1 … s/Packages

and search for TRACE or TTL or TOS or whatever. Also there are some ugly bugs. In the last two releases I installed, modules were missing in the packages.

Is there any other (comfortable) way to check what a package contains? I mean, the above way only shows you the info about a package, but not the real ingredients.

I think opkg list '*grepstring*' will effectively be the same as looking through that package text file.

I still can't find the iptables trace libraries so will give up on it.  I must admit to really missing something like apt-file search to locate the appropriate package.

Thanks for your help anyway.

profile21 wrote:

I think opkg list '*grepstring*' will effectively be the same as looking through that package text file.

No, it will be much slower :-P

profile21 wrote:

I still can't find the iptables trace libraries so will give up on it.  I must admit to really missing something like apt-file search to locate the appropriate package.

Maybe there isn't one. IF there is, the question is how to find it. Both above-mentioned methods only check text strings explicitly specified by the package builder. Some of them are quite short and cryptic. Try to find all packages related to traffic shaping... I know three: dsl-qos-queue, wshaper and qos-scripts. Yeah, again I did put them here: http://wiki.openwrt.org/doc/uci/qos But maybe there are more, who knows...


profile21 wrote:

Thanks for your help anyway.

Well I didn't really help you, did I? Your problem stays unsolved. Maybe check the source-code? But how?

Apologies for bumping an old thread but I was looking for the same information and perhaps others would like it too. Here is what I did to get TRACE:

To determine if TRACE was in a package, I downloaded one of the OpenWrt ImageBuilders. By using a script (which I have since deleted, sorry), I extracted all of the packages. I could then do a normal file search for 'TRACE', 'libxt_TRACE', etc. I couldn't find it, so to the best of my knowledge no package provides it....

In order to get TRACE functionality, you need to compile the library yourself, as well as the TRACE target kernel module. The best way to do this is to do an svn checkout of the distribution of OpenWrt you are using. Find your kernel version:

uname -a

Browse to your relevant changelog (e.g. for Backfire - https://dev.openwrt.org/log/branches/ba … llow_copy) and do a search for your kernel version. I found this:

[24490]: kernel: update from version 2.6.32.25 to 2.6.32.27

So I know that any revision prior to 24490 will build the right kernel for me as I am using 2.6.32.25. I then checked out the right revision by running the following, where 24489 was the revision I needed:

svn co svn://svn.openwrt.org/openwrt/branches/backfire@24489

Do not update the feeds! Copy and paste the following into the end of package/kernel/modules/netfilter.mk:

define KernelPackage/ipt-trace
$(call KernelPackage/ipt/Depends,)
  TITLE:=Module for TRACE target
  KCONFIG:=$(KCONFIG_IPT_TRACE) \
    CONFIG_NETFILTER_XT_TARGET_TRACE
  FILES:=$(LINUX_DIR)/net/netfilter/xt_TRACE.ko
  AUTOLOAD:=$(call AutoLoad,45,$(notdir $(IPT_TRACE-m)))
endef

define KernelPackage/ipt-trace/description
 Netfilter (IPv4) module for TRACE target
 Includes:
 - TRACE

endef

$(eval $(call KernelPackage,ipt-trace))

cd into the new OpenWrt source directory and run

make menuconfig

Select your target system and target profile. Then go to Kernel Modules --> Netfilter Extensions --> kmod-ipt-trace and change it to 'M'. Next, exit, save the config and run

make

After some time you will be able to find the file 'libxt_TRACE.so' in build_dir/linux-TARGET_SYSTEM/iptables-VERSION/extensions. scp this across to the /usr/lib/iptables dir on OpenWrt. You will also find 'xt_TRACE.ko' in build_dir/linux-TARGET_SYSTEM/linux-VERSION/net/netfilter. scp this across to /root(?) on your device. Now you should be able to do

insmod ./xt_TRACE.ko

and finally use the TRACE target in iptables.

Hope this helps somebody!

Ash
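
The package search described in the post above (unpack every package, then look for the file by name), as an added example that is not the poster's deleted script. It assumes OpenWrt's .ipk layout of a gzip-compressed tar wrapping data.tar.gz; the function names and the two sample packages are made up for the demo.

```shell
#!/bin/sh
# Added example: an "apt-file search" substitute for a directory of .ipk files.
# Assumption: each .ipk is a gzip-compressed tar holding debian-binary,
# control.tar.gz and data.tar.gz (the files the package installs).

# ipk_files PKG: print the payload paths inside one package, one per line
ipk_files() {
    tmp=$(mktemp -d) || return 1
    rc=0
    { tar -xzf "$1" -C "$tmp" && tar -tzf "$tmp/data.tar.gz"; } 2>/dev/null || rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# ipk_search PATTERN DIR: print "package-file: path" for every payload path
# matching the grep PATTERN in any .ipk below DIR
ipk_search() {
    find "$2" -type f -name '*.ipk' | sort | while IFS= read -r pkg; do
        ipk_files "$pkg" | grep -- "$1" | while IFS= read -r path; do
            printf '%s: %s\n' "${pkg##*/}" "$path"
        done
    done
}

# make_sample_ipk OUTDIR NAME PAYLOAD_PATH: build a constructed package holding
# one empty file, so the search can be tried without downloading anything
make_sample_ipk() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/data/$(dirname "$3")" "$work/pkg"
    : > "$work/data/$3"
    printf '2.0\n' > "$work/pkg/debian-binary"
    printf 'Package: %s\n' "$2" > "$work/control"
    tar -czf "$work/pkg/control.tar.gz" -C "$work" ./control
    tar -czf "$work/pkg/data.tar.gz" -C "$work/data" .
    tar -czf "$1/$2.ipk" -C "$work/pkg" ./debian-binary ./control.tar.gz ./data.tar.gz
    rm -rf "$work"
}

# Demo on two constructed packages (names and contents are made up)
demo=$(mktemp -d)
make_sample_ipk "$demo" example-trace usr/lib/iptables/libxt_TRACE.so
make_sample_ipk "$demo" example-other usr/lib/iptables/libxt_other.so
ipk_search 'libxt_TRACE' "$demo"   # example-trace.ipk: ./usr/lib/iptables/libxt_TRACE.so
rm -rf "$demo"
```

Pointed at an ImageBuilder's packages directory, an empty result for 'libxt_TRACE' means no package in that set ships the library.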

Ash,

Ok, so far, all is mostly well.  Followed your directions and now my "raw" table is showing an increasing packet count for all packets which match my "TRACE" rule.

However, I am not seeing any logged messages using logread or on the gui (syslog or kernel log).

Before I dump a bunch of configs here, do you know of a good reference so I can look up my syslog/klog config, to ensure that it is correct?

Either way, thanks for the detailed setup on getting iptables' tracking set up.

Paul

Hmm, don't know. I figured out my problem before I needed TRACE and looking at it now I see no iptables output on the kernel log - indeed all that seems to be there is dmesg stuff. Did you ever get this working?

opkg update && grep "Package: iptables-mod-" /var/opkg-lists/packages | awk -F ': ' '{print $2}' | xargs opkg install && grep "Package: kmod-ipt-" /var/opkg-lists/packages | awk -F ': ' '{print $2}' | xargs opkg install


Backfire (10.03.1-RC5, r27608)

# uname -a
Linux ********** 2.6.32.27 #7 Fri Jul 15 02:43:34 CEST 2011 mips GNU/Linux

iptables -t raw -A PREROUTING -p icmp -j TRACE

iptables v1.4.6: Couldn't load target `TRACE':File not found

Should I open a ticket for this?

Trace isn't available in Backfire. It is available in trunk under the iptables-debug package. May be best to look at how that package is built to see how to build it for Backfire.

ash87 wrote:

Hope this helps somebody!

Ash

Thanks, it is working fine.

For Backfire 10.03.1-RC5:

svn co svn://svn.openwrt.org/openwrt/branches/backfire@27793

(Last edited by dash17291 on 29 Nov 2011, 13:58)

Module is loaded, but typing

logread

doesn't show any line containing TRACE:

(Last edited by dash17291 on 29 Nov 2011, 16:04)

adam2104 wrote:

Trace isn't available in Backfire. It is available in trunk under the iptables-debug package. May be best to look at how that package is built to see how to build it for Backfire.

# cat /etc/banner
  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 ATTITUDE ADJUSTMENT (bleeding edge, r29557) ----------
  * 1/4 oz Vodka      Pour all ingredients into mixing
  * 1/4 oz Gin        tin with ice, strain into glass.
  * 1/4 oz Amaretto
  * 1/4 oz Triple sec
  * 1/4 oz Peach schnapps
  * 1/4 oz Sour mix
  * 1 splash Cranberry juice
 -----------------------------------------------------



Using EXTROOT

| Atheros AR9132 rev 2 | TP-LINK TL-WR1043ND | MIPS 24Kc V7.4 | 265.42 |



# opkg update && opkg install iptables-debug
Downloading http://downloads.openwrt.org/snapshots/trunk/ar71xx/packages/Packages.gz.
Inflating http://downloads.openwrt.org/snapshots/trunk/ar71xx/packages/Packages.gz.
Updated list of available packages in /var/opkg-lists/snapshots.
Unknown package 'iptables-debug'.
Collected errors:
 * opkg_install_cmd: Cannot install package iptables-debug.

The iptables-debug is not available in binary builds as enabling it slows down all iptables operations, even if not used. Similar case to ebtables and bridge firewalling. You must compile yourself.

Why is this thread dead? TRACE still doesn't work!

<*> kmod-ipt-debug.......................... Module for debugging/development

Doesn't fix it!

root@router:~# iptables -t raw -I OUTPUT -p icmp -j TRACE
iptables v1.4.21: Couldn't load target `TRACE':No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
root@router:~#

The discussion might have continued from here.