I’m trying to install an iptables firewall on my Vero 4K+ and I’m getting the following error when I try and use the owner module:
$ sudo iptables -m owner --help
iptables v1.8.2 (legacy): Couldn't load match `owner':No such file or directory
A little Googling says that the xt_owner module needs to be compiled into the kernel. Is it possible to request this to be added?
nftables, I think Debian moved on to this instead of iptables.
Can you let me know the CONFIG_ option that needs to be enabled in the kernel and I will include it in the next build.
Cheers
Sam
I’m not 100% certain but here is what I came up with:
CONFIG_NETFILTER_XT_MATCH_OWNER
- CONFIG_IP_NF_MATCH_OWNER
- CONFIG_IP6_NF_MATCH_OWNER
- Might be deprecated
I have recompiled the latest Vero364 kernel (4.9.113-66-osmc) and tested it with the following two CONFIG statements enabled:
+CONFIG_NETFILTER_XT_TARGET_LOG=m
+CONFIG_NETFILTER_XT_MATCH_OWNER=m
Target Log allows iptables to send comment/debug messages to the system log and Match Owner allows iptables to match based on userid. These are the only two that I currently need and I would appreciate if you can add these to your next build.
I’ll get this added with the next video stack. Thanks for confirming.
This is updated and included in the next video stack
@@ -738,6 +738,7 @@ CONFIG_NETFILTER_NETLINK=y
CONFIG_NETFILTER_NETLINK_QUEUE=y
CONFIG_NETFILTER_NETLINK_LOG=y
CONFIG_NF_CONNTRACK=y
+CONFIG_NF_LOG_COMMON=m
CONFIG_NF_CONNTRACK_MARK=y
CONFIG_NF_CONNTRACK_ZONES=y
CONFIG_NF_CONNTRACK_PROCFS=y
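Review bot: The added CONFIG_NF_LOG_COMMON=m line is not one of the two options requested and tested in the thread (CONFIG_NETFILTER_XT_TARGET_LOG and CONFIG_NETFILTER_XT_MATCH_OWNER), and nothing in the change says why it is here. If it was pulled in as a dependency when the config was regenerated, say so in the commit message so the extra symbol is not mistaken for a hand edit.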
@@ -815,7 +816,7 @@ CONFIG_NETFILTER_XT_TARGET_CT=m
# CONFIG_NETFILTER_XT_TARGET_HMARK is not set
CONFIG_NETFILTER_XT_TARGET_IDLETIMER=m
# CONFIG_NETFILTER_XT_TARGET_LED is not set
-# CONFIG_NETFILTER_XT_TARGET_LOG is not set
+CONFIG_NETFILTER_XT_TARGET_LOG=m
CONFIG_NETFILTER_XT_TARGET_MARK=m
CONFIG_NETFILTER_XT_NAT=y
CONFIG_NETFILTER_XT_TARGET_NETMAP=y
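Review bot: CONFIG_NETFILTER_XT_TARGET_LOG is set to =m while the neighbouring CONFIG_NETFILTER_XT_NAT and CONFIG_NETFILTER_XT_TARGET_NETMAP are =y, so the LOG target only works if the module is shipped with the kernel package and loads when a rule references it. That matches the configuration tested in the thread, but confirm on a built image that a rule using `-j LOG` loads and writes to the system log.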
@@ -863,7 +864,7 @@ CONFIG_NETFILTER_XT_MATCH_MARK=m
# CONFIG_NETFILTER_XT_MATCH_MULTIPORT is not set
# CONFIG_NETFILTER_XT_MATCH_NFACCT is not set
# CONFIG_NETFILTER_XT_MATCH_OSF is not set
-# CONFIG_NETFILTER_XT_MATCH_OWNER is not set
+CONFIG_NETFILTER_XT_MATCH_OWNER=m
CONFIG_NETFILTER_XT_MATCH_POLICY=m
# CONFIG_NETFILTER_XT_MATCH_PHYSDEV is not set
CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
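Review bot: The commit message should record that only CONFIG_NETFILTER_XT_MATCH_OWNER is enabled in this hunk and that CONFIG_IP_NF_MATCH_OWNER and CONFIG_IP6_NF_MATCH_OWNER, listed in the thread as possibly deprecated, are left out on purpose. The reporter's `sudo iptables -m owner --help` is a ready acceptance check to run against the built image.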
@@ -936,7 +937,7 @@ CONFIG_NFT_DUP_IPV4=y
# CONFIG_NF_TABLES_ARP is not set
CONFIG_NF_DUP_IPV4=y
# CONFIG_NF_LOG_ARP is not set
-# CONFIG_NF_LOG_IPV4 is not set
+CONFIG_NF_LOG_IPV4=m
CONFIG_NF_REJECT_IPV4=y
CONFIG_NF_NAT_IPV4=y
# CONFIG_NFT_CHAIN_NAT_IPV4 is not set
@@ -979,7 +980,7 @@ CONFIG_NFT_REJECT_IPV6=y
CONFIG_NFT_DUP_IPV6=y
CONFIG_NF_DUP_IPV6=y
CONFIG_NF_REJECT_IPV6=y
-# CONFIG_NF_LOG_IPV6 is not set
+CONFIG_NF_LOG_IPV6=m
CONFIG_NF_NAT_IPV6=m
# CONFIG_NFT_CHAIN_NAT_IPV6 is not set
CONFIG_NF_NAT_MASQUERADE_IPV6=m
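Review bot: CONFIG_NF_LOG_IPV6=m enables IPv6 logging, but the test reported in the thread only mentions iptables, so the IPv6 path is untested as far as the page shows. Run the same LOG rule check with ip6tables on the built image before release.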
Thanks for letting me know which options to include.
Sam
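The options changed in the diff above can be checked against a kernel config file before relying on owner-match or LOG rules. This is an added example, not part of the original thread or the OSMC build; the function names and the sample configs are constructed for illustration, and the usage line assumes the kernel exposes /proc/config.gz.

```shell
#!/bin/sh
# Added example (not from the thread): report the state of the netfilter
# options changed in the diff above, given a kernel .config-style file.

# Symbols copied from the "+" lines of the diff.
REQUIRED_SYMBOLS="CONFIG_NF_LOG_COMMON CONFIG_NETFILTER_XT_TARGET_LOG
CONFIG_NETFILTER_XT_MATCH_OWNER CONFIG_NF_LOG_IPV4 CONFIG_NF_LOG_IPV6"

# kconfig_state FILE SYMBOL: print "y", "m" or "unset".
# "# SYMBOL is not set" and a missing line both count as unset.
kconfig_state() {
    val=$(sed -n "s/^$2=\(.*\)\$/\1/p" "$1" | tail -n 1)
    case "$val" in
        y|m) printf '%s\n' "$val" ;;
        *)   printf 'unset\n' ;;
    esac
}

# check_firewall_kconfig FILE: print one "SYMBOL state" line per symbol and
# return 1 if any of them is unset, 0 otherwise.
check_firewall_kconfig() {
    rc=0
    for sym in $REQUIRED_SYMBOLS; do
        state=$(kconfig_state "$1" "$sym")
        printf '%s %s\n' "$sym" "$state"
        if [ "$state" = unset ]; then rc=1; fi
    done
    return "$rc"
}

# Constructed sample: the affected lines as they stood before the change
# (CONFIG_NF_LOG_COMMON is absent, as in the "-" side of the diff).
sample_before() {
    printf '%s\n' 'CONFIG_NF_CONNTRACK=y' \
        '# CONFIG_NETFILTER_XT_TARGET_LOG is not set' \
        '# CONFIG_NETFILTER_XT_MATCH_OWNER is not set' \
        '# CONFIG_NF_LOG_IPV4 is not set' '# CONFIG_NF_LOG_IPV6 is not set'
}

# Constructed sample: the same lines after the change.
sample_after() {
    printf '%s\n' 'CONFIG_NF_CONNTRACK=y' 'CONFIG_NF_LOG_COMMON=m' \
        'CONFIG_NETFILTER_XT_TARGET_LOG=m' 'CONFIG_NETFILTER_XT_MATCH_OWNER=m' \
        'CONFIG_NF_LOG_IPV4=m' 'CONFIG_NF_LOG_IPV6=m'
}

# Usage on a device (assumes the kernel exposes /proc/config.gz):
#   zcat /proc/config.gz > /tmp/kconfig && check_firewall_kconfig /tmp/kconfig
```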