Iptables xt_owner module missing

founder · 2 May 2022 23:50

I’m trying to install an iptables firewall on my Vero 4K+ and I’m getting the following error when I try and use the owner module:

$ sudo iptables -m owner --help
iptables v1.8.2 (legacy): Couldn't load match `owner':No such file or directory

A little Googling says that the xt_owner module needs to be compiled into the kernel. Is it possible to request this to be added?

Toast · 4 May 2022 17:50

nftables think debain moved on to this instead of iptables.

sam_nazarko · 4 May 2022 19:14

Can you let me know the CONFIG_ option that needs to be enabled in the kernel and I will include it in the next build.

Cheers

Sam

founder · 5 May 2022 13:07

I’m not 100% certain but here is what I came up with:

CONFIG_NETFILTER_XT_MATCH_OWNER

CONFIG_IP_NF_MATCH_OWNER
CONFIG_IP6_NF_MATCH_OWNER
Might be deprecated

founder · 9 May 2022 04:01

I have recompiled the lastest Vero364 kernel(4.9.113-66-osmc) and tested it with the following two CONFIG statements enabled:
+CONFIG_NETFILTER_XT_TARGET_LOG=m
+CONFIG_NETFILTER_XT_MATCH_OWNER=m

Target Log allows iptables to send comment/debug messages to the system log and Match Owner allows iptables to match based on userid. These are the only two that I currently need and I would appreciate if you can add these to your next build.

sam_nazarko · 11 May 2022 20:00

I’ll get this added with the next video stack. Thanks for confirming.

sam_nazarko · 13 May 2022 00:36

This is updated and included in the next video stack

@@ -738,6 +738,7 @@ CONFIG_NETFILTER_NETLINK=y
 CONFIG_NETFILTER_NETLINK_QUEUE=y
 CONFIG_NETFILTER_NETLINK_LOG=y
 CONFIG_NF_CONNTRACK=y
+CONFIG_NF_LOG_COMMON=m
 CONFIG_NF_CONNTRACK_MARK=y
 CONFIG_NF_CONNTRACK_ZONES=y
 CONFIG_NF_CONNTRACK_PROCFS=y
@@ -815,7 +816,7 @@ CONFIG_NETFILTER_XT_TARGET_CT=m
 # CONFIG_NETFILTER_XT_TARGET_HMARK is not set
 CONFIG_NETFILTER_XT_TARGET_IDLETIMER=m
 # CONFIG_NETFILTER_XT_TARGET_LED is not set
-# CONFIG_NETFILTER_XT_TARGET_LOG is not set
+CONFIG_NETFILTER_XT_TARGET_LOG=m
 CONFIG_NETFILTER_XT_TARGET_MARK=m
 CONFIG_NETFILTER_XT_NAT=y
 CONFIG_NETFILTER_XT_TARGET_NETMAP=y
@@ -863,7 +864,7 @@ CONFIG_NETFILTER_XT_MATCH_MARK=m
 # CONFIG_NETFILTER_XT_MATCH_MULTIPORT is not set
 # CONFIG_NETFILTER_XT_MATCH_NFACCT is not set
 # CONFIG_NETFILTER_XT_MATCH_OSF is not set
-# CONFIG_NETFILTER_XT_MATCH_OWNER is not set
+CONFIG_NETFILTER_XT_MATCH_OWNER=m
 CONFIG_NETFILTER_XT_MATCH_POLICY=m
 # CONFIG_NETFILTER_XT_MATCH_PHYSDEV is not set
 CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
@@ -936,7 +937,7 @@ CONFIG_NFT_DUP_IPV4=y
 # CONFIG_NF_TABLES_ARP is not set
 CONFIG_NF_DUP_IPV4=y
 # CONFIG_NF_LOG_ARP is not set
-# CONFIG_NF_LOG_IPV4 is not set
+CONFIG_NF_LOG_IPV4=m
 CONFIG_NF_REJECT_IPV4=y
 CONFIG_NF_NAT_IPV4=y
 # CONFIG_NFT_CHAIN_NAT_IPV4 is not set
@@ -979,7 +980,7 @@ CONFIG_NFT_REJECT_IPV6=y
 CONFIG_NFT_DUP_IPV6=y
 CONFIG_NF_DUP_IPV6=y
 CONFIG_NF_REJECT_IPV6=y
-# CONFIG_NF_LOG_IPV6 is not set
+CONFIG_NF_LOG_IPV6=m
 CONFIG_NF_NAT_IPV6=m
 # CONFIG_NFT_CHAIN_NAT_IPV6 is not set
 CONFIG_NF_NAT_MASQUERADE_IPV6=m

Thanks for letting me know which options to include.

Sam