I ran iptables -L the other day and noticed that some of my rules using -m state suddenly give this warning message after the rule is listed:
"Warning: Extension state is not supported, missing kernel module?"
The state module (actually it's not a module but compiled in) was never disabled in the kernel, I enabled the "conntrack" USE flag too and its required CONFIG_NF_CT_NETLINK, and it's still showing this message. I'm not sure if the rules are working or not, and "-m state -h" shows the correct syntax of the state module.
Anyone know more?
iptables: "Extension state is not supported"
Message
Plz see
https://wiki.gentoo.org/wiki/Iptables#Kernel
It is missing the state functionality.
Plz add it
recompile and reinstall kernel and modules.
https://wiki.gentoo.org/wiki/Iptables#Kernel
It is missing the state functionality.
Plz add it
Code: Select all
[*] Network packet filtering framework (Netfilter) --->
--- Network packet filtering framework (Netfilter)
[ ] Network packet filtering debugging
[ ] Advanced netfilter configuration
Core Netfilter Configuration --->
<M> Netfilter LOG over NFNETLINK interface
<*> Netfilter connection tracking support
[ ] Supply CT list in procfs (OBSOLETE)
< > FTP protocol support
< > IRC protocol support
< > NetBIOS name service protocol support
< > SIP protocol support
< > Connection tracking netlink interface
< > Netfilter nf_tables support
-*- Netfilter Xtables support (required for ip_tables)
*** Xtables combined modules ***
< > nfmark target and match support
*** Xtables targets ***
< > LOG target support
< > "NFLOG" target support
< > "TCPMSS" target support
*** Xtables matches ***
<*> "conntrack" connection tracking match support
< > IPsec "policy" match support
<*> "state" match support ########HERE
Do you have
in your .config?
Can you plz double check?
Code: Select all
CONFIG_NETFILTER_XT_MATCH_STATECan you plz double check?
redblade7,
my suggestion is the same as I always say: Enable ALL netfilter modules as <M>odule in your kernel configuration (and enable also "Advanced netfilter configuration"). As soon as your firewall starts (independent if "iptables" or "nftables") all needed modules will be loaded automatically and you can see with "lsmod" which of them you really need. Afterwards you can disable all modules again which you dont need.
(see also here: https://wiki.gentoo.org/wiki/User:Pieti ... lim_kernel )
P.S.: Dont forget netfilter-modules for IPv6 ...
(If you use it)
my suggestion is the same as I always say: Enable ALL netfilter modules as <M>odule in your kernel configuration (and enable also "Advanced netfilter configuration"). As soon as your firewall starts (independent if "iptables" or "nftables") all needed modules will be loaded automatically and you can see with "lsmod" which of them you really need. Afterwards you can disable all modules again which you dont need.
(see also here: https://wiki.gentoo.org/wiki/User:Pieti ... lim_kernel )
P.S.: Dont forget netfilter-modules for IPv6 ...
(If you use it)
Apparently, I've found the root cause for this issue (which I've faced too). I've set:
And now, my configuration like
works without a warning. According to the docs, the former module supersedes the latter one.
Code: Select all
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
# CONFIG_NETFILTER_XT_MATCH_STATE is not set
Code: Select all
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
That works for me. Thank you!r_pns wrote:Apparently, I've found the root cause for this issue (which I've faced too). I've set:And now, my configuration likeCode: Select all
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m # CONFIG_NETFILTER_XT_MATCH_STATE is not setworks without a warning. According to the docs, the former module supersedes the latter one.Code: Select all
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT