iptables v1.8.2 (legacy): can't initialize iptables table

samuelbernardo
n00b
Posts: 31
Joined: Sat Jan 30, 2016 6:20 pm

iptables v1.8.2 (legacy): can't initialize iptables table


Post by samuelbernardo » Sun Apr 07, 2019 4:28 pm

Hi,

Today, after a Gentoo upgrade, I realized that libvirt has an error at startup. iptables is not working as expected, and because of that libvirt can't set the forward rules for NAT bridges.

The related ebuilds I've installed are:
net-firewall/iptables-1.8.2-r2 conntrack ipv6 netlink pcap -nftables
net-firewall/nftables-0.9.0-r4 gmp json modern_kernel readline
net-firewall/ebtables-2.0.10.4 +perl
app-emulation/libvirt-5.1.0 caps dbus fuse libvirtd lvm lxc macvtap nfs nls parted policykit qemu sasl udev vepa virt-network wireshark-plugins zfs
sys-kernel/gentoo-sources-4.19.34 experimental

I have iptables enabled with almost all other options:
grep NF_IPTABLES /boot/config-$(uname -r)
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP6_NF_IPTABLES=y

I've also enabled the ebtables and nftables related options in the kernel.
nft commands work without any problem, as do ebtables ones. Only iptables has this error.
I can't enable the nftables use flag in the iptables ebuild because libvirt requires iptables with the nftables flag disabled.

Does anyone have a hint as to why the following error happens?

Code:

# iptables -nvL
iptables v1.8.2 (legacy): can't initialize iptables table `filter': No child processes
Perhaps iptables or your kernel needs to be upgraded.
Complete kernel configuration: https://pastebin.com/TDpwKij0

Code:

# cat /proc/net/ip_tables_names
security
raw
nat
mangle
filter
Thanks
deagol
n00b
Posts: 62
Joined: Sat Jul 12, 2014 12:03 pm


Post by deagol » Sat Apr 13, 2019 8:56 pm

You are probably missing some kernel module(s).

I had exactly the same error message today after updating my kernel. I used the old kernel config as a base, and with the new kernel I got the same error.
If I'm right, booting your old kernel will allow iptables to work again.
You then have to figure out exactly what's missing... In my case the MASQUERADE target was missing. A master option was off, and MASQUERADE was one of the selectable targets.
Doesn't look like that's your problem, though...
But when you can confirm that it's still working with the old kernel, something next to sure is...
samuelbernardo
n00b
Posts: 31
Joined: Sat Jan 30, 2016 6:20 pm


Post by samuelbernardo » Sun Apr 14, 2019 12:27 am

deagol wrote: You are probably missing some kernel module(s).

I had exactly the same error message today after updating my kernel. I used the old kernel config as a base, and with the new kernel I got the same error.
If I'm right, booting your old kernel will allow iptables to work again.
You then have to figure out exactly what's missing... In my case the MASQUERADE target was missing. A master option was off, and MASQUERADE was one of the selectable targets.
Doesn't look like that's your problem, though...
But when you can confirm that it's still working with the old kernel, something next to sure is...

Thanks for your feedback.
Unfortunately, I already have the MASQUERADE target enabled.
I have a hint that the problem may be related to the iptables nftables flag, which I can't activate because libvirt and lxd still depend on ebtables, which conflicts with iptables built with nftables.
So my firewall is now being configured by nft, which is working as expected. libvirtd gives warnings when starting because of the iptables command errors, but it is still working.
My hope now is that libvirt and lxd start to support nftables.
samuelbernardo
n00b
Posts: 31
Joined: Sat Jan 30, 2016 6:20 pm

[SOLVED] iptables v1.8.2: can't initialize iptables table


Post by samuelbernardo » Sun Apr 28, 2019 8:39 am

Installing net-firewall/ebtables-2.0.10.4-r2 allows installing iptables with the nftables use flag. With this it is possible to have a Linux kernel with nftables enabled.
alamahant
Advocate
Posts: 4034
Joined: Sat Mar 23, 2019 12:12 pm


Post by alamahant » Tue Jun 04, 2019 9:08 pm

Then ditch nftables and use iptables instead.
Not only libvirt, even firewalld, docker etc. do not work properly with nftables yet.
Firewalld gives you the option to choose the iptables or nftables backend in the firewalld.conf file.
It will take time, so just stick with iptables instead.
Use these flags for them to be fully functional:

First remove anything "netfilter" from your kernel .config file thus:

Code:

sed -i '/NETFILTER/d' /usr/src/linux/.config
and then you need to append the following and recompile:

Code:

CONFIG_NETFILTER=y
CONFIG_NETFILTER_ADVANCED=y
CONFIG_BRIDGE_NETFILTER=y
# Core Netfilter Configuration
CONFIG_NETFILTER_INGRESS=y
CONFIG_NETFILTER_NETLINK=m
CONFIG_NETFILTER_FAMILY_BRIDGE=y
CONFIG_NETFILTER_FAMILY_ARP=y
CONFIG_NETFILTER_NETLINK_ACCT=m
CONFIG_NETFILTER_NETLINK_QUEUE=m
CONFIG_NETFILTER_NETLINK_LOG=m
CONFIG_NETFILTER_NETLINK_OSF=m
CONFIG_NETFILTER_CONNCOUNT=m
CONFIG_NETFILTER_NETLINK_GLUE_CT=y
CONFIG_NETFILTER_SYNPROXY=m
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_MARK=m
CONFIG_NETFILTER_XT_CONNMARK=m
CONFIG_NETFILTER_XT_SET=m
CONFIG_NETFILTER_XT_TARGET_AUDIT=m
CONFIG_NETFILTER_XT_TARGET_CHECKSUM=m
CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
CONFIG_NETFILTER_XT_TARGET_CONNMARK=m
CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=m
CONFIG_NETFILTER_XT_TARGET_CT=m
CONFIG_NETFILTER_XT_TARGET_DSCP=m
CONFIG_NETFILTER_XT_TARGET_HL=m
CONFIG_NETFILTER_XT_TARGET_HMARK=m
CONFIG_NETFILTER_XT_TARGET_IDLETIMER=m
CONFIG_NETFILTER_XT_TARGET_LED=m
CONFIG_NETFILTER_XT_TARGET_LOG=m
CONFIG_NETFILTER_XT_TARGET_MARK=m
CONFIG_NETFILTER_XT_NAT=m
CONFIG_NETFILTER_XT_TARGET_NETMAP=m
CONFIG_NETFILTER_XT_TARGET_NFLOG=m
CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
CONFIG_NETFILTER_XT_TARGET_NOTRACK=m
CONFIG_NETFILTER_XT_TARGET_RATEEST=m
CONFIG_NETFILTER_XT_TARGET_REDIRECT=m
CONFIG_NETFILTER_XT_TARGET_TEE=m
CONFIG_NETFILTER_XT_TARGET_TPROXY=m
CONFIG_NETFILTER_XT_TARGET_TRACE=m
CONFIG_NETFILTER_XT_TARGET_SECMARK=m
CONFIG_NETFILTER_XT_TARGET_TCPMSS=m
CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=m
CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=m
CONFIG_NETFILTER_XT_MATCH_BPF=m
CONFIG_NETFILTER_XT_MATCH_CGROUP=m
CONFIG_NETFILTER_XT_MATCH_CLUSTER=m
CONFIG_NETFILTER_XT_MATCH_COMMENT=m
CONFIG_NETFILTER_XT_MATCH_CONNBYTES=m
CONFIG_NETFILTER_XT_MATCH_CONNLABEL=m
CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=m
CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_CPU=m
CONFIG_NETFILTER_XT_MATCH_DCCP=m
CONFIG_NETFILTER_XT_MATCH_DEVGROUP=m
CONFIG_NETFILTER_XT_MATCH_DSCP=m
CONFIG_NETFILTER_XT_MATCH_ECN=m
CONFIG_NETFILTER_XT_MATCH_ESP=m
CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m
CONFIG_NETFILTER_XT_MATCH_HELPER=m
CONFIG_NETFILTER_XT_MATCH_HL=m
CONFIG_NETFILTER_XT_MATCH_IPCOMP=m
CONFIG_NETFILTER_XT_MATCH_IPRANGE=m
CONFIG_NETFILTER_XT_MATCH_IPVS=m
CONFIG_NETFILTER_XT_MATCH_L2TP=m
CONFIG_NETFILTER_XT_MATCH_LENGTH=m
CONFIG_NETFILTER_XT_MATCH_LIMIT=m
CONFIG_NETFILTER_XT_MATCH_MAC=m
CONFIG_NETFILTER_XT_MATCH_MARK=m
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
CONFIG_NETFILTER_XT_MATCH_NFACCT=m
CONFIG_NETFILTER_XT_MATCH_OSF=m
CONFIG_NETFILTER_XT_MATCH_OWNER=m
CONFIG_NETFILTER_XT_MATCH_POLICY=m
CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m
CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
CONFIG_NETFILTER_XT_MATCH_QUOTA=m
CONFIG_NETFILTER_XT_MATCH_RATEEST=m
CONFIG_NETFILTER_XT_MATCH_REALM=m
CONFIG_NETFILTER_XT_MATCH_RECENT=m
CONFIG_NETFILTER_XT_MATCH_SCTP=m
CONFIG_NETFILTER_XT_MATCH_SOCKET=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_NETFILTER_XT_MATCH_STATISTIC=m
CONFIG_NETFILTER_XT_MATCH_STRING=m
CONFIG_NETFILTER_XT_MATCH_TCPMSS=m
CONFIG_NETFILTER_XT_MATCH_TIME=m
CONFIG_NETFILTER_XT_MATCH_U32=m
:D
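A check worth running before the recompile step alamahant describes, added here as an example and not code from the thread: it reports which of the netfilter symbols the thread relies on are missing from a kernel .config. The sample config is constructed, and CONFIG_IP_NF_TARGET_MASQUERADE is assumed to be the kernel symbol for the MASQUERADE target deagol mentions.

```shell
#!/bin/sh
# Added example, not code from the thread: before trusting the
# "append and recompile" step above, check which of the required netfilter
# symbols a kernel .config actually enables. Point it at
# /usr/src/linux/.config or /boot/config-$(uname -r) (for a running kernel
# without that file, feed it `zcat /proc/config.gz > /tmp/cfg` first).
# Assumption: "=y" and "=m" both count as enabled; absence or a
# "# CONFIG_X is not set" line counts as missing.

# missing_kconfig FILE OPTION...
# Prints, one per line, every OPTION that is neither =y nor =m in FILE.
missing_kconfig() {
    cfg=$1
    shift
    for opt in "$@"; do
        # Anchored match on the exact symbol, so CONFIG_NETFILTER does
        # not count as satisfied by CONFIG_NETFILTER_ADVANCED=y.
        if ! grep -q "^${opt}=[ym]\$" "$cfg"; then
            echo "$opt"
        fi
    done
}

# Symbols the thread turns on: the master switches and xtables core from
# alamahant's list, the table support samuelbernardo grepped for, plus the
# MASQUERADE target deagol found missing (its symbol name,
# CONFIG_IP_NF_TARGET_MASQUERADE, is assumed here, not quoted from the thread).
REQUIRED_OPTS="CONFIG_NETFILTER CONFIG_NETFILTER_ADVANCED CONFIG_NETFILTER_XTABLES \
CONFIG_IP_NF_IPTABLES CONFIG_IP6_NF_IPTABLES CONFIG_IP_NF_TARGET_MASQUERADE"

# Constructed sample standing in for a real .config: everything enabled
# except the MASQUERADE target, which is left "not set".
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat >"$SAMPLE_CFG" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_NETFILTER_ADVANCED=y
CONFIG_NETFILTER_XTABLES=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP6_NF_IPTABLES=y
# CONFIG_IP_NF_TARGET_MASQUERADE is not set
CONFIG_NETFILTER_XT_MATCH_STATE=m
EOF

# Real use: missing_kconfig /usr/src/linux/.config $REQUIRED_OPTS
# On the sample this prints CONFIG_IP_NF_TARGET_MASQUERADE only.
missing_kconfig "$SAMPLE_CFG" $REQUIRED_OPTS
```

Note that the thread's `sed -i '/NETFILTER/d'` only strips lines containing NETFILTER, so CONFIG_IP_NF_* and CONFIG_NF_* symbols such as the MASQUERADE target are neither reset by it nor present in the appended list; this check catches that gap.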
samuelbernardo
n00b
Posts: 31
Joined: Sat Jan 30, 2016 6:20 pm


Post by samuelbernardo » Thu Jun 06, 2019 6:22 pm

Thanks, alamahant, for your post.
It's working now with your proposed configuration.