[SOLVED] IPTABLES failed after kernel upgrade

[smokyrun]

Hello All,

Yesterday I updated my kernel from the 6.12.58 release to the 6.18.12 but after that my VPN did'nt work because some kernel modules does'nt exist in the new kernel release :

I get this error message when I would want to use IPTABLES :

Code: Select all

modprobe: FATAL: Module ip_tables not found in directory /lib/modules/6.18.12-gentoo
iptables v1.8.11 (legacy): can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

Below the different between the 2 kernel version about iptables modules :

root@himalaya /boot # grep -i IPTABLES /boot/config-6.18.12-gentoo
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP6_NF_IPTABLES=y
# iptables trigger is under Netfilter config (LED target)

root@himalaya /boot # grep -i IPTABLES /boot/config-6.12.58-gentoo
CONFIG_IP_NF_IPTABLES_LEGACY=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP6_NF_IPTABLES_LEGACY=y
CONFIG_IP6_NF_IPTABLES=y
# iptables trigger is under Netfilter config (LED target)

Do you if there is an issue to fix this problem ?

Thank you so much for your help.

smokyrun

[NeddySeagoon]

smokyrun,

You are missing the _LEGACY optins.
Go into menuconfig.
Press the 'z' key.
Search for the option.
Read it's help.
The Depends on: boolean must be true befbre the optioneis visible.
Fix that, then select the _LEGACY option.

'z' toggles the display of hidden options and allows search to find them.

[grknight]

Alternatively, enable the nftables USE on net-firewall/iptables and rebuild with --oneshot (or a world update).
Then, use eselect iptables to choose the non-legacy option.

This is the best way to not chase kernel options going forward.

[NeddySeagoon]

To add to what grknight said,

iptables will go away one day, so you will be forced to move.
You can pick your day at the moment.

[pietinger]

smokyrun,

CONFIG_NETFILTER_XTABLES_LEGACY was created with 6.17:
https://wiki.gentoo.org/wiki/User:Pieti ... 16_to_6.17

[smokyrun]

Thank you so much for all these precious information and your help, I learned many things today about kernel.
Now I understand why the "_LEGACY" options didn't appear in the new kernel configuration in despite of the using the directive "make oldefconfig" before to compile the new kernel.
I fixed my problem by activating the LEGACY option in the kernel but I think I'm going to use solution recommends by grknight.

Have a nice day.

Kind regards

smokyrun

[gtwrek]

I just ran into this exact same issue. Funny my google searching with added tag site:gentoo.org never found this thread.
I struggles with a lot of non-gentoo search responses, before I figured things out. Came here to add a post to try and help others, and found this thread.

Adding some more details here (+maybe improve search results):
The errors you may get involve failure to insert some kernel modules, or similar

"ip_tables not found in directory /lib/modules/..."
iptables vN.P.Q: can't initialize iptables table `nat': Table does not exist (do you need to insmod?) Perhaps iptables or your kernel needs to be upgraded.

I had to take at attempt or two to get the kernel configuration correct. I think these were the key ones that needed to be enabled, that were missing after 6.18.12:

CONFIG_NETFILTER_XTABLES_LEGACY=y
CONFIG_NETFILTER_XT_TARGET_NETMAP=m
CONFIG_NETFILTER_XT_TARGET_REDIRECT=m
CONFIG_IP_NF_IPTABLES_LEGACY=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP6_NF_IPTABLES_LEGACY=m
CONFIG_IP6_NF_MANGLE=m

(My entire kernel .config diff is a little larger - I've tried to snip out irrelevant stuff that I may have added in my fumbling around trying to resolve the issue)

The gentoo wiki probably needs to add a few new requirements under https://wiki.gentoo.org/wiki/Iptables now that it appears the kernel is moving more aggressively away from this legacy method.