Iptables and kernel modules

cloudboss · October 9, 2022, 7:30pm

Hi, I am getting the following error with ip6tables:

ip6tables-restore v1.8.7 (legacy): Couldn't load target `REJECT':No such file or directory

The kernel is compiled with CONFIG_NF_REJECT_IPV4=y but for IPv6 it is configured as a module:

# gunzip -c /proc/config.gz | grep CONFIG_NF_REJECT
CONFIG_NF_REJECT_IPV4=y
CONFIG_NF_REJECT_IPV6=m

I compiled the modules for 5.12.2 to match the kernel version, but alas, I got the error nf_reject_ipv6: disagrees about version of symbol module_layout. Further investigation revealed that I would also need the kernel’s Module.symvers.

Is there any way CONFIG_NF_REJECT_IPV6=y could be added to the kernel? Even better would be the option to mount kernel modules as a volume inside machines.

OJFord · March 7, 2023, 5:37pm

Same with CONNMARK, module xt_connmark I think.

Not possible to use Wireguard’s wg-quick as a result:

 2023-03-07T17:06:36.106 app[6e82920f7e7668] lhr [info] [#] ip6tables-restore -n

2023-03-07T17:06:36.109 app[6e82920f7e7668] lhr [info] Warning: Extension CONNMARK revision 0 not supported, missing kernel module?

2023-03-07T17:06:36.112 app[6e82920f7e7668] lhr [info] ip6tables-restore: line 6 failed

(and then exits 1 after some cleanup.)

Topic		Replies	Views
Nftables support in the kernel	3	1749	October 11, 2022
Kernel tree / config published someplace?	5	481	March 30, 2021
Kernel config to support iptables --notrack Questions / Help	5	986	January 2, 2023
Wireguard nodes (*.gateway.6pn.dev) unaccessible from IPv6 only	9	481	June 21, 2023
Deployment issue	4	619	November 13, 2020

Iptables and kernel modules

Related topics