counterpoint Posted July 11, 2020

I am setting up a new Odroid HC1 and have installed Armbian Buster from https://www.armbian.com/odroid-hc1/. Attempting to run iptables, I first had the problem:

    iptables/1.8.2 Failed to initialize nft: Protocol not supported

Attempting to use legacy, I used the command:

    update-alternatives --set iptables /usr/sbin/iptables-legacy

But then had the error:

    modprobe: ERROR: ../libkmod/libkmod.c:586 kmod_search_moddep() could not open moddep file '/lib/modules/4.14.180-odroidxu4/modules.dep.bin'
    modprobe: FATAL: Module ip_tables not found in directory /lib/modules/4.14.180-odroidxu4
    iptables v1.8.2 (legacy): can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
    Perhaps iptables or your kernel needs to be upgraded.

This leaves me rather stuck! In my firewall, I make extensive use of ipset. But that also seems to have a problem:

    ipset v6.38: Cannot open session to kernel.

Are these problems soluble?
lanefu Posted July 12, 2020

This is odd, as when looking at the kernel config used, iptables modules are there. Debian buster does use nftables, so there must be some underlying issues. Maybe reinstall the iptables-legacy package and reboot before setting the alternative?

What does this command return?

    find /lib/modules/|fgrep -i tables

Also please run and share the link for:

    sudo armbianmonitor -u
counterpoint Posted July 12, 2020 (Author)

Thanks very much. Sorry for the slow response - I'm only allowed one post per 24 hours.

I seem to have a solution. As mentioned above, I took the image from https://www.armbian.com/odroid-hc1/. To be more specific, I used the one with the large image at the right hand side of the page, just below the picture of an HC1. Looking more carefully, it uses kernel 4.14.y. Not being knowledgeable about kernel versions, I assumed that the highlighted image was the best to use.

However, I later looked down the page, and tried using the download link https://dl.armbian.com/odroidxu4/Buster_current_minimal which uses kernel 5.4. Why would people prefer an old kernel? Anyway, everything seems to work as I would expect with no need for selecting legacy elements or anything unusual.

With the other image, I was not able to find a package called iptables-legacy, only one called iptables. Reinstalling it and rebooting didn't make a difference.

In case they are still of interest, the answers to your questions are:

    root@backup:~# find /lib/modules/|fgrep -i tables
    /lib/modules/4.14.187-odroidxu4/kernel/net/ipv6/netfilter/nf_tables_ipv6.ko
    /lib/modules/4.14.187-odroidxu4/kernel/net/ipv6/netfilter/ip6_tables.ko
    /lib/modules/4.14.187-odroidxu4/kernel/net/ipv4/netfilter/nf_tables_ipv4.ko
    /lib/modules/4.14.187-odroidxu4/kernel/net/ipv4/netfilter/ip_tables.ko
    /lib/modules/4.14.187-odroidxu4/kernel/net/ipv4/netfilter/arp_tables.ko
    /lib/modules/4.14.187-odroidxu4/kernel/net/ipv4/netfilter/nf_tables_arp.ko
    /lib/modules/4.14.187-odroidxu4/kernel/net/netfilter/nf_tables_netdev.ko
    /lib/modules/4.14.187-odroidxu4/kernel/net/netfilter/nf_tables.ko
    /lib/modules/4.14.187-odroidxu4/kernel/net/netfilter/nf_tables_inet.ko
    /lib/modules/4.14.187-odroidxu4/kernel/net/bridge/netfilter/ebtables.ko
    /lib/modules/4.14.187-odroidxu4/kernel/net/bridge/netfilter/nf_tables_bridge.ko

    root@backup:~# armbianmonitor -u
    System diagnosis information will now be uploaded to http://ix.io/2rqQ
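
Added example, not part of any post in this thread: the error in the first post names /lib/modules/4.14.180-odroidxu4, while the listing above shows modules under 4.14.187-odroidxu4, so a useful first check when iptables or ipset cannot reach the kernel is whether a given kernel release has a complete module tree. The function names, the module list and the sample tree are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: does a kernel release have the module tree that iptables
# and ipset need? Usage on a live system:
#   check_netfilter_modules "$(uname -r)"

# check_netfilter_modules RELEASE [MODROOT]
# Prints one finding per line; returns 0 only when nothing is missing.
check_netfilter_modules() {
    release=$1
    modroot=${2:-/lib/modules}
    dir="$modroot/$release"
    rc=0
    if [ ! -d "$dir" ]; then
        echo "MISSING module directory $dir"
        # Show what is installed, so a release mismatch is obvious.
        for d in "$modroot"/*/; do
            if [ -d "$d" ]; then echo "INSTALLED $(basename "$d")"; fi
        done
        return 2
    fi
    # modprobe resolves module names through modules.dep.bin (from depmod).
    if [ ! -f "$dir/modules.dep.bin" ]; then
        echo "MISSING $dir/modules.dep.bin (rebuild with: depmod -a $release)"
        rc=1
    fi
    # ip_tables: iptables-legacy; nf_tables: iptables-nft;
    # nfnetlink and ip_set: ipset.
    for mod in ip_tables nf_tables nfnetlink ip_set; do
        # Modules may be compressed (.ko.xz, .ko.gz), hence the glob.
        if find "$dir" -name "$mod.ko*" | grep -q .; then
            echo "OK $mod"
        elif grep -qs "/$mod\.ko" "$dir/modules.builtin"; then
            echo "OK $mod (built in)"
        else
            echo "MISSING $mod"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample tree (release name from the thread, file set made up):
# modules exist for 4.14.187-odroidxu4 only.
make_sample_tree() {
    root=$(mktemp -d)
    k="$root/4.14.187-odroidxu4/kernel/net"
    mkdir -p "$k/ipv4/netfilter" "$k/netfilter/ipset"
    touch "$k/ipv4/netfilter/ip_tables.ko" "$k/netfilter/nf_tables.ko" \
          "$k/netfilter/nfnetlink.ko" "$k/netfilter/ipset/ip_set.ko" \
          "$root/4.14.187-odroidxu4/modules.dep.bin"
    echo "$root"
}
```

A return code of 2 means the release has no module directory at all, which is the case where a firewall script silently loads no rules at boot.
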
sfx2000 Posted July 13, 2020

    root@mips24k:~# find /lib/modules/|fgrep -i tables
    /lib/modules/5.4.51/ip6_tables.ko
    /lib/modules/5.4.51/ip_tables.ko
    /lib/modules/5.4.51/nf_tables.ko
    /lib/modules/5.4.51/nf_tables_set.ko
    /lib/modules/5.4.51/x_tables.ko

everything here seems to be fine...
counterpoint Posted July 14, 2020 (Author)

Thanks, yes. It appears you are using a 5.4.51 kernel. I don't have a problem with that image. The thing that has left me puzzled is why the most prominently featured Buster image has a 4.14.187 kernel. (Page at https://www.armbian.com/odroid-hc1/)
Werner Posted July 15, 2020

7 hours ago, counterpoint said:
> Thanks, yes. It appears you are using a 5.4.51 kernel. I don't have a problem with that image. The thing that has left me puzzled is why the most prominently featured Buster image has a 4.14.187 kernel. (Page at https://www.armbian.com/odroid-hc1/)

At the time the page was last adjusted, the unmodified kernel directly from Odroid did the best for this board. Maybe this has changed meanwhile, maybe not. Newer kernels have other issues that might be more severe than missing a few iptables modules.

Also there might be a chance to adjust the 4.14 kernel via the build-system as well and add those modules by yourself. Anyway I do not think that this will be fixed by Armbian since it would be no real "stock" kernel anymore.
counterpoint Posted July 15, 2020 (Author)

Thanks, Werner. My original problem was more severe than just a missing iptables module. So far as I could tell, iptables was completely unusable. And so was ipset. Since those are essential to the way I set up servers, I just couldn't use that version unless those problems could be solved. Unfortunately, I've not seen anything that solves either problem.

This is my second Odroid HC1 and the first one was built with the recommended Debian 9 image. That didn't have any of these problems and has been in use for some while. But Debian 9 is getting old now, and didn't seem a sensible choice for a new server.

Thanks also to xwiggen. I'm not clear what exactly that would achieve. I'd try it, but right now I don't have a test machine, as the new HC1 is running a live system and the old one has Debian Bullseye installed as an experiment.
Werner Posted July 16, 2020

8 hours ago, counterpoint said:
> But Debian 9 is getting old now, and didn't seem a sensible choice for a new server.

Depends on how you use it. If you keep it that way you will have peace for the next two years since Stretch is in LTS state and will be supported until June 30, 2022.
xwiggen Posted July 16, 2020

13 hours ago, counterpoint said:
> Thanks, Werner. My original problem was more severe than just a missing iptables module. So far as I could tell, iptables was completely unusable. And so was ipset. Since those are essential to the way I set up servers, I just couldn't use that version unless those problems could be solved. Unfortunately, I've not seen anything that solves either problem.
>
> This is my second Odroid HC1 and the first one was built with the recommended Debian 9 image. That didn't have any of these problems and has been in use for some while. But Debian 9 is getting old now, and didn't seem a sensible choice for a new server.
>
> Thanks also to xwiggen. I'm not clear what exactly that would achieve. I'd try it, but right now I don't have a test machine, as the new HC1 is running a live system and the old one has Debian Bullseye installed as an experiment.

nfnetlink is the comms between userspace iptables/ipset and kernel
counterpoint Posted July 27, 2020 (Author)

Thanks for the various suggestions. I now have the solution to the problem.

Perhaps my original question misled. I was creating a server that was new in the sense of being freshly created from scratch. The hardware was an HC1 that had been in use for a while for a slightly different purpose. The SSD was new, as was the SD card and the Buster image.

I have also created a Debian 10 server for another purpose on a brand new HC1. It surprised me to find that I could install the Buster image prominently displayed on https://www.armbian.com/odroid-hc1/ and have ipset and iptables work without issues.

Eventually it dawned on me that there must be a difference in the hardware. Updating the firmware of the older HC1 changed the situation. The Buster image with the 4.14.y kernel then worked with no issues for ipset or iptables. Evidently the older HC1 was not immediately compatible with Debian 10 Buster.