ipt_connmark is broken

Bug #112611 reported by GSMD
Affects                        Status         Importance   Assigned to   Milestone
linux-source-2.6.22 (Ubuntu)   Fix Released   Wishlist     Unassigned

Bug Description

Binary package hint: linux-server

# modprobe ipt_connmark
# lsmod | grep connmark
xt_connmark 3328 0
nf_conntrack 62728 1 xt_connmark
x_tables 16388 3 xt_connmark,xt_multiport,ip_tables
# iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables: No chain/target/match by that name

So connmark seems to be broken.

GSMD (gsmdib) wrote :

P.S. Feisty, server kernel

GSMD (gsmdib) wrote :

ok, in kernel config I found a line
# CONFIG_NETFILTER_XT_TARGET_CONNMARK is not set
I've changed it to
CONFIG_NETFILTER_XT_TARGET_CONNMARK=m
and recompiled the kernel. For now 'iptables: No chain/target/match by that name' is not thrown, though I don't know yet whether connmark actually works ;).

Kees Cook (kees) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find.

Changed in linux-meta:
status: Unconfirmed → Confirmed
karlbowden (karlbowden) wrote :

Is it possible to get this enabled in Gutsy Gibbon and future revisions of the kernel?
I am using xt_CONNMARK for a site that serves to two ADSL connections and xt_CONNMARK is the simplest way to keep route correct for the two connections.

Chuck Short (zulcss) wrote :

re-targeting

Changed in linux-source-2.6.20:
importance: Undecided → Wishlist
GSMD (gsmdib) wrote :

So, is it going to get fixed for Gutsy?

Bill Michaelson (ubuntu-bill) wrote :

I sold a load-balancing scheme to a client. When I moved my scripts over from my testing (SuSE with 2.6.16.13 kernel) to client production (Feisty, canned), this chomped at my posterior. Is -j CONNMARK considered unstable? There seems to be evidence of tons of folks using it for quite a while now...

Changed in linux-source-2.6.22:
assignee: nobody → ubuntu-kernel-team
Jeremy Jackson (jerj) wrote :

I'd consider this a regression, since I've been using it for several years on Debian, then switching my routers to Ubuntu last month, I felt a knife in my back....not as welcoming as I had hoped.

saresca (saresca) wrote :

I've downloaded the latest Ubuntu kernel 2.6.20-29, modified the config and added these modules:
CONFIG_NETFILTER_XT_TARGET_CONNMARK=m
CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
recompiled the kernel and now it is working.

Should be added in the next kernel release.
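The failure in the bug description and the two-option fix in the post above come down to one detail: the connmark match (xt_connmark, lowercase) and the CONNMARK target (xt_CONNMARK, uppercase) are separate modules behind separate config options, so lsmod showing xt_connmark says nothing about whether -j CONNMARK can load. The following checker is an added example, not from the bug report or the Ubuntu kernel package; it reads a kernel .config (a constructed sample here, /boot/config-$(uname -r) on a real host) and reports each option.

```shell
#!/bin/sh
# Added example: report the state of the two netfilter options this bug turns on.

# connmark_status CONFIG_FILE OPTION -> prints "builtin", "module" or "missing".
connmark_status() {
    config="$1"; opt="$2"
    if grep -q "^${opt}=y$" "$config"; then
        echo builtin
    elif grep -q "^${opt}=m$" "$config"; then
        echo module
    else
        # Covers both "# OPTION is not set" and an option absent from the file.
        echo missing
    fi
}

# check_connmark CONFIG_FILE -> prints one line per option; returns 0 only if
# both the match and the target are available, otherwise 1.
check_connmark() {
    config="$1"; rc=0
    for opt in CONFIG_NETFILTER_XT_MATCH_CONNMARK CONFIG_NETFILTER_XT_TARGET_CONNMARK; do
        st=$(connmark_status "$config" "$opt")
        echo "$opt: $st"
        [ "$st" != missing ] || rc=1
    done
    return $rc
}

# Constructed sample config mirroring the Feisty situation in the report:
# the match is built as a module, the target is not set.
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
# CONFIG_NETFILTER_XT_TARGET_CONNMARK is not set
EOF

# On a running system use the kernel's own config instead:
#   check_connmark "/boot/config-$(uname -r)"
check_connmark "$SAMPLE_CONFIG" \
    || echo "CONNMARK target unavailable: -j CONNMARK rules will fail with 'No chain/target/match by that name'"
```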

GSMD (gsmdib) wrote :

Yes, that's a straightforward workaround.
Recompiling the kernel every time in order to enable a feature that should have been enabled by default sucks bad though.
Things remain the same in the latest Gutsy kernel.

karlbowden (karlbowden) wrote :

So how do we go about getting this fixed then?
I can confirm that the above change mentioned by saresca is all that I need to do before compiling kernel modules to get the module I need. I do not know where to start in making a patch for the kernel package though.
The module is about 4.0k after compiling and stripping and I know that I have seen stability issues in the past for this module, but that was a long time ago (couple of years). So I don't think size or stability are the issue. It should now just be a matter of getting someone to accept a patch for the kernel.
I do sorely miss this module from Debian.

TuxInvader (tuxinvader) wrote :

Still broken in the latest ubuntu kernel, release 2.6.22-11-generic.

As the Beta freeze is now on, and this bug is marked as wishlist, I guess this is not going to be fixed in Gutsy?

Looks like I'll have to use Debian Etch for any server deployments that require any clever firewalling or advanced routing rules for now.

Please enable *all* of the NetFilter modules in your kernel and iptables packages in future.

Ubuntu is currently unusable in advanced-routing deployments :(

GSMD (gsmdib) wrote :

Yeah, the attitude of Ubuntu maintainers plain sucks for this matter.
Having connmark enabled by default can't break anything. I don't mind recompiling the kernel by hand, but this would break automatic kernel security updates and add more headache. Just don't get it.

Tim Gardner (timg-tpi)
Changed in linux-source-2.6.22:
assignee: ubuntu-kernel-team → timg-tpi
status: Confirmed → In Progress
Jeremy Jackson (jerj) wrote : Re: [Bug 112611] Re: ipt_connmark is broken

Speaking of advanced routers, I'm setting up Quagga on Debian, and
looking to do the same on 2 Ubuntu routers. When configuring BGP
sessions to 1 upstream provider's Blackhole route server, Linux >
2.6.20.1 is required for TCP_MD5 passwords.

What's interesting, is the debate about the kernel side, and it's
bleeding edge status... and how I find it's in Ubuntu's kernel, Feisty
and Gutsy, but *not* in Debian etch or testing.

How would a conservative Ubuntu kernel have such a bleeding edge
feature, that's pretty deep in the network stack, but not something
that's been in Debian for *years*, which is an isolated module?

Jeremy

On Fri, 2007-09-21 at 13:16 +0000, GSMD wrote:
> Yeah, the attitude of Ubuntu maintainers plain sucks for this matter.
> Having connmark enabled by default can't break anything. I don't mind recompiling the kernel by hand, but this would break automatic kernel security updates and add more headache. Just don't get it.
>
--
Jeremy Jackson
Coplanar Networks
(519)489-4903

Tim Gardner (timg-tpi)
Changed in linux-source-2.6.22:
assignee: timg-tpi → nobody
status: In Progress → Fix Released
karlbowden (karlbowden) wrote :

Yip, I found Ubuntu's support for questionably bleeding edge software surprisingly good too. Just look at compiz and usplash when they first came to light.

I'd just put this one down to a bug.

Good to see it fixed in the current Gutsy kernel now.

Cheers guys.

Jeremy Jackson (jerj) wrote :

I just found that xt_NOTRACK is also missing, as reported in Bug# 125512. I just thought I'd mention that here since they're basically the same issue, and maybe I can help expedite its inclusion in Gutsy, same as this bug.
