Ubuntu
linux package

No IPv4 iptable kernel module can be loaded

Bug #1891020 reported by jean-christophe manciot
28
This bug affects 3 people
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Fix Released
Undecided
Unassigned

Bug Description

Ubuntu groovy
linux-modules-5.8.0-12-generic 5.8.0-12.13

# uname -r
5.8.0-12-generic

After reboot,
1) no IPv4 iptable kernel module are loaded:
# lsmod|grep iptable
#

2) all IPv4 iptable kernel modules are present:
# find /lib/modules/5.8.0-12-generic/kernel/net/ipv4/netfilter -name "iptable_*"
/lib/modules/5.8.0-12-generic/kernel/net/ipv4/netfilter/iptable_filter.ko
/lib/modules/5.8.0-12-generic/kernel/net/ipv4/netfilter/iptable_nat.ko
/lib/modules/5.8.0-12-generic/kernel/net/ipv4/netfilter/iptable_mangle.ko
/lib/modules/5.8.0-12-generic/kernel/net/ipv4/netfilter/iptable_raw.ko
/lib/modules/5.8.0-12-generic/kernel/net/ipv4/netfilter/iptable_security.ko

3) No IPv4 iptable kernel modules can be loaded:
# for module in iptable_filter iptable_nat iptable_mangle; do modprobe /lib/modules/5.8.0-12-generic/kernel/net/ipv4/netfilter/${module}.ko; done
modprobe: FATAL: Module /lib/modules/5.8.0-12-generic/kernel/net/ipv4/netfilter/iptable_filter.ko not found in directory /lib/modules/5.8.0-12-generic
modprobe: FATAL: Module /lib/modules/5.8.0-12-generic/kernel/net/ipv4/netfilter/iptable_nat.ko not found in directory /lib/modules/5.8.0-12-generic
modprobe: FATAL: Module /lib/modules/5.8.0-12-generic/kernel/net/ipv4/netfilter/iptable_mangle.ko not found in directory /lib/modules/5.8.0-12-generic

4) Same issue after re-creating the module dependency:
# depmod
# for module in iptable_filter iptable_nat iptable_mangle; do modprobe /lib/modules/5.8.0-12-generic/kernel/net/ipv4/netfilter/${module}.ko; done
modprobe: FATAL: Module /lib/modules/5.8.0-12-generic/kernel/net/ipv4/netfilter/iptable_filter.ko not found in directory /lib/modules/5.8.0-12-generic
modprobe: FATAL: Module /lib/modules/5.8.0-12-generic/kernel/net/ipv4/netfilter/iptable_nat.ko not found in directory /lib/modules/5.8.0-12-generic
modprobe: FATAL: Module /lib/modules/5.8.0-12-generic/kernel/net/ipv4/netfilter/iptable_mangle.ko not found in directory /lib/modules/5.8.0-12-generic

No such issue with linux-modules-5.4.0-42-generic.

Revision history for this message
jean-christophe manciot (manciot-jeanchristophe) wrote :

In syslog, I get:
...
systemd-modules-load[542]: Inserted module 'drbd'
systemd-modules-load[542]: Failed to find module 'iptable_filter.ko'
systemd-modules-load[542]: Failed to find module 'iptable_nat.ko'
systemd-modules-load[542]: Failed to find module 'iptable_mangle.ko'
systemd-modules-load[542]: Inserted module 'btcoexist'
...

Jamie Strandboge (jdstrand)
information type: Private Security → Public
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in linux (Ubuntu):
status: New → Confirmed
Jamie Strandboge (jdstrand)
summary: - No IPv4 iptable kernel module can be loaded
+ iptable_filter and ip6table_filter cannot be loaded with 5.8 kernel
Revision history for this message
Jamie Strandboge (jdstrand) wrote : Re: iptable_filter and ip6table_filter cannot be loaded with 5.8 kernel

I cannot confirm this with the 5.8.0-12 kernel. Eg, with the 5.4 kernel in groovy, things work fine:

$ cat /proc/version_signature
Ubuntu 5.4.0-42.46-generic 5.4.44

$ sudo modprobe iptable_filter
$ sudo modprobe ip6table_filter
$ lsmod|grep table_filter
ip6table_filter 16384 0
ip6_tables 32768 1 ip6table_filter
iptable_filter 16384 0
ip_tables 32768 1 iptable_filter
x_tables 40960 4 ip6table_filter,iptable_filter,ip6_tables,ip_tables

and booting into the current 5.8 kernel in groovy-proposed, it still works ok:

$ cat /proc/version_signature
Ubuntu 5.8.0-12.13-generic 5.8.0-rc7

$ lsmod|grep table_filter
$ sudo modprobe iptable_filter
$ sudo modprobe ip6table_filter
$ lsmod|grep table_filter
ip6table_filter 16384 0
ip6_tables 32768 1 ip6table_filter
iptable_filter 16384 0
ip_tables 32768 1 iptable_filter
x_tables 45056 4 ip6table_filter,iptable_filter,ip6_tables,ip_tables

I upgraded to this kernel by using 'sudo apt-get install linux-generic'. Did you fetch all the necessary packages?

Eg, in my non-secure-boot VM:

ii linux-generic 5.8.0.12.14 amd64 Complete Generic Linux kernel and headers
ii linux-headers-5.8.0-12 5.8.0-12.13 all Header files related to Linux kernel version 5.8.0
ii linux-headers-5.8.0-12-generic 5.8.0-12.13 amd64 Linux kernel headers for version 5.8.0 on 64 bit x86 SMP
ii linux-headers-generic 5.8.0.12.14 amd64 Generic Linux kernel headers
ii linux-image-5.8.0-12-generic 5.8.0-12.13 amd64 Signed kernel image generic
ii linux-image-generic 5.8.0.12.14 amd64 Generic Linux kernel image
ii linux-modules-5.8.0-12-generic 5.8.0-12.13 amd64 Linux kernel extra modules for version 5.8.0 on 64 bit x86 SMP
ii linux-modules-extra-5.8.0-12-generic 5.8.0-12.13 amd64 Linux kernel extra modules for version 5.8.0 on 64 bit x86 SMP

Changed in linux (Ubuntu):
status: Confirmed → Incomplete
Revision history for this message
Seth Forshee (sforshee) wrote :

Can you load the modules using insmod? E.g. 'insmod /lib/modules/5.8.0-12-generic/kernel/net/ipv4/netfilter/iptable_filter.ko'

jean-christophe manciot (manciot-jeanchristophe)
summary: - iptable_filter and ip6table_filter cannot be loaded with 5.8 kernel
+ No IPv4 iptable kernel module can be loaded
Revision history for this message
jean-christophe manciot (manciot-jeanchristophe) wrote :
Download full text (5.0 KiB)

Something has changed since my first post: now, right after boot, iptable_filter is loaded, but not the other IPv4 iptable kernel modules:
# lsmod | grep iptable_
iptable_filter 16384 0
ip_tables 32768 1 iptable_filter
x_tables 45056 14 ebtables,ip6table_filter,xt_conntrack,iptable_filter,xt_NFLOG,xt_tcpudp,ip6t_rt,xt_geoip,ip6_tables,ip_tables,xt_limit,xt_hl,ip6table_mangle,ip6t_REJECT

# systemctl status netfilter-persistent
● netfilter-persistent.service - netfilter persistent configuration
     Loaded: loaded (/lib/systemd/system/netfilter-persistent.service; enabled; vendor preset: enabled)
    Drop-In: /etc/systemd/system/netfilter-persistent.service.d
             └─iptables.conf
     Active: failed (Result: exit-code) since Wed 2020-08-12 10:09:33 CEST; 5min ago
       Docs: man:netfilter-persistent(8)
    Process: 1108 ExecStart=/usr/sbin/netfilter-persistent start (code=exited, status=1/FAILURE)
   Main PID: 1108 (code=exited, status=1/FAILURE)

Aug 12 10:09:32 samsung5-ubuntu systemd[1]: Starting netfilter persistent configuration...
Aug 12 10:09:33 samsung5-ubuntu netfilter-persistent[1113]: run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-ip4tables start
Aug 12 10:09:33 samsung5-ubuntu netfilter-persistent[1126]: iptables-restore v1.8.5 (legacy): iptables-restore: unable to initialize table 'mangle'
Aug 12 10:09:33 samsung5-ubuntu netfilter-persistent[1126]: Error occurred at line: 2
Aug 12 10:09:33 samsung5-ubuntu netfilter-persistent[1126]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Aug 12 10:09:33 samsung5-ubuntu netfilter-persistent[1113]: run-parts: /usr/share/netfilter-persistent/plugins.d/15-ip4tables exited with return code 2
Aug 12 10:09:33 samsung5-ubuntu netfilter-persistent[1113]: run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables start
Aug 12 10:09:33 samsung5-ubuntu systemd[1]: netfilter-persistent.service: Main process exited, code=exited, status=1/FAILURE
Aug 12 10:09:33 samsung5-ubuntu systemd[1]: netfilter-persistent.service: Failed with result 'exit-code'.
Aug 12 10:09:33 samsung5-ubuntu systemd[1]: Failed to start netfilter persistent configuration.

It is possible to load the other IPv4 iptable kernel modules, but it seems useless since the iptables cannot be loaded:
# for module in iptable_nat iptable_mangle
> do
> insmod /lib/modules/5.8.0-12-generic/kernel/net/ipv4/netfilter/${module}.ko
> done

# lsmod | grep iptable_
iptable_mangle 16384 0
iptable_nat 16384 0
iptable_filter 16384 0
nf_nat 49152 2 ip6table_nat,iptable_nat
ip_tables 32768 3 iptable_filter,iptable_nat,iptable_mangle
x_tables 45056 15 ebtables,ip6table_filter,xt_conntrack,iptable_filter,xt_NFLOG,xt_tcpudp,ip6t_rt,xt_geoip,ip6_tables,ip_tables,xt_limit,xt_hl,ip6table_mangle,ip6t_REJECT,iptable_mangle

# systemctl restart netfilter-persistent
Job for netfilter-persistent.service failed because the control process exited with error code.
See "systemctl status netfilter-persistent.service" and "journalctl -xe" for details.

# systemctl status netfilt...

Read more...

Revision history for this message
Seth Forshee (sforshee) wrote :

I saw the "Bad address" errors yesterday too, this problem should be fixed by the 5.8.0-16 kernel which will appear in groovy-proposed very soon.

jean-christophe manciot (manciot-jeanchristophe)
Changed in linux (Ubuntu):
status: Incomplete → Confirmed
Revision history for this message
Seth Forshee (sforshee) wrote :

5.8.0-16 is in groovy-proposed, please test and see if this fixes your issues.

Revision history for this message
jean-christophe manciot (manciot-jeanchristophe) wrote :

Yes, the issue is solved:
# uname -r
5.8.0-16-generic

# lsmod | grep iptable_
iptable_filter 16384 1
iptable_nat 16384 1
nf_nat 49152 3 ip6table_nat,iptable_nat,xt_MASQUERADE
iptable_mangle 16384 1
ip_tables 32768 13 iptable_filter,iptable_nat,iptable_mangle
x_tables 45056 19 ebtables,ip6table_filter,xt_conntrack,iptable_filter,xt_NFLOG,xt_tcpudp,xt_addrtype,xt_CHECKSUM,ip6t_rt,xt_geoip,ip6_tables,ipt_REJECT,ip_tables,xt_limit,xt_hl,ip6table_mangle,xt_MASQUERADE,ip6t_REJECT,iptable_mangle

# systemctl status netfilter-persistent
● netfilter-persistent.service - netfilter persistent configuration
     Loaded: loaded (/lib/systemd/system/netfilter-persistent.service; enabled; vendor preset: enabled)
    Drop-In: /etc/systemd/system/netfilter-persistent.service.d
             └─iptables.conf
     Active: active (exited) since Thu 2020-08-13 00:45:54 CEST; 6min ago
       Docs: man:netfilter-persistent(8)
   Main PID: 1073 (code=exited, status=0/SUCCESS)
      Tasks: 0 (limit: 18998)
     Memory: 0B
     CGroup: /system.slice/netfilter-persistent.service

Aug 13 00:45:53 samsung5-ubuntu systemd[1]: Starting netfilter persistent configuration...
Aug 13 00:45:53 samsung5-ubuntu netfilter-persistent[1084]: run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-ip4tables start
Aug 13 00:45:54 samsung5-ubuntu netfilter-persistent[1084]: run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables start
Aug 13 00:45:54 samsung5-ubuntu systemd[1]: Finished netfilter persistent configuration.

Changed in linux (Ubuntu):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.