# iptables Couldn't load match `ipp2p'

## dj_farid

I can't get iptables to load ipp2p.

I have the same problem as this other thread where I participated https://forums.gentoo.org/viewtopic-t-514362-highlight-.html. The other thread got marked "SOLVED" by the original poster. I still have the problem though. No one seems to read the thread since it is solved. So I start my own...

I am running gentoo-sources 2.6.18-r3.

According to the ipp2p homepage install instructions this is the first thing to do in order to see if the files are installed where they are supposed to:

```
# iptables -m ipp2p --help
iptables v1.3.6: Couldn't load match `ipp2p'
Try `iptables -h' or 'iptables --help' for more information.
```

It should not give this error message.

Here you can see that the files are installed where they should be, but still iptables does not seem to understand that it is there:

```
# ls /lib/iptables
libipt_CLASSIFY.so    libipt_REDIRECT.so  libipt_connbytes.so  libipt_layer7.so     libipt_sctp.so
libipt_CLUSTERIP.so   libipt_REJECT.so    libipt_connlimit.so  libipt_length.so     libipt_standard.so
libipt_CONNMARK.so    libipt_SAME.so      libipt_connmark.so   libipt_limit.so      libipt_state.so
libipt_DNAT.so        libipt_SNAT.so      libipt_conntrack.so  libipt_mac.so        libipt_stealth.so
libipt_DSCP.so        libipt_TARPIT.so    libipt_dccp.so       libipt_mark.so       libipt_string.so
libipt_ECN.so         libipt_TCPMSS.so    libipt_dscp.so       libipt_multiport.so  libipt_tcp.so
libipt_LOG.so         libipt_TOS.so       libipt_ecn.so        libipt_owner.so      libipt_tcpmss.so
libipt_MARK.so        libipt_TRACE.so     libipt_esp.so        libipt_physdev.so    libipt_tos.so
libipt_MASQUERADE.so  libipt_TTL.so       libipt_hashlimit.so  libipt_pkttype.so    libipt_ttl.so
libipt_MIRROR.so      libipt_ULOG.so      libipt_helper.so     libipt_policy.so     libipt_udp.so
libipt_NETMAP.so      libipt_addrtype.so  libipt_icmp.so       libipt_realm.so      libipt_unclean.so
libipt_NFQUEUE.so     libipt_ah.so        libipt_ipp2p.so      libipt_recent.so
libipt_NOTRACK.so     libipt_comment.so   libipt_iprange.so    libipt_rpc.so
```

```
# ls /lib/modules/2.6.18-gentoo-r3/ipp2p/
ipt_ipp2p.ko
```

Latest iptables with extensions and l7filter USE flags is what I got now:

```
# emerge -vp iptables

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R   ] net-firewall/iptables-1.3.6-r1  USE="extensions l7filter -imq -ipv6 -static" 0 kB

Total size of downloads: 0 kB
```

Latest ipp2p:

```
# emerge -pv ipp2p

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R   ] net-firewall/ipp2p-0.8.2  0 kB [1]

Total size of downloads: 0 kB

Portage overlays:
 [1] /usr/local/portage
```

```
# modprobe ipt_ipp2p
```

dmesg shows this: "IPP2P v0.8.2 loading". But it does not work.

Any ideas?

----------

## dj_farid

Tried to re-emerge iptables without the "l7filter" and the "extensions" flag. Re-emerged the ipp2p package after that. No changes.

I have gotten the ipp2p sourcecode from their homepage and installed it manually. No changes.

I am running amd64. Since I don't get any errors during the compile, I guess that that is not the cause of the problem.

----------

## frostschutz

I don't have iptables here right now, but if I remember correctly, iptables --help (or one of the subpages if there are any) should show the ipp2p syntax help if iptables is using the iptables-ipp2p extension properly. This is independent from the kernel module (if the kernel module is missing you'll probably get an error while talking to the kernel). So it sounds like in your case the iptables side of things is at fault, not the kernel module.

----------

## dj_farid

Yes this is what I think too.

I suspect iptables more and more.

Which version of iptables do you use together with ipp2p?

----------

## gregf

I have not been able to get this going either. If anyone gets a working script going I would be very grateful to see it. Been playing with it for a few days now myself.

----------

## dj_farid

*gregf wrote:*

> I have not been able to get this going either. If anyone gets a working script going I would be very grateful to see it. Been playing with it for a few days now myself.

What happens if you do this?

```
iptables -m ipp2p --help
```

----------

## gregf

Yeah, does not load up properly.

```
betsy ~ # iptables -m ipp2p --help
iptables v1.3.6: Couldn't load match `ipp2p'
```

I did get l7filter to load up but never got it working right, so I was going to try ipp2p. Have no real big reason to use either one, just would like to get one working correctly. I had tried the following.

```
#!/bin/bash

# Zap the iptables mangle queue

iptables -t mangle -F

# Egress device

OUT=eth0

# Flow rates

MAX=700kbit 

BIT_MAX=40kbit

# Delete existing shaping

tc qdisc del dev $OUT root

# ===========

# Top

tc qdisc add dev $OUT root handle 1: htb default 30

tc class add dev $OUT parent 1: classid 1:1 htb rate $MAX

tc class add dev $OUT parent 1:1 classid 1:10 htb rate $MAX

tc class add dev $OUT parent 1:1 classid 1:20 htb rate $BT_MAX ceil $BT_MAX

tc class add dev $OUT parent 1:1 classid 1:30 htb rate $MAX ceil $MAX

# Rehashing

tc qdisc add dev $OUT parent 1:10 handle 10: sfq perturb 10

tc qdisc add dev $OUT parent 1:20 handle 20: sfq perturb 10

tc qdisc add dev $OUT parent 1:30 handle 30: sfq perturb 10

# ===================

# the magic begins...

# ===================

iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark

iptables -t mangle -A OUTPUT -m mark ! --mark 0 -j ACCEPT

iptables -t mangle -A OUTPUT -m layer7 --l7proto bittorrent -j MARK --set-mark 1 

iptables -t mangle -A OUTPUT -j CONNMARK --save-mark

```

I stole this from another post and was attempting to make it work for me, but have had no luck in it actually limiting my connection. After messing with this for a while I had decided to try ipp2p, but the module does not load, as shown above. Would be happy with either working. When I tried this my bittorrent traffic went above what I set the max limit to, so my bandwidth was still totally saturated, stopping me from doing anything including browsing the internet. My max upload bandwidth is 768kbit; I set my CEIL as 700kbit because I read that it should be set below what your max truly is for performance reasons. Anyways, if someone can help get this working I would greatly appreciate it.

----------

## dj_farid

gregf, I think you stole my script :)

You seem to be in the exact same position as I am in: https://forums.gentoo.org/viewtopic-t-514372-highlight-.html

----------

## boerKrelis

Say, have you guys made sure the ipt_ipp2p module is loaded? `lsmod`

----------

## gregf

*boerKrelis wrote:*

> Say, have you guys made sure the ipt_ipp2p module is loaded? `lsmod`

Yes it is loaded.

dj_farid: Yeah, we talked in another post a few days back; you recommended I look at l7filter or ipp2p because -m owner was no longer being used. Now I'm in the same situation as I was with -m owner, using ipp2p. I did get l7filter to load at least, but it was not limiting.

----------

## gregf

Someone here mentioned they thought it was iptables, so I downgraded to the latest stable version and then re-emerged ipp2p, and it loads up fine now. I have not got around to playing with it, but if you downgrade iptables to

```
Installed versions:  1.3.5-r4(15:30:12 11/29/06)(extensions -imq ipv6 -l7filter -static)
```

then iptables -m ipp2p --help should go fine. Don't forget to reinstall ipp2p after you install iptables and modprobe again. If you get a working script going before me, please post.

----------

## gregf

Still do not think it works, because as a quick test I did the following

```
iptables -A FORWARD -m ipp2p --edk --kazaa --gnu --bit --apple --dc --soul --winmx --ares -j DROP
```

and all the downloads/uploads were still going in bittorrent (which I did my test with), so still looking for ideas I guess.

----------

## dj_farid

*gregf wrote:*

> Still do not think it works, because as a quick test I did the following
>
> ```
> iptables -A FORWARD -m ipp2p --edk --kazaa --gnu --bit --apple --dc --soul --winmx --ares -j DROP
> ```
> ...

I did this exact same thing yesterday with l7-protocol. It worked really well. Stopped all my bittorrent traffic.

I think that it is time for a bug report for iptables...

----------

## gregf

Do you have a working method using l7filter to limit your upload speed for bittorrent in that case? Painful to use right now because it's eating all my bandwidth. I'm not real picky on which I use as long as it works.

----------

## dj_farid

I only run rtorrent on my router, which is the same machine that does the shaping.

The limiting works for, say, maybe 10 minutes. Then all of a sudden rtorrent eats all my upload. See the other thread for details.

----------

## gregf

Well, going to continue looking into this and I'll let you know if I figure anything out myself.

----------

## frostschutz

*gregf wrote:*

> Still do not think it works, because as a quick test I did the following
>
> ```
> iptables -A FORWARD -m ipp2p --edk --kazaa --gnu --bit --apple --dc --soul --winmx --ares -j DROP
> ```
> ...

This is normal for already existing/established P2P connections at the time the rule is added, as ipp2p detects only the opening of a connection (and dropping those packets prevents the communication from working in the first place). In other words, after adding an ipp2p rule, only connections that are created afterwards will be affected, not already established ones.

----------

## gregf

I understand that part, I just worded that badly. Bittorrent was not opened before the rules were set in place.

I have made some progress though. layer7 seems to be working well on the other hand. I still have not got bittorrent to work with it, but I have been able to limit other things like http/aim/dc++ just for tests. Any time I try to do bittorrent I have no luck though. I did read in the bittorrent.pat file that it could not limit encrypted streams, which makes sense, so I made sure I had encryption off. Still no luck, but it seems to be only the bittorrent protocol I can't make work at this point.

----------

## gregf

Sorry to keep this going so long, but I'm assuming others will be interested. I have l7filter working in full using the directconnect protocol. I still have had no luck with bittorrent, but I'm assuming that's due to the pat file. I plan on looking into ipp2p again though, since my only plans for this are to limit p2p networks. So hopes are still high.

----------

## dj_farid

I was also able to limit dc++ without problems. I stopped using dc++ and went with bittorrent. That's why I want this working so bad.

Can't you see any effects of stopping bittorrent with l7? For me it works for a while.

Have you tried with different bittorrent clients? I have only tried rtorrent and transmission. I think that transmission could be stopped with l7 before when I tested it, but I never tested it very hard. Rtorrent can't be stopped, it seems.

If you test ipp2p and file a bug, let me know. I suspect that the devs have changed something in iptables that broke ipp2p. I know that they changed a lot in the latest version that had to do with l7-protocol.

----------

## NTPT

*gregf wrote:*

> Yeah, does not load up properly.
>
> ```
> betsy ~ # iptables -m ipp2p --help
> iptables v1.3.6: Couldn't load match `ipp2p'
> ```
> ...

From my point of view the script you cite is nonsense and CAN NOT WORK, and maybe it is a source of your problems.

1: It is a mess, a misuse and misunderstanding of the rate and ceil parameters on HTB. Read something about HTB and so on.

I do not see a "tc filter" clause anywhere in your script. Please note that just marking packets is not enough to get shaping to work correctly. You MUST assign or "filter" packets with mark 1 to the correct class! (which is NOT DONE in this script)

However, this script is partially working, because all traffic is sent to class 1:30 by the "tc qdisc add dev $OUT root handle 1: htb default 30" command, and that means limited to $MAX. But NONE of the traffic is sent to class 1:20, which is intended to shape bittorrent.

And last but not least, the OUTPUT chain in iptables sees only packets that are OUTGOING FROM LOCAL PROCESSES (i.e. programs that are running on the router only) and no packets that are routed or masqueraded (!) You MUST mark packets in the POSTROUTING chain instead to see ALL traffic going THROUGH your router.

It should be done THIS WAY:

```
#!/bin/bash

# Zap the iptables mangle queue
iptables -t mangle -F

# Egress device
OUT=eth0

# Flow rates
MAX_RATE=700kbit
BIT_MIN=40kbit
BIT_MAX=256kbit

# Delete existing shaping
tc qdisc del dev $OUT root

# ===========
# Top
# htb root on eth0; all traffic that is not filtered is sent to class 10
tc qdisc add dev $OUT root handle 1: htb default 10
tc class add dev $OUT parent 1: classid 1:1 htb rate $MAX_RATE burst 3kb cburst 6kb
# burst improves network latency

## please note that the sum of rates for all children MUST NOT EXCEED the rate of the parent
# rate is what is guaranteed,
# ceil is what the class can get if it is available,
# i.e. if some other class does not use its rate.

# class for ALL traffic
# rate is 700kbit MINUS the 40kbit minimally guaranteed for bittorrent = rate 660kbit
# But when bittorrent does not run and occupies no bandwidth,
# use the full maximal rate = ceil $MAX_RATE
tc class add dev $OUT parent 1:1 classid 1:10 htb rate 660kbit ceil $MAX_RATE burst 3kb cburst 6kb

# bittorrent has a guarantee of BIT_MIN and can use the line at most at BIT_MAX rate
tc class add dev $OUT parent 1:1 classid 1:20 htb rate $BIT_MIN ceil $BIT_MAX

# Rehashing
tc qdisc add dev $OUT parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev $OUT parent 1:20 handle 20: sfq perturb 10

# ===================
# the magic begins...
# ===================

# do not filter an already marked connection: restore the connmark and accept all packets that are marked
iptables -t mangle -A POSTROUTING -j CONNMARK --restore-mark
iptables -t mangle -A POSTROUTING -m mark ! --mark 0 -j ACCEPT

# ipp2p filters
iptables -t mangle -A POSTROUTING -m ipp2p --ipp2p -j MARK --set-mark 1  # mark all p2p networks
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
iptables -t mangle -A POSTROUTING -m mark ! --mark 0 -j ACCEPT

# l7 filters are cpu intensive; fire them last in the chain so they do not have to work on already marked data
iptables -t mangle -A POSTROUTING -m layer7 --l7proto bittorrent -j MARK --set-mark 1
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark

# ===================
# And even more magic ...
# ===================

# now it is mandatory to send the marked packets to the proper HTB class !!
# this is done by the tc filter command
tc filter add dev $OUT parent 1:0 protocol ip handle 1 fw flowid 1:20
# this filters all outgoing traffic on $OUT from qdisc node 1:0 (root class of the interface)
# which is marked with mark 1 into qdisc class 1:20
# i.e. all p2p ends up in htb class 1:20

# and done.
```

PS: iptables -L -v (i.e. verbose listing) is your friend, because netfilter holds a counter for each rule.

With iptables -t mangle -L POSTROUTING -v you can see how many packets and bytes are matched by each iptables rule and thus determine if l7filter and ipp2p work, i.e. are matching some traffic.

PPS: tc -s class show dev somedevice shows what traffic is in what qdisc class, so you can check if the traffic really got to the right point in the qdisc.

Please excuse my horrible English and correct the misspellings in the script.
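As an added check (my own example, not code from NTPT or anyone else in this thread), the rules above, that the children's rates must not exceed the parent's rate, that a class's ceil is bounded by its parent's ceil, and that a class nobody filters into never sees traffic, applied to the tc lines of gregf's script and of the corrected one. The two excerpts are constructed, with the shell variables expanded into literal values.

```python
import re

# tc rate units in bit/s; note that tc's "bps" family means *bytes* per second
UNITS = {"bit": 1, "kbit": 1000, "mbit": 1_000_000,
         "bps": 8, "kbps": 8000, "mbps": 8_000_000}

# Constructed excerpts of the two scripts' tc lines, shell variables expanded.
GREGF_TC = """
tc qdisc add dev eth0 root handle 1: htb default 30
tc class add dev eth0 parent 1: classid 1:1 htb rate 700kbit
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 700kbit
tc class add dev eth0 parent 1:1 classid 1:20 htb rate 40kbit ceil 40kbit
tc class add dev eth0 parent 1:1 classid 1:30 htb rate 700kbit ceil 700kbit
"""
NTPT_TC = """
tc qdisc add dev eth0 root handle 1: htb default 10
tc class add dev eth0 parent 1: classid 1:1 htb rate 700kbit burst 3kb cburst 6kb
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 660kbit ceil 700kbit burst 3kb cburst 6kb
tc class add dev eth0 parent 1:1 classid 1:20 htb rate 40kbit ceil 256kbit
tc filter add dev eth0 parent 1:0 protocol ip handle 1 fw flowid 1:20
"""

def parse_rate(text):
    """Convert a tc rate such as '700kbit' to bit/s."""
    m = re.fullmatch(r"(\d+)([a-z]*)", text)
    unit = (m.group(2) or "bit") if m else None
    if unit not in UNITS:
        raise ValueError("unsupported tc rate: " + text)
    return int(m.group(1)) * UNITS[unit]

def check_htb(script):
    """Return a list of problems found in the tc qdisc/class/filter lines of a script."""
    classes, targets, default = {}, set(), None   # classid -> (parent, rate, ceil)
    for line in script.splitlines():
        w = line.split()
        if w[:3] == ["tc", "qdisc", "add"] and "handle" in w and "default" in w:
            major = w[w.index("handle") + 1].split(":")[0]     # "1:" -> "1"
            default = f"{major}:{w[w.index('default') + 1]}"   # "htb default 30" -> "1:30"
        elif w[:3] == ["tc", "class", "add"] and "htb" in w:
            i = w.index("htb") + 1
            opts = dict(zip(w[i::2], w[i + 1::2]))             # rate X ceil Y burst Z ...
            rate = parse_rate(opts["rate"])
            ceil = parse_rate(opts.get("ceil", opts["rate"]))  # HTB: ceil defaults to rate
            classes[w[w.index("classid") + 1]] = (w[w.index("parent") + 1], rate, ceil)
        elif w[:3] == ["tc", "filter", "add"] and "flowid" in w:
            targets.add(w[w.index("flowid") + 1])
    problems = []
    for cid, (parent, rate, ceil) in classes.items():
        if ceil < rate:
            problems.append(f"{cid}: ceil {ceil} below rate {rate}")
        if parent in classes and ceil > classes[parent][2]:
            problems.append(f"{cid}: ceil {ceil} exceeds parent ceil {classes[parent][2]}")
        kids = [c for c, (p, _, _) in classes.items() if p == cid]
        guaranteed = sum(classes[c][1] for c in kids)
        if kids and guaranteed > rate:
            problems.append(f"{cid}: children guarantee {guaranteed} bit/s, parent rate only {rate}")
        # a leaf that is neither the default class nor a filter target never sees traffic
        if not kids and cid != default and cid not in targets:
            problems.append(f"{cid}: no tc filter sends traffic to this class")
    return problems

if __name__ == "__main__":
    for name, tc in (("gregf", GREGF_TC), ("NTPT", NTPT_TC)):
        print(name, check_htb(tc) or "ok")
```

Running it reports three problems for gregf's tree (1440kbit of guarantees under a 700kbit parent, and classes 1:10 and 1:20 that no filter ever reaches) and none for the corrected one.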

----------

## gregf

NTPT: thanks a lot for clearing some stuff up. I have not tried this out yet, but I have plans to later, just getting home from out of town. I have reworked my script since reading some more of the l7filter manual and had already added a tc filter line in, so I did have that much right, but I see some stuff I may have done wrong still. Get back to you later today.

----------

## dj_farid

Sorry gregf for not reading your whole script before.

I only read the first part about "betsy ~ # iptables -m ipp2p --help". If that does not work, ipp2p does now work.

----------

## gregf

*dj_farid wrote:*

> iptables -m ipp2p --help". If that does not work, ipp2p does now work.

Lost me a bit on that one. Care to clear that part up?

----------

## gregf

Sorry, I think I understand you now, going to play with this a bit more now. Get back to you soonish.

----------

## gregf

Yeah, still no luck loading ipp2p. Installed it and ran modprobe ipt_ipp2p, but when I run through the above script that was just posted I get the following.

```
betsy ~ # ./bw.sh
iptables v1.3.6: Couldn't load match `ipp2p'
```

I'll see if just using the l7filter for bittorrent has any different effect though.

----------

## gregf

l7proto still is not matching ktorrent like before, and ipp2p does not seem to work still, so this is still up in the air. Your script did explain some, but not sure prerouting is what I want. I do not want to limit my download speed in bittorrent, only upload speed. Download speed is not stopping me from browsing pages at normal speeds, only uploads. Not convinced the bittorrent.pat file that comes with the layer7 protocols package is matching things correctly. I tried playing with wireshark hoping I could create my own regex, but honestly I'm a bit confused on what part I need to match, so I'm still just looking to try ipp2p right now.

----------

## gregf

Bah, sure I'm being annoying now, so last one for tonight, but I misread POSTROUTING as PREROUTING, so ignore that comment. But any help I can get on the ipp2p would probably solve my issue. Sorry to be a pain in everyone's butt.

----------

## dj_farid

I got l7-protocol working for my situation right now. It is just a workaround and only works for my situation, where I have control of rtorrent.

It won't work if you have users that might not obey your rules. See my problem, explanation and workaround in this thread: https://forums.gentoo.org/viewtopic-p-3756285.html#3756285

There is some really good documentation in http://www.ipp2p.org/ "Documentation". Example two should fit gregf, if ipp2p works.

This is what I meant earlier:

*Quote:*

> Now test if iptables knows that IPP2P exists by entering "iptables -m ipp2p --help". If you get an error message check if you copied the file to the right destination. If iptables finds the new file you should see the help screen of IPP2P.

I can't get the help screen to appear for ipp2p. So there is something not working for me even though I can see the files in place. I suspect iptables.

----------

## NTPT

*dj_farid wrote:*

> I got l7-protocol working for my situation right now. It is just a workaround and only works for my situation, where I have control of rtorrent.
>
> It won't work if you have users that might not obey your rules. See my problem, explanation and workaround in this thread: https://forums.gentoo.org/viewtopic-p-3756285.html#3756285
>
> There is some really good documentation in http://www.ipp2p.org/ "Documentation". Example two should fit gregf, if ipp2p works.
> ...

Please tell me more about your installed versions. And examine the output of dmesg and the logs. It seems there is probably a problem with mismatched versions of ipp2p, kernel and iptables (look at bugzilla), so you need to emerge the correct version for your kernel. And if not available, downgrading iptables and patching the kernel with ipp2p and other ugly stuff is needed :(

----------

## dj_farid

*NTPT wrote:*

> *dj_farid wrote:* I got l7-protocol working for my situation right now. It is just a workaround and only works for my situation, where I have control of rtorrent.
>
> It won't work if you have users that might not obey your rules. See my problem, explanation and workaround in this thread: https://forums.gentoo.org/viewtopic-p-3756285.html#3756285
>
> There is some really good documentation in http://www.ipp2p.org/ "Documentation". Example two should fit gregf, if ipp2p works.
> ...

You can see my versions in the first post in this thread. I am quite sure that the problem is in iptables. I run the latest unstable iptables now, since it has a lot of fixes for l7-protocols. I had the stable one before. With that version I had this same problem with ipp2p.

EDIT:

Seems that there are other people out there with other distros that have also noticed this same problem. Found this with google: http://www.mail-archive.com/lartc@mailman.ds9a.nl/msg15768.html

Added this in bugzilla as Bug 157238. Don't know if gentoo's bugzilla is the right place to do it in. Hopefully it will get fixed in some future version of iptables...

----------

## dj_farid

Turned out that the problem was with the ebuild of ipp2p and not in iptables.

There is a new version out, which works now.

I did some testing to compare ipp2p and l7-protocol on my situation. L7-protocol is able to prioritize the traffic by rtorrent much better than ipp2p.

How is it going for you other people struggling with this?

----------

## kpi_producciones2

libipt_ipp2p.so: libipt_ipp2p.c ipt_ipp2p.h

$(CC) $(CFLAGS) $(IPTABLES_OPTION) $(IPTABLES_INCLUDE) -fPIC -c libipt_ipp2p.c

- ld -shared -o libipt_ipp2p.so libipt_ipp2p.o

+ $(CC) -shared -o libipt_ipp2p.so libipt_ipp2p.o
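Review bot: linking with `+ $(CC) -shared -o libipt_ipp2p.so libipt_ipp2p.o` instead of the bare `ld -shared` is the right direction: the compile line above it already builds the object with `$(CC) $(CFLAGS) ... -fPIC -c`, and going through the compiler driver for the link keeps that step consistent with the same toolchain and its defaults, which a direct `ld` invocation skips. The post should state which ipp2p version's Makefile this targets and whether it is the same change as the ebuild fix dj_farid mentions above, so readers can tell if both are needed.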

----------

