# iptables and the account module

## jkroon

Right,

I'm pretty sure the support is in the kernel.  I'm running a vanilla kernel (2.6.15.4) and I've tried userspace iptables versions 1.3.4 and 1.3.5 (which is the latest in portage).

but iptables just seems unable to load this module, even though it is listed in the man page:

```
xacatecas ~ # iptables -m account
iptables v1.3.5: Couldn't load match `account':/lib/iptables/libipt_account.so: cannot open shared object file: No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
xacatecas ~ #
```

I really, really want to get this module working in order to perform some packet accounting for a firewall I'm administering.  The rest of the system contains about a hundred rules (thank goodness for conntrack or this really would have been way more).

My other alternative is to queue all the packets to userspace via ulog (or whatever it has been replaced with recently, queue iirc) and to perform my own accounting.  I'd prefer to not go this route though as it would involve actually having to write quite a bit of code compared to a few lines of bash script if iptables can just perform the accounting for me.
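An added example, not code from this thread or from any poster: the "few lines of shell script" fallback, reading the per-rule packet and byte counters that iptables already keeps for every rule (no account match or kernel patch needed). The sample output below is constructed in the format of `iptables -nvx -L FORWARD`; interface names and addresses are made up.

```bash
#!/bin/sh
# Per-rule byte accounting from the standard iptables counters.
# Real use: account_snapshot "$(iptables -nvx -L FORWARD)"
# (adding -Z to that call lists and zeroes the counters atomically,
# which turns each run into an interval total instead of a running sum).

# Constructed sample output, laid out like `iptables -nvx -L FORWARD`.
SAMPLE='Chain FORWARD (policy DROP 12 packets, 960 bytes)
    pkts      bytes target     prot opt in     out     source               destination
  104233  78122931 ACCEPT     all  --  eth0   eth1    192.168.1.0/24       0.0.0.0/0
   99871 145728811 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            192.168.1.0/24
     211     16880 DROP       all  --  eth1   *       0.0.0.0/0            0.0.0.0/0'

# Emit one line per rule: "<in>><out> <target> <bytes>".
# Only lines whose first field is a number are rule lines, so chain
# headers, column headers and blank lines between chains are skipped.
account_snapshot() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^[0-9]+$/ { printf "%s>%s %s %s\n", $6, $7, $3, $2 }'
}

# Total bytes for all rules with a given target, e.g. ACCEPT or DROP.
bytes_for_target() {
    account_snapshot "$1" | awk -v t="$2" '
        $2 == t { s += $3 } END { printf "%d\n", s }'
}

# Total bytes for a given in>out interface pair, e.g. "eth0>eth1".
bytes_for_path() {
    account_snapshot "$1" | awk -v p="$2" '
        $1 == p { s += $3 } END { printf "%d\n", s }'
}

# Stand-alone run over the constructed sample.
bytes_for_target "$SAMPLE" ACCEPT
bytes_for_path "$SAMPLE" "eth1>eth0"
```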

----------

## unclecharlie

jkroon,

The modules are in the kernel sources...

You need to go to your kernel source directory and do make menuconfig.

The netfilter modules are found at:

Networking -> Networking options -> Network Packet Filtering (replaces ipchains) -> IP: Netfilter Configuration

Select the modules you need and then do make modules and make modules_install.

hope this helps,

Charlie

----------

## jkroon

The kernel-space is there.  Please note the error I'm getting, iptables is complaining even before it's actually connecting to the kernel to do anything.  It fails to load the _userspace_ account module.

----------

## unclecharlie

jkroon,

Sorry.

You may need to do a manual build of iptables (and possibly make install-devel).

Charlie

[edit] I think there's a use flag (undocumented?) called extensions that you could try first. But it warns of a kernel patch you may need... [/edit]

----------

## jkroon

I saw that extensions thing and was hesitant.  I did read the ebuild at some point and iirc I came to the conclusion that that won't actually solve my problem (and in fact, iirc it never even compiled, and I really don't need - nor want - those kernel patches).

----------

## unclecharlie

jkroon,

OK, I just built iptables manually and that module is NOT built at all. Looking at the Makefiles I saw that modules will only be built if the appropriate include file (in this case ipt_account.h) is in either the kernel source or iptables source under the ./include/linux/netfilter_ipv4 directory... I found no such include file on my system in either place.

But I did find this page:

www.netfilter.org/projects/patch-o-matic/pom-extra.html

on the netfilter website. And this one:

http://www.intra2net.com/opensource/ipt_account

with the actual kernel patch you need.

Hope this helps,

Charlie

----------

## jkroon

Which brings me back to patch-o-matic.  I was so hoping to avoid that.

My main concern with manual building is breaking package management.  Under the circumstances I feel the best solution would be something like this:

1. Have an ebuild for patch-o-matic.
2. Have a patch-o-matic IUSE for iptables.
3. If patch-o-matic is set then:
   3.1. iptables DEPENDS on patch-o-matic.
   3.2. Read the "extensions" to be patched in from a config file (/etc/iptables.patch-o-matic?).

In that setup one could add "account" to /etc/iptables.patch-o-matic, enable the use flag and emerge.

As it stands, I reckon I'll build an iptables in root's home directory and run that from there, until I can confirm this actually does what I want.  If it does, then it's time to add some package management so that I don't have to manually upgrade iptables every time a new version is released.

----------

## unclecharlie

jkroon,

USE="extensions" does not build the account module. I think patching is the only way to get this up (aside from writing an ebuild for net-misc/account-filter and adding support to the extensions USE flag within the iptables package). If you do get this running, definitely post. I'd be interested to add support like this to the firewalls I'm running.

Charlie

----------

## jkroon

Well, it'll hopefully be less bothersome than figuring this one out:  http://bugs.mysql.com/bug.php?id=13385

Client phones me up: there is a problem with your code ... I think you can guess the rest of the story.

Anyhow, the real reason I post now is because I'm not going to have time to get patch-o-matic up this week, probably not the next either, so if you remember just remind me in two weeks or so.

----------

## Bash[DevNull]

Hey, take a look at this post, "[HOWTO] iptables patch-o-matic-ng extensions": https://forums.gentoo.org/viewtopic-t-348043.html

----------

## jkroon

Awesome.  Yet another reason I need to get my autopatcher thingy working.  That solution will work.  The problem is however that from that point onward iptables is a manual upgrade.  And manually upgrading my kernel sources is a mission enough already.

Thanks for the feedback though ... it's going to have to wait though.  Unfortunately.

----------

## Bash[DevNull]

Yep, agree with you... Manual upgrading sucks, especially when you upgrade the system frequently :/

----------

