# iptables -m state option c gentoo-sources-2.6.22-gentoo-r8

## ZMaroti

I tried to update to the new kernel 2.6.22-r8 and it seems that the ipfilter team reorganized the ipfilter part of the kernel.

I had some options in my firewall like:

```
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
```

First it just said that there is no such chain to add. I can't give the exact message, since I have since recompiled the kernel with the connection tracking state enabled. Anyway, now that I have enabled connection tracking and state match as well, I get the message:

```
iptables: Invalid argument
```

If I change the command to

```
iptables -A INPUT -m state --state BLABLA -j ACCEPT
```

I get:

```
iptables v1.3.8: Bad state `BLABLA'
Try `iptables -h' or 'iptables --help' for more information.
```

The help is bad, and the man page does not help. This stuff worked/works on kernel 2.6.18; now it is fu**ed up.

I googled around and found someone reporting this under Ubuntu as well, but I saw no solution. If anyone knows a solution I'd be glad for the help!

My relevant kernel config is here:

```
# CONFIG_NETFILTER_DEBUG is not set

#
# Core Netfilter Configuration
#
# CONFIG_NETFILTER_NETLINK is not set
CONFIG_NF_CONNTRACK_ENABLED=y
CONFIG_NF_CONNTRACK=y
# CONFIG_NF_CT_ACCT is not set
# CONFIG_NF_CONNTRACK_MARK is not set
# CONFIG_NF_CONNTRACK_EVENTS is not set
# CONFIG_NF_CT_PROTO_SCTP is not set
# CONFIG_NF_CONNTRACK_AMANDA is not set
# CONFIG_NF_CONNTRACK_FTP is not set
# CONFIG_NF_CONNTRACK_H323 is not set
# CONFIG_NF_CONNTRACK_IRC is not set
# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set
# CONFIG_NF_CONNTRACK_PPTP is not set
# CONFIG_NF_CONNTRACK_SANE is not set
# CONFIG_NF_CONNTRACK_SIP is not set
# CONFIG_NF_CONNTRACK_TFTP is not set
CONFIG_NETFILTER_XTABLES=y
# CONFIG_NETFILTER_XT_TARGET_CLASSIFY is not set
# CONFIG_NETFILTER_XT_TARGET_MARK is not set
# CONFIG_NETFILTER_XT_TARGET_NFQUEUE is not set
# CONFIG_NETFILTER_XT_TARGET_NFLOG is not set
# CONFIG_NETFILTER_XT_TARGET_TCPMSS is not set
CONFIG_NETFILTER_XT_MATCH_COMMENT=y
# CONFIG_NETFILTER_XT_MATCH_CONNBYTES is not set
# CONFIG_NETFILTER_XT_MATCH_CONNMARK is not set
# CONFIG_NETFILTER_XT_MATCH_CONNTRACK is not set
CONFIG_NETFILTER_XT_MATCH_DCCP=y
# CONFIG_NETFILTER_XT_MATCH_DSCP is not set
# CONFIG_NETFILTER_XT_MATCH_ESP is not set
# CONFIG_NETFILTER_XT_MATCH_HELPER is not set
CONFIG_NETFILTER_XT_MATCH_LENGTH=y
CONFIG_NETFILTER_XT_MATCH_LIMIT=y
CONFIG_NETFILTER_XT_MATCH_MAC=y
# CONFIG_NETFILTER_XT_MATCH_MARK is not set
# CONFIG_NETFILTER_XT_MATCH_POLICY is not set
# CONFIG_NETFILTER_XT_MATCH_MULTIPORT is not set
CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y
# CONFIG_NETFILTER_XT_MATCH_QUOTA is not set
# CONFIG_NETFILTER_XT_MATCH_REALM is not set
CONFIG_NETFILTER_XT_MATCH_SCTP=y
CONFIG_NETFILTER_XT_MATCH_STATE=y
# CONFIG_NETFILTER_XT_MATCH_STATISTIC is not set
CONFIG_NETFILTER_XT_MATCH_STRING=y
CONFIG_NETFILTER_XT_MATCH_TCPMSS=y
# CONFIG_NETFILTER_XT_MATCH_HASHLIMIT is not set

#
# IP: Netfilter Configuration
#
# CONFIG_NF_CONNTRACK_IPV4 is not set
# CONFIG_IP_NF_QUEUE is not set
CONFIG_IP_NF_IPTABLES=y
# CONFIG_IP_NF_MATCH_IPRANGE is not set
CONFIG_IP_NF_MATCH_TOS=y
CONFIG_IP_NF_MATCH_RECENT=y
# CONFIG_IP_NF_MATCH_ECN is not set
# CONFIG_IP_NF_MATCH_AH is not set
# CONFIG_IP_NF_MATCH_TTL is not set
CONFIG_IP_NF_MATCH_OWNER=y
CONFIG_IP_NF_MATCH_ADDRTYPE=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_TARGET_LOG=y
# CONFIG_IP_NF_TARGET_ULOG is not set
# CONFIG_IP_NF_MANGLE is not set
# CONFIG_IP_NF_RAW is not set
# CONFIG_IP_NF_ARPTABLES is not set
# CONFIG_IP_DCCP is not set
# CONFIG_IP_SCTP is not set
# CONFIG_TIPC is not set
# CONFIG_ATM is not set
# CONFIG_BRIDGE is not set
# CONFIG_VLAN_8021Q is not set
# CONFIG_DECNET is not set
# CONFIG_LLC2 is not set
# CONFIG_IPX is not set
# CONFIG_ATALK is not set
# CONFIG_X25 is not set
# CONFIG_LAPB is not set
# CONFIG_ECONET is not set
# CONFIG_WAN_ROUTER is not set
```

----------

## lmmsci

When I'm compiling a kernel, I usually prefer to build ALL netfilter support as modules. It's very comfortable and I don't need to remember which module is responsible for what.

I think you should add the conntrack module. It may be a good idea.

```
CONFIG_NF_CONNTRACK_IPV4=y
```

in the kernel configuration file, or (better, I think)

```
CONFIG_NF_CONNTRACK_IPV4=m
```

You don't need to reboot the system, just load the compiled and installed module and try again!

----------

## ZMaroti

I tried to compile it as a module, but as expected it did not help at all. It helps to have the same kernel and experiment with modules, but EVEN when I had the conntrack module compiled as a module or into the kernel, the iptables command was giving me an error for -m state --state ANY_VALID_OPTION_ALONE_OR_IN_COMMA_SEPARATED_LIST.

Also I have to note that iptables -m state -h gave me the correct help, and those parameters I used and am still using now with the older kernel were there. When the kernel was compiled without conntrack the help was not available. So there is something f...ed up in the newer kernel.

----------

## HomeUser

*ZMaroti wrote:*

> ...new kernel 2.6.22-r8 ...
> 
> I had some options in my firewall like:
> 
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> ...

I have had the same problem for some time. Still running kernel version 2.6.19. Tried a few times to find a solution with different versions of the kernel. Many posts, also solved ones, giving very similar symptoms, but nothing worked for me. I did play with the options in "Core Netfilter Configuration" and "IP: Netfilter Configuration", putting them all at least as modules.

Hoped an update of the command or the kernel would solve the issue, but...

For 2.6.22-r8 I first forgot to install the modules. I got the same message "Invalid argument" (with some modules built into the kernel) but with "can't load conntrack support for proto=2" in the messages logfile. But after installing the modules I only got the "Invalid argument" reply at the iptables command. If I put an "M" on everything in Netfilter (without IPv6) it seems that a conntrack module is loaded, after I loaded a filter module by hand, but still the same message was returned.

If anyone has an idea?

----------

## HomeUser

*HomeUser wrote:*

> If anyone has an idea?

I think I found a solution for me: putting all of netfilter as modules. After some testing it seemed I needed (for -m state and LOG) these modules

- ipt_LOG
- xt_state
- nf_conntrack_ipv4
- nf_conntrack
- nfnetlink
- iptable_filter
- ip_tables

from /lib/modules/2.6.22-gentoo-r8/kernel/net/

Apparently I had to load some modules with modprobe (and try to remove them with rmmod), while I was convinced iptables did that itself.

I tried to map them to find the correct name in the .config file by changing the suspected one to "y" and, after a restart, doing a modprobe again. If it succeeded, I had the wrong one. (There must be an easier way.) These should be the ones:

```
ipt_LOG            -> CONFIG_IP_NF_TARGET_LOG
xt_state           -> CONFIG_NETFILTER_XT_MATCH_STATE + higher level NF_CONNTRACK_ENABLED
nf_conntrack_ipv4  -> CONFIG_NF_CONNTRACK_IPV4  could only set it with "make menuconfig"
nf_conntrack       -> CONFIG_NF_CONNTRACK
nfnetlink          -> CONFIG_NETFILTER_NETLINK
iptable_filter     -> CONFIG_IP_NF_FILTER
ip_tables          -> CONFIG_IP_NF_IPTABLES   iptable_filter
```

Not all could be set from the config file, or were still easy to find for me in the menuconfig or xconfig menus.

Comparing my old and new config files, it seems that CONFIG_NETFILTER_NETLINK was not set (didn't I try everything?) and CONFIG_NF_CONNTRACK_IPV4 was set as a module that I should have loaded (probably the real problem).

Hope somebody can find some help in this for solving problems. Perhaps someone can add the place where a table with the name of the module, the name in the config file and the place in the config menus can be found.

----------

## piewie

@ZMaroti: you need module XT_STATE

Not all features are really necessary, but this works:

```
#
# Core Netfilter Configuration
#
CONFIG_NETFILTER_NETLINK=y
# CONFIG_NETFILTER_NETLINK_QUEUE is not set
# CONFIG_NETFILTER_NETLINK_LOG is not set
CONFIG_NF_CONNTRACK_ENABLED=y
# CONFIG_NF_CONNTRACK_SUPPORT is not set
CONFIG_IP_NF_CONNTRACK_SUPPORT=y
CONFIG_IP_NF_CONNTRACK=y
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
CONFIG_NETFILTER_XT_TARGET_MARK=m
CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
CONFIG_NETFILTER_XT_TARGET_NFLOG=m
CONFIG_NETFILTER_XT_MATCH_COMMENT=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_DCCP=m
CONFIG_NETFILTER_XT_MATCH_DSCP=m
CONFIG_NETFILTER_XT_MATCH_ESP=m
CONFIG_NETFILTER_XT_MATCH_HELPER=m
CONFIG_NETFILTER_XT_MATCH_LENGTH=m
CONFIG_NETFILTER_XT_MATCH_LIMIT=m
CONFIG_NETFILTER_XT_MATCH_MAC=m
CONFIG_NETFILTER_XT_MATCH_MARK=m
CONFIG_NETFILTER_XT_MATCH_POLICY=m
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
CONFIG_NETFILTER_XT_MATCH_QUOTA=m
CONFIG_NETFILTER_XT_MATCH_REALM=m
CONFIG_NETFILTER_XT_MATCH_SCTP=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_NETFILTER_XT_MATCH_STATISTIC=m
CONFIG_NETFILTER_XT_MATCH_STRING=m
CONFIG_NETFILTER_XT_MATCH_TCPMSS=m
CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m

#
# IP: Netfilter Configuration
#
# CONFIG_IP_NF_CT_ACCT is not set
# CONFIG_IP_NF_CONNTRACK_MARK is not set
# CONFIG_IP_NF_CONNTRACK_EVENTS is not set
# CONFIG_IP_NF_CONNTRACK_NETLINK is not set
# CONFIG_IP_NF_CT_PROTO_SCTP is not set
# CONFIG_IP_NF_FTP is not set
# CONFIG_IP_NF_IRC is not set
# CONFIG_IP_NF_NETBIOS_NS is not set
# CONFIG_IP_NF_TFTP is not set
# CONFIG_IP_NF_AMANDA is not set
# CONFIG_IP_NF_PPTP is not set
# CONFIG_IP_NF_H323 is not set
# CONFIG_IP_NF_SIP is not set
# CONFIG_IP_NF_QUEUE is not set
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_IPRANGE=y
CONFIG_IP_NF_MATCH_TOS=y
CONFIG_IP_NF_MATCH_RECENT=y
CONFIG_IP_NF_MATCH_ECN=y
CONFIG_IP_NF_MATCH_AH=y
CONFIG_IP_NF_MATCH_TTL=y
CONFIG_IP_NF_MATCH_OWNER=y
CONFIG_IP_NF_MATCH_ADDRTYPE=y
CONFIG_IP_NF_MATCH_STEALTH=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_IP_NF_TARGET_ULOG=y
CONFIG_IP_NF_TARGET_TCPMSS=y
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_TARGET_REDIRECT=y
CONFIG_IP_NF_TARGET_NETMAP=y
CONFIG_IP_NF_TARGET_SAME=y
# CONFIG_IP_NF_NAT_SNMP_BASIC is not set
# CONFIG_IP_NF_NAT_FTP is not set
# CONFIG_IP_NF_MANGLE is not set
# CONFIG_IP_NF_RAW is not set
# CONFIG_IP_NF_ARPTABLES is not set
```

----------

## ZMaroti

For me, I set CONFIG_NETFILTER_XT_MATCH_STATE=y.

My config is here (I skipped the unset part):

```
#
# Automatically generated make config: don't edit
# Linux kernel version: 2.6.22-gentoo-r9
# Mon Nov 26 11:41:37 2007

 ... SKIPPED ALL THE IRRELEVANT STUFF

#
# Networking
#
CONFIG_NET=y

#
# Networking options
#
CONFIG_PACKET=y
CONFIG_UNIX=y
CONFIG_XFRM=y
CONFIG_NET_KEY=y
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_FIB_HASH=y
CONFIG_SYN_COOKIES=y
CONFIG_INET_XFRM_MODE_TRANSPORT=y
CONFIG_INET_XFRM_MODE_TUNNEL=y
CONFIG_INET_XFRM_MODE_BEET=y
CONFIG_INET_DIAG=y
CONFIG_INET_TCP_DIAG=y
CONFIG_TCP_CONG_CUBIC=y
CONFIG_DEFAULT_TCP_CONG="cubic"
CONFIG_NETFILTER=y

#
# Core Netfilter Configuration
#
CONFIG_NETFILTER_NETLINK=y
CONFIG_NF_CONNTRACK_ENABLED=y
CONFIG_NF_CONNTRACK=y
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_MATCH_COMMENT=y
CONFIG_NETFILTER_XT_MATCH_DCCP=y
CONFIG_NETFILTER_XT_MATCH_LENGTH=y
CONFIG_NETFILTER_XT_MATCH_LIMIT=y
CONFIG_NETFILTER_XT_MATCH_MAC=y
CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y
CONFIG_NETFILTER_XT_MATCH_SCTP=y
CONFIG_NETFILTER_XT_MATCH_STATE=y
CONFIG_NETFILTER_XT_MATCH_STRING=y
CONFIG_NETFILTER_XT_MATCH_TCPMSS=y

#
# IP: Netfilter Configuration
#
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_TOS=y
CONFIG_IP_NF_MATCH_RECENT=y
CONFIG_IP_NF_MATCH_OWNER=y
CONFIG_IP_NF_MATCH_ADDRTYPE=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_TARGET_LOG=y
```

And as I wrote above (check my original config again; OK, it has lots of junk in it, but that match state thing was selected there, and in this newly compiled kernel as well, see the code in this post), iptables behaved exactly as I said above. It said invalid argument, but when I gave it a fake state descriptor, it complained about a bad state...

I will check one more thing, the

```
<*> IPv4 connection tracking support (required for NAT) 
```

in the menuconfig, as it has some help which may be relevant to this.

----------

## ZMaroti

The option

```
<*> IPv4 connection tracking support (required for NAT)
```

```
CONFIG_NF_CONNTRACK_IPV4:

Connection tracking keeps a record of what packets have passed
through your machine, in order to figure out how they are related
into connections.

This is IPv4 support on Layer 3 independent connection tracking.
Layer 3 independent connection tracking is experimental scheme
which generalize ip_conntrack to support other layer 3 protocols.

To compile it as a module, choose M here.  If unsure, say N.

Symbol: NF_CONNTRACK_IPV4 [=y]
Prompt: IPv4 connection tracking support (required for NAT)
  Defined at net/ipv4/netfilter/Kconfig:8
  Depends on: NET && INET && NETFILTER && NF_CONNTRACK
  Location:
    -> Networking
      -> Networking support (NET [=y])
        -> Networking options
          -> Network packet filtering framework (Netfilter) (NETFILTER
            -> IP: Netfilter Configuration
```

did the trick for me.

Although I don't use NAT, I just have strict firewall rules (disabling everything coming from outside, plus some dynamic rules like enabling stuff which I started from inside):

```
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
```
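As an added example (not code from the thread or from any of its posters), here is a small POSIX shell check that reads a kernel .config for the symbols HomeUser's module mapping and ZMaroti's final post tie to `-m state`, reports which are unset, and lists the modules to modprobe for those built as `=m`. The symbol-to-module pairs, including nfnetlink, are taken from HomeUser's list rather than verified against Kconfig here, and both sample configs are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: check a 2.6.22 .config for the symbols
# "iptables -m state" needs and list the modules to modprobe for those built =m.
# Symbol:module pairs are HomeUser's mapping; nfnetlink is included on his word.
NEEDED="CONFIG_NF_CONNTRACK:nf_conntrack CONFIG_NF_CONNTRACK_IPV4:nf_conntrack_ipv4 \
CONFIG_NETFILTER_XT_MATCH_STATE:xt_state CONFIG_IP_NF_IPTABLES:ip_tables \
CONFIG_IP_NF_FILTER:iptable_filter CONFIG_NETFILTER_NETLINK:nfnetlink"

# config_value FILE SYMBOL -> y (built in), m (module) or n (unset / "is not set")
config_value() {
  if grep -q "^$2=y\$" "$1"; then echo y
  elif grep -q "^$2=m\$" "$1"; then echo m
  else echo n
  fi
}

# check_state_config FILE -> "ok", or "missing: SYM ..." with exit status 1
check_state_config() {
  missing=""
  for pair in $NEEDED; do
    sym=${pair%%:*}
    if [ "$(config_value "$1" "$sym")" = n ]; then missing="$missing $sym"; fi
  done
  if [ -n "$missing" ]; then echo "missing:$missing"; return 1; fi
  echo ok
}

# modules_to_load FILE -> the module names to modprobe (symbols built as =m)
modules_to_load() {
  mods=""
  for pair in $NEEDED; do
    sym=${pair%%:*}; mod=${pair#*:}
    if [ "$(config_value "$1" "$sym")" = m ]; then mods="$mods $mod"; fi
  done
  echo "${mods# }"
}

# Constructed sample configs (not real files from the thread).
SAMPLE_BAD=$(mktemp)   # mirrors ZMaroti's first config: IPv4 conntrack unset
SAMPLE_MOD=$(mktemp)   # mirrors HomeUser's everything-as-module approach
printf '%s\n' 'CONFIG_NF_CONNTRACK=y' '# CONFIG_NF_CONNTRACK_IPV4 is not set' \
  'CONFIG_NETFILTER_XT_MATCH_STATE=y' 'CONFIG_IP_NF_IPTABLES=y' \
  'CONFIG_IP_NF_FILTER=y' '# CONFIG_NETFILTER_NETLINK is not set' > "$SAMPLE_BAD"
printf '%s\n' 'CONFIG_NF_CONNTRACK=m' 'CONFIG_NF_CONNTRACK_IPV4=m' \
  'CONFIG_NETFILTER_XT_MATCH_STATE=m' 'CONFIG_IP_NF_IPTABLES=y' \
  'CONFIG_IP_NF_FILTER=m' 'CONFIG_NETFILTER_NETLINK=m' > "$SAMPLE_MOD"

check_state_config "$SAMPLE_BAD" || true
echo "modprobe $(modules_to_load "$SAMPLE_MOD")"
```

Run it against a real kernel with `check_state_config /usr/src/linux/.config` (or a decompressed /proc/config.gz) to see which symbol is still unset before rebuilding.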

----------

