(Yocto) Add iptable_nat


r1sprecinfosys
Posts: 3
Joined: Mon Feb 25, 2019 9:02 pm

(Yocto) Add iptable_nat

Mon Feb 25, 2019 9:09 pm

Hello

I need help to add NAT in my image for sama5d27

I tried to edit the file:
/usr/yocto/meta-atmel/recipes-kernel/linux/linux-at91-4.9/sama5/defconfig

add to the end:

Code:

CONFIG_PACKET=m
CONFIG_NETFILTER=m
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_IRC=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_MATCH_LIMIT=m
CONFIG_IP_NF_TARGET_MASQUERADE=m

But after bitbake core-image-minimal
I don't have any 'nat' in the output of lsmod | grep 'nat'

What did I do wrong? How can I add NAT to my image?

Thanks!

blue_z
Location: USA
Posts: 2077
Joined: Thu Apr 19, 2007 10:15 pm

Re: (Yocto) Add iptable_nat

Wed Feb 27, 2019 4:53 am

r1sprecinfosys wrote: I tried to edit the file:
/usr/yocto/meta-atmel/recipes-kernel/linux/linux-at91-4.9/sama5/defconfig

add to the end:

Code:

CONFIG_PACKET=m
CONFIG_NETFILTER=m
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_IRC=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_MATCH_LIMIT=m
CONFIG_IP_NF_TARGET_MASQUERADE=m

In general, direct editing of a .config (or a defconfig) file is discouraged because you would bypass any dependency checks as well as value validation, and skip any automatic selections.
Your edits simply do not enable the kernel configuration that you want because of an incorrect value and unsatisfied dependencies.
For instance, the following is the state of CONFIG_IP_NF_NAT using your hacked defconfig:

Code:

  Symbol: IP_NF_NAT [=n]
  Type  : tristate
  Prompt: iptables NAT support
     Location:
       -> Networking support (NET [=y])
         -> Networking options
   (1)     -> Network packet filtering framework (Netfilter) (NETFILTER [=n])
             -> IP: Netfilter Configuration
               -> IP tables support (required for filtering/masq/NAT) (IP_NF_IPTABLES [=n])
     Defined at net/ipv4/netfilter/Kconfig:270
     Depends on: NET [=y] && INET [=y] && NETFILTER [=n] && IP_NF_IPTABLES [=n] && NF_CONNTRACK_IPV4 [=n]
     Selects: NF_NAT [=n] && NF_NAT_IPV4 [=n] && NETFILTER_XT_NAT [=n]

Note the three unmet dependencies (which inhibit this configuration value).



r1sprecinfosys wrote: What did I do wrong?
The salient (but not sole) error is the line

Code:

CONFIG_NETFILTER=m

since that is a boolean (Y or N) rather than a tristate (Y, N, or M) selection.

Code:

Symbol: NETFILTER [=n]
Type  : boolean
Prompt: Network packet filtering framework (Netfilter)
  Location:
    -> Networking support (NET [=y])
(1)   -> Networking options
  Defined at net/Kconfig:114
  Depends on: NET [=y]

Regards

r1sprecinfosys
Posts: 3
Joined: Mon Feb 25, 2019 9:02 pm

Re: (Yocto) Add iptable_nat

Thu Feb 28, 2019 2:07 pm

Thank you blue_z!

I also tried
CONFIG_NETFILTER=y

but as I noticed, when I edited /usr/yocto/meta-atmel/recipes-kernel/linux/linux-at91-4.9/sama5/defconfig
some variables are not copied to the build_dir (/usr/yocto/poky/build-atmel/tmp/work/sama5d27_som1_ek_sd-poky-linux-gnueabi/linux-at91/4.9+gitAUTOINC+29796588eb-r0/build/.config)

I have a big .config file (82.9 KB), but this file does not have "CONFIG_NETFILTER=y", which my defconfig has.

In the documentation I found: https://www.yoctoproject.org/docs/2.5/k ... l-dev.html (2.6.2 - 2.6.5)
Maybe I do not understand this documentation correctly. If it's not difficult for you, could you explain it on your fingers :roll:

Thanks!

blue_z
Location: USA
Posts: 2077
Joined: Thu Apr 19, 2007 10:15 pm

Re: (Yocto) Add iptable_nat

Fri Mar 01, 2019 2:39 am

Let me state upfront that I prefer to use Buildroot and/or the kernel make commands, and do not know how to use Yocto other than strictly following the Linux4SAM demo instructions.

In the document link that you mentioned, 2.6.3. Creating Configuration Fragments has directions for "2. Launch menuconfig: Run the menuconfig command:", which is what you need to use to sensibly configure the Linux kernel.
Once in menuconfig mode, you can use the built-in search command (e.g. `/CONFIG_XXX` or simply `/XXX`) to get the status of a config value as I posted previously.
After you have figured out what needs to be enabled (e.g. dependencies that you overlooked), you can exit and save the new .config file.

The next step would be to convert the large .config file to just a minimal defconfig file.
(The Yocto document statement that "A defconfig file is simply a .config renamed to "defconfig"" is not 100% accurate.)
The proper method of converting a .config file to a defconfig file is to use the `make savedefconfig` command.
I do not know how you could do that with Yocto.


Regards
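
Added example, not part of any post above: a shell check for the problem discussed so far, where options written into a defconfig never reach the final .config. The function name `check_kconfig` and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: report CONFIG_ options requested in a defconfig or fragment
# that did not survive into the final .config.

# check_kconfig REQUESTED FINAL
# Prints "<symbol>: requested=<v> final=<v>" for every mismatch and returns
# non-zero if there was at least one.
check_kconfig() {
    requested=$1 final=$2 dropped=0
    while IFS='=' read -r sym want; do
        case $sym in CONFIG_*) ;; *) continue ;; esac
        # Disabled or invisible symbols have no "CONFIG_X=" line at all.
        got=$(sed -n "s/^${sym}=//p" "$final" | head -n 1)
        [ -n "$got" ] || got="not set"
        if [ "$got" != "$want" ]; then
            echo "$sym: requested=$want final=$got"
            dropped=$((dropped + 1))
        fi
    done < "$requested"
    [ "$dropped" -eq 0 ]
}

# Constructed sample files (not taken from a real build).
sample=$(mktemp -d)
cat > "$sample/defconfig" <<'EOF'
CONFIG_NETFILTER=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_NAT=m
EOF
cat > "$sample/dot-config" <<'EOF'
CONFIG_NET=y
CONFIG_INET=y
# CONFIG_NETFILTER is not set
EOF
cat > "$sample/dot-config-fixed" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_NAT=m
EOF

check_kconfig "$sample/defconfig" "$sample/dot-config" ||
    echo "some requested options are missing from the final .config"
```

Run against a real build, the first argument is the edited defconfig and the second is the .config in the kernel build directory.
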
r1sprecinfosys
Posts: 3
Joined: Mon Feb 25, 2019 9:02 pm

Re: (Yocto) Add iptable_nat

Sat Mar 09, 2019 3:29 pm

blue_z

Thank you very much for your help!

neofresa
Posts: 3
Joined: Tue Feb 18, 2020 11:06 am

Re: (Yocto) Add iptable_nat

Mon Apr 06, 2020 11:02 am

Hi,
I build out ip_table.ko
but when doing modprobe , it will show
version is the same, I can use other modules at same build out, any comment? thanks

Code:

ip_tables: Unknown symbol xt_free_table_info (err -2)
ip_tables: Unknown symbol xt_match_to_user (err -2)
ip_tables: Unknown symbol xt_alloc_table_info (err -2)
ip_tables: Unknown symbol nf_register_sockopt (err -2)
ip_tables: Unknown symbol xt_percpu_counter_free (err -2)
ip_tables: Unknown symbol nf_unregister_net_hooks (err -2)
ip_tables: Unknown symbol xt_alloc_entry_offsets (err -2)
ip_tables: Unknown symbol xt_target_to_user (err -2)
ip_tables: Unknown symbol xt_register_table (err -2)
ip_tables: Unknown symbol xt_proto_init (err -2)
ip_tables: Unknown symbol xt_replace_table (err -2)
ip_tables: Unknown symbol xt_find_table_lock (err -2)
ip_tables: Unknown symbol xt_counters_alloc (err -2)
ip_tables: Unknown symbol xt_table_unlock (err -2)
ip_tables: Unknown symbol xt_proto_fini (err -2)
ip_tables: Unknown symbol xt_check_entry_offsets (err -2)
ip_tables: Unknown symbol xt_percpu_counter_alloc (err -2)
ip_tables: Unknown symbol xt_register_matches (err -2)
ip_tables: Unknown symbol xt_check_target (err -2)
ip_tables: Unknown symbol xt_find_revision (err -2)
ip_tables: Unknown symbol xt_copy_counters_from_user (err -2)
ip_tables: Unknown symbol xt_unregister_table (err -2)
insmod: ERROR: could not insert module ip_tables.ko: Unknown symbol in module

//modinfo looks nice and match version with uname

root@sama5d2-xplained:~/# modinfo ip_tables.ko
filename:       /home/root/ip_tables.ko
alias:          ipt_icmp
description:    IPv4 packet filter
author:         Netfilter Core Team <coreteam@netfilter.org>
license:        GPL
depends:
intree:         Y
name:           ip_tables
vermagic:       4.19.78-linux4sam-6.2 mod_unload ARMv7 p2v8

blue_z
Location: USA
Posts: 2077
Joined: Thu Apr 19, 2007 10:15 pm

Re: (Yocto) Add iptable_nat

Tue Apr 07, 2020 11:26 pm

neofresa wrote: I build out ip_table.ko [sic]
How did you configure, build, and install this (misspelled) module?
Did you read and adhere to the advice in this topic, or are you simply using this topic to attach your post?
IOW if you ignored the warning to not directly edit the kernel .config (or a defconfig) file, then you would bypass the automatic selection of another config value (and build a dependent module).

What is a "build out" compared to a build?

Did you bother to search for any of these undefined symbols, i.e. where in the source code file are they defined?

Regards

neofresa
Posts: 3
Joined: Tue Feb 18, 2020 11:06 am

Re: (Yocto) Add iptable_nat

Wed Apr 08, 2020 4:20 am

Hi,
thanks for your reply.
blue_z wrote: How did you configure, build, and install this (misspelled) module?
Did you read and adhere to the advice in this topic, or are you simply using this topic to attach your post?
IOW if you ignored the warning to not directly edit the kernel .config (or a defconfig) file, then you would bypass the automatic selection of another config value (and build a dependent module).

What is a "build out" compared to a build?

Did you bother to search for any of these undefined symbols, i.e. where in the source code file are they defined?

Yes, I read this topic and found a similar topic "Atmel-11255-32-bit-Cortex-A5-Microcontroller-Software-Ethernet-Bridge-on-SAMA5D3_D4_Application-note"
but this issue happened when I do it both

here are step I doing for this test.
1. make menuconfig and choose all "Y" in netfilter, then check .config find all set to "Y"
2. rebuild kernel and replace zImage in /boot, check checksum that I replaced successfully. nothing found in /lib/modules/.../kernel/net/ipv4
3. thus I change to make it as modules, repeat step2&3 that's I called it module build out
4. put those modules ko in filesystem, and try to use "iptables -F" , get errors at beginning

I think this won't include other source, it's only simple netfilter modules
comments are welcome. thanks

blue_z
Location: USA
Posts: 2077
Joined: Thu Apr 19, 2007 10:15 pm

Re: (Yocto) Add iptable_nat

Thu Apr 09, 2020 12:31 am

neofresa wrote: here are step I doing for this test ...
Your description of what you did is vague and recursive (i.e. "3. thus I change to make it as modules, repeat step2&3 ...").
Since you didn't respond to my last question, I'll assume you did nothing and prefer to wait for an answer rather than solve this simple problem.

If you bother to locate any of those "unknown symbols" in the Linux kernel source, then you would know that all of them are from just one source code file, net/netfilter/x_tables.c.

If you inspect the Makefile in the same directory of that source code file, then you would know the conditional for compiling that source code file into the .o file:

Code:

# generic X tables 
obj-$(CONFIG_NETFILTER_XTABLES) += x_tables.o xt_tcpudp.o

So CONFIG_NETFILTER_XTABLES controls the building of the dependent code that ip_tables.ko requires.
That fact is clearly stated in the menuconfig help:
Symbol: NETFILTER_XTABLES [=m]
Type : tristate
Prompt: Netfilter Xtables support (required for ip_tables)
That help text also indicates that this configuration entry is automatically selected when CONFIG_IP_NF_IPTABLES is selected.
Selected by [m]:
- IP_NF_IPTABLES [=m] && NET [=y] && INET [=y] && NETFILTER [=y]

If you read the help entry for CONFIG_IP_NF_IPTABLES (which controls the building of ip_tables.c) then this automatic selection for the dependency is verified:
Symbol: IP_NF_IPTABLES [=m]
Type : tristate
Prompt: IP tables support (required for filtering/masq/NAT)
...
Selects: NETFILTER_XTABLES [=m]

So the dependent loadable module would be automatically selected and built.
All you have to do is properly install the new kernel and loadable modules directory to the target.


neofresa wrote: 4. put those modules ko in filesystem, and try to use "iptables -F" , get errors at beginning
Simply copying .ko files to the target is not a proper installation nor sufficient.
A new kernel build generates new (loadable) module information files, e.g. modules.dep.

Regards
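
Added example, not part of any post above: the lookup described in the last reply (find the file that exports each unknown symbol, then the Makefile rule that builds it) as a shell script. The function names and the miniature source tree are constructed; only the Makefile line and the two log lines are taken from the thread.

```shell
#!/bin/sh
# Added example: trace "Unknown symbol" errors back to the Kconfig option
# that builds the code defining them.

# config_for_symbol SRC SYMBOL -> prints "<file.c> <CONFIG_OPTION>"
config_for_symbol() {
    src=$1 sym=$2
    cfile=$(find "$src" -name '*.c' -exec \
        grep -lE "^EXPORT_SYMBOL(_GPL)?\($sym\);" {} + | head -n 1)
    [ -n "$cfile" ] || { echo "$sym: no export found" >&2; return 1; }
    obj=$(basename "$cfile" .c).o
    # Kbuild rule shape: obj-$(CONFIG_FOO) += a.o b.o
    cfg=$(awk -v obj="$obj" '/^obj-\$\(CONFIG_[A-Z0-9_]+\)/ {
        for (i = 2; i <= NF; i++) if ($i == obj) {
            sub(/^obj-\$\(/, "", $1); sub(/\).*/, "", $1); print $1; exit
        } }' "$(dirname "$cfile")/Makefile")
    [ -n "$cfg" ] || { echo "$obj: no Kbuild rule found" >&2; return 1; }
    echo "${cfile#"$src"/} $cfg"
}

# explain_unknown_symbols SRC < kernel-log -> unique "<file.c> <CONFIG>" lines
explain_unknown_symbols() {
    sed -n 's/.*Unknown symbol \([A-Za-z0-9_]*\) .*/\1/p' | sort -u |
    while read -r s; do config_for_symbol "$1" "$s"; done | sort -u
}

# Constructed miniature source tree (stand-in for a real kernel checkout).
tree=$(mktemp -d)
mkdir -p "$tree/net/netfilter"
cat > "$tree/net/netfilter/x_tables.c" <<'EOF'
EXPORT_SYMBOL_GPL(xt_find_table_lock);
EXPORT_SYMBOL(xt_alloc_table_info);
EOF
cat > "$tree/net/netfilter/Makefile" <<'EOF'
# generic X tables
obj-$(CONFIG_NETFILTER_XTABLES) += x_tables.o xt_tcpudp.o
EOF

# Two of the log lines posted above.
log='ip_tables: Unknown symbol xt_alloc_table_info (err -2)
ip_tables: Unknown symbol xt_find_table_lock (err -2)'

printf '%s\n' "$log" | explain_unknown_symbols "$tree"
```
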
