NAT on Bubba|2 running Debian jessie, Linux bubba 3.18.24-1

[bugios]

Sorry for the bad styled links: Forum told me "Your post looks too spamy for a new user, please remove off-site URLs.". If a moderator feels my links are spam, please let me know. I find some essential for udnerstanding the posting.

Hello all, first of all i want to thank the community for all the great manuals and documentation about the bubba devices! Its great what one can do with them

What i want:
Bubba2 as a bridge acting as a hardware firewall isolating a network segment (LAN) by only enabling communication to certain hosts on the other segment (WAN). Its not about much traffic, but about reachability. Currently my idea is based on usage of iptables with NAT on the bubba2 between the segments. Probably another solution exists without NAT just mirrorring traffic of one port to the otherone, but for the main topic i would like to stick getting NAT working in the current configuration.

What i have:
I installed b2-install-1.2.zip on the bubba2 and followed the guide on viewtopic.php?f=11&t=2518#p11869 to reach a debian squeeze system, which i then upgraded to wheezy and now jessie currently with sources.list:

Code: Select all

deb http://repo.excito.org jessie main
deb-src http://repo.excito.org jessie main
deb http://ftp.debian.org/debian/ jessie main
deb http://security.debian.org/ jessie/updates main contrib non-free

kernel:
Linux bubba 3.18.24-1 #1 Thu Nov 19 23:29:50 EST 2015 ppc GNU/Linux

So far the bubba2 seems to work great!

Then i tried to configure iptables with NAT, but the kernel seems not to support it:

Code: Select all

$ iptables --table nat --flush
iptables v1.4.21: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

$ modprobe iptable_nat
modprobe: FATAL: Module iptable_nat not found.
$ modprobe nf_nat
modprobe: FATAL: Module nf_nat not found.
$ modprobe nf_conntrack_ipv4
$ modprobe nf_conntrack

So only nf_conntrack_ipv4, and nf_conntrack do exist.

Code: Select all

$ ls /lib/modules/3.18.24-1/kernel/net/ipv4/netfilter/
arptable_filter.ko  iptable_filter.ko  ip_tables.ko	 ipt_ECN.ko	       nf_defrag_ipv4.ko
arp_tables.ko	    iptable_mangle.ko  ipt_ah.ko	 ipt_REJECT.ko	       nf_reject_ipv4.ko
arpt_mangle.ko	    iptable_raw.ko     ipt_CLUSTERIP.ko  nf_conntrack_ipv4.ko

Then i tried to compile the missing modules leaning on these guides:
http://wiki.excito.com/w/index.php?titl ... _on_the_B3
(same http://www.splitbrain.org/blog/2010-11/ ... _on_the_b3)

Code: Select all

$ apt-get source bubba3-kernel
 #which is downloading linux_3.18.24.orig.tar.gz, linux_3.18.24-1.dsc, and linux_3.18.24-1.debian.tar.xz from http://repo.excito.org/pool/main/l/linux/
$ cd linux-3.18.24
$ cp -pr arch/powerpc/configs/bubbatwo_defconfig .config

$ make menuconfig

marked hopefully all parts missing for NAT to build as module:

.config - Linux/powerpc 3.18.24 Kernel Configuration
[*] Networking support ---> Networking options ---> [*] Network packet filtering framework (Netfilter) ---> IP: Netfilter Configuration --->
<M> iptables NAT support (NEW)
<M> MASQUERADE target support (NEW)
<M> NETMAP target support
<M> REDIRECT target support
(<M> IPv4 NAT)
(<M> IPv4 masquerade support )

Exit & Save.

Code: Select all

$ make modules
...
  LD [M]  lib/zlib_deflate/zlib_deflate.o
  Building modules, stage 2.
  MODPOST 456 modules
  CC      crypto/ansi_cprng.mod.o
  LD [M]  crypto/ansi_cprng.ko
ld: cannot find arch/powerpc/lib/crtsavres.o: No such file or directory
scripts/Makefile.modpost:124: recipe for target 'crypto/ansi_cprng.ko' failed
make[1]: *** [crypto/ansi_cprng.ko] Error 1
Makefile:1099: recipe for target 'modules' failed
make: *** [modules] Error 2

Then i tried to compile just the missing modules (since its them i think i just need to modprobe)
leaned on https://askubuntu.com/questions/168279/ ... ule#338403

Code: Select all

$ make SUBDIR=net/netfilter modules
  CHK     include/config/kernel.release
  CHK     include/generated/uapi/linux/version.h
  CHK     include/generated/utsrelease.h
  CALL    scripts/checksyscalls.sh
  Building modules, stage 2.
  MODPOST 455 modules
  LD [M]  crypto/anubis.ko
ld: cannot find arch/powerpc/lib/crtsavres.o: No such file or directory
scripts/Makefile.modpost:124: recipe for target 'crypto/anubis.ko' failed
make[1]: *** [crypto/anubis.ko] Error 1
Makefile:1099: recipe for target 'modules' failed
make: *** [modules] Error 2

Also combination of "make prepare" & "make modules_prepare" & "make M=net/netfilter" lead to similar errors. Perhaps i made some initial mistake with the used .config ?

Sorry for the help request, im not very good in kernel compilage and have no clue how to analyze further due to not understanding usage of the recipes :-/

[Gordon]

A quick scan on the internet reveals this is a known powerpc bug. The solution appears simple:

Code: Select all

make arch/powerpc/lib/crtsavres.o

Do note that when using deb sources for the kernel the kernel Makefile will not contain the correct subversion. Use uname to find the exact version for your kernel and edit the variables at the top of Makefile to reflect that version ID. The kernel will not load the module if the version ID does not match.

[sakaki]

Also, if your application doesn't specifically require Debian, you might try the Gentoo live USB for the B2, it has the necessary iptables kernel modules precompiled (config here). You can run it without harming any existing Debian install on your B2's HDD.
Best, sakaki

[bugios]

Thanks for the great ideas! Architecture bugs in kernel compilage are really way to lowlevel for me

Code: Select all

$ uname -a
Linux bubba 3.18.24-1 #1 Thu Nov 19 23:29:50 EST 2015 ppc GNU/Linux

I changed EXTRAVERSION in the Makefile to:

Code: Select all

$ head -n 5 Makefile 
VERSION = 3
PATCHLEVEL = 18
SUBLEVEL = 24
EXTRAVERSION = 1
NAME = Diseased Newt

Then tried the suggested fix:

Code: Select all

$ make arch/powerpc/lib/crtsavres.o
scripts/kconfig/conf --silentoldconfig Kconfig
  CHK     include/config/kernel.release
  UPD     include/config/kernel.release
  CHK     include/generated/uapi/linux/version.h
  CHK     include/generated/utsrelease.h
  UPD     include/generated/utsrelease.h
  CALL    scripts/checksyscalls.sh
make[1]: 'arch/powerpc/lib/crtsavres.o' is up to date.

...and now again to compile all modules:

Code: Select all

$ make modules
...
LD [M]  crypto/seed.ko
  CC      crypto/seqiv.mod.o
  LD [M]  crypto/seqiv.ko
  CC      crypto/serpent_generic.mod.o
...

I am still unsure about the step using arch/powerpc/configs/bubbatwo_defconfig as .config but compiling of make modules is currently running right now and looks promising


Will keep the Gentoo live USB idea in the back and will try it if i dont success here on the kernel way!
Also had the idea today to try an older kernel, since i fount /lib/modules/2.6.32.13/kernel/net/ipv4/netfilter/iptable_nat.ko.
But i did not investigate yet how to downgrade via aptitude using the bubba specific kernels, and if 2.6.32.13 kernel will work with jessie and for example the new systemd.

Will have further look into this two other ideas tomorrow and keep you all updated about make modules result

[Gordon]

Do note that EXTRAVERSION must contain all separator characters. There's no rule that says it has to start with a hyphen although I think it may assume so if the first character is a number. For clarity you should set value "-1" (including the quotation).

But I guess you'll find out when you run `make modules_install` and it creates an incorrectly named folder in /lib/modules

[bugios]

Hello all, there is progess in the topic!

I managed to successfully compile the modules!

Yes, i changed the linux-3.18.24/Makefile to be:

VERSION = 3
PATCHLEVEL = 18
SUBLEVEL = 24
EXTRAVERSION = -1

Which then exactly matched current kernels version!

Code: Select all

$ uname -a: 
 Linux bubba 3.18.24-1 #1 Thu Nov 19 23:29:50 EST 2015 ppc GNU/Linux

Code: Select all

$ make arch/powerpc/lib/crtsavres.o
  CHK     include/config/kernel.release
  CHK     include/generated/uapi/linux/version.h
  CHK     include/generated/utsrelease.h
  CALL    scripts/checksyscalls.sh
  AS      arch/powerpc/lib/crtsavres.o

Code: Select all

$ make modules
  CHK     include/config/kernel.release
  CHK     include/generated/uapi/linux/version.h
  CHK     include/generated/utsrelease.h
  CALL    scripts/checksyscalls.sh
  Building modules, stage 2.
  MODPOST 455 modules
  CC      crypto/anubis.mod.o
  LD [M]  crypto/anubis.ko
  CC      crypto/arc4.mod.o
  LD [M]  crypto/arc4.ko
  CC      crypto/async_tx/async_memcpy.mod.o
  LD [M]  crypto/async_tx/async_memcpy.ko

...

  CC      sound/soundcore.mod.o
  LD [M]  sound/soundcore.ko
  CC      sound/usb/caiaq/snd-usb-caiaq.mod.o
  LD [M]  sound/usb/caiaq/snd-usb-caiaq.ko
  CC      sound/usb/snd-usb-audio.mod.o
  LD [M]  sound/usb/snd-usb-audio.ko
  CC      sound/usb/snd-usbmidi-lib.mod.o
  LD [M]  sound/usb/snd-usbmidi-lib.ko
  CC      sound/usb/usx2y/snd-usb-usx2y.mod.o
  LD [M]  sound/usb/usx2y/snd-usb-usx2y.ko
  HOSTCC  firmware/ihex2fw
  IHEX2FW firmware/emi26/loader.fw
  IHEX2FW firmware/emi26/firmware.fw
  IHEX2FW firmware/emi26/bitstream.fw
  IHEX2FW firmware/emi62/loader.fw
  IHEX2FW firmware/emi62/bitstream.fw
  IHEX2FW firmware/emi62/spdif.fw
  IHEX2FW firmware/emi62/midi.fw
  IHEX    firmware/kaweth/new_code.bin
  IHEX    firmware/kaweth/trigger_code.bin
  IHEX    firmware/kaweth/new_code_fix.bin
  IHEX    firmware/kaweth/trigger_code_fix.bin
  IHEX    firmware/ti_3410.fw
  IHEX    firmware/ti_5052.fw
  IHEX    firmware/mts_cdma.fw
  IHEX    firmware/mts_gsm.fw
  IHEX    firmware/mts_edge.fw
  H16TOFW firmware/edgeport/boot.fw
  H16TOFW firmware/edgeport/boot2.fw
  H16TOFW firmware/edgeport/down.fw
  H16TOFW firmware/edgeport/down2.fw
  IHEX    firmware/edgeport/down3.bin
  IHEX2FW firmware/whiteheat_loader.fw
  IHEX2FW firmware/whiteheat.fw
  IHEX2FW firmware/keyspan_pda/keyspan_pda.fw
  IHEX2FW firmware/keyspan_pda/xircom_pgs.fw

Then i tried to copy the needed ones to the modules path of the kernel (i did not want to blindly copy all because im afraid i cannot reboot afterwards):

Code: Select all

$ dmesg
[ 2601.109107] iptable_nat: Unknown symbol nf_nat_ipv4_fn (err 0)
[ 2601.113774] iptable_nat: Unknown symbol nf_nat_ipv4_local_fn (err 0)
[ 2601.118942] iptable_nat: Unknown symbol nf_nat_ipv4_out (err 0)
[ 2601.123667] iptable_nat: Unknown symbol nf_nat_ipv4_in (err 0)

Code: Select all

$ cp -v -i net/ipv4/netfilter/iptable_nat.ko /lib/modules/3.18.24-1/kernel/net/ipv4/netfilter/
	‘net/ipv4/netfilter/iptable_nat.ko’ -> ‘/lib/modules/3.18.24-1/kernel/net/ipv4/netfilter/iptable_nat.ko’

$ cp -v -i net/ipv4/netfilter/nf_nat_ipv4.ko /lib/modules/3.18.24-1/kernel/net/ipv4/netfilter/

$ cp -i -v net/ipv4/netfilter/*nat*.ko /lib/modules/3.18.24-1/kernel/net/ipv4/netfilter/
	cp: overwrite ‘/lib/modules/3.18.24-1/kernel/net/ipv4/netfilter/iptable_nat.ko’? n
	‘net/ipv4/netfilter/nf_nat_h323.ko’ -> ‘/lib/modules/3.18.24-1/kernel/net/ipv4/netfilter/nf_nat_h323.ko’
	cp: overwrite ‘/lib/modules/3.18.24-1/kernel/net/ipv4/netfilter/nf_nat_ipv4.ko’? n
	‘net/ipv4/netfilter/nf_nat_masquerade_ipv4.ko’ -> ‘/lib/modules/3.18.24-1/kernel/net/ipv4/netfilter/nf_nat_masquerade_ipv4.ko’
	‘net/ipv4/netfilter/nf_nat_pptp.ko’ -> ‘/lib/modules/3.18.24-1/kernel/net/ipv4/netfilter/nf_nat_pptp.ko’
	‘net/ipv4/netfilter/nf_nat_proto_gre.ko’ -> ‘/lib/modules/3.18.24-1/kernel/net/ipv4/netfilter/nf_nat_proto_gre.ko’

$ cp -v -i net/netfilter/nf_nat*.ko /lib/modules/3.18.24-1/kernel/net/netfilter/
	‘net/netfilter/nf_nat_amanda.ko’ -> ‘/lib/modules/3.18.24-1/kernel/net/netfilter/nf_nat_amanda.ko’
	‘net/netfilter/nf_nat_ftp.ko’ -> ‘/lib/modules/3.18.24-1/kernel/net/netfilter/nf_nat_ftp.ko’
	‘net/netfilter/nf_nat_irc.ko’ -> ‘/lib/modules/3.18.24-1/kernel/net/netfilter/nf_nat_irc.ko’
	‘net/netfilter/nf_nat.ko’ -> ‘/lib/modules/3.18.24-1/kernel/net/netfilter/nf_nat.ko’
	‘net/netfilter/nf_nat_proto_sctp.ko’ -> ‘/lib/modules/3.18.24-1/kernel/net/netfilter/nf_nat_proto_sctp.ko’
	‘net/netfilter/nf_nat_proto_udplite.ko’ -> ‘/lib/modules/3.18.24-1/kernel/net/netfilter/nf_nat_proto_udplite.ko’
	‘net/netfilter/nf_nat_sip.ko’ -> ‘/lib/modules/3.18.24-1/kernel/net/netfilter/nf_nat_sip.ko’
	‘net/netfilter/nf_nat_tftp.ko’ -> ‘/lib/modules/3.18.24-1/kernel/net/netfilter/nf_nat_tftp.ko’

$ cp -v -i net/netfilter/xt_nat.ko /lib/modules/3.18.24-1/kernel/net/netfilter/

$ cp -i -v net/ipv4/netfilter/ipt_MASQUERADE.ko /lib/modules/3.18.24-1/kernel/net/ipv4/netfilter/
	‘net/ipv4/netfilter/ipt_MASQUERADE.ko’ -> ‘/lib/modules/3.18.24-1/kernel/net/ipv4/netfilter/ipt_MASQUERADE.ko’

Code: Select all

$ depmod -a

Code: Select all

$ modprobe nf_conntrack_ipv4
$ modprobe nf_conntrack
$ modprobe iptable_nat
modprobe: ERROR: could not insert 'iptable_nat': Unknown symbol in module, or unknown parameter (see dmesg)
bubba:/linux-3.18.24# modprobe nf_nat
modprobe: ERROR: could not insert 'nf_nat': Unknown symbol in module, or unknown parameter (see dmesg)

$ dmesg:
[  578.460438] nf_nat: Unknown symbol nf_nat_decode_session_hook (err 0)

$ modprobe iptable_nat
	modprobe: ERROR: could not insert 'iptable_nat': Unknown symbol in module, or unknown parameter (see dmesg)

$ insmod /lib/modules/3.18.24-1/kernel/net/ipv4/netfilter/iptable_nat.ko
	insmod: ERROR: could not insert module /lib/modules/3.18.24-1/kernel/net/ipv4/netfilter/iptable_nat.ko: Unknown symbol in module

The problem seems just to be iptable_nat (if i dit not completely forget a missing module for NAT).


Investigation looks like the missing method is defined in (fount on http://lxr.free-electrons.com/ident?i=n ... ssion_hook):

net/netfilter/core.c
include/linux/netfilter.h

But in which module(s) .ko files do those two files land on compilage?
I guess its a module which already exists but is not compiled with the missing symbol on the running kernel, and which i did not yet copy over from the new modules (im afraid using just make modules_install to move all modules over, since i removed some flags in the .config to compile faster or skip some errors). Yes, that was not very clean...

Thanks for all the help guys!

[Gordon]

If you are afraid of damaging existing good modules, simply tar them, run make modules_install and then untar the original modules back. Don't forget to run depmod afterwards!

Bonus: by running make modules_install the modules will be placed in their corresponding /lib/modules/`version` and you will have confirmation that you set the version info correctly.

[MouettE]

I have changed to configs and I will compile a new kernel for the B2 which will include the missing NAT modules tonight. It will also be upgraded to latest 3.18.27 (the b3 will also get an upgrade). Hopefully it will be uploaded on the repository tomorrow.

Sorry about that it shouldn't have happened. If you are in a hurry I can provide the deb package directly (the cross compiled versions I use for testing), let me know.

[MouettE]

Kernel 3.18.27-1 is available on the repository for both b2 and b3 with NAT modules re-added on the B2. Ley me know if it works !

[kees]

works perfectly:

Linux b2 3.18.27-1 #1 Thu Feb 25 00:53:08 UTC 2016 ppc

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Aug 1 22:46:24 2016 from 192.168.7.30


root@b2:/home/kees# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination