I'm not accusing anyone, I was asking for help diagnosing the problem.
Luckily I ignored your suggestions because you were both wrong.
I managed to get strace copied to my device:
# strace iptables -A OUTPUT -m owner --uid 0
execve("/usr/sbin/iptables", ["iptables", "-A", "OUTPUT", "-m",
"owner", "--uid", "0"], 0x7ffa7423d0 /* 29 vars */) = 0
brk(NULL) = 0x55a5afa000
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
0) = 0x7f8502f000
faccessat(AT_FDCWD, "/etc/ld.so.preload", R_OK) = -1 ENOENT (No such
file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=32961, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 32961, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f85026000
close(3) = 0
openat(AT_FDCWD, "/usr/lib/libip4tc.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0\267\0\1\0\0\0\0\0\0\0\0\0\0\0"...,
832) = 832
newfstatat(3, "", {st_mode=S_IFREG|0755, st_size=31152, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 160296, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f84fd1000
mmap(0x7f84fe0000, 94760, PROT_READ|PROT_EXEC,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0) = 0x7f84fe0000
munmap(0x7f84fd1000, 61440) = 0
munmap(0x7f84ff8000, 552) = 0
mprotect(0x7f84fe7000, 61440, PROT_NONE) = 0
mmap(0x7f84ff6000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x6000) = 0x7f84ff6000
close(3) = 0
openat(AT_FDCWD, "/usr/lib/libip6tc.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0\267\0\1\0\0\0\0\0\0\0\0\0\0\0"...,
832) = 832
newfstatat(3, "", {st_mode=S_IFREG|0755, st_size=31152, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 160296, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f84fb8000
mmap(0x7f84fc0000, 94760, PROT_READ|PROT_EXEC,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0) = 0x7f84fc0000
munmap(0x7f84fb8000, 32768) = 0
munmap(0x7f84fd8000, 29224) = 0
mprotect(0x7f84fc7000, 61440, PROT_NONE) = 0
mmap(0x7f84fd6000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x6000) = 0x7f84fd6000
close(3) = 0
openat(AT_FDCWD, "/usr/lib/libxtables.so.12", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0\267\0\1\0\0\0\0\0\0\0\0\0\0\0"...,
832) = 832
newfstatat(3, "", {st_mode=S_IFREG|0755, st_size=59304, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 199720, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f84f8f000
mmap(0x7f84f90000, 134184, PROT_READ|PROT_EXEC,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0) = 0x7f84f90000
munmap(0x7f84f8f000, 4096) = 0
munmap(0x7f84fb1000, 60456) = 0
mprotect(0x7f84f9e000, 61440, PROT_NONE) = 0
mmap(0x7f84fad000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xd000) = 0x7f84fad000
mmap(0x7f84faf000, 7208, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f84faf000
close(3) = 0
openat(AT_FDCWD, "/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0\267\0\1\0\0\0@\264\2\0\0\0\0\0"...,
832) = 832
pread64(3, "\4\0\0\0\24\0\0\0\3\0\0\0GNU\0/\267c\324\361R\25\177\n\177\26\327\322\277\4\211"...,
68, 768) = 68
newfstatat(3, "", {st_mode=S_IFREG|0755, st_size=1630088, ...},
AT_EMPTY_PATH) = 0
mmap(NULL, 1805328, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f84dd7000
mmap(0x7f84de0000, 1739792, PROT_READ|PROT_EXEC,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0) = 0x7f84de0000
munmap(0x7f84dd7000, 36864) = 0
munmap(0x7f84f89000, 27664) = 0
mprotect(0x7f84f68000, 61440, PROT_NONE) = 0
mmap(0x7f84f77000, 24576, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x187000) = 0x7f84f77000
mmap(0x7f84f7d000, 48144, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f84f7d000
close(3) = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
0) = 0x7f85024000
set_tid_address(0x7f850240f0) = 25050
set_robust_list(0x7f85024100, 24) = 0
rseq(0x7f850247c0, 0x20, 0, 0xd428bc00) = 0
mprotect(0x7f84f77000, 12288, PROT_READ) = 0
mprotect(0x7f84fad000, 4096, PROT_READ) = 0
mprotect(0x7f84fd6000, 4096, PROT_READ) = 0
mprotect(0x7f84ff6000, 4096, PROT_READ) = 0
mprotect(0x557a8bc000, 4096, PROT_READ) = 0
mprotect(0x7f85033000, 8192, PROT_READ) = 0
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024,
rlim_max=RLIM64_INFINITY}) = 0
munmap(0x7f85026000, 32961) = 0
newfstatat(AT_FDCWD, "/usr/lib/xtables/libipt_owner.so", 0x7fdac3dc78,
0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/lib/xtables/libxt_owner.so",
{st_mode=S_IFREG|0755, st_size=18904, ...}, 0) = 0
getrandom("\x89\xee\xcc\x55\xdc\x6d\x75\xd8", 8, GRND_NONBLOCK) = 8
brk(NULL) = 0x55a5afa000
brk(0x55a5b1b000) = 0x55a5b1b000
openat(AT_FDCWD, "/usr/lib/xtables/libxt_owner.so", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0\267\0\1\0\0\0\0\0\0\0\0\0\0\0"...,
832) = 832
newfstatat(3, "", {st_mode=S_IFREG|0755, st_size=18904, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 148048, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f84dbb000
mmap(0x7f84dc0000, 82512, PROT_READ|PROT_EXEC,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0) = 0x7f84dc0000
munmap(0x7f84dbb000, 20480) = 0
munmap(0x7f84dd5000, 41552) = 0
mprotect(0x7f84dc3000, 65536, PROT_NONE) = 0
mmap(0x7f84dd3000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3000) = 0x7f84dd3000
close(3) = 0
mprotect(0x7f84dd3000, 4096, PROT_READ) = 0
socket(AF_INET, SOCK_RAW, IPPROTO_RAW) = 3
fcntl(3, F_SETFD, FD_CLOEXEC) = 0
newfstatat(AT_FDCWD, "/proc/net/ip_tables_names",
{st_mode=S_IFREG|0440, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
statfs("/proc/net/ip_tables_names", {f_type=PROC_SUPER_MAGIC,
f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0,
f_fsid={val=[0, 0]}, f_namelen=255, f_frsize=4096,
f_flags=ST_VALID|ST_NOSUID|ST_NODEV|ST_NOEXEC|ST_RELATIME}) = 0
getsockopt(3, SOL_IP, IPT_SO_GET_REVISION_MATCH, 0x7fdac3db68, [30]) =
-1 ENOENT (No such file or directory)
close(3) = 0
socket(AF_INET, SOCK_RAW, IPPROTO_RAW) = 3
fcntl(3, F_SETFD, FD_CLOEXEC) = 0
getsockopt(3, SOL_IP, IPT_SO_GET_REVISION_MATCH, 0x7fdac3db68, [30]) =
-1 ENOENT (No such file or directory)
close(3) = 0
write(2, "iptables v1.8.7 (legacy): ", 26iptables v1.8.7 (legacy): ) = 26
write(2, "Couldn't load match `owner':No s"..., 54Couldn't load match
`owner':No such file or directory
) = 54
write(2, "\n", 1
) = 1
write(2, "Try `iptables -h' or 'iptables -"..., 61Try `iptables -h' or
'iptables --help' for more information.
) = 61
exit_group(2) = ?
+++ exited with 2 +++
Looks like we're missing /usr/lib/xtables/libipt_owner.so?
https://forums.gentoo.org/viewtopic-t-754259-start-0.html suggests
this requires CONFIG_NETFILTER_XT_MATCH_OWNER=m so I tried rebuilding
the kernel with that:
# iptables -A OUTPUT -m owner --uid 0
No error returned.
But /usr/lib/xtables/libipt_owner.so is still missing. If I run the
working version with strace the difference seems to be getsockopt,
from:
newfstatat(AT_FDCWD, "/proc/net/ip_tables_names",
{st_mode=S_IFREG|0440, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
statfs("/proc/net/ip_tables_names", {f_type=PROC_SUPER_MAGIC,
f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0,
f_fsid={val=[0, 0]}, f_namelen=255, f_frsize=4096,
f_flags=ST_VALID|ST_NOSUID|ST_NODEV|ST_NOEXEC|ST_RELATIME}) = 0
getsockopt(3, SOL_IP, IPT_SO_GET_REVISION_MATCH, 0x7fdac3db68, [30]) =
-1 ENOENT (No such file or directory)
to:
newfstatat(AT_FDCWD, "/proc/net/ip_tables_names",
{st_mode=S_IFREG|0440, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
statfs("/proc/net/ip_tables_names", {f_type=PROC_SUPER_MAGIC,
f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0,
f_fsid={val=[0, 0]}, f_namelen=255, f_frsize=4096,
f_flags=ST_VALID|ST_NOSUID|ST_NODEV|ST_NOEXEC|ST_RELATIME}) = 0
getsockopt(3, SOL_IP, IPT_SO_GET_REVISION_MATCH,
"owner\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1", [30]) = 0
I don't understand why getsockopt() doesn't show the string in the
first instance, makes diagnosing the problem difficult.
The full command still fails:
# strace iptables -w -t nat -I PREROUTING -s 192.168.12.0/24 -d
192.168.12.1 -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 5353
execve("/usr/sbin/iptables", ["iptables", "-w", "-t", "nat", "-I",
"PREROUTING", "-s", "192.168.12.0/24", "-d", "192.168.12.1", "-p",
"tcp", "-m", "tcp", "--dport", "53", "-j", "REDIRECT", "--to-ports",
"5353"], 0x7ff90c7de8 /* 29 vars */) = 0
brk(NULL) = 0x55b6039000
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
0) = 0x7fb4e97000
faccessat(AT_FDCWD, "/etc/ld.so.preload", R_OK) = -1 ENOENT (No such
file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=32961, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 32961, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fb4e8e000
close(3) = 0
openat(AT_FDCWD, "/usr/lib/libip4tc.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0\267\0\1\0\0\0\0\0\0\0\0\0\0\0"...,
832) = 832
newfstatat(3, "", {st_mode=S_IFREG|0755, st_size=31152, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 160296, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fb4e39000
mmap(0x7fb4e40000, 94760, PROT_READ|PROT_EXEC,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0) = 0x7fb4e40000
munmap(0x7fb4e39000, 28672) = 0
munmap(0x7fb4e58000, 33320) = 0
mprotect(0x7fb4e47000, 61440, PROT_NONE) = 0
mmap(0x7fb4e56000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x6000) = 0x7fb4e56000
close(3) = 0
openat(AT_FDCWD, "/usr/lib/libip6tc.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0\267\0\1\0\0\0\0\0\0\0\0\0\0\0"...,
832) = 832
newfstatat(3, "", {st_mode=S_IFREG|0755, st_size=31152, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 160296, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fb4e18000
mmap(0x7fb4e20000, 94760, PROT_READ|PROT_EXEC,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0) = 0x7fb4e20000
munmap(0x7fb4e18000, 32768) = 0
munmap(0x7fb4e38000, 29224) = 0
mprotect(0x7fb4e27000, 61440, PROT_NONE) = 0
mmap(0x7fb4e36000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x6000) = 0x7fb4e36000
close(3) = 0
openat(AT_FDCWD, "/usr/lib/libxtables.so.12", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0\267\0\1\0\0\0\0\0\0\0\0\0\0\0"...,
832) = 832
newfstatat(3, "", {st_mode=S_IFREG|0755, st_size=59304, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 199720, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fb4def000
mmap(0x7fb4df0000, 134184, PROT_READ|PROT_EXEC,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0) = 0x7fb4df0000
munmap(0x7fb4def000, 4096) = 0
munmap(0x7fb4e11000, 60456) = 0
mprotect(0x7fb4dfe000, 61440, PROT_NONE) = 0
mmap(0x7fb4e0d000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xd000) = 0x7fb4e0d000
mmap(0x7fb4e0f000, 7208, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fb4e0f000
close(3) = 0
openat(AT_FDCWD, "/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0\267\0\1\0\0\0@\264\2\0\0\0\0\0"...,
832) = 832
pread64(3, "\4\0\0\0\24\0\0\0\3\0\0\0GNU\0/\267c\324\361R\25\177\n\177\26\327\322\277\4\211"...,
68, 768) = 68
newfstatat(3, "", {st_mode=S_IFREG|0755, st_size=1630088, ...},
AT_EMPTY_PATH) = 0
mmap(NULL, 1805328, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fb4c37000
mmap(0x7fb4c40000, 1739792, PROT_READ|PROT_EXEC,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0) = 0x7fb4c40000
munmap(0x7fb4c37000, 36864) = 0
munmap(0x7fb4de9000, 27664) = 0
mprotect(0x7fb4dc8000, 61440, PROT_NONE) = 0
mmap(0x7fb4dd7000, 24576, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x187000) = 0x7fb4dd7000
mmap(0x7fb4ddd000, 48144, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fb4ddd000
close(3) = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
0) = 0x7fb4e8c000
set_tid_address(0x7fb4e8c0f0) = 83953
set_robust_list(0x7fb4e8c100, 24) = 0
rseq(0x7fb4e8c7c0, 0x20, 0, 0xd428bc00) = 0
mprotect(0x7fb4dd7000, 12288, PROT_READ) = 0
mprotect(0x7fb4e0d000, 4096, PROT_READ) = 0
mprotect(0x7fb4e36000, 4096, PROT_READ) = 0
mprotect(0x7fb4e56000, 4096, PROT_READ) = 0
mprotect(0x558371f000, 4096, PROT_READ) = 0
mprotect(0x7fb4e9b000, 8192, PROT_READ) = 0
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024,
rlim_max=RLIM64_INFINITY}) = 0
munmap(0x7fb4e8e000, 32961) = 0
getrandom("\xfa\xf8\xa1\x00\x5e\xc6\xd6\x38", 8, GRND_NONBLOCK) = 8
brk(NULL) = 0x55b6039000
brk(0x55b605a000) = 0x55b605a000
newfstatat(AT_FDCWD, "/etc/nsswitch.conf", {st_mode=S_IFREG|0644,
st_size=482, ...}, 0) = 0
newfstatat(AT_FDCWD, "/", {st_mode=S_IFDIR|0755, st_size=4096, ...}, 0) = 0
openat(AT_FDCWD, "/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=482, ...}, AT_EMPTY_PATH) = 0
read(3, "# /etc/nsswitch.conf\n#\n# Example"..., 4096) = 482
read(3, "", 4096) = 0
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=482, ...}, AT_EMPTY_PATH) = 0
close(3) = 0
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=32961, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 32961, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fb4e8e000
close(3) = 0
openat(AT_FDCWD, "/lib/tls/aarch64/libnss_db.so.2",
O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/lib/tls/aarch64", 0x7fe4e67730, 0) = -1 ENOENT
(No such file or directory)
openat(AT_FDCWD, "/lib/tls/libnss_db.so.2", O_RDONLY|O_CLOEXEC) = -1
ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/lib/tls", 0x7fe4e67730, 0) = -1 ENOENT (No such
file or directory)
openat(AT_FDCWD, "/lib/aarch64/libnss_db.so.2", O_RDONLY|O_CLOEXEC) =
-1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/lib/aarch64", 0x7fe4e67730, 0) = -1 ENOENT (No
such file or directory)
openat(AT_FDCWD, "/lib/libnss_db.so.2", O_RDONLY|O_CLOEXEC) = -1
ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/lib", {st_mode=S_IFDIR|0755, st_size=4096, ...}, 0) = 0
openat(AT_FDCWD, "/usr/lib/tls/aarch64/libnss_db.so.2",
O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/lib/tls/aarch64", 0x7fe4e67730, 0) = -1
ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/tls/libnss_db.so.2", O_RDONLY|O_CLOEXEC) =
-1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/lib/tls", 0x7fe4e67730, 0) = -1 ENOENT (No
such file or directory)
openat(AT_FDCWD, "/usr/lib/aarch64/libnss_db.so.2",
O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/lib/aarch64", 0x7fe4e67730, 0) = -1 ENOENT
(No such file or directory)
openat(AT_FDCWD, "/usr/lib/libnss_db.so.2", O_RDONLY|O_CLOEXEC) = -1
ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/lib", {st_mode=S_IFDIR|0755, st_size=32768,
...}, 0) = 0
munmap(0x7fb4e8e000, 32961) = 0
openat(AT_FDCWD, "/etc/protocols", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=2932, ...}, AT_EMPTY_PATH) = 0
lseek(3, 0, SEEK_SET) = 0
read(3, "# Internet (IP) protocols\n#\n# Up"..., 4096) = 2932
close(3) = 0
newfstatat(AT_FDCWD, "/usr/lib/xtables/libipt_tcp.so", 0x7fe4e68508,
0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/lib/xtables/libxt_tcp.so",
{st_mode=S_IFREG|0755, st_size=14424, ...}, 0) = 0
openat(AT_FDCWD, "/usr/lib/xtables/libxt_tcp.so", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0\267\0\1\0\0\0\0\0\0\0\0\0\0\0"...,
832) = 832
newfstatat(3, "", {st_mode=S_IFREG|0755, st_size=14424, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 143568, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fb4c1c000
mmap(0x7fb4c20000, 78032, PROT_READ|PROT_EXEC,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0) = 0x7fb4c20000
munmap(0x7fb4c1c000, 16384) = 0
munmap(0x7fb4c34000, 45264) = 0
mprotect(0x7fb4c23000, 61440, PROT_NONE) = 0
mmap(0x7fb4c32000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7fb4c32000
close(3) = 0
mprotect(0x7fb4c32000, 4096, PROT_READ) = 0
socket(AF_INET, SOCK_RAW, IPPROTO_RAW) = 3
fcntl(3, F_SETFD, FD_CLOEXEC) = 0
newfstatat(AT_FDCWD, "/proc/net/ip_tables_names",
{st_mode=S_IFREG|0440, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
statfs("/proc/net/ip_tables_names", {f_type=PROC_SUPER_MAGIC,
f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0,
f_fsid={val=[0, 0]}, f_namelen=255, f_frsize=4096,
f_flags=ST_VALID|ST_NOSUID|ST_NODEV|ST_NOEXEC|ST_RELATIME}) = 0
getsockopt(3, SOL_IP, IPT_SO_GET_REVISION_MATCH,
"tcp\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", [30]) = 0
close(3) = 0
newfstatat(AT_FDCWD, "/usr/lib/xtables/libipt_REDIRECT.so",
{st_mode=S_IFREG|0755, st_size=10344, ...}, 0) = 0
openat(AT_FDCWD, "/usr/lib/xtables/libipt_REDIRECT.so", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0\267\0\1\0\0\0\0\0\0\0\0\0\0\0"...,
832) = 832
newfstatat(3, "", {st_mode=S_IFREG|0755, st_size=10344, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 139480, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fb4bfd000
mmap(0x7fb4c00000, 73944, PROT_READ|PROT_EXEC,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0) = 0x7fb4c00000
munmap(0x7fb4bfd000, 12288) = 0
munmap(0x7fb4c13000, 49368) = 0
mprotect(0x7fb4c02000, 61440, PROT_NONE) = 0
mmap(0x7fb4c11000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1000) = 0x7fb4c11000
close(3) = 0
mprotect(0x7fb4c11000, 4096, PROT_READ) = 0
socket(AF_INET, SOCK_RAW, IPPROTO_RAW) = 3
fcntl(3, F_SETFD, FD_CLOEXEC) = 0
getsockopt(3, SOL_IP, IPT_SO_GET_REVISION_TARGET, 0x7fe4e683e8, [30])
= -1 ENOENT (No such file or directory)
close(3) = 0
write(2, "iptables v1.8.7 (legacy): ", 26iptables v1.8.7 (legacy): ) = 26
write(2, "unknown option \"--to-ports\"", 27unknown option "--to-ports") = 27
write(2, "\n", 1
) = 1
write(2, "Try `iptables -h' or 'iptables -"..., 61Try `iptables -h' or
'iptables --help' for more information.
) = 61
exit_group(2) = ?
+++ exited with 2 +++
Previously we had a failure with IPT_SO_GET_REVISION_MATCH, now it's
IPT_SO_GET_REVISION_TARGET. I looked for usage of this in the Linux
source for v5.4.238:
https://elixir.bootlin.com/linux/v5.4.238/C/ident/IPT_SO_GET_REVISION_TARGET
They're used in the same function.
I also noticed that if you run without --to-ports you get:
# iptables -w -t nat -I PREROUTING -s 192.168.12.0/24 -d 192.168.12.1
-p tcp -m tcp --dport 53 -j REDIRECT
iptables v1.8.7 (legacy): Couldn't load target `REDIRECT':No such file
or directory
So if adding CONFIG_NETFILTER_XT_MATCH_OWNER fixed
IPT_SO_GET_REVISION_MATCH, would adding
CONFIG_NETFILTER_XT_TARGET_REDIRECT fix IPT_SO_GET_REVISION_TARGET?
Yes it does, NAT method now works.
On Mon, 29 Jul 2024 at 04:58, Reindl Harald <h.reindl@xxxxxxxxxxxxx> wrote:
>
>
>
> Am 25.07.24 um 04:29 schrieb Tom Isaacson:
> > I don't have strace on the device, it's pretty minimal. But
> > libxt_owner.so is present here:
> > /usr/lib/xtables/libxt_owner.so
> > along with all the other files.
> >
> > The installation is from Yocto:
> > https://urldefense.proofpoint.com/v2/url?u=https-3A__layers.openembedded.org_layerindex_recipe_300425_&d=DwICaQ&c=q3cDpHe1hF8lXU5EFjNM_C93KOmcBXCBnhee2v6PYlc&r=MO7EWU3DamJNNM8h6vHmeK6CEry2ufcorA3OreLf9oSJJvfzyukEHrKjEuU65HDv&m=qra8kepdXvk2kSHd5pZNDgZwemrhMGNw-eOtKfUoleBSvjSCrB1FYvyXb5aXbklA&s=nDKMvy2KD4qfYfMInybCHSfKn1_vI_KQd3Re6Bp8lxA&e=
>
> so why don't you ask them what they have done to cripple down the
> binary? upstream is innocent
>
> > On Thu, 25 Jul 2024 at 14:19, Florian Westphal <fw@xxxxxxxxx> wrote:
> >>
> >> Tom Isaacson <thomas.isaacson@xxxxxxxxxxxxxxxxxxxxx> wrote:
> >>>> Sharing Internet using method: nat
> >>>> iptables v1.8.7 (legacy): unknown option "--to-ports"
> >>>> Try `iptables -h' or 'iptables --help' for more information.
> >>>> Doing cleanup.. done
> >>
> >> Broken iptables installation.
> >>
> >>>> The offending iptables commands are:
> >>>> iptables -w -t nat -D PREROUTING -s ${GATEWAY%.*}.0/24 -d
> >>>> ${GATEWAY} \
> >>>> -p tcp -m tcp --dport 53 -j REDIRECT --to-ports $DNS_PORT
> >>>> iptables -w -t nat -D PREROUTING -s ${GATEWAY%.*}.0/24 -d
> >>>> ${GATEWAY} \
> >>>> -p udp -m udp --dport 53 -j REDIRECT --to-ports $DNS_PORT
> >>>>
> >>>> I searched around for a solution and found
> >>>> https://urldefense.proofpoint.com/v2/url?u=https-3A__community.unix.com_t_iptables-2Dv1-2D8-2D7-2Dnf-2Dtables-2Dunknown-2Doption-2Dto-2Dports_385377_3&d=DwIBAg&c=q3cDpHe1hF8lXU5EFjNM_C93KOmcBXCBnhee2v6PYlc&r=MO7EWU3DamJNNM8h6vHmeK6CEry2ufcorA3OreLf9oSJJvfzyukEHrKjEuU65HDv&m=3pEifEeIBaWYzhy_9MSuLYFwj7s1hDnpv2ftIP8xg0VZA5QWqX6RKTC79F1ylozp&s=sBy-V0FVFtnFXyvzNpVWO6IaPMyAYTyauL9S5RRjQrk&e=
> >>
> >> This has all diagnostic commands that you'll need to figure out whats
> >> happening.
> >>
> >>>> but this command also fails:
> >>>> # iptables -A OUTPUT -m owner --uid 0
> >>>> iptables v1.8.7 (legacy): Couldn't load match `owner':No such file
> >>>> or directory
> >>>>
> >>>> iptables links to xtables-legacy-multi but it seems to have all of the
> >>>> necessary files present.
> >>
> >> iptables says it can't load match 'owner' (libxt_owner.so).
> >>
> >> So its either missing or iptables is searching the wrong location.
> >>
> >> strace should tell which directory iptables is searching to fetch
> >> extensions.
> >>
> >> Some embedded distros split packages into subpackages to save space,
> >> so it might be missing package too.
--
*For more information on how and why we collect your personal
information, please visit our Privacy Policy
<https://www.motorolasolutions.com/en_us/about/privacy-policy.html?elqTrackId=8980d888905940e39a2613a7a3dcb0a7&elqaid=2786&elqat=2#privacystatement>.*
