I'm not accusing anyone, I was asking for help diagnosing the problem. Luckily I ignored your suggestions because you were both wrong. I managed to get strace copied to my device: # strace iptables -A OUTPUT -m owner --uid 0 execve("/usr/sbin/iptables", ["iptables", "-A", "OUTPUT", "-m", "owner", "--uid", "0"], 0x7ffa7423d0 /* 29 vars */) = 0 brk(NULL) = 0x55a5afa000 mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f8502f000 faccessat(AT_FDCWD, "/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3 newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=32961, ...}, AT_EMPTY_PATH) = 0 mmap(NULL, 32961, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f85026000 close(3) = 0 openat(AT_FDCWD, "/usr/lib/libip4tc.so.2", O_RDONLY|O_CLOEXEC) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0\267\0\1\0\0\0\0\0\0\0\0\0\0\0"..., 832) = 832 newfstatat(3, "", {st_mode=S_IFREG|0755, st_size=31152, ...}, AT_EMPTY_PATH) = 0 mmap(NULL, 160296, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f84fd1000 mmap(0x7f84fe0000, 94760, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0) = 0x7f84fe0000 munmap(0x7f84fd1000, 61440) = 0 munmap(0x7f84ff8000, 552) = 0 mprotect(0x7f84fe7000, 61440, PROT_NONE) = 0 mmap(0x7f84ff6000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x6000) = 0x7f84ff6000 close(3) = 0 openat(AT_FDCWD, "/usr/lib/libip6tc.so.2", O_RDONLY|O_CLOEXEC) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0\267\0\1\0\0\0\0\0\0\0\0\0\0\0"..., 832) = 832 newfstatat(3, "", {st_mode=S_IFREG|0755, st_size=31152, ...}, AT_EMPTY_PATH) = 0 mmap(NULL, 160296, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f84fb8000 mmap(0x7f84fc0000, 94760, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0) = 0x7f84fc0000 munmap(0x7f84fb8000, 32768) = 0 munmap(0x7f84fd8000, 29224) = 0 mprotect(0x7f84fc7000, 61440, PROT_NONE) = 0 mmap(0x7f84fd6000, 8192, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x6000) = 0x7f84fd6000 close(3) = 0 openat(AT_FDCWD, "/usr/lib/libxtables.so.12", O_RDONLY|O_CLOEXEC) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0\267\0\1\0\0\0\0\0\0\0\0\0\0\0"..., 832) = 832 newfstatat(3, "", {st_mode=S_IFREG|0755, st_size=59304, ...}, AT_EMPTY_PATH) = 0 mmap(NULL, 199720, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f84f8f000 mmap(0x7f84f90000, 134184, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0) = 0x7f84f90000 munmap(0x7f84f8f000, 4096) = 0 munmap(0x7f84fb1000, 60456) = 0 mprotect(0x7f84f9e000, 61440, PROT_NONE) = 0 mmap(0x7f84fad000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xd000) = 0x7f84fad000 mmap(0x7f84faf000, 7208, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f84faf000 close(3) = 0 openat(AT_FDCWD, "/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3 read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0\267\0\1\0\0\0@\264\2\0\0\0\0\0"..., 832) = 832 pread64(3, "\4\0\0\0\24\0\0\0\3\0\0\0GNU\0/\267c\324\361R\25\177\n\177\26\327\322\277\4\211"..., 68, 768) = 68 newfstatat(3, "", {st_mode=S_IFREG|0755, st_size=1630088, ...}, AT_EMPTY_PATH) = 0 mmap(NULL, 1805328, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f84dd7000 mmap(0x7f84de0000, 1739792, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0) = 0x7f84de0000 munmap(0x7f84dd7000, 36864) = 0 munmap(0x7f84f89000, 27664) = 0 mprotect(0x7f84f68000, 61440, PROT_NONE) = 0 mmap(0x7f84f77000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x187000) = 0x7f84f77000 mmap(0x7f84f7d000, 48144, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f84f7d000 close(3) = 0 mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f85024000 set_tid_address(0x7f850240f0) = 25050 set_robust_list(0x7f85024100, 24) = 0 rseq(0x7f850247c0, 0x20, 0, 0xd428bc00) = 0 mprotect(0x7f84f77000, 12288, PROT_READ) = 0 mprotect(0x7f84fad000, 4096, 
PROT_READ) = 0 mprotect(0x7f84fd6000, 4096, PROT_READ) = 0 mprotect(0x7f84ff6000, 4096, PROT_READ) = 0 mprotect(0x557a8bc000, 4096, PROT_READ) = 0 mprotect(0x7f85033000, 8192, PROT_READ) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 munmap(0x7f85026000, 32961) = 0 newfstatat(AT_FDCWD, "/usr/lib/xtables/libipt_owner.so", 0x7fdac3dc78, 0) = -1 ENOENT (No such file or directory) newfstatat(AT_FDCWD, "/usr/lib/xtables/libxt_owner.so", {st_mode=S_IFREG|0755, st_size=18904, ...}, 0) = 0 getrandom("\x89\xee\xcc\x55\xdc\x6d\x75\xd8", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x55a5afa000 brk(0x55a5b1b000) = 0x55a5b1b000 openat(AT_FDCWD, "/usr/lib/xtables/libxt_owner.so", O_RDONLY|O_CLOEXEC) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0\267\0\1\0\0\0\0\0\0\0\0\0\0\0"..., 832) = 832 newfstatat(3, "", {st_mode=S_IFREG|0755, st_size=18904, ...}, AT_EMPTY_PATH) = 0 mmap(NULL, 148048, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f84dbb000 mmap(0x7f84dc0000, 82512, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0) = 0x7f84dc0000 munmap(0x7f84dbb000, 20480) = 0 munmap(0x7f84dd5000, 41552) = 0 mprotect(0x7f84dc3000, 65536, PROT_NONE) = 0 mmap(0x7f84dd3000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3000) = 0x7f84dd3000 close(3) = 0 mprotect(0x7f84dd3000, 4096, PROT_READ) = 0 socket(AF_INET, SOCK_RAW, IPPROTO_RAW) = 3 fcntl(3, F_SETFD, FD_CLOEXEC) = 0 newfstatat(AT_FDCWD, "/proc/net/ip_tables_names", {st_mode=S_IFREG|0440, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 statfs("/proc/net/ip_tables_names", {f_type=PROC_SUPER_MAGIC, f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={val=[0, 0]}, f_namelen=255, f_frsize=4096, f_flags=ST_VALID|ST_NOSUID|ST_NODEV|ST_NOEXEC|ST_RELATIME}) = 0 getsockopt(3, SOL_IP, IPT_SO_GET_REVISION_MATCH, 0x7fdac3db68, [30]) = -1 ENOENT (No such file or directory) close(3) = 0 socket(AF_INET, SOCK_RAW, IPPROTO_RAW) = 3 fcntl(3, F_SETFD, FD_CLOEXEC) = 
0 getsockopt(3, SOL_IP, IPT_SO_GET_REVISION_MATCH, 0x7fdac3db68, [30]) = -1 ENOENT (No such file or directory) close(3) = 0 write(2, "iptables v1.8.7 (legacy): ", 26iptables v1.8.7 (legacy): ) = 26 write(2, "Couldn't load match `owner':No s"..., 54Couldn't load match `owner':No such file or directory ) = 54 write(2, "\n", 1 ) = 1 write(2, "Try `iptables -h' or 'iptables -"..., 61Try `iptables -h' or 'iptables --help' for more information. ) = 61 exit_group(2) = ? +++ exited with 2 +++ Looks like we're missing /usr/lib/xtables/libipt_owner.so? https://forums.gentoo.org/viewtopic-t-754259-start-0.html suggests this requires CONFIG_NETFILTER_XT_MATCH_OWNER=m, so I tried rebuilding the kernel with that: # iptables -A OUTPUT -m owner --uid 0 No error is returned, even though /usr/lib/xtables/libipt_owner.so is still missing. So that file was not the cause: in the trace above iptables falls back to /usr/lib/xtables/libxt_owner.so, which is found and loaded. If I run the working version under strace, the difference seems to be in getsockopt(), which goes from: newfstatat(AT_FDCWD, "/proc/net/ip_tables_names", {st_mode=S_IFREG|0440, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 statfs("/proc/net/ip_tables_names", {f_type=PROC_SUPER_MAGIC, f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={val=[0, 0]}, f_namelen=255, f_frsize=4096, f_flags=ST_VALID|ST_NOSUID|ST_NODEV|ST_NOEXEC|ST_RELATIME}) = 0 getsockopt(3, SOL_IP, IPT_SO_GET_REVISION_MATCH, 0x7fdac3db68, [30]) = -1 ENOENT (No such file or directory) to: newfstatat(AT_FDCWD, "/proc/net/ip_tables_names", {st_mode=S_IFREG|0440, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 statfs("/proc/net/ip_tables_names", {f_type=PROC_SUPER_MAGIC, f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={val=[0, 0]}, f_namelen=255, f_frsize=4096, f_flags=ST_VALID|ST_NOSUID|ST_NODEV|ST_NOEXEC|ST_RELATIME}) = 0 getsockopt(3, SOL_IP, IPT_SO_GET_REVISION_MATCH, "owner\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1", [30]) = 0 I don't understand why the strace output for getsockopt() doesn't show the string in the first instance (only a buffer address), which makes diagnosing the problem difficult. 
The full command still fails: # strace iptables -w -t nat -I PREROUTING -s 192.168.12.0/24 -d 192.168.12.1 -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 5353 execve("/usr/sbin/iptables", ["iptables", "-w", "-t", "nat", "-I", "PREROUTING", "-s", "192.168.12.0/24", "-d", "192.168.12.1", "-p", "tcp", "-m", "tcp", "--dport", "53", "-j", "REDIRECT", "--to-ports", "5353"], 0x7ff90c7de8 /* 29 vars */) = 0 brk(NULL) = 0x55b6039000 mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fb4e97000 faccessat(AT_FDCWD, "/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3 newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=32961, ...}, AT_EMPTY_PATH) = 0 mmap(NULL, 32961, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fb4e8e000 close(3) = 0 openat(AT_FDCWD, "/usr/lib/libip4tc.so.2", O_RDONLY|O_CLOEXEC) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0\267\0\1\0\0\0\0\0\0\0\0\0\0\0"..., 832) = 832 newfstatat(3, "", {st_mode=S_IFREG|0755, st_size=31152, ...}, AT_EMPTY_PATH) = 0 mmap(NULL, 160296, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fb4e39000 mmap(0x7fb4e40000, 94760, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0) = 0x7fb4e40000 munmap(0x7fb4e39000, 28672) = 0 munmap(0x7fb4e58000, 33320) = 0 mprotect(0x7fb4e47000, 61440, PROT_NONE) = 0 mmap(0x7fb4e56000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x6000) = 0x7fb4e56000 close(3) = 0 openat(AT_FDCWD, "/usr/lib/libip6tc.so.2", O_RDONLY|O_CLOEXEC) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0\267\0\1\0\0\0\0\0\0\0\0\0\0\0"..., 832) = 832 newfstatat(3, "", {st_mode=S_IFREG|0755, st_size=31152, ...}, AT_EMPTY_PATH) = 0 mmap(NULL, 160296, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fb4e18000 mmap(0x7fb4e20000, 94760, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0) = 0x7fb4e20000 munmap(0x7fb4e18000, 32768) = 0 munmap(0x7fb4e38000, 29224) = 0 mprotect(0x7fb4e27000, 61440, 
PROT_NONE) = 0 mmap(0x7fb4e36000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x6000) = 0x7fb4e36000 close(3) = 0 openat(AT_FDCWD, "/usr/lib/libxtables.so.12", O_RDONLY|O_CLOEXEC) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0\267\0\1\0\0\0\0\0\0\0\0\0\0\0"..., 832) = 832 newfstatat(3, "", {st_mode=S_IFREG|0755, st_size=59304, ...}, AT_EMPTY_PATH) = 0 mmap(NULL, 199720, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fb4def000 mmap(0x7fb4df0000, 134184, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0) = 0x7fb4df0000 munmap(0x7fb4def000, 4096) = 0 munmap(0x7fb4e11000, 60456) = 0 mprotect(0x7fb4dfe000, 61440, PROT_NONE) = 0 mmap(0x7fb4e0d000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xd000) = 0x7fb4e0d000 mmap(0x7fb4e0f000, 7208, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fb4e0f000 close(3) = 0 openat(AT_FDCWD, "/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3 read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0\267\0\1\0\0\0@\264\2\0\0\0\0\0"..., 832) = 832 pread64(3, "\4\0\0\0\24\0\0\0\3\0\0\0GNU\0/\267c\324\361R\25\177\n\177\26\327\322\277\4\211"..., 68, 768) = 68 newfstatat(3, "", {st_mode=S_IFREG|0755, st_size=1630088, ...}, AT_EMPTY_PATH) = 0 mmap(NULL, 1805328, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fb4c37000 mmap(0x7fb4c40000, 1739792, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0) = 0x7fb4c40000 munmap(0x7fb4c37000, 36864) = 0 munmap(0x7fb4de9000, 27664) = 0 mprotect(0x7fb4dc8000, 61440, PROT_NONE) = 0 mmap(0x7fb4dd7000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x187000) = 0x7fb4dd7000 mmap(0x7fb4ddd000, 48144, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fb4ddd000 close(3) = 0 mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fb4e8c000 set_tid_address(0x7fb4e8c0f0) = 83953 set_robust_list(0x7fb4e8c100, 24) = 0 rseq(0x7fb4e8c7c0, 0x20, 0, 0xd428bc00) = 0 
mprotect(0x7fb4dd7000, 12288, PROT_READ) = 0 mprotect(0x7fb4e0d000, 4096, PROT_READ) = 0 mprotect(0x7fb4e36000, 4096, PROT_READ) = 0 mprotect(0x7fb4e56000, 4096, PROT_READ) = 0 mprotect(0x558371f000, 4096, PROT_READ) = 0 mprotect(0x7fb4e9b000, 8192, PROT_READ) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 munmap(0x7fb4e8e000, 32961) = 0 getrandom("\xfa\xf8\xa1\x00\x5e\xc6\xd6\x38", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x55b6039000 brk(0x55b605a000) = 0x55b605a000 newfstatat(AT_FDCWD, "/etc/nsswitch.conf", {st_mode=S_IFREG|0644, st_size=482, ...}, 0) = 0 newfstatat(AT_FDCWD, "/", {st_mode=S_IFDIR|0755, st_size=4096, ...}, 0) = 0 openat(AT_FDCWD, "/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = 3 newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=482, ...}, AT_EMPTY_PATH) = 0 read(3, "# /etc/nsswitch.conf\n#\n# Example"..., 4096) = 482 read(3, "", 4096) = 0 newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=482, ...}, AT_EMPTY_PATH) = 0 close(3) = 0 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3 newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=32961, ...}, AT_EMPTY_PATH) = 0 mmap(NULL, 32961, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fb4e8e000 close(3) = 0 openat(AT_FDCWD, "/lib/tls/aarch64/libnss_db.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) newfstatat(AT_FDCWD, "/lib/tls/aarch64", 0x7fe4e67730, 0) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/lib/tls/libnss_db.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) newfstatat(AT_FDCWD, "/lib/tls", 0x7fe4e67730, 0) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/lib/aarch64/libnss_db.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) newfstatat(AT_FDCWD, "/lib/aarch64", 0x7fe4e67730, 0) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/lib/libnss_db.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) newfstatat(AT_FDCWD, "/lib", {st_mode=S_IFDIR|0755, st_size=4096, ...}, 0) = 0 
openat(AT_FDCWD, "/usr/lib/tls/aarch64/libnss_db.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) newfstatat(AT_FDCWD, "/usr/lib/tls/aarch64", 0x7fe4e67730, 0) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/tls/libnss_db.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) newfstatat(AT_FDCWD, "/usr/lib/tls", 0x7fe4e67730, 0) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/aarch64/libnss_db.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) newfstatat(AT_FDCWD, "/usr/lib/aarch64", 0x7fe4e67730, 0) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/lib/libnss_db.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) newfstatat(AT_FDCWD, "/usr/lib", {st_mode=S_IFDIR|0755, st_size=32768, ...}, 0) = 0 munmap(0x7fb4e8e000, 32961) = 0 openat(AT_FDCWD, "/etc/protocols", O_RDONLY|O_CLOEXEC) = 3 newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=2932, ...}, AT_EMPTY_PATH) = 0 lseek(3, 0, SEEK_SET) = 0 read(3, "# Internet (IP) protocols\n#\n# Up"..., 4096) = 2932 close(3) = 0 newfstatat(AT_FDCWD, "/usr/lib/xtables/libipt_tcp.so", 0x7fe4e68508, 0) = -1 ENOENT (No such file or directory) newfstatat(AT_FDCWD, "/usr/lib/xtables/libxt_tcp.so", {st_mode=S_IFREG|0755, st_size=14424, ...}, 0) = 0 openat(AT_FDCWD, "/usr/lib/xtables/libxt_tcp.so", O_RDONLY|O_CLOEXEC) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0\267\0\1\0\0\0\0\0\0\0\0\0\0\0"..., 832) = 832 newfstatat(3, "", {st_mode=S_IFREG|0755, st_size=14424, ...}, AT_EMPTY_PATH) = 0 mmap(NULL, 143568, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fb4c1c000 mmap(0x7fb4c20000, 78032, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0) = 0x7fb4c20000 munmap(0x7fb4c1c000, 16384) = 0 munmap(0x7fb4c34000, 45264) = 0 mprotect(0x7fb4c23000, 61440, PROT_NONE) = 0 mmap(0x7fb4c32000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7fb4c32000 close(3) = 0 mprotect(0x7fb4c32000, 4096, 
PROT_READ) = 0 socket(AF_INET, SOCK_RAW, IPPROTO_RAW) = 3 fcntl(3, F_SETFD, FD_CLOEXEC) = 0 newfstatat(AT_FDCWD, "/proc/net/ip_tables_names", {st_mode=S_IFREG|0440, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 statfs("/proc/net/ip_tables_names", {f_type=PROC_SUPER_MAGIC, f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={val=[0, 0]}, f_namelen=255, f_frsize=4096, f_flags=ST_VALID|ST_NOSUID|ST_NODEV|ST_NOEXEC|ST_RELATIME}) = 0 getsockopt(3, SOL_IP, IPT_SO_GET_REVISION_MATCH, "tcp\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", [30]) = 0 close(3) = 0 newfstatat(AT_FDCWD, "/usr/lib/xtables/libipt_REDIRECT.so", {st_mode=S_IFREG|0755, st_size=10344, ...}, 0) = 0 openat(AT_FDCWD, "/usr/lib/xtables/libipt_REDIRECT.so", O_RDONLY|O_CLOEXEC) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0\267\0\1\0\0\0\0\0\0\0\0\0\0\0"..., 832) = 832 newfstatat(3, "", {st_mode=S_IFREG|0755, st_size=10344, ...}, AT_EMPTY_PATH) = 0 mmap(NULL, 139480, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fb4bfd000 mmap(0x7fb4c00000, 73944, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0) = 0x7fb4c00000 munmap(0x7fb4bfd000, 12288) = 0 munmap(0x7fb4c13000, 49368) = 0 mprotect(0x7fb4c02000, 61440, PROT_NONE) = 0 mmap(0x7fb4c11000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1000) = 0x7fb4c11000 close(3) = 0 mprotect(0x7fb4c11000, 4096, PROT_READ) = 0 socket(AF_INET, SOCK_RAW, IPPROTO_RAW) = 3 fcntl(3, F_SETFD, FD_CLOEXEC) = 0 getsockopt(3, SOL_IP, IPT_SO_GET_REVISION_TARGET, 0x7fe4e683e8, [30]) = -1 ENOENT (No such file or directory) close(3) = 0 write(2, "iptables v1.8.7 (legacy): ", 26iptables v1.8.7 (legacy): ) = 26 write(2, "unknown option \"--to-ports\"", 27unknown option "--to-ports") = 27 write(2, "\n", 1 ) = 1 write(2, "Try `iptables -h' or 'iptables -"..., 61Try `iptables -h' or 'iptables --help' for more information. ) = 61 exit_group(2) = ? 
+++ exited with 2 +++ Previously we had a failure with IPT_SO_GET_REVISION_MATCH; now it's IPT_SO_GET_REVISION_TARGET. I looked for usage of this in the Linux source for v5.4.238: https://elixir.bootlin.com/linux/v5.4.238/C/ident/IPT_SO_GET_REVISION_TARGET Both options are used in the same function. I also noticed that if you run without --to-ports you get: # iptables -w -t nat -I PREROUTING -s 192.168.12.0/24 -d 192.168.12.1 -p tcp -m tcp --dport 53 -j REDIRECT iptables v1.8.7 (legacy): Couldn't load target `REDIRECT':No such file or directory So if adding CONFIG_NETFILTER_XT_MATCH_OWNER fixed IPT_SO_GET_REVISION_MATCH, would adding CONFIG_NETFILTER_XT_TARGET_REDIRECT fix IPT_SO_GET_REVISION_TARGET? Yes, it does: the NAT method now works. So the "unknown option" error came from the kernel lacking the REDIRECT target (the getsockopt() ENOENT above), even though /usr/lib/xtables/libipt_REDIRECT.so was present and loaded. On Mon, 29 Jul 2024 at 04:58, Reindl Harald <h.reindl@xxxxxxxxxxxxx> wrote: > > > > Am 25.07.24 um 04:29 schrieb Tom Isaacson: > > I don't have strace on the device, it's pretty minimal. But > > libxt_owner.so is present here: > > /usr/lib/xtables/libxt_owner.so > > along with all the other files. > > > > The installation is from Yocto: > > https://urldefense.proofpoint.com/v2/url?u=https-3A__layers.openembedded.org_layerindex_recipe_300425_&d=DwICaQ&c=q3cDpHe1hF8lXU5EFjNM_C93KOmcBXCBnhee2v6PYlc&r=MO7EWU3DamJNNM8h6vHmeK6CEry2ufcorA3OreLf9oSJJvfzyukEHrKjEuU65HDv&m=qra8kepdXvk2kSHd5pZNDgZwemrhMGNw-eOtKfUoleBSvjSCrB1FYvyXb5aXbklA&s=nDKMvy2KD4qfYfMInybCHSfKn1_vI_KQd3Re6Bp8lxA&e= > > so why don't you ask them what they have done to cripple down the > binary? upstream is innocent > > > On Thu, 25 Jul 2024 at 14:19, Florian Westphal <fw@xxxxxxxxx> wrote: > >> > >> Tom Isaacson <thomas.isaacson@xxxxxxxxxxxxxxxxxxxxx> wrote: > >>>> Sharing Internet using method: nat > >>>> iptables v1.8.7 (legacy): unknown option "--to-ports" > >>>> Try `iptables -h' or 'iptables --help' for more information. > >>>> Doing cleanup.. done > >> > >> Broken iptables installation. 
> >> > >>>> The offending iptables commands are: > >>>> iptables -w -t nat -D PREROUTING -s ${GATEWAY%.*}.0/24 -d > >>>> ${GATEWAY} \ > >>>> -p tcp -m tcp --dport 53 -j REDIRECT --to-ports $DNS_PORT > >>>> iptables -w -t nat -D PREROUTING -s ${GATEWAY%.*}.0/24 -d > >>>> ${GATEWAY} \ > >>>> -p udp -m udp --dport 53 -j REDIRECT --to-ports $DNS_PORT > >>>> > >>>> I searched around for a solution and found > >>>> https://urldefense.proofpoint.com/v2/url?u=https-3A__community.unix.com_t_iptables-2Dv1-2D8-2D7-2Dnf-2Dtables-2Dunknown-2Doption-2Dto-2Dports_385377_3&d=DwIBAg&c=q3cDpHe1hF8lXU5EFjNM_C93KOmcBXCBnhee2v6PYlc&r=MO7EWU3DamJNNM8h6vHmeK6CEry2ufcorA3OreLf9oSJJvfzyukEHrKjEuU65HDv&m=3pEifEeIBaWYzhy_9MSuLYFwj7s1hDnpv2ftIP8xg0VZA5QWqX6RKTC79F1ylozp&s=sBy-V0FVFtnFXyvzNpVWO6IaPMyAYTyauL9S5RRjQrk&e= > >> > >> This has all diagnostic commands that you'll need to figure out whats > >> happening. > >> > >>>> but this command also fails: > >>>> # iptables -A OUTPUT -m owner --uid 0 > >>>> iptables v1.8.7 (legacy): Couldn't load match `owner':No such file > >>>> or directory > >>>> > >>>> iptables links to xtables-legacy-multi but it seems to have all of the > >>>> necessary files present. > >> > >> iptables says it can't load match 'owner' (libxt_owner.so). > >> > >> So its either missing or iptables is searching the wrong location. > >> > >> strace should tell which directory iptables is searching to fetch > >> extensions. > >> > >> Some embedded distros split packages into subpackages to save space, > >> so it might be missing package too.