iptables TRACE No chain/target/match by that name

Question

I'm debugging the iptables for a kvm VM running a Buildroot image.When I try to set the following TRACE rule I get the error iptables: No chain/target/match by that name

sudo iptables -t raw -A OUTPUT -p tcp --destination 192.168.1.0/24 --dport 8443 -j TRACE

If I instead enable the LOG rule it works, and the packets are logged, but I need to check which rule, if any, is dropping the packages.

Update: Information about the environment on which the problem occurs (inside the VM):

$ uname -a
  Linux minikube 4.15.0 #1 SMP Sat Dec 8 00:26:02 UTC 2018 x86_64 GNU/Linux
  $ cat /proc/version 
  Linux version 4.15.0 (jenkins@jenkins) (gcc version 7.3.0 (Buildroot 2018.05)) #1 SMP Sat Dec 8 00:26:02 UTC 2018

Please post the output of `uname -a` and `virt-what`, each run inside the environment where the problem is occurring. — Michael Hampton, Dec 14 '18 at 21:18
I updates the question with information about the environment inside the VM. Unfortunately, the virt-what command is not available. — pablochacin, Dec 15 '18 at 01:37

score 0 · Answer 1 · answered Dec 15 '18 at 05:13

0

The problem here is that the iptables TRACE target requires the nf_log_ipv4 (or nf_log_ipv6) kernel module. If the module is present, it gets loaded automatically. However, minikube's kernel build has only a limited set of netfilter modules, so what you can do with iptables inside minikube is limited to the functionality provided by the existing modules.

answered Dec 15 '18 at 05:13

Michael Hampton

237,123
42
477
940

@michael-hamptom nf_log_ipv4 is loaded. `lsmod grep nf_log_ipv4` shows this: `nf_log_ipv4 16384 6` – pablochacin Dec 15 '18 at 08:17
Well that's strange. Where did that come from? My minikube doesn't even appear to have that module. – Michael Hampton Dec 15 '18 at 15:53
Not sure. But in any case, even that won't explain the error message, as the absence of the nf_log_ipv4 just makes the traces not to appear in the log, but not the iptables command to fail. – pablochacin Dec 15 '18 at 18:49
I suspect it's a different module that's actually unavailable, though tracking down which one is probably not worth the effort. It would probably be less work to put up a Kubernetes cluster on a normal Linux distro, where the modules are already available. – Michael Hampton Dec 15 '18 at 18:54
CONFIG_NETFILTER_XT_TARGET_TRACE <=> xt_TRACE.ko – A.B Dec 26 '18 at 20:58

iptables TRACE No chain/target/match by that name

1 Answers1