[frq] No firewall on Labrador 64bit possible (nftable and iptable missing)

#1

On a gateway you need at least some firewall support - how can I get nftable or iptable working on the Labrador 64bit? (Still trying to use Labrador as an IoT edge gateway).

I remember there was a discussion once about it, but how can we build our own kernel again for the Labrador? What is the cross-compiling toolchain? How can a new kernel be installed? How can missing modules be compiled?

#2

@ulno, Hi!

You can follow the instructions in the README file on our GitHub; I believe there are answers to all your questions about the kernel. (GIT

Best Regards,

Igor Ruschi

#3

Thanks, I managed to select some modules and compile them, but I am now failing to load them. When modprobing nf_nat, I get:

[ 1531.173233] nf_defrag_ipv4: disagrees about version of symbol register_pernet_subsys
[ 1531.173247] nf_defrag_ipv4: Unknown symbol register_pernet_subsys (err -22)
[ 1531.173253] nf_defrag_ipv4: disagrees about version of symbol nf_register_net_hooks
[ 1531.173256] nf_defrag_ipv4: Unknown symbol nf_register_net_hooks (err -22)
[ 1531.173267] nf_defrag_ipv4: disagrees about version of symbol nf_unregister_net_hooks
[ 1531.173270] nf_defrag_ipv4: Unknown symbol nf_unregister_net_hooks (err -22)
[ 1531.173284] nf_defrag_ipv4: disagrees about version of symbol unregister_pernet_subsys
[ 1531.173287] nf_defrag_ipv4: Unknown symbol unregister_pernet_subsys (err -22)
[ 1531.173293] nf_defrag_ipv4: disagrees about version of symbol ip_defrag
[ 1531.173296] nf_defrag_ipv4: Unknown symbol ip_defrag (err -22)

I have no idea what is going on here. Can’t find anything about these in the kernel modules, so it seems to be something internal. Any idea?

Has anybody ever tried to use the Labrador as a router or gateway, who could share their knowledge?

#4

I solved the unknown symbols problem; I basically just forgot depmod -a after transferring the modules (yep, it’s been a long time since I worked with the kernel) -> maybe that would be a nice addition to the documentation?

Now I am stuck with these errors when trying to set up masquerading:

iptables v1.8.2 (nf_tables):  CHAIN_ADD failed (No such file or directory): chain PREROUTING
iptables v1.8.2 (nf_tables):  CHAIN_ADD failed (No such file or directory): chain INPUT
Sharing Internet using method: nat
iptables v1.8.2 (nf_tables): Chain 'MASQUERADE' does not exist

Does anybody have an idea what or which module I am missing?

#5

Got a bit further, now it’s only:

iptables v1.8.2 (nf_tables):  RULE_INSERT failed (No such file or directory): rule in chain POSTROUTING

Did anybody build a kernel that includes all modules you can compile for Labrador (a bit closer to the Debian default)?

#6

Randomly enabling more network modules fixed the above error and made the firewall workable. I also had to add --data=16 to the start of haveged (entropy daemon) - that error happened on other SBCs too; it seems to hint at some cache errors, please check: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=866306
After fixing this, however, I now get serious errors from the WiFi driver, so I assume the Labrador still cannot be used as an access point. Is anybody working on WiFi?

Errors from hostapd:

Message from syslogd@localhost at Feb  2 18:09:19 ...
 kernel:[  591.253223] Internal error: Oops - BUG: 0 [#1] SMP

Message from syslogd@localhost at Feb  2 18:09:19 ...
 kernel:[  591.253298] Process RTW_CMD_THREAD (pid: 938, stack limit = 0x0000000072ea4a53)

Message from syslogd@localhost at Feb  2 18:09:19 ...
 kernel:[  591.253961] Code: 17ffffd0 f94004c0 3707fde0 f90013f5 (d4210000) 
wlan0: STA e4:8e:5d:c8:9a:ea IEEE 802.11: disassociated
wlan0: STA e4:8e:5d:c8:9a:ea IEEE 802.11: disassociated

journal shows:

Feb 02 18:08:53 caninos dnsmasq-dhcp[1805]: DHCP, IP range 192.168.12.1 -- 192.168.12.254, lease time 1d
Feb 02 18:08:53 caninos dnsmasq[1805]: reading /etc/resolv.conf
Feb 02 18:08:53 caninos dnsmasq[1805]: using nameserver 192.168.25.254#53
Feb 02 18:08:53 caninos dnsmasq[1805]: read /home/caninos/iot/tmp/ap-host - 1 addresses
Feb 02 18:08:53 caninos kernel: RTL8723BS: rtw_cmd_thread(wlan0) pcmd->sctx
Feb 02 18:08:53 caninos kernel: RTL8723BS: assoc success
Feb 02 18:08:53 caninos kernel: IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
Feb 02 18:08:53 caninos kernel: RTL8723BS: set group key camid:1, addr:00:00:00:00:00:00, kid:1, type:TKIP
Feb 02 18:08:54 caninos ntpd[393]: Listen normally on 13 wlan0 192.168.12.1:123
Feb 02 18:08:54 caninos ntpd[393]: bind(26) AF_INET6 fe80::166b:9cff:fe7d:56d4%3#123 flags 0x11 failed: Cannot assign requested address
Feb 02 18:08:54 caninos ntpd[393]: unable to create socket on wlan0 (14) for fe80::166b:9cff:fe7d:56d4%3#123
Feb 02 18:08:54 caninos ntpd[393]: failed to init interface for address fe80::166b:9cff:fe7d:56d4%3
Feb 02 18:08:54 caninos ntpd[393]: new interface(s) found: waking up resolver
Feb 02 18:08:55 caninos avahi-daemon[251]: Joining mDNS multicast group on interface wlan0.IPv6 with address fe80::166b:9cff:fe7d:56d4.
Feb 02 18:08:55 caninos avahi-daemon[251]: New relevant interface wlan0.IPv6 for mDNS.
Feb 02 18:08:55 caninos avahi-daemon[251]: Registering new address record for fe80::166b:9cff:fe7d:56d4 on wlan0.*.
Feb 02 18:08:56 caninos ntpd[393]: Listen normally on 15 wlan0 [fe80::166b:9cff:fe7d:56d4%3]:123
Feb 02 18:08:56 caninos ntpd[393]: new interface(s) found: waking up resolver
Feb 02 18:09:19 caninos kernel: ------------[ cut here ]------------
Feb 02 18:09:19 caninos kernel: kernel BUG at mm/slub.c:3904!
Feb 02 18:09:19 caninos kernel: Internal error: Oops - BUG: 0 [#1] SMP
Feb 02 18:09:19 caninos kernel: Modules linked in: xt_tcpudp nft_counter ipt_MASQUERADE nft_compat nft_chain_route_ipv4 nft_chain_nat_ipv4 nf_nat_ipv4 nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables nfnetlink cdc_ether usbnet r8152 mii bnep hci_uart bluetooth ecdh_generic realtek r8723bs(C) cfg80211 dwmac_caninos stmmac_platform stmmac of_mdio fixed_phy libphy aotg ip_tables x_tables
Feb 02 18:09:19 caninos kernel: Process RTW_CMD_THREAD (pid: 938, stack limit = 0x0000000072ea4a53)
Feb 02 18:09:19 caninos kernel: CPU: 3 PID: 938 Comm: RTW_CMD_THREAD Tainted: G         C        4.19.37 #3
Feb 02 18:09:19 caninos kernel: Hardware name: Caninos Labrador 7 (DT)
Feb 02 18:09:19 caninos kernel: pstate: 40400005 (nZcv daif +PAN -UAO)
Feb 02 18:09:19 caninos kernel: pc : kfree+0x1a8/0x1b0
Feb 02 18:09:19 caninos kernel: lr : nl80211_send_station.isra.0+0x370/0xa58 [cfg80211]
Feb 02 18:09:19 caninos kernel: Call trace:
Feb 02 18:09:19 caninos kernel:  kfree+0x1a8/0x1b0
Feb 02 18:09:19 caninos kernel:  nl80211_send_station.isra.0+0x370/0xa58 [cfg80211]
Feb 02 18:09:19 caninos kernel:  cfg80211_new_sta+0x88/0x158 [cfg80211]
Feb 02 18:09:19 caninos kernel:  rtw_cfg80211_indicate_sta_assoc+0x70/0x90 [r8723bs]
Feb 02 18:09:19 caninos kernel:  rtw_stassoc_event_callback+0x280/0x2c8 [r8723bs]
Feb 02 18:09:19 caninos kernel:  mlme_evt_hdl+0x74/0xa0 [r8723bs]
Feb 02 18:09:19 caninos kernel:  rtw_cmd_thread+0x160/0x358 [r8723bs]
Feb 02 18:09:19 caninos kernel:  kthread+0x100/0x130
Feb 02 18:09:19 caninos kernel:  ret_from_fork+0x10/0x1c
Feb 02 18:09:19 caninos kernel: Code: 17ffffd0 f94004c0 3707fde0 f90013f5 (d4210000) 
Feb 02 18:09:19 caninos kernel: ---[ end trace 927acc9d2a1019fb ]---
Feb 02 18:09:29 caninos hostapd[1807]: wlan0: STA e4:8e:5d:c8:9a:ea IEEE 802.11: disassociated
Feb 02 18:09:29 caninos kernel: RTL8723BS: ap recv deauth reason code(3) sta:e4:8e:5d:c8:9a:ea
Feb 02 18:09:39 caninos hostapd[1807]: wlan0: STA e4:8e:5d:c8:9a:ea IEEE 802.11: disassociated
Feb 02 18:09:39 caninos kernel: RTL8723BS: ap recv deauth reason code(3) sta:e4:8e:5d:c8:9a:ea

WiFi access point does work on Labrador 32 bit (with kernel 4.14) though.
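
Post #4 reports that the load failures went away after running depmod -a, and the "Modules linked in" line in post #6 names the netfilter modules that were loaded once the firewall worked. As an added example (not part of the thread and not Caninos code), this script checks whether those module names appear in the modules.dep / modules.builtin index of a module tree; the sample index is constructed.

```shell
#!/bin/sh
# Netfilter module names copied from the "Modules linked in" line in post #6.
NF_MODULES="nf_tables nfnetlink nft_compat nft_counter nft_chain_nat_ipv4
nft_chain_route_ipv4 nf_nat nf_nat_ipv4 nf_conntrack nf_defrag_ipv4
nf_defrag_ipv6 ipt_MASQUERADE xt_tcpudp ip_tables x_tables"

# Print every module name indexed in directory $1, one per line:
# loadable modules from modules.dep, built-in ones from modules.builtin.
indexed_modules() {
    for f in "$1/modules.dep" "$1/modules.builtin"; do
        if [ -f "$f" ]; then cat "$f"; fi
    done |
        sed -e 's/:.*//' -e 's|.*/||' -e 's/\.ko.*$//' | tr '-' '_' | sort -u
}

# Print the modules from NF_MODULES that the index in $1 does not know about.
missing_modules() {
    known=$(indexed_modules "$1")
    for m in $NF_MODULES; do
        printf '%s\n' "$known" | grep -qxF "$m" || printf '%s\n' "$m"
    done
}

# Constructed sample index (not taken from a real Labrador image).
sample_dir() {
    d=$(mktemp -d)
    printf '%s\n' \
        'kernel/net/netfilter/x_tables.ko:' \
        'kernel/net/ipv4/netfilter/ip_tables.ko: kernel/net/netfilter/x_tables.ko' \
        'kernel/net/netfilter/nf_tables.ko: kernel/net/netfilter/nfnetlink.ko' \
        > "$d/modules.dep"
    printf '%s\n' 'kernel/net/netfilter/nfnetlink.ko' > "$d/modules.builtin"
    printf '%s\n' "$d"
}

# With a directory argument (e.g. /lib/modules/$(uname -r)) check that tree;
# without one, run against the constructed sample.
if [ "$#" -ge 1 ]; then
    missing_modules "$1"
else
    dir=$(sample_dir)
    missing_modules "$dir"
    rm -rf "$dir"
fi
```

Run against the installed tree after depmod -a, an empty result means every module in the list is either built in or indexed for modprobe.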

#7

Continuing on another topic: