I always get this message in my /var/log/rc.log:
iptables | * Your kernel lacks iptables support, please load
iptables | * appropriate modules and try again.
iptables | * ERROR: iptables failed to stop
It seems iptables itself works OK:
Chain INPUT (policy ACCEPT 1 packets, 345 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
On pre_stop, the iptables service looks for the /proc/net/ip_tables_names file, which does not exist, hence the error. I actually have thousands of ip_tables_names files at /proc/"num"/net/ip_tables_names and /proc/"num"/task/"num"/net/ip_tables_names, where "num" is a number from 1 to several thousand. I believe all the ip_tables_names files contain just the word "filter".
My /usr/bin/iptables points at the /usr/bin/xtables-legacy-multi binary.
Is it OK to correct the service file to make it look for /proc/1/net/ip_tables_names instead?
Looks a bit janky (I don't even use iptables on my desktop, so what do I know), in at least the fact that the script uses the checkkernel() function in stop_pre() and reload() but thankfully not in any of the start functions. If it did, iptables would not be working at all.
And as it is, reloading iptables would not work.
The latest init.d script from Gentoo has some differences but not that location.
--- a 2023-06-01 00:21:11.000000000 +0100
+++ b 2025-01-13 09:13:54.000000000 +0000
@@ -1,4 +1,4 @@
-#!/usr/bin/openrc-run
+#!/sbin/openrc-run
# Copyright 1999-2022 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
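Review bot: the only change in this hunk is the interpreter path, #!/usr/bin/openrc-run to #!/sbin/openrc-run, which is a packaging difference between the 2023 local script ("a") and the 2025 Gentoo script ("b"), not a behavioural one, and has nothing to do with the checkkernel failure; it should not be carried over to the local script unless /sbin/openrc-run actually exists there.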
@@ -14,7 +14,7 @@
*) iptables_name="iptables" ;;
esac
-iptables_bin="/usr/bin/${iptables_name}"
+iptables_bin="/sbin/${iptables_name}"
case ${iptables_name} in
iptables) iptables_proc="/proc/net/ip_tables_names"
iptables_save=${IPTABLES_SAVE};;
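Review bot: iptables_proc is still set to /proc/net/ip_tables_names in both versions (the unchanged context line `iptables) iptables_proc="/proc/net/ip_tables_names"`), so the newer script keeps exactly the same checkkernel dependency on that file and this hunk does not address the error in the thread; the only change is iptables_bin moving from /usr/bin/${iptables_name} to /sbin/${iptables_name}, again a path convention rather than a fix.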
@@ -100,14 +100,16 @@
reload() {
checkkernel || return 1
checkrules || return 1
- ebegin "Flushing firewall"
- local has_errors=0 a
+ local has_errors=0 a flushed=0
for a in $(cat ${iptables_proc}) ; do
- ${iptables_bin} --wait ${iptables_lock_wait_time} -F -t $a
- [ $? -ne 0 ] && has_errors=1
-
- ${iptables_bin} --wait ${iptables_lock_wait_time} -X -t $a
- [ $? -ne 0 ] && has_errors=1
+ if ! grep -q "^\*${a}$" "${iptables_save}" ; then
+ [ $flushed -eq 0 ] && ebegin "Flushing firewall" && flushed=1
+ ${iptables_bin} --wait ${iptables_lock_wait_time} -F -t $a
+ [ $? -ne 0 ] && has_errors=1
+
+ ${iptables_bin} --wait ${iptables_lock_wait_time} -X -t $a
+ [ $? -ne 0 ] && has_errors=1
+ fi
done
eend ${has_errors}
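Review bot: `checkkernel || return 1` is still the first line of reload(), so when /proc/net/ip_tables_names is absent (no table loaded yet) the new reload() fails before it reaches the loop, exactly like stop_pre(); that check would have to be relaxed for this hunk to help with the error in the thread. Within the hunk, `ebegin "Flushing firewall"` is now only emitted once at least one table is flushed, but `eend ${has_errors}` after the loop is still unconditional, so when every table listed in ${iptables_proc} also has a `*table` line in ${iptables_save} an eend is printed with no matching ebegin; guard it with `[ $flushed -eq 1 ] && eend ${has_errors}` or move the eend under the same condition. The `grep -q "^\*${a}$"` test itself is fine, since the table names come from the kernel and contain no regex metacharacters.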
You could just ignore the error. Or what I would probably do is just change the checkkernel() function to simply return 0 and then add /etc/init.d/iptables (and the ipv6 version if needed) to NoExtract in /etc/pacman.conf
Maybe it will get fixed or possibly it doesn't need fixing and the /proc/net/ip_tables_names file should be there?
I have no clue about much of anything and definitely not that :)
I'm wondering why /proc/net/ip_tables_names isn't present too, as I didn't encounter this issue just several months ago. For all I care, I just want to make sure that iptables is working correctly.
Sometimes I can't see the wood for the trees.
You have no rules. Therefore iptables is doing nothing. I installed it and the script could not even be enabled without at least one rule saved. Then, when starting the service, /proc/net/ip_tables_names was created.
You may as well disable iptables unless you have some rules as it's doing exactly nothing without them.
And that explains the lack of a kernelcheck function in the start functions. Bound to fail by that method of checking.
I'm sticking with janky though.
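As an added example (not the Artix or Gentoo init script, and not posted by anyone in the thread), the POSIX shell snippet below models the two decisions discussed above with the file paths passed in as arguments, so it runs unprivileged and never touches netfilter: the checkkernel()-style test on /proc/net/ip_tables_names, which, as the thread found, is simply absent until a table has been loaded, and the newer reload()'s selection of which tables to flush versus leave for iptables-restore. The function names, the table_state() verdict text and the sample files are all constructed for the example.

```shell
#!/bin/sh
# Added example, not the Artix/Gentoo init script: models the two checks
# discussed in the thread with the file paths passed in as arguments,
# so it runs unprivileged and never touches netfilter itself.

# checkkernel() in the init script treats a missing
# /proc/net/ip_tables_names as "kernel lacks iptables support". As the
# thread found, the file is absent simply when no table has been loaded
# yet, so a missing or empty file is better read as "no tables registered".
# Returns 0 when at least one table name is listed.
tables_registered() {
    names_file=$1   # normally /proc/net/ip_tables_names
    [ -r "$names_file" ] && [ -s "$names_file" ]
}

# Human-readable verdict for a stop_pre()/reload()-style check
# (wording is this example's own, not the init script's messages).
table_state() {
    if tables_registered "$1"; then
        printf 'tables registered: %s\n' "$(paste -sd ' ' "$1")"
    else
        printf 'no tables registered (nothing to flush; not a kernel problem)\n'
    fi
}

# Selection loop of the newer reload(): a table listed by the kernel is
# flushed (-F/-X) only if the save file has no "*table" section for it;
# tables that are in the save file are left for iptables-restore.
tables_to_flush() {
    names_file=$1 save_file=$2
    for t in $(cat "$names_file"); do
        # grep -x: whole-line match; \* is a literal asterisk in a BRE
        grep -qx "\*${t}" "$save_file" || printf '%s\n' "$t"
    done
}

# Stand-alone demo on constructed files (not real kernel state).
demo() {
    d=$(mktemp -d)
    printf 'filter\nnat\nmangle\n' > "$d/ip_tables_names"
    printf '*filter\n:INPUT DROP [0:0]\n-A INPUT -i lo -j ACCEPT\nCOMMIT\n*nat\n:PREROUTING ACCEPT [0:0]\nCOMMIT\n' > "$d/rules-save"
    : > "$d/empty"
    table_state "$d/ip_tables_names"   # tables registered: filter nat mangle
    table_state "$d/missing"           # no tables registered (nothing to flush; not a kernel problem)
    # filter and nat are in the save file, so only mangle would be flushed
    printf 'would flush: %s\n' "$(tables_to_flush "$d/ip_tables_names" "$d/rules-save" | paste -sd ' ')"
    rm -rf "$d"
}
demo
```

Run it with `sh` on any machine; to look at the real system instead of the constructed files, pass /proc/net/ip_tables_names and your IPTABLES_SAVE file (e.g. /var/lib/iptables/rules-save) to the functions, which is exactly where the init script's checkkernel() and reload() read from.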
Upon adding some rules, I noticed that /proc/net/ip_tables_names reappeared immediately. Thank you, @gripped!