Linux 4.3.1 regression: -m state returns "Protocol wrong type for socket"

On Sun, 13 Dec 2015, Jan Engelhardt wrote:

> On Sunday 2015-12-13 01:32, Dâniel Fraga wrote:
> 
> >On Sun, 13 Dec 2015 01:30:17 +0100 (CET)
> >Jan Engelhardt <jengelh@inai.de> wrote:
> >
> >> nf_conntrack_ipv4 is indeed autoloaded (provided modprobe can do it)
> >> when you cause instantiation of a xt_conntrack (or xt_state) rule
> >> object through ip(4)tables. And if modprobe cannot satisfy the
> >> request, that feeds back through the kernel and to iptables, which
> >> may then report it to stderr.
> >
> >	No, I mean selected in the "make menuconfig" ;) If the user
> >chooses to compile state module, menuconfig won't select automatically
> >nf_conntrack_ipv4 (and it should, since it depends on it).
> 
> There is nothing to add to Kconfig, because there is no build-time 
> dependency here. In addition, some people might get grumpy if the 
> CONFIG_NETFILTER_XT_MATCH_CONNTRACK gained a dependency on something it 
> does not depend on at runtime in 100% of cases.

But the reversed dependency is what seems to be missing, something like 
this:


Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary

On Mon, Dec 14, 2015 at 09:47:31PM +0100, Jozsef Kadlecsik wrote:
> diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
> index a355841..a1dfd23 100644
> --- a/net/ipv4/netfilter/Kconfig
> +++ b/net/ipv4/netfilter/Kconfig
> @@ -12,6 +12,7 @@ config NF_DEFRAG_IPV4
>  config NF_CONNTRACK_IPV4
>         tristate "IPv4 connection tracking support (required for NAT)"
>         depends on NF_CONNTRACK
> +       default NETFILTER_XT_MATCH_CONNTRACK

I know of some people already giving a try to compiling nftables only
kernels, I think this would create an unnecessary dependency.

>         default m if NETFILTER_ADVANCED=n
>         select NF_DEFRAG_IPV4
>         ---help---
> 
> Best regards,
> Jozsef
> -
> E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
> PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
> Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
>           H-1525 Budapest 114, POB. 49, Hungary

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

On Mon, 14 Dec 2015, Pablo Neira Ayuso wrote:

> On Mon, Dec 14, 2015 at 09:47:31PM +0100, Jozsef Kadlecsik wrote:
> > diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
> > index a355841..a1dfd23 100644
> > --- a/net/ipv4/netfilter/Kconfig
> > +++ b/net/ipv4/netfilter/Kconfig
> > @@ -12,6 +12,7 @@ config NF_DEFRAG_IPV4
> >  config NF_CONNTRACK_IPV4
> >         tristate "IPv4 connection tracking support (required for NAT)"
> >         depends on NF_CONNTRACK
> > +       default NETFILTER_XT_MATCH_CONNTRACK
> 
> I know of some people already giving a try to compiling nftables only
> kernels, I think this would create an unnecessary dependency.
> 
> >         default m if NETFILTER_ADVANCED=n
> >         select NF_DEFRAG_IPV4
> >         ---help---

It don't see why would it be a dependency for nftables only kernels. In 
that case NETFILTER_XT_MATCH_CONNTRACK is set to "n", so the default would 
be the same as currently and just right.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

On Mon, 14 Dec 2015, Jozsef Kadlecsik wrote:

> On Mon, 14 Dec 2015, Pablo Neira Ayuso wrote:
> 
> > On Mon, Dec 14, 2015 at 09:47:31PM +0100, Jozsef Kadlecsik wrote:
> > > diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
> > > index a355841..a1dfd23 100644
> > > --- a/net/ipv4/netfilter/Kconfig
> > > +++ b/net/ipv4/netfilter/Kconfig
> > > @@ -12,6 +12,7 @@ config NF_DEFRAG_IPV4
> > >  config NF_CONNTRACK_IPV4
> > >         tristate "IPv4 connection tracking support (required for NAT)"
> > >         depends on NF_CONNTRACK
> > > +       default NETFILTER_XT_MATCH_CONNTRACK
> > 
> > I know of some people already giving a try to compiling nftables only
> > kernels, I think this would create an unnecessary dependency.
> > 
> > >         default m if NETFILTER_ADVANCED=n
> > >         select NF_DEFRAG_IPV4
> > >         ---help---
> 
> It don't see why would it be a dependency for nftables only kernels. In 
> that case NETFILTER_XT_MATCH_CONNTRACK is set to "n", so the default would 
> be the same as currently and just right.

Hmmm, the default would remain the same but wouldn't be right for 
nftables...

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html