#323 Probably unknown missing kernel module results in failed iprange whitelisting (allow.p2p)

Milestone: PeerGuardian_Linux
Status: closed
Owner: jre-phoenix
Priority: 5
Updated: 2014-08-16
Created: 2013-02-19
Creator: Iiburukibun
Private: No

Hey there,

I have an allow.p2p with some whitelisted entries, every time I start pgl it coughs up an error message along the lines of...

Commented out malformed line "rssthepiratebayorg:194.71.107.17-194.71.107.17" in /etc/pgl/allow.p2p. ... failed!

My allow.p2p looks something like this...

# Malformed line commented out by pglcmd: ezrss.it:192.121.86.104
# Some organization:1.0.0.0-1.255.255.255
rss.bt-chat.com:67.212.71.74
rss.thepiratebay.org:194.71.107.17
showrss.karmorra.info:46.246.93.98
torrentz.eu:38.112.82.35
www.torlock.com:108.162.200.98

[ deluge Aluminum-Flacon : 01:27:04 ~ ] pglcmd --version
PeerGuardian Linux 2.2.2

Running on a newly compiled Gentoo machine... not sure why pglcmd is eating my allow.p2p, the same formatting worked fine in Ubuntu.

Discussion

  • jre-phoenix
    2013-02-19

    allow.p2p requires IP ranges, e.g.
    rss.bt-chat.com:67.212.71.74-67.212.71.74
    instead of
    rss.bt-chat.com:67.212.71.74

     
  • jre-phoenix
    2013-02-19

    • status: open --> closed
    • assigned_to: jre-phoenix
    • milestone: PeerGuardian_2 --> PeerGuardian_Linux
     
  • Iiburukibun
    2013-02-19

    No difference - Still eats the line

    Commented out malformed line "rss.bt-chat.com:67.212.71.74-67.212.71.74" in /etc/pgl/allow.p2p.
    
    # Some organization:1.0.0.0-1.255.255.255
    # Malformed line commented out by pglcmd: rss.bt-chat.com:67.212.71.74-67.212.71.74
    # Malformed line commented out by pglcmd: rss.thepiratebay.org:194.71.107.17-194.71.107.17
    showrss.karmorra.info:46.246.93.98-46.246.93.98
    torrentz.eu:38.112.82.35-38.112.82.35
    www.torlock.com:108.162.200.98-108.162.200.98
    ezrss.it:192.121.86.104-192.121.86.104
    
     
  • Iiburukibun
    2013-02-19

    Full pglcmd.log

    2013-02-19 13:49:41 EST Begin: pglcmd start
    Inserting iptables ...
    ..Setting up iptables for INPUT:
    ....Creating chain and inserting NFQUEUE rule.
    ....Whitelisting ports.
    ....Whitelisting IPs.
    ....Whitelisting IP rangesiptables: No chain/target/match by that name.
    Commented out malformed line "rss.thepiratebay.org:194.71.107.17-194.71.107.17" in /etc/pgl/allow.p2p. ... failed!
    .
    Deleting iptables ...
    ..Executing iptables remove script /var/lib/pgl/.pglcmd.iptables.remove.sh.
    ..Removing iptables remove script /var/lib/pgl/.pglcmd.iptables.remove.sh.
    Iptables deleted.
     failed!
    
     
  • jre-phoenix
    2013-02-19

    • status: closed --> pending
     
  • jre-phoenix
    2013-02-19

    I tested the commented line, works just fine here.
    Are there any invisible characters in there? Perhaps Windows line endings?
    Delete the old file and re-add the lines with a normal Linux text editor.

    Good luck, and report if it works.

     
  • Iiburukibun
    2013-02-19

    I think it's a problem with my kernel not supporting something in iptables.

    pglcmd.lib
    iptables -I $PGL_CHAIN -m iprange $CMD $IPRANGE_BEGIN-$IPRANGE_END -j $IPTABLES_TARGET_WHITELISTING || {
    # If iptables insertion failed assume that the line is malformed.
    # Comment this line out.
    sed -i "s|^$LINE$|# Malformed line commented out by $(basename $0): &|" $ALLOW_FILE
    log_failure_msg "Commented out malformed line \"$LINE\" in $ALLOW_FILE."
    fail_insert_iptables
    }

    Just not sure what I forgot in the kernel, as such it's unable to run that iptables command then assumes that the allow.p2p is malformed.

    No Windows characters, at least none that vim is showing. I deleted allow.p2p to be on the safe side, then did a 'sudo touch allow.p2p' followed by echo 'ezrss.it:192.121.86.104-192.121.86.104' >> allow.p2p. No dice.

     
    Last edit: Iiburukibun 2013-02-19
  • jre-phoenix
    2013-02-19

    Sure, that might be it.
    Most probably it's the kernel module "iprange"; on the other hand, you should see at least a warning in pglcmd.log.

    You need these kernel modules:
    From pgl/INSTALL:
    "This list was compiled with:
    lsmod|grep -E "^x|^nf|^ip"|grep -Ev "^ip6|^ipv6"|sed "s| .*||"|sort
    iptable_filter
    ip_tables
    ipt_REJECT
    nf_conntrack
    nf_conntrack_ipv4
    nf_defrag_ipv4
    nfnetlink
    nfnetlink_queue
    x_tables
    xt_iprange
    xt_mark
    xt_multiport
    xt_NFQUEUE
    xt_state
    xt_tcpudp
    "

     
  • jre-phoenix
    2013-02-19

    OK, first off, allow.p2p also allows single IPs instead of IP ranges (correcting my first message).

    In your pglcmd.log I just spotted
    ....Whitelisting IP rangesiptables: No chain/target/match by that name.

    The command
    iptables -I $PGL_CHAIN -m iprange $CMD $IPRANGE_BEGIN-$IPRANGE_END -j $IPTABLES_TARGET_WHITELISTING
    expands to something like
    iptables -I pgl_in -m iprange --src-range 192.121.86.104-192.121.86.104 -j RETURN

    Try this command, does it work?

    I don't know what the error message for a non-existent kernel module looks like.

    The only matching error message that I found is for an incorrect PGL_CHAIN.

    Please post your "pglcmd show_config".

    Finally, to verify PGL_CHAIN and to debug, you may add
    echo "Current iptables rules in $PGL_CHAIN:"
    sudo iptables -L $PGL_CHAIN -nv
    one line before
    iptables -I $PGL_CHAIN -m iprange $CMD $IPRANGE_BEGIN-$IPRANGE_END -j $IPTABLES_TARGET_WHITELISTING

     
  • Iiburukibun
    2013-02-20

    Fixed;

    Thought I had everything I needed in the kernel, was missing xt_iprange I believe.

    Thanks for the help!

     
  • jre-phoenix
    2013-02-26

    • summary: Malformed line commented out by pglcmd --> missing kernel module xt_iprange is interpreted as failed iptables command
    • status: pending --> accepted
     
  • jre-phoenix
    2013-02-26

    There should have been an error message about the missing module in /var/log/pgl/pglcmd.log

    "Error 170: Could not load kernel module xt_iprange, not starting pgld!
    Use a kernel with netfilter IPRANGE support or reconfigure pglcmd
    to not use the allow list $ALLOW_FILE."

    I assume there wasn't one!?

    So I retitled this to "missing kernel module xt_iprange is not detected, but interpreted as failed iptables command" to remind me to fix the checking of necessary kernel modules.

    Can you post the output (while running the bad kernel) of:
    sudo [ -f /proc/net/ip_tables_matches ] &&
    sudo grep -q iprange /proc/net/ip_tables_matches ||
    sudo modprobe -q xt_iprange ||
    sudo modprobe -q ipt_iprange
    echo $?
    ls -l /proc/net/ip_tables_matches
    grep iprange /proc/net/ip_tables_matches

     
  • jre-phoenix
    2013-05-12

    I built a kernel with xt_iprange missing. And I get a correct error message in pglcmd.log (contrary to you):

    Error 170: Could not load kernel module xt_iprange, not starting pgld! ... failed!
    Use a kernel with netfilter IPRANGE support or reconfigure pglcmd ... failed!
    to not use the allow list /etc/pgl/allow.p2p. ... failed!
    

    So, can you tell me what you changed in order to get pglcmd working with your kernel? Perhaps a diff of the non-working and the working kernel config (here at /boot/config-xxx).

    I really hope you can help me fix this for everybody.

     
  • jre-phoenix
    2013-05-12

    • summary: missing kernel module xt_iprange is interpreted as failed iptables command --> Probably unknown missing kernel module results in failed iprange whitelisting (allow.p2p)
    • status: accepted --> pending
     
  • jre-phoenix
    2014-06-18

    • status: pending --> closed
     
  • jre-phoenix
    2014-06-18

    Closing. Works for submitter now. Unfortunately the submitter gave no further info to debug the missing error message for failed kernel module loading (of xt_iprange or whatever the missing module was).
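
The failure mode in this ticket, as an added example that is not part of the thread or of pglcmd's own code: shell functions that check an allow.p2p entry's syntax on its own and check the kernel's iprange match separately, so that a failed iptables insertion is not reported as a malformed line. The function names and result strings are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not pglcmd code. All function names are hypothetical.

# valid_ipv4 ADDR: succeed if ADDR is a dotted quad with octets 0-255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;   # rejects a trailing CR too
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# line_syntax LINE: print single, range or malformed for an entry of the
# form name:IP or name:BEGIN-END (both forms are accepted per the thread).
line_syntax() {
    case "$1" in *:*) ;; *) echo malformed; return ;; esac
    spec=${1##*:}                              # text after the last colon
    case "$spec" in
        *-*) valid_ipv4 "${spec%%-*}" && valid_ipv4 "${spec#*-}" \
                 && echo range || echo malformed ;;
        *)   valid_ipv4 "$spec" && echo single || echo malformed ;;
    esac
}

# iprange_available [FILE]: succeed if FILE lists the iprange match.
# Default is /proc/net/ip_tables_matches, the file checked in the thread.
# No modprobe is attempted here, so an unloaded module counts as missing.
iprange_available() {
    grep -qx iprange "${1:-/proc/net/ip_tables_matches}" 2>/dev/null
}

# diagnose LINE [FILE]: report the cause instead of assuming "malformed".
diagnose() {
    if [ "$(line_syntax "$1")" = malformed ]; then
        echo malformed-line
    elif ! iprange_available "$2"; then
        echo iprange-match-unavailable
    else
        echo "ok-$(line_syntax "$1")"
    fi
}

diagnose 'rss.bt-chat.com:67.212.71.74-67.212.71.74'   # entry from the thread
```

Reading /proc/net/ip_tables_matches may require root, as the sudo in the thread's commands suggests; pass a readable copy of the file as the second argument to test without it.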