This is a discussion on iptables - unclean within the Slackware Linux Support forums, part of the Unix Operating Systems category.
Hey,

I've been playing with firewall configurations using iptables in Slackware 10.0 running kernel 2.6.7.

One thing I did not get - I used to use quite frequently the following rule:
"iptables -A FORWARD -m unclean -j DROP"

But it seems it is not working anymore (I used it a lot in 2.4.x kernels). I get the following error message:
"iptables: No chain/target/match by that name"

Already tried loading different modules, and have not been successful. I have also searched the web, the netfilter list, and got no further information. Does anyone have more information on why and how to solve it?

Thanks a lot!

Paulo
Paulo R. Dallan wrote:
> "iptables -A FORWARD -m unclean -j DROP"
>
> But it seems it is not working anymore (I used it a lot in 2.4.x kernels). I
> get the following error message:
>
> "iptables: No chain/target/match by that name"

my guess would be that you don't have a module for the 'unclean' match.

--
Joost Kremers joostkremers@yahoo.com
Even into the underworld, light gets in through the cracks  EN:SiS(9)
Joost Kremers wrote:
> Paulo R. Dallan wrote:
>> "iptables -A FORWARD -m unclean -j DROP"
>>
>> But it seems it is not working anymore (I used it a lot in 2.4.x
>> kernels). I get the following error message:
>>
>> "iptables: No chain/target/match by that name"
>
> my guess would be that you don't have a module for the 'unclean' match.
>

Hey Joost, thanks for the reply!

I've been playing with the netfilter modules (actually, tried all available), and could not make it work.

Checked my kernel config (it is the standard Slack 10.0 2.6.7 kernel), and at least the CONFIG_IP_NF_CONNTRACK is set as a module...

Do you know which module I should be looking for?

Best regards,

Paulo
Paulo R. Dallan wrote:
> Joost Kremers wrote:
>
>> Paulo R. Dallan wrote:
>>> "iptables -A FORWARD -m unclean -j DROP"
>>>
>>> But it seems it is not working anymore (I used it a lot in 2.4.x
>>> kernels). I get the following error message:
>>>
>>> "iptables: No chain/target/match by that name"
>>
>> my guess would be that you don't have a module for the 'unclean' match.
>>
>
> Hey Joost, thanks for the reply!
>
> I've been playing with the netfilter modules (actually, tried all
> available), and could not make it work.
>
> Checked my kernel config (it is the standard Slack 10.0 2.6.7 kernel), and
> at least the CONFIG_IP_NF_CONNTRACK is set as a module...
>
> Do you know which module I should be looking for?
>
> Best regards,
>
> Paulo

BTW, just complementing: no, I have not seen any ipt_unclean or ip_unclean modules. But I found the information below:

"From: Linus Torvalds [email blocked]
To: Kernel Mailing List [email blocked]
Subject: Linux 2.6.0-test5
Date: Mon, 8 Sep 2003 13:32:05 -0700 (PDT)

Lots of small stuff, as usual. I think the biggest "core" change is the Futex changes by Jamie and Hugh, and the dev_t preparations by Al Viro. But there are ARM and ppc updates here too, and a few drivers have bigger fixes (tg3 driver and the USB gadget interface stand out on diffstat). Watchdog driver updates etc. And Russell King fixed more PCMCIA issues.

Linus
---
(...)
(...)
(...)
(...)

Summary of changes from v2.6.0-test4 to v2.6.0-test5

Harald Welte:
o [NETFILTER]: Fix ipt_REJECT if used on bridge
o [NETFILTER]: Remove ipt_MIRROR target from 2.6.x
o [NETFILTER]: Remove ipt_unclean match from 2.6.x
               ^^^^^^^^^^^^^^^^^^^^^^^
o [NETFILTER]: Remove EXPERIMENTAL mark from some netfilter stuff
o [NETFILTER]: Cosmetic netfilter patch
o [NETFILTER]: NAT optimization
o [NETFILTER]: Conntrack optimization (LIST_DELETE)
o [NETFILTER]: New iptables modules (iprange, CLASSIFY, SAME, NETMAP)
o [NETFILTER]: Fix ipt_helper build problem wrt. Kconfig
o [NETFILTER]: Fix email address in MODULE_AUTHOR
o [NETFILTER]: NAT range calculation fix
.......................
"

So, no more "unclean"? Does anyone know why it was cut out? Any other equivalent procedure?
On Mon, 11 Oct 2004 19:32:12 -0300, Paulo R. Dallan wrote:
> Hey,
>
> I've been playing with firewall configurations using iptables in Slackware
> 10.0 running kernel 2.6.7.
>
> One thing I did not get - I used to use quite frequently the following rule:
> "iptables -A FORWARD -m unclean -j DROP"
>
> But it seems it is not working anymore (I used it a lot in 2.4.x kernels). I
> get the following error message:
>
> "iptables: No chain/target/match by that name"
>
> Already tried loading different modules, and have not been successful. I have
> also searched the web, the netfilter list, and got no further
> information. Does anyone have more information on why and how to solve it?
>
> Thanks a lot!
>
> Paulo

Just wondering: what did this "unclean" module do?
Joseph A. Philip wrote:
> On Mon, 11 Oct 2004 19:32:12 -0300, Paulo R. Dallan wrote:
>
>> Hey,
>>
>> I've been playing with firewall configurations using iptables in
>> Slackware 10.0 running kernel 2.6.7.
>>
>> One thing I did not get - I used to use quite frequently the following
>> rule: "iptables -A FORWARD -m unclean -j DROP"
>>
>> But it seems it is not working anymore (I used it a lot in 2.4.x
>> kernels). I get the following error message:
>>
>> "iptables: No chain/target/match by that name"
>>
>> Already tried loading different modules, and have not been successful. I
>> have also searched the web, the netfilter list, and got no further
>> information. Does anyone have more information on why and how to solve it?
>>
>> Thanks a lot!
>>
>> Paulo
>
> Just wondering: what did this "unclean" module do?
<snip>

To use a tag/match in iptables, you need the module. This tag/match, as used in the rule above, seems to protect against "damaged" tcp/ip packages, commonly used (it seems) in DoS attacks.

Regards!

Paulo
On Mon, 11 Oct 2004 19:32:12 -0300
"Paulo R. Dallan" <prdolc@yahoo.com.br> wrote:
> One thing I did not get - I used to use quite frequently the
> following rule: "iptables -A FORWARD -m unclean -j DROP"
>
> But it seems it is not working anymore (I used it a lot in 2.4.x
> kernels). I

Came across that early because we distribute firewalls...

ipt_unclean was removed, starting with kernel 2.6.0, because it conflicted with TCP/IP header usage for IETF network congestion notification.

TonyB
--
http://www.sysdev.org  tonyb@sysdev.org
System Tools / Utilities  WIntel / Linux Device Drivers
Joaco wrote:
> On Mon, 11 Oct 2004 19:32:12 -0300
> "Paulo R. Dallan" <prdolc@yahoo.com.br> wrote:
>
>> One thing I did not get - I used to use quite frequently the
>> following rule: "iptables -A FORWARD -m unclean -j DROP"
>>
>> But it seems it is not working anymore (I used it a lot in 2.4.x
>> kernels). I
>
> Came across that early because we distribute firewalls...
>
> ipt_unclean was removed, starting with kernel 2.6.0 because it
> conflicted with TCP/IP header usage for IETF network congestion
> notification.
>
> TonyB

Hey, thank you for highlighting that!

Do you know if there is any other equivalent procedure/rule I could use instead?

Best regards!

Paulo
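Paulo's question about an equivalent rule, and TonyB's note on the ECN conflict, can be illustrated with an added example that is not something anyone posted in the thread: a stand-in chain built only from matches that survive in 2.6 iptables (the INVALID conntrack state and explicit TCP flag combinations). The SANITY chain name and the IPT dry-run variable are assumptions of the example; the connection-tracking module must be loaded. Because every flag test names specific bits rather than forbidding the formerly reserved ones, an ECN-setup SYN (SYN with ECE and CWR set) is left alone, which is exactly where the old match clashed.

```shell
#!/bin/sh
# Added example, not from the thread: stand-in for the removed "-m unclean"
# match built from matches that still exist in 2.6 iptables.  Assumed names:
# the SANITY chain and the IPT variable (set IPT=echo to print the commands
# instead of applying them).  Requires the conntrack module to be loaded.
IPT="${IPT:-iptables}"
CHAIN="SANITY"

# One rule body per line, so the set can be reviewed before it is loaded.
sanity_rules() {
    # Packets conntrack cannot classify (bad checksum, out-of-window TCP,
    # replies with no known flow): the closest surviving analogue of unclean.
    echo "-m state --state INVALID -j DROP"
    # Impossible TCP flag combinations: null, all-set, SYN+FIN, SYN+RST.
    # Only named bits are tested; ECE/CWR on an ECN-setup SYN are not touched.
    echo "-p tcp --tcp-flags ALL NONE -j DROP"
    echo "-p tcp --tcp-flags ALL ALL -j DROP"
    echo "-p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP"
    echo "-p tcp --tcp-flags SYN,RST SYN,RST -j DROP"
    # A new flow has to begin with a SYN.
    echo "-p tcp ! --syn -m state --state NEW -j DROP"
    # Anything else continues in the calling chain.
    echo "-j RETURN"
}

# Create (or empty) the chain, load the rules, hook it where unclean used to sit.
install_sanity_chain() {
    $IPT -N "$CHAIN" 2>/dev/null || $IPT -F "$CHAIN"
    sanity_rules | while read -r rule; do
        # shellcheck disable=SC2086  (splitting $rule into words is intended)
        $IPT -A "$CHAIN" $rule
    done
    $IPT -D FORWARD -j "$CHAIN" 2>/dev/null   # remove a stale jump, if any
    $IPT -I FORWARD 1 -j "$CHAIN"
}

if [ "${1:-}" = "apply" ]; then
    install_sanity_chain
fi
```

Run it with `apply` as root to load the chain, or with `IPT=echo` first to see the exact iptables commands it would issue.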
On Monday 11 October 2004 07:56 pm, Joseph A. Philip did deign to grace us with the following:
> On Mon, 11 Oct 2004 19:32:12 -0300, Paulo R. Dallan wrote:
>
>> Hey,
>>
>> I've been playing with firewall configurations using iptables in
>> Slackware 10.0 running kernel 2.6.7.
>>
>> One thing I did not get - I used to use quite frequently the following
>> rule: "iptables -A FORWARD -m unclean -j DROP"
>>
>> But it seems it is not working anymore (I used it a lot in 2.4.x
>> kernels). I get the following error message:
>>
>> "iptables: No chain/target/match by that name"
>>
>> Already tried loading different modules, and have not been successful. I
>> have also searched the web, the netfilter list, and got no further
>> information. Does anyone have more information on why and how to solve it?
>>
>> Thanks a lot!
>>
>> Paulo
>
> Just wondering: what did this "unclean" module do?
>

It blocks packets from lepers. ;-)
On 2004-10-13, Paulo R. Dallan <prdolc@yahoo.com.br> wrote:
>
> Hey, thank you for highlighting that!

Another FYI: according to Linux Firewalls (2nd ed) by Robert Ziegler, "The module is considered to be experimental and the iptables authors recommend against its use for now". Evidently the experiment failed.

nb