Compile the kernel with CONFIG_IP_NF_TARGET_SYNPROXY=m
Chrome-GitHub opened this issue
Describe the bug
Raspberry Pi OS's kernel is compiled with:
CONFIG_IP_NF_TARGET_SYNPROXY is not set
Resulting in the following error message when trying to use -j SYNPROXY when adding IPv4 iptables rules:
Warning: Extension SYNPROXY revision 0 not supported, missing kernel module?
Steps to reproduce the behaviour
Try to use IPv4's -j SYNPROXY via iptables
Device(s)
Raspberry Pi CM4 Lite
System
Raspberry Pi reference 2024-03-15
Apr 17 2024 17:27:09
Linux raspberry 6.6.28+rpt-rpi-v8 #1 SMP PREEMPT Debian 1:6.6.28-1+rpt1 (2024-04-22) aarch64 GNU/Linux
Logs
sudo iptables -A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
Warning: Extension SYNPROXY revision 0 not supported, missing kernel module?
Additional context
It seems strange that the IPv6 version is modularized in the default 64-bit build configuration: CONFIG_IP6_NF_TARGET_SYNPROXY=m
but the IPv4 version is not. All dependencies are already modularized in the default configuration.
This request is separate from, but related to, issue #4993, which was accepted/committed on Sep 2, 2022. The rationale remains similar to the previous issue. Once the kernel was recompiled with:
CONFIG_IP_NF_TARGET_SYNPROXY=m
then -j SYNPROXY works as expected for IPv4 iptables rules.
I've added IP_NF_TARGET_SYNPROXY=m to our standard defconfigs - see 3f472b2.
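
Added example, not part of the issue thread or the kernel project: a shell check that reads a kernel config file and reports whether the IPv4 and IPv6 SYNPROXY targets named above are built in, modular, or not set. The function names and the sample config are constructed for illustration; pass a real config path as the first argument to check an installed kernel.

```shell
#!/bin/sh
# Added example (not from the issue): report SYNPROXY target support in a kernel config.

# kconfig_state FILE OPTION -> prints y, m, n ("is not set") or absent
kconfig_state() {
    if grep -q "^$2=y\$" "$1"; then echo y
    elif grep -q "^$2=m\$" "$1"; then echo m
    elif grep -q "^# $2 is not set\$" "$1"; then echo n
    else echo absent
    fi
}

# synproxy_report FILE -> one line per option; returns 0 only if both the
# IPv4 and IPv6 SYNPROXY targets are built in (y) or modular (m).
synproxy_report() {
    rc=0
    for opt in CONFIG_IP_NF_TARGET_SYNPROXY CONFIG_IP6_NF_TARGET_SYNPROXY; do
        state=$(kconfig_state "$1" "$opt")
        echo "$opt=$state"
        case $state in y|m) ;; *) rc=1 ;; esac
    done
    return "$rc"
}

# Constructed sample mirroring the configuration described in the issue:
# IPv6 target modular, IPv4 target not set.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
CONFIG_NF_CONNTRACK=m
# CONFIG_IP_NF_TARGET_SYNPROXY is not set
CONFIG_IP6_NF_TARGET_SYNPROXY=m
EOF

# Use a real config when given as $1 (for example /boot/config-$(uname -r),
# if the distribution ships it), otherwise fall back to the constructed sample.
CFG=${1:-$SAMPLE_CFG}
if synproxy_report "$CFG"; then
    echo "SYNPROXY targets available for IPv4 and IPv6"
else
    echo "at least one SYNPROXY target is missing from this kernel config"
fi
```

Running a check like this against an image before deploying SYNPROXY rules catches the missing IPv4 target at build time rather than as an iptables warning on the device.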