Nf_log_common kernel module missing


#1

Hello, I have Resin OS 1.24.0 and Supervisor 2.8.3 on my device (FROM resin/nuc-debian:latest), and I was surprised to find that I could not create a LOG target in my iptables rules. I want this to that I know that packets are about to be dropped. If my understanding is correct, the issue is that the Yocto modules installed on my device (at 4.1.8) are missing the required Netfilter modules, nf_log_common and nf_log_ipv4 in particular.

Googling, I see that a relatively old commit to resinhup includes 4.1.10 along with the expected Netfilter plugins:
https://github.com/resin-os/resinhup/blob/master/modules/fingerprint/known-images/resin-ffbc50d09e7b6c28743fe2ff851082e9.fingerprint

I’d rather not have to use resinhup to update my device if I don’t have to. I guess my questions are:

  1. Is it expected/by design that 4.1.8 is missing nf_log_common and nf_log_ipv4?
  2. Is there any plan to have 4.1.10 on ResinOS 1.x devices? By extension, should I just try ResinOS 2?
  3. What should I be doing to get the LOG target in my iptables rules? Without the module, iptables says that LOG is not a valid target.
root@nuc:~# ls -l /lib/modules/4.1.8-yocto-standard/kernel/net/ipv4/netfilter/ | grep nf_
-rw-r--r-- 1 root root 14152 Dec  5 17:14 nf_nat_h323.ko
-rw-r--r-- 1 root root  6248 Dec  5 17:14 nf_nat_masquerade_ipv4.ko
-rw-r--r-- 1 root root  6832 Dec  5 17:14 nf_nat_pptp.ko
-rw-r--r-- 1 root root  5240 Dec  5 17:14 nf_nat_proto_gre.ko
-rw-r--r-- 1 root root  6416 Dec  5 17:14 nf_reject_ipv4.ko
root@nuc:~#

#2

Hi.
Yes, by default we use the kernel config supplied by the BSP layer. And in this case it looks like these modules are not enabled by default.
So to answer your questions:

1 - yes, it looks like the BSP doe snot have them by default so we did not add them either until now
2 - resinOS 1.X will not receive updates anymore. All development is done towards 2.X
3 - there would be a way for you to build the kernel modules and load them in your container. One examplefor doing this is https://github.com/resin-io-playground/kernel-module-build . But if I recall correctly, the modules headers are not exported correctly for 1.X versions and should best be used with 2.X

We are taking into consideration adding these modules in resinOS 2. Will keep you updated


#3

Thanks, I’d really appreciate that. That file listing I posted above suggests that any Yocto >= 4.1.10 will include this, unless you selectively remove them for the ResinOS.

Are you able to tell me whether ResinOS 2 has these modules present in /lib/modules/ as is? It would help me decide whether to give ResinOS 2 a try.


#4

I’ve checked the resinOS 2.0.0-rc5 image now, and it has the 4.8.17-yocto-standard kernel & modules. Don’t seem to have either nf_log_common or nf_log_ipv4. Checking the upstream meta-intel BSP, it does not seem like that they enable those modules in the default kernel settings, just as @florin mentioned above.

The file listing you mentioned above was from a different hardware, if I date to guess, it was one of the BeagleBone series (judging by the presence of the TI firmware files). Their BSP might include those modules by default.

Support for custom kernel modules are important extra for 2.0, and definitely taking feedback for including more/different default modules, thank you for the feedback!