
iptables host/network not found error

July 12, 2020 — BarryK

I am testing the 5.8-rc4 kernel, and /tmp/bootsysinit.log, which is the log of stdout and stderr from /etc/rc.d/rc.sysinit, reports this multiple times:

iptables v1.8.2 (legacy): host/network `' not found

This error is from /etc/init.d/rc.firewall, which is the firewall generated by "firewall_ng", which is "Alien Bob's Easy Firewall Generator" modified for Puppy by 01micko.

There is a "Puppy Rules" section in 'rc.firewall' that is responsible for these error messages.

Did not have these error messages before, it is new with the 5.8-rc4 kernel. Here is an example of one line that produces the error:

/usr/sbin/iptables -A udp_inbound -p UDP -s /8 --destination-port 137 -j ACCEPT
iptables v1.8.2 (legacy): host/network `' not found

After a quick search online, it seems the " /8 " syntax is wrong. It is supposed to be prefixed with an IP address. OK, so I replaced all occurrences of " /8 " with " 127.0.0.1/8 ", and no longer get error messages.

However, I don't know if what I have done is correct. Does the " /8 " imply that it is the 127.0.0.1 host? Why did it work before?

The Puppy Forum has been down all day, so cannot pose these questions there. Indeed, the answer may already be somewhere on that forum. So, if there is anyone knowledgeable with iptables and firewall rules, would you mind posting via the "Contact me" button at top of this page?

If you want to see the firewall_ng generator, it is in this tarball, at easy-code/rootfs-skeleton/usr/sbin/firewall_ng:

http://distro.ibiblio.org/easyos/project/woof/woof-project-20200622.tar.gz

EDIT 2020-07-13:
Daniel read the above post and sent me a message:

Hello, I saw your post about the iptables firewall rules today and figured I should mention that the rule you added was for 127.0.0.1 hosts on the entire class A of addresses. I don't remember how many IP addresses are allocated to the localhost address but the way you added the rule should effectively block all incoming udp traffic that originates from your machine. If you wanted to block all outside traffic, the typical convention is to use 0.0.0.0 as the source.

I took a quick look at the iptables man page, and it looks like /8 should have never worked on its own. The man page lists the subnet as optional but the IP address as required, so it is curious that it worked for you in the past. I am led to wonder if there was previously code not reflected in the man page that would default to 0.0.0.0 or some other IP range when only a subnet was specified.

I will ask Michael Amadio about this, as he is the guy who did the original modifications to Alien Bob's Firewall.

EDIT 2020-07-13:
Michael (01micko) has advised me that the problem might be the busybox 'ip', as the firewall-generator script /usr/sbin/firewall_ng has an explicit call "busybox ip ...".

EasyOS has the full 'ip', as the busybox ip is inadequate for the usage it is put to in Easy Containers. So I edited 'firewall_ng' and removed the "busybox" prefix, and hey, the firewall is fixed!

That "/8" is no longer there. Instead, now getting lines like this:

$IPT -A udp_inbound -p UDP -s 192.168.43.0/24 --destination-port 137 -j ACCEPT

Good! 
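As an added example (not firewall_ng's own code), here is how a generator can take the LAN network from a line of the full iproute2 'ip' output and refuse to build the udp_inbound rule when the address part is missing, so a broken "-s /8" never reaches iptables. The sample 'ip' line and the $IPT path are constructed for the demonstration.

```shell
# Added example, not firewall_ng's code: derive the network in CIDR form from
# one `ip -o -4 addr show` line and reject an empty address such as "/8".

# Constructed sample line, in the format the full iproute2 'ip' prints.
SAMPLE_IP_LINE='2: eth0    inet 192.168.43.5/24 brd 192.168.43.255 scope global eth0'
IPT=${IPT:-/usr/sbin/iptables}   # same variable name as the generated rc.firewall

# Print the "addr/prefix" token that follows "inet"; fail if there is none.
inet_field() {
    set -- $1
    while [ $# -gt 1 ]; do
        [ "$1" = inet ] && { printf '%s\n' "$2"; return 0; }
        shift
    done
    return 1
}

# Accept only "a.b.c.d/n": four octets 0-255 and a prefix length 0-32.
valid_cidr() {
    case $1 in */*) ;; *) return 1 ;; esac
    addr=${1%/*}; plen=${1#*/}
    case $plen in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    oifs=$IFS; IFS=.; set -- $addr; IFS=$oifs
    [ $# -eq 4 ] || return 1
    for o; do case $o in ''|*[!0-9]*) return 1 ;; esac; [ "$o" -le 255 ] || return 1; done
}

# network_cidr 192.168.43.5/24 -> 192.168.43.0/24 (host bits cleared).
network_cidr() {
    valid_cidr "$1" || return 1
    addr=${1%/*}; plen=${1#*/}
    oifs=$IFS; IFS=.; set -- $addr; IFS=$oifs
    ip=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    mask=$(( plen == 0 ? 0 : (4294967295 << (32 - plen)) & 4294967295 ))
    net=$(( ip & mask ))
    printf '%d.%d.%d.%d/%d\n' $(( net >> 24 & 255 )) $(( net >> 16 & 255 )) \
        $(( net >> 8 & 255 )) $(( net & 255 )) "$plen"
}

# Build the udp_inbound rule only from a validated network; report otherwise.
udp_inbound_rule() {
    net=$(network_cidr "$(inet_field "$1")") || {
        echo "refusing to emit rule, no usable address in: $1" >&2; return 1; }
    printf '%s -A udp_inbound -p UDP -s %s --destination-port 137 -j ACCEPT\n' "$IPT" "$net"
}

udp_inbound_rule "$SAMPLE_IP_LINE" || true
udp_inbound_rule '2: eth0    inet /8 scope global eth0' || true   # the broken case
```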

Tags: easy