xt_time.ko kernel module missing

roberto.nunnari
Posts: 7
Joined: 2020/07/22 12:16:46

Post by roberto.nunnari » 2020/07/22 13:01:33

Hi all.

I have to replace an old ubuntu server, and decided to go with my preferred OS, CentOS! :)
This server acts as a router, firewall and proxy.

But I ran into a blocking issue while trying to implement the firewall rules that use the time module.
For instance, when I run:

[root@fw-new ~]# iptables -A INPUT -i ens256 -s 192.168.200.0/24 -m state --state NEW -m time --timestart 06:00 --timestop 10:00 --weekdays Thu
iptables v1.8.4 (nf_tables): Couldn't load match `time':No such file or directory

In fact, if I search for it:
[root@fw-new ~]# l /lib/modules/4.18.0-193.6.3.el8_2.x86_64/kernel/net/netfilter/ | grep time
-rw-r--r--. 1 root root 5812 Jun 10 13:23 nfnetlink_cttimeout.ko.xz

while on the old server:
ammin@FW1:~$ ll /lib/modules/3.13.0-74-generic/kernel/net/netfilter/ | grep time
-rw-r--r-- 1 root root 15028 Dec 18 2015 nfnetlink_cttimeout.ko
-rw-r--r-- 1 root root 7732 Dec 18 2015 xt_time.ko

My env:
[root@fw-new ~]# cat /etc/centos-release
CentOS Linux release 8.2.2004 (Core)
[root@fw-new ~]# uname -rms
Linux 4.18.0-193.6.3.el8_2.x86_64 x86_64

I'll be grateful for any help. It's many years I don't even try to compile a kernel myself..

Thank you and best regards.
Robi

TrevorH
Forum Moderator
Posts: 29662
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: xt_time.ko kernel module missing

Post by TrevorH » 2020/07/22 13:14:17

That kernel module is in CentOS 7 but not in 8. I would presume that it's yet another thing that RH decided to deprecate. Might be worth checking the RHEL 8.0 release notes to see if it's documented.
CentOS 6 will die in November 2020 - migrate sooner rather than later!
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 is dead, do not use it.
Full time Geek, part time moderator. Use the FAQ Luke

roberto.nunnari
Posts: 7
Joined: 2020/07/22 12:16:46

Re: xt_time.ko kernel module missing

Post by roberto.nunnari » 2020/07/22 14:43:56

Hi TrevorH.

Thanks for your suggestion.
I have checked RHEL 8.0 release notes and found no mention about the missing kernel module.
Considering that iptables still accepts the time module commands, it seems at least 'inconsistent' to remove the kernel module..
To me, it looks more like an error during the kernel configure/build steps of CentOS 8.

How can we check if it's an error or an intended change?

And more important: How can I solve this problem?

Thank you.
Robi

Jean-Pierre
Posts: 9
Joined: 2020/05/31 16:36:25

Re: xt_time.ko kernel module missing

Post by Jean-Pierre » 2020/07/22 14:57:25

In the CentOS 8 kernel .config, I see

# CONFIG_NETFILTER_XT_MATCH_TIME is not set

"It's many years I don't even try to compile a kernel myself.."
Too bad...

roberto.nunnari
Posts: 7
Joined: 2020/07/22 12:16:46

Re: xt_time.ko kernel module missing

Post by roberto.nunnari » 2020/07/22 15:13:28

gonna try now.. installing kernel-devel.. ;)
I'll post here the results.
Robi

roberto.nunnari
Posts: 7
Joined: 2020/07/22 12:16:46

Re: xt_time.ko kernel module missing

Post by roberto.nunnari » 2020/07/22 15:55:26

ok.. working on that..
Anyways, how/where can we ask Red Hat (or CentOS?) to correct that mistake (if it is a mistake) so that the module will be included in a next release (or via yum update)?
Robi

TrevorH
Forum Moderator
Posts: 29662
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: xt_time.ko kernel module missing

Post by TrevorH » 2020/07/22 16:44:57

Since the kernel options used for the CentOS kernel are identical to those used for the RHEL kernel you would need to ask Red Hat. If you don't have a support agreement/subscription then you'd have to use bugzilla.redhat.com

roberto.nunnari
Posts: 7
Joined: 2020/07/22 12:16:46

Re: xt_time.ko kernel module missing

Post by roberto.nunnari » 2020/07/23 12:01:51

Hi TrevorH.

Following your advice, I opened a new bug on bugzilla.redhat.com
I hope Redhat will correct the kernel config..

Building my own kernel module is a good workaround, but it's not a sustainable solution.. I don't want to run and rebuild the module every time a new kernel comes with yum update.. and I don't want automatic kernel rebuilds.. I want to stay on the standard distro.

Still trying to build the kernel module.. but at present I have little time left for this..

Best regards.
Robi

roberto.nunnari
Posts: 7
Joined: 2020/07/22 12:16:46

Re: xt_time.ko kernel module missing

Post by roberto.nunnari » 2020/07/23 15:38:32

Hi all.

This is just to let you know that as a temporary workaround, I built myself the missing kernel module and now iptables works as expected.
As mentioned in a previous message, I also opened a bug on bugzilla.redhat.com (see https://bugzilla.redhat.com/show_bug.cgi?id=1859877) so that hopefully the upstream provider will correct the kernel config so that in future CentOS and Redhat users will not need to build the module like I did.

I don't know if this module will need to be rebuilt every time a new kernel is put in place by yum update.. that's what worries me with hacking around on a production server.. I prefer to stay on the easy and safe side in server administration.

Thank you and best regards.
Robi

roberto.nunnari
Posts: 7
Joined: 2020/07/22 12:16:46

Re: xt_time.ko kernel module missing

Post by roberto.nunnari » 2020/07/24 07:58:14

Hi all.

For the next people who will face this: Red Hat will not fix this. Here's Red Hat's reply to my request:

///////////////
sushil kulkarni 2020-07-23 18:12:06 UTC

Hi Robi,

This option has been disabled on purpose..

From another bz, here is a recommendation:

Nowadays it's better to use a rule that is always-enabled and then
add/remove addresses from a set (e.g. using cron) to toggle it off/on.

If you have further concerns, please reach out to Red Hat support by creating a ticket for appropriate follow up.

Thanks!
Sushil

Status: NEW → CLOSED
CC: sukulkar@redhat.com
Resolution: --- → WONTFIX
Doc Type: --- → If docs needed, set a value
Last Closed: 2020-07-23 18:12:06
///////////////////

Best regards.
Robi
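
The set-based approach recommended in the Red Hat reply above, as an added example (not part of the original thread or of Red Hat's reply), applied to the Thursday 06:00-10:00 rule from the first post. It assumes the ipset package and the kernel's set match are available; the set name `timed_src`, the script path and the cron schedule are hypothetical.

```sh
#!/bin/sh
# Added example: cron-driven replacement for "-m time" on a kernel without xt_time.
# Assumed names: set "timed_src", script path /usr/local/sbin/timed-set.sh.
#
# One-time setup as root (the set must exist before the rule that references it):
#   ipset create timed_src hash:net -exist
#   iptables -A INPUT -i ens256 -m set --match-set timed_src src -m state --state NEW
#
# Cron entry (assumed file under /etc/cron.d). Reconciling every minute instead of
# adding at 06:00 and deleting at 10:00 means a reboot or a missed cron run
# inside the window corrects itself within a minute:
#   * * * * * root /usr/local/sbin/timed-set.sh --apply

SET_NAME=timed_src
NET=192.168.200.0/24
DAY=4            # date +%u numbering: 1=Mon ... 7=Sun, so 4=Thu
START=06:00
STOP=10:00       # treated as an exclusive upper bound here

# to_min HH:MM -> minutes since midnight (leading zero stripped to avoid octal)
to_min() {
    h=${1%%:*}; m=${1##*:}
    h=${h#0}; m=${m#0}
    echo $(( h * 60 + m ))
}

# desired_action DOW HH:MM -> prints "add" inside the window, "del" outside
desired_action() {
    now=$(to_min "$2")
    if [ "$1" -eq "$DAY" ] && [ "$now" -ge "$(to_min "$START")" ] \
        && [ "$now" -lt "$(to_min "$STOP")" ]; then
        echo add
    else
        echo del
    fi
}

# apply_now: make the set match the clock; -exist makes add/del idempotent
apply_now() {
    ipset create "$SET_NAME" hash:net -exist
    ipset "$(desired_action "$(date +%u)" "$(date +%H:%M)")" "$SET_NAME" "$NET" -exist
}

if [ "${1:-}" = "--apply" ]; then
    apply_now
fi
```

cron and `date` use the system's local time zone, whereas the `time` match interprets its arguments as UTC unless told otherwise, so check the window boundaries when migrating rules.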
