
After a huge hustle I managed to compile the xt_DSCP.ko kernel module and it can be loaded with no errors.

:/ $ su
:/ # insmod /sdcard/xt_DSCP.ko
:/ #

I also managed to pull iptables external from androidgooglesource and managed to build iptables 1.8.4 (same version packaged with the device) with --enables-static --disable-shared which bundled all extensions inside the executable.

Now, expecting everything to go smoothly, I get this error when I try to use the DSCP target:

:/ $ su
:/ # export T=/data/local/iptables/sbin/iptables
:/ # $T -t mangle -A OUTPUT -p udp -j DSCP --set-dscp 0
iptables v1.8.4 (legacy): unknown option "--set-dscp"
Try `iptables -h' or 'iptables --help' for more information.
2|:/ #

The whole folder is chmod -R 777 /data/local/iptables and chown -R 0:2000 /data/local/iptables. I have also tried moving libxt_DSCP.so to /system/lib and system/lib64 but to no avail.

I have hit a wall I'm not sure I will be able to climb. External iptables was built with autotools using Android NDK r25c. Help will be greatly appreciated.

OS specifics:

Model-name: Galaxy M12 (rooted with magisk)
Android-version: 11 (stock)
Kernel-version: 4.19.111-22482896

Silent
  • iptables binary is built statically linked with all the extensions bundled inside. So why are you putting libxt_DSCP.so on the device? Seems strange. – Irfan Latif Jun 09 '23 at 18:42
  • If I insmod the xt_DSCP.ko kernel module and run the iptables binary from /system/bin, the same error as above appears. Also, copying libxt_DSCP.so to /system/lib was just a trial and error thing. I really don't know what else to do. The real reason I built iptables from scratch is because I thought the default iptables lacked the extensions but now I'm even more confused. – Silent Jun 09 '23 at 19:06
  • If DSCP plugin is statically linked with iptables binary, iptables -m dscp -h should show the help for DSCP extension. In other case you should build the binary with --enable-shared and provide --with-xtlibdir=PATH option to configure to specify where iptables should look for the extension plugins (shared libraries) in order to dynamically load them. – Irfan Latif Jun 09 '23 at 20:49
  • OK, let me try again. iptables -m dscp -h tries to load the xt_dscp match. I only have the xt_DSCP.ko kernel module for the target and no kernel module for the match. Is this where the error is sourced? Do I need both kernel modules? – Silent Jun 09 '23 at 21:21
  • iptables -m dscp -h does not try to load the module (.ko file). It just prints the help from the statically linked or dynamically loaded plugin (.so file). unknown option "--set-dscp" error is also due to missing extension plugin, not due to missing extension module. If you are not clear about the terminology, I'd suggest you read the iptables extensions documentation. – Irfan Latif Jun 09 '23 at 21:32
  • In short, you need the module on kernel side, and the plugin on userspace side. Module is loaded using modprobe or insmod. That's what you have done correctly. Now the iptables needs the plugin to interact with the loaded module. You can build the plugin within the iptables using --enable-static. Or you can build the plugin separately as an .so file using --enable-shared --disable-static and let the iptables load this .so file from a directory specified with --with-xtlibdir=PATH at compile time. – Irfan Latif Jun 09 '23 at 21:41
  • Well explained indeed. I think the problem is sourced from the iptables from androidgooglesource in a sense that it was modified to exclude some of those extensions and maybe that is why the iptables from the stock rom excludes them too. I will try to build the same exact version from the netfilter source and see if there is any difference. – Silent Jun 09 '23 at 23:41

1 Answer

Well, it seems like insmod was at fault here for giving me false hope. According to this answer by @Irfan Latif 4 years ago, the xt_DSCP.ko module can't be loaded since it's not one of the modules listed in /sys/module and the only way I can get it to work is to build the kernel from scratch.

Silent
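The comments separate the kernel-side module from the userspace plugin, and the answer points at /sys/module; the sketch below checks each side independently so the failing half is identified. It is an added example, not code from the question, the answer or the iptables project. The function names are hypothetical, and it assumes the kernel exposes /proc/net/ip_tables_targets and that `-j DSCP -h` prints the target plugin's help (the target counterpart of the `-m dscp -h` check in the comments).

```shell
#!/bin/sh
# Added diagnostic sketch; function names are hypothetical. Paths are
# parameters so the checks can also be run against copies of the files.

# Kernel side: is the target registered with x_tables?
# /proc/net/ip_tables_targets lists one registered target name per line.
kernel_has_target() {
    target=$1; procfile=${2:-/proc/net/ip_tables_targets}
    [ -r "$procfile" ] && grep -qx -- "$target" "$procfile"
}

# Kernel side: does the module appear under /sys/module after insmod?
module_listed() {
    [ -d "${2:-/sys/module}/$1" ]
}

# Userspace side: does this iptables binary carry the plugin for the target?
# "-j TARGET -h" prints the plugin's help text, which names its options.
plugin_has_option() {
    ipt=$1; target=$2; opt=$3
    "$ipt" -j "$target" -h 2>&1 | grep -q -- "$opt"
}

# Combine both sides into one verdict string.
diagnose() {
    ipt=$1; target=$2; opt=$3; procfile=${4:-/proc/net/ip_tables_targets}
    k=no; u=no
    kernel_has_target "$target" "$procfile" && k=yes
    plugin_has_option "$ipt" "$target" "$opt" && u=yes
    case "$k$u" in
        yesyes) echo "ok" ;;
        yesno)  echo "missing-plugin" ;;   # rebuild iptables with the extension
        noyes)  echo "missing-module" ;;   # kernel did not register the target
        *)      echo "missing-both" ;;
    esac
}

# On the device, as root (binary path taken from the question):
#   diagnose /data/local/iptables/sbin/iptables DSCP --set-dscp
#   module_listed xt_DSCP && echo "xt_DSCP is under /sys/module"
```

A `missing-plugin` verdict corresponds to the `unknown option "--set-dscp"` error in the question; `missing-module` means the userspace side is fine and the kernel side is what needs work.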