Hi,
I am trying to build and run iptables for Ubuntu Core 18 on the Raspberry Pi 3 (arm64) and I am encountering a strange behaviour.
The following simplified example shows what happens when I try to add a new rule to the FORWARD chain on the target system using the match / module / extension (I am not sure what the correct term is) “tcp”:
root@rpi3:/snap/iptables# iptables -A FORWARD -p tcp -m tcp --dport 77 -j DROP
iptables v1.6.1: Couldn't load match `tcp':No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
It looks like iptables just can’t find the required file(s), although they are part of the snap:
root@rpi3:/snap/iptables/current/lib/xtables# ls -hl libxt_tcp.so
-rwxr-xr-x 1 root root 44K Apr 3 2019 libxt_tcp.so
root@icx-sn01234567:/snap/iptables/current/lib/xtables# ldd libxt_tcp.so
linux-vdso.so.1 (0x0000ffff94b76000)
libxtables.so.12 => not found
libc.so.6 => /lib/aarch64-linux-gnu/libc.so.6 (0x0000ffff949de000)
/lib/ld-linux-aarch64.so.1 (0x0000ffff94b4b000)
libxtables.so is in fact available:
root@rpi3:/snap/iptables/current/lib# ls -hl libxtables.so*
lrwxrwxrwx 1 root root 20 Apr 3 2019 libxtables.so -> libxtables.so.12.0.0
lrwxrwxrwx 1 root root 20 Apr 3 2019 libxtables.so.12 -> libxtables.so.12.0.0
-rwxr-xr-x 1 root root 181K Apr 3 2019 libxtables.so.12.0.0
I tried several different approaches (shown below), none of them worked. The packages were built using
snapcraft --target-arch=arm64
Approach #1 (First try):
name: iptables
base: core18
version: '0.0.1'
summary: Iptables
description: |
  Initial snap for Iptables
grade: devel
confinement: devmode # use 'strict' once you have the right plugs and slots
apps:
  iptables:
    command: sbin/iptables
parts:
  build-iptables:
    plugin: autotools
    source: .
    configflags:
      - --disable-nftables
Approach #2 (with a wrapper script, which sets LD_LIBRARY_PATH explicitly):
name: iptables
base: core18
version: '0.0.1'
summary: Iptables
description: |
  Initial snap for Iptables
grade: devel
confinement: devmode # use 'strict' once you have the right plugs and slots
apps:
  iptables:
    command: bin/iptables
[…]
Wrapper script (/bin/iptables):
#!/bin/sh
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$SNAP/lib:$SNAP/lib/xtables
$SNAP/sbin/iptables "$@"
Last but not least I even tried to use the prebuilt variant from the Ubuntu repository.
Approach #3 (stage-packages):
name: iptables
base: core18
version: '0.0.1'
summary: Iptables
description: |
  Initial snap for Iptables
grade: devel
confinement: devmode # use 'strict' once you have the right plugs and slots
apps:
  iptables:
    command: sbin/iptables
parts:
  iptables:
    plugin: nil
    stage-packages:
      - on amd64 to arm64:
        - "iptables:arm64"
      - else:
        - "iptables"
Same behaviour on the target system for any of the approaches listed above. I am out of ideas / options, what am I doing wrong? Help is very much appreciated.
Kind regards,
Michael