Hi,
I am trying to build and run iptables for Ubuntu Core 18 on the Raspberry Pi 3 (arm64) and I am encountering a strange behaviour.
The following simplified example shows what happens when I try to add a new rule to the FORWARD chain on the target system using the match / module / extension (I am not sure what the correct term is) “tcp”:
    root@rpi3:/snap/iptables# iptables -A FORWARD -p tcp -m tcp --dport 77 -j DROP
    iptables v1.6.1: Couldn't load match `tcp':No such file or directory
    Try `iptables -h' or 'iptables --help' for more information.
It looks like iptables just can’t find the required file(s), although they are part of the snap:
    root@rpi3:/snap/iptables/current/lib/xtables# ls -hl libxt_tcp.so
    -rwxr-xr-x 1 root root 44K Apr 3 2019 libxt_tcp.so
    root@icx-sn01234567:/snap/iptables/current/lib/xtables# ldd libxt_tcp.so
        linux-vdso.so.1 (0x0000ffff94b76000)
        libxtables.so.12 => not found
        libc.so.6 => /lib/aarch64-linux-gnu/libc.so.6 (0x0000ffff949de000)
        /lib/ld-linux-aarch64.so.1 (0x0000ffff94b4b000)
libxtables.so is in fact available:
    root@rpi3:/snap/iptables/current/lib# ls -hl libxtables.so*
    lrwxrwxrwx 1 root root 20 Apr 3 2019 libxtables.so -> libxtables.so.12.0.0
    lrwxrwxrwx 1 root root 20 Apr 3 2019 libxtables.so.12 -> libxtables.so.12.0.0
    -rwxr-xr-x 1 root root 181K Apr 3 2019 libxtables.so.12.0.0
I tried several different approaches (shown below); none of them worked. The packages were built using

    snapcraft --target-arch=arm64
Approach #1 (First try):
    name: iptables
    base: core18
    version: '0.0.1'
    summary: Iptables
    description: |
      Initial snap for Iptables
    grade: devel
    confinement: devmode # use 'strict' once you have the right plugs and slots
    apps:
      iptables:
        command: sbin/iptables
    parts:
      build-iptables:
        plugin: autotools
        source: .
        configflags:
          - --disable-nftables
Approach #2 (with a wrapper script, which sets LD_LIBRARY_PATH explicitly):

    name: iptables
    base: core18
    version: '0.0.1'
    summary: Iptables
    description: |
      Initial snap for Iptables
    grade: devel
    confinement: devmode # use 'strict' once you have the right plugs and slots
    apps:
      iptables:
        command: bin/iptables
    […]
Wrapper script (/bin/iptables):
    #!/bin/sh
    export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$SNAP/lib:$SNAP/lib/xtables
    $SNAP/sbin/iptables "$@"
Last but not least I even tried to use the prebuilt variant from the Ubuntu repository.
Approach #3 (stage-packages):

    name: iptables
    base: core18
    version: '0.0.1'
    summary: Iptables
    description: |
      Initial snap for Iptables
    grade: devel
    confinement: devmode # use 'strict' once you have the right plugs and slots
    apps:
      iptables:
        command: sbin/iptables
    parts:
      iptables:
        plugin: nil
        stage-packages:
          - on amd64 to arm64:
            - "iptables:arm64"
          - else:
            - "iptables"
Same behaviour on the target system for any of the approaches listed above. I am out of ideas / options. What am I doing wrong? Help is very much appreciated.
Kind regards, Michael
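
An added example, not part of the original post: a small shell triage for the situation shown above, where `ldd` reports a dependency as "not found" although the file ships in the snap. The function names (`unresolved_deps`, `locate_deps`, `sample_ldd`) are hypothetical, and the sample input is constructed from the `ldd` output quoted in the post.

```sh
#!/bin/sh
# Added example (not from the post): separate "library is packaged but the
# loader does not search its directory" from "library is not packaged at all".

# Read ldd output on stdin and print every soname reported as "not found".
unresolved_deps() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# Read sonames on stdin; the arguments are candidate directories (for
# example "$SNAP/lib"). Prints "<soname> packaged <path>" for the first
# directory containing the soname, otherwise "<soname> missing".
# [ -e ] follows symlinks, so a dangling libfoo.so.N link counts as missing.
locate_deps() {
    while IFS= read -r soname; do
        hit=""
        for dir in "$@"; do
            if [ -e "$dir/$soname" ]; then
                hit="$dir/$soname"
                break
            fi
        done
        if [ -n "$hit" ]; then
            echo "$soname packaged $hit"
        else
            echo "$soname missing"
        fi
    done
}

# Constructed sample input: the ldd output quoted in the post.
sample_ldd() {
    cat <<'EOF'
	linux-vdso.so.1 (0x0000ffff94b76000)
	libxtables.so.12 => not found
	libc.so.6 => /lib/aarch64-linux-gnu/libc.so.6 (0x0000ffff949de000)
	/lib/ld-linux-aarch64.so.1 (0x0000ffff94b4b000)
EOF
}
```

On a live system the same pipeline would read real output, for example `ldd libxt_tcp.so | unresolved_deps | locate_deps /snap/iptables/current/lib`.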