In case you are getting this sort of error when setting up your box with iptable rules to support tproxy:

root@cartman:~# iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables: No chain/target/match by that name.

That error is referring to the ‘-m socket’ match.

It seems that on certain kernels that Linode used to offer (Linode kernels have no modules) there is 1 small config parameter that they left unset. Pretty weird since about everything is on; I guess someone tried to prevent you from running your own haproxy install at one point.

root@cartman:~# zcat /proc/config.gz | grep "CONFIG_NETFILTER_TPROXY"
# CONFIG_NETFILTER_TPROXY is not set

Apparently, the kernel I use isn’t compiled with it. I really could have used it to solve a problem with ha-proxy (only used as a transparent tcp proxy, not as a true HA loadbalancer).
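The check above can be turned into a preflight script, so the rules are only added once the running kernel is known to carry the TPROXY pieces. The script below is an added example, not part of the original post: it reads the kernel config from /proc/config.gz (or the distro copy under /boot, an assumed fallback path), reports the state of the options the ‘-m socket’ match and the TPROXY target depend on (CONFIG_NETFILTER_TPROXY, CONFIG_NETFILTER_XT_MATCH_SOCKET and CONFIG_NETFILTER_XT_TARGET_TPROXY are the upstream kernel option names), and only then applies the standard DIVERT ruleset from the kernel’s tproxy documentation. With DRY_RUN=1 it prints the commands instead of running them, so it can be tried without root.

```sh
#!/bin/sh
# Preflight check for TPROXY support before adding '-m socket' / '-j TPROXY'
# rules, followed by the DIVERT ruleset from Documentation/networking/tproxy.txt.
# Added example, not from the original post. The /boot fallback path is an
# assumption; the CONFIG_ option names are the upstream kernel ones.

# Locate the running kernel's config: /proc/config.gz (needs CONFIG_IKCONFIG_PROC)
# or the distro's copy under /boot.
kernel_config_file() {
    if [ -r /proc/config.gz ]; then
        echo /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        echo "/boot/config-$(uname -r)"
    else
        return 1
    fi
}

# Print the state of one CONFIG_ option in a config file: y, m, or n.
# Handles both gzip'd (/proc/config.gz) and plain files.
config_option_state() {
    file=$1; opt=$2
    case "$file" in
        *.gz) reader="zcat" ;;
        *)    reader="cat" ;;
    esac
    # Match "CONFIG_X=y", "CONFIG_X=m" or "# CONFIG_X is not set", nothing longer.
    line=$("$reader" "$file" | grep -E "^(# )?$opt(=| is not set)" | head -n 1)
    case "$line" in
        "$opt=y") echo y ;;
        "$opt=m") echo m ;;
        *)        echo n ;;
    esac
}

# Everything the '-m socket' match and '-j TPROXY' target need:
# the core option (the one unset in the post) plus the xt_socket match
# and xt_TPROXY target that are built from the other two.
TPROXY_OPTIONS="CONFIG_NETFILTER_TPROXY CONFIG_NETFILTER_XT_MATCH_SOCKET CONFIG_NETFILTER_XT_TARGET_TPROXY"

# Return 0 if every required option is built in (y) or a module (m);
# otherwise list the missing ones on stderr and return 1.
tproxy_supported() {
    file=$1
    missing=""
    for opt in $TPROXY_OPTIONS; do
        state=$(config_option_state "$file" "$opt")
        if [ "$state" = n ]; then
            missing="$missing $opt"
        fi
    done
    if [ -n "$missing" ]; then
        echo "missing kernel options:$missing" >&2
        return 1
    fi
    return 0
}

# With DRY_RUN=1 the commands are printed instead of executed.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# The kernel documentation's ruleset: packets that already belong to a local
# socket (the proxy's listener) get marked in the DIVERT chain, and the mark
# sends them through a routing table that delivers everything locally.
apply_tproxy_rules() {
    run iptables -t mangle -N DIVERT
    run iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    run iptables -t mangle -A DIVERT -j MARK --set-mark 1
    run iptables -t mangle -A DIVERT -j ACCEPT
    run ip rule add fwmark 1 lookup 100
    run ip route add local 0.0.0.0/0 dev lo table 100
}

main() {
    cfg=$(kernel_config_file) || { echo "no kernel config found" >&2; exit 1; }
    tproxy_supported "$cfg" || exit 1
    apply_tproxy_rules
}

# Usage: ./tproxy_preflight.sh apply   (DRY_RUN=1 to only print the rules)
if [ "${1:-}" = apply ]; then
    main
fi
```

On the box in the post the first step already fails with “missing kernel options: CONFIG_NETFILTER_TPROXY”, which is a clearer signal than iptables’ generic “No chain/target/match by that name”.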

root@cartman:~# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=10.04
DISTRIB_CODENAME=lucid
DISTRIB_DESCRIPTION="Ubuntu 10.04.4 LTS"

I guess this install is affected. I read that their latest kernels supposedly have it, but I’m reluctant to upgrade this very busy box and stop all the services. Bummer, but it will be without source IPs now. Now I’m going to have to find out how to distinguish the loadbalancer backend checks from true proxied traffic.

Glenn