Nftables support for TTL mangling

It seems that Linux4Tegra doesn’t have nftables support compiled into the kernel. I’m not able to modify outbound TTL with iptables:

$ sudo iptables -t mangle -I POSTROUTING -j TTL --ttl-set 65
iptables: No chain/target/match by that name.

I’ve looked at compiling xtables-addons; are the Linux headers for the kernel patch available anywhere? Or is there another way I can get TTL mangling support?

Hello,

Could you check if you can build it from the kernel source?

Source link:
https://developer.nvidia.com/embedded/downloads#?search=L4T%20sources

Guidance for how to build the kernel:
https://docs.nvidia.com/jetson/l4t/index.html#page/Tegra%20Linux%20Driver%20Package%20Development%20Guide/kernel_custom.html#wwpID0E06C0HA

Thanks for the tip. I tried building the kernel from scratch; it seems that the source code for this module is not included in the L4T source tbz2?

When I run make menuconfig I enabled this module:

  | Symbol: IP_NF_MATCH_TTL [=m]                                                                             
  | Type  : tristate                                                                                       
  | Prompt: "ttl" match support                                                                            
  |   Location:                                                                                            
  |     -> Networking support (NET [=y])                                                                   
  |       -> Networking options                                                                            
  |         -> Network packet filtering framework (Netfilter) (NETFILTER [=y])                             
  |           -> IP: Netfilter Configuration                                                               
  | (6)         -> IP tables support (required for filtering/masq/NAT) (IP_NF_IPTABLES [=m])               
  |   Defined at net/ipv4/netfilter/Kconfig:210                                                            
  |   Depends on: NET [=y] && INET [=y] && NETFILTER [=y] && IP_NF_IPTABLES [=m] && NETFILTER_ADVANCED [=y]
  |   Selects: NETFILTER_XT_MATCH_HL [=m]                                                                       

however it didn’t seem to actually enable the module once I packaged it up and deployed it to my Jetson Nano.

Debugging a bit, under ~/Linux_for_Tegra/source/public/kernel/kernel-4.9/net/ipv4/netfilter I don’t have an ipt_TTL.c file; however, this seems to be present in the Linux kernel: ipt_TTL.c - net/ipv4/netfilter/ipt_TTL.c - Linux source code (v2.6.24) - Bootlin

The uapi header seems to be present under ~/Linux_for_Tegra/source/public/kernel/kernel-4.9/include/uapi/linux/netfilter_ipv4 however.

I’m new to kernel development, have I missed something?

After some more debugging, it seems that ipt_TTL was removed in a newer version of the Linux kernel. The option CONFIG_IP_NF_TARGET_TTL is still available in Kconfig; however, I don’t see it being mapped to any source modules in any Makefiles.

So this seems not really Jetson-related, but any idea about why this might be?

OK, I’ve actually managed to get this to work; it turns out it was just refactored into another module. I’ve written up my steps here for posterity: Compiling Custom Kernel Modules on the Jetson Nano | Kevin's Blog

I found the nvidia guide to be a bit difficult to follow but with enough guessing was able to get it working :)
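
A config check for the situation in this thread, as an added example that is not part of the original posts: it reads a kernel .config and lists which symbols needed by `iptables -t mangle -j TTL` are switched off. The symbol list is an assumption taken from mainline Kconfig (the thread does not name the module), where the TTL target is built from xt_HL via NETFILTER_XT_TARGET_HL and the "ttl" match shown in the menuconfig output above is the separate NETFILTER_XT_MATCH_HL; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Symbol names follow mainline Kconfig (assumption).

# Print y, m or n for one CONFIG_ symbol in a kernel .config file.
kconfig_state() {   # $1 = config file, $2 = symbol without the CONFIG_ prefix
    state=$(sed -n "s/^CONFIG_$2=\([ym]\)\$/\1/p" "$1" | head -n 1)
    printf '%s\n' "${state:-n}"
}

# Print every symbol that `iptables -t mangle -j TTL` needs and that is off.
# Prints nothing when the TTL target can be built or loaded.
ttl_target_missing() {   # $1 = config file
    for sym in NETFILTER_ADVANCED IP_NF_IPTABLES IP_NF_MANGLE NETFILTER_XT_TARGET_HL; do
        if [ "$(kconfig_state "$1" "$sym")" = n ]; then
            printf '%s\n' "$sym"
        fi
    done
}

# Constructed sample: the match side (xt_hl) is enabled, the target side (xt_HL) is not.
sample_config() {
    cat <<'EOF'
CONFIG_NETFILTER_ADVANCED=y
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_NETFILTER_XT_MATCH_HL=m
# CONFIG_NETFILTER_XT_TARGET_HL is not set
EOF
}

# Stand-alone demo on the constructed sample.
demo_cfg=$(mktemp)
sample_config > "$demo_cfg"
echo "missing for -j TTL: $(ttl_target_missing "$demo_cfg" | tr '\n' ' ')"
rm -f "$demo_cfg"
```

To check a real build, pass the path of the .config in the kernel output directory instead of the sample.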