Lochnair / xt_tls

Filter TLS traffic with IPtables
GNU General Public License v3.0
230 stars 46 forks

Can't load in Debian 9 #18

Closed col-panic closed 6 years ago

col-panic commented 6 years ago

I just tried according to your documentation, and installed the module via insmod, as modprobe delivers

root@bridge:/lib/modules/4.9.0-8-amd64# modprobe xt_tls
modprobe: FATAL: Module xt_tls not found in directory /lib/modules/4.9.0-8-amd6

But when I try to use your sample iptables rule I receive

root@bridge:/lib/modules/4.9.0-8-amd64/extra# iptables -A OUTPUT -p tcp --dport 443 -m tls --tls-host "www.facebook.com" -j DROP
iptables v1.6.0: Couldn't load match `tls':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.

lsmod shows me it's loaded

Module                  Size  Used by
xt_tls                 16384  0
nf_conntrack_ipv6      20480  0
nf_defrag_ipv6         36864  1 nf_conntrack_ipv6
nf_conntrack_ipv4      16384  0
nf_defrag_ipv4         16384  1 nf_conntrack_ipv4
tun                    28672  2
ip6t_REJECT            16384  3

What am I doing wrong? Thanks

col-panic commented 6 years ago

Any chance of someone helping here? I'd really like to try this feature as a replacement for an nginx based solution I have running so far.

Lochnair commented 6 years ago

Might be as easy as running depmod -a.

col-panic commented 6 years ago

Thanks for the input - unfortunately this does not change the situation. I pulled fresh and did make, make install again - but still

root@bridge:/var/dev/xt_tls# !ipt
iptables -A OUTPUT -p tcp --dport 443 -m tls --tls-host "www.facebook.com" -j DROP
iptables v1.6.0: Couldn't load match `tls':No such file or directory

Lochnair commented 6 years ago

If running depmod helped at all you should at least be able to load the module with modprobe now. Could be that the userspace library isn't installed to the right place.

What does pkg-config --variable=xtlibdir xtables give you? If you check the contents of that folder you should see a ton of iptables libraries.

col-panic commented 6 years ago

The module is loaded; I can confirm that with lsmod, as can be seen above. Here is the requested output:

root@bridge:/var/dev/xt_tls# pkg-config --variable=xtlibdir xtables
/usr/lib/x86_64-linux-gnu/xtables
root@bridge:/var/dev/xt_tls# dir /usr/lib/x86_64-linux-gnu/xtables/
total 1.4M
-rw-r--r-- 1 root root  11K Apr 12  2017 libip6t_ah.so
-rw-r--r-- 1 root root  11K Apr 12  2017 libip6t_DNAT.so
-rw-r--r-- 1 root root 6.2K Apr 12  2017 libip6t_DNPT.so
-rw-r--r-- 1 root root  11K Apr 12  2017 libip6t_dst.so
-rw-r--r-- 1 root root 6.1K Apr 12  2017 libip6t_eui64.so
-rw-r--r-- 1 root root  11K Apr 12  2017 libip6t_frag.so
-rw-r--r-- 1 root root  11K Apr 12  2017 libip6t_hbh.so
-rw-r--r-- 1 root root  11K Apr 12  2017 libip6t_hl.so
-rw-r--r-- 1 root root  11K Apr 12  2017 libip6t_HL.so
-rw-r--r-- 1 root root  11K Apr 12  2017 libip6t_icmp6.so
-rw-r--r-- 1 root root  11K Apr 12  2017 libip6t_ipv6header.so
-rw-r--r-- 1 root root  11K Apr 12  2017 libip6t_LOG.so
-rw-r--r-- 1 root root  11K Apr 12  2017 libip6t_MASQUERADE.so
-rw-r--r-- 1 root root  11K Apr 12  2017 libip6t_mh.so
-rw-r--r-- 1 root root 6.2K Apr 12  2017 libip6t_NETMAP.so
-rw-r--r-- 1 root root  11K Apr 12  2017 libip6t_REDIRECT.so
-rw-r--r-- 1 root root  11K Apr 12  2017 libip6t_REJECT.so
-rw-r--r-- 1 root root  11K Apr 12  2017 libip6t_rt.so
-rw-r--r-- 1 root root  11K Apr 12  2017 libip6t_SNAT.so
-rw-r--r-- 1 root root 6.2K Apr 12  2017 libip6t_SNPT.so
-rw-r--r-- 1 root root  11K Apr 12  2017 libipt_ah.so
-rw-r--r-- 1 root root  11K Apr 12  2017 libipt_CLUSTERIP.so
-rw-r--r-- 1 root root  11K Apr 12  2017 libipt_DNAT.so
-rw-r--r-- 1 root root  11K Apr 12  2017 libipt_ECN.so
-rw-r--r-- 1 root root  15K Apr 12  2017 libipt_icmp.so
-rw-r--r-- 1 root root  11K Apr 12  2017 libipt_LOG.so
-rw-r--r-- 1 root root  11K Apr 12  2017 libipt_MASQUERADE.so
-rw-r--r-- 1 root root 6.2K Apr 12  2017 libipt_NETMAP.so
-rw-r--r-- 1 root root  11K Apr 12  2017 libipt_realm.so
-rw-r--r-- 1 root root  11K Apr 12  2017 libipt_REDIRECT.so
-rw-r--r-- 1 root root  11K Apr 12  2017 libipt_REJECT.so
-rw-r--r-- 1 root root  11K Apr 12  2017 libipt_SNAT.so
-rw-r--r-- 1 root root  11K Apr 12  2017 libipt_ttl.so
-rw-r--r-- 1 root root  11K Apr 12  2017 libipt_TTL.so
-rw-r--r-- 1 root root  11K Apr 12  2017 libipt_ULOG.so
-rw-r--r-- 1 root root  11K Apr 12  2017 libxt_addrtype.so
-rw-r--r-- 1 root root 6.2K Apr 12  2017 libxt_AUDIT.so
-rw-r--r-- 1 root root  11K Apr 12  2017 libxt_bpf.so
-rw-r--r-- 1 root root  11K Apr 12  2017 libxt_cgroup.so
-rw-r--r-- 1 root root 6.2K Apr 12  2017 libxt_CHECKSUM.so
-rw-r--r-- 1 root root  11K Apr 12  2017 libxt_CLASSIFY.so
-rw-r--r-- 1 root root  11K Apr 12  2017 libxt_cluster.so
-rw-r--r-- 1 root root 6.2K Apr 12  2017 libxt_comment.so
-rw-r--r-- 1 root root  11K Apr 12  2017 libxt_connbytes.so
-rw-r--r-- 1 root root  11K Apr 12  2017 libxt_connlabel.so
-rw-r--r-- 1 root root  11K Apr 12  2017 libxt_connlimit.so
-rw-r--r-- 1 root root  11K Apr 12  2017 libxt_connmark.so
-rw-r--r-- 1 root root  15K Apr 12  2017 libxt_CONNMARK.so
-rw-r--r-- 1 root root 6.2K Apr 12  2017 libxt_CONNSECMARK.so
-rw-r--r-- 1 root root  32K Apr 12  2017 libxt_conntrack.so
-rw-r--r-- 1 root root 6.2K Apr 12  2017 libxt_cpu.so
-rw-r--r-- 1 root root  16K Apr 12  2017 libxt_CT.so
-rw-r--r-- 1 root root  15K Apr 12  2017 libxt_dccp.so
-rw-r--r-- 1 root root  11K Apr 12  2017 libxt_devgroup.so
-rw-r--r-- 1 root root  11K Apr 12  2017 libxt_dscp.so
-rw-r--r-- 1 root root  11K Apr 12  2017 libxt_DSCP.so
-rw-r--r-- 1 root root  11K Apr 12  2017 libxt_ecn.so
-rw-r--r-- 1 root root  11K Apr 12  2017 libxt_esp.so
-rw-r--r-- 1 root root  23K Apr 12  2017 libxt_hashlimit.so
-rw-r--r-- 1 root root 6.2K Apr 12  2017 libxt_helper.so
-rw-r--r-- 1 root root  15K Apr 12  2017 libxt_HMARK.so
-rw-r--r-- 1 root root 6.2K Apr 12  2017 libxt_IDLETIMER.so
-rw-r--r-- 1 root root  11K Apr 12  2017 libxt_ipcomp.so
-rw-r--r-- 1 root root  15K Apr 12  2017 libxt_iprange.so
-rw-r--r-- 1 root root  11K Apr 12  2017 libxt_ipvs.so
-rw-r--r-- 1 root root  11K Apr 12  2017 libxt_LED.so
-rw-r--r-- 1 root root 6.2K Apr 12  2017 libxt_length.so
-rw-r--r-- 1 root root  11K Apr 12  2017 libxt_limit.so
-rw-r--r-- 1 root root 6.2K Apr 12  2017 libxt_mac.so
-rw-r--r-- 1 root root  15K Apr 12  2017 libxt_mangle.so
-rw-r--r-- 1 root root  11K Apr 12  2017 libxt_mark.so
-rw-r--r-- 1 root root  11K Apr 12  2017 libxt_MARK.so
-rw-r--r-- 1 root root  15K Apr 12  2017 libxt_multiport.so
-rw-r--r-- 1 root root 6.2K Apr 12  2017 libxt_nfacct.so
-rw-r--r-- 1 root root  11K Apr 12  2017 libxt_NFLOG.so
-rw-r--r-- 1 root root  11K Apr 12  2017 libxt_NFQUEUE.so
-rw-r--r-- 1 root root  16K Apr 12  2017 libxt_NOTRACK.so
-rw-r--r-- 1 root root  11K Apr 12  2017 libxt_osf.so
-rw-r--r-- 1 root root  15K Apr 12  2017 libxt_owner.so
-rw-r--r-- 1 root root  11K Apr 12  2017 libxt_physdev.so
-rw-r--r-- 1 root root  11K Apr 12  2017 libxt_pkttype.so
-rw-r--r-- 1 root root  15K Apr 12  2017 libxt_policy.so
-rw-r--r-- 1 root root 6.2K Apr 12  2017 libxt_quota.so
-rw-r--r-- 1 root root  15K Apr 12  2017 libxt_rateest.so
-rw-r--r-- 1 root root  11K Apr 12  2017 libxt_RATEEST.so
-rw-r--r-- 1 root root  15K Apr 12  2017 libxt_recent.so
-rw-r--r-- 1 root root  11K Apr 12  2017 libxt_rpfilter.so
-rw-r--r-- 1 root root  15K Apr 12  2017 libxt_sctp.so
-rw-r--r-- 1 root root 6.2K Apr 12  2017 libxt_SECMARK.so
-rw-r--r-- 1 root root  19K Apr 12  2017 libxt_set.so
-rw-r--r-- 1 root root  19K Apr 12  2017 libxt_SET.so
-rw-r--r-- 1 root root  11K Apr 12  2017 libxt_socket.so
-rw-r--r-- 1 root root 6.1K Apr 12  2017 libxt_standard.so
-rw-r--r-- 1 root root  32K Apr 12  2017 libxt_state.so
-rw-r--r-- 1 root root  11K Apr 12  2017 libxt_statistic.so
-rw-r--r-- 1 root root  11K Apr 12  2017 libxt_string.so
-rw-r--r-- 1 root root  11K Apr 12  2017 libxt_SYNPROXY.so
-rw-r--r-- 1 root root 6.2K Apr 12  2017 libxt_tcpmss.so
-rw-r--r-- 1 root root  11K Apr 12  2017 libxt_TCPMSS.so
-rw-r--r-- 1 root root  11K Apr 12  2017 libxt_TCPOPTSTRIP.so
-rw-r--r-- 1 root root  15K Apr 12  2017 libxt_tcp.so
-rw-r--r-- 1 root root  11K Apr 12  2017 libxt_TEE.so
-rw-r--r-- 1 root root  15K Apr 12  2017 libxt_time.so
-rw-r--r-- 1 root root  11K Apr 12  2017 libxt_tos.so
-rw-r--r-- 1 root root  11K Apr 12  2017 libxt_TOS.so
-rw-r--r-- 1 root root  11K Apr 12  2017 libxt_TPROXY.so
-rw-r--r-- 1 root root 6.1K Apr 12  2017 libxt_TRACE.so
-rw-r--r-- 1 root root  11K Apr 12  2017 libxt_u32.so
-rw-r--r-- 1 root root  11K Apr 12  2017 libxt_udp.so

Lochnair commented 6 years ago

Thanks.

Okay so we should see libxt_tls.so in there, but alas we do not. Can you try cd-ing into the ipt folder and doing sudo make install there?

col-panic commented 6 years ago

Doing this results in

root@bridge:/var/dev/xt_tls/ipt# make install
install -D -v -m 644 libxt_tls.so //usr/lib/x86_64-linux-gnu/xtables
removed '//usr/lib/x86_64-linux-gnu/xtables/libxt_tls.so'

and libxt_tls.so is now effectively visible in

root@bridge:/var/dev/xt_tls/ipt# ls -l /usr/lib/x86_64-linux-gnu/xtables/libxt_t*
-rw-r--r-- 1 root root  6272 Apr 12  2017 /usr/lib/x86_64-linux-gnu/xtables/libxt_tcpmss.so
-rw-r--r-- 1 root root 14464 Apr 12  2017 /usr/lib/x86_64-linux-gnu/xtables/libxt_tcp.so
-rw-r--r-- 1 root root 14464 Apr 12  2017 /usr/lib/x86_64-linux-gnu/xtables/libxt_time.so
-rw-r--r-- 1 root root  8864 Oct  7 17:58 /usr/lib/x86_64-linux-gnu/xtables/libxt_tls.so
-rw-r--r-- 1 root root 10560 Apr 12  2017 /usr/lib/x86_64-linux-gnu/xtables/libxt_tos.so

I also once again executed depmod -a, did an rmmod xt_tls and modprobe xt_tls, but still I get

root@bridge:/var/dev/xt_tls/ipt# !ip
iptables -A OUTPUT -p tcp --dport 443 -m xt_tls --tls-host "www.facebook.com" -j DROP
iptables v1.6.0: Couldn't load match `xt_tls':No such file or directory

but after doing an iptables -m tls -h it seems to work! I can load the rule now!

root@bridge:/etc/iptables# iptables -A OUTPUT -p tcp --dport 443 -m tls --tls-host "www.facebook.com" -j DROP
root@bridge:/etc/iptables# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       tcp  --  anywhere             anywhere             tcp dpt:https TLS match --tls-host www.facebook.com

col-panic commented 6 years ago

It does work now, thanks a lot :)
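The thread converges on two separate checks for an iptables match that "can't be loaded": the kernel module xt_NAME (lsmod / modprobe) and the userspace plugin libxt_NAME.so in the directory that pkg-config --variable=xtlibdir xtables reports. The script below, added here as an example and not part of the xt_tls project, runs both checks for any match name; the function names and the exit-code scheme are my own, and the functions take the lsmod text and the library directory as arguments so they can be exercised against constructed input as well as a live host.

```shell
#!/bin/sh
# Example (not from xt_tls): diagnose why `iptables -m NAME` reports
# "Couldn't load match". Two halves must both be present:
#   1. kernel module xt_NAME, visible in lsmod (load with depmod -a; modprobe)
#   2. userspace plugin libxt_NAME.so in $(pkg-config --variable=xtlibdir xtables)

# kernel_module_loaded NAME LSMOD_TEXT -> 0 if a line of LSMOD_TEXT starts with xt_NAME
kernel_module_loaded() {
    printf '%s\n' "$2" | awk -v m="xt_$1" '$1 == m { found = 1 } END { exit found ? 0 : 1 }'
}

# userspace_plugin_present NAME XTLIBDIR -> 0 if XTLIBDIR/libxt_NAME.so exists
userspace_plugin_present() {
    [ -f "$2/libxt_$1.so" ]
}

# diagnose NAME LSMOD_TEXT XTLIBDIR -> prints one line per half; return code is
# 0 (both present), 1 (kernel module missing), 2 (plugin missing), 3 (both missing)
diagnose() {
    name=$1; lsmod_text=$2; libdir=$3; rc=0
    if kernel_module_loaded "$name" "$lsmod_text"; then
        echo "kernel module xt_$name: loaded"
    else
        echo "kernel module xt_$name: NOT loaded (depmod -a && modprobe xt_$name)"
        rc=$((rc + 1))
    fi
    if userspace_plugin_present "$name" "$libdir"; then
        echo "userspace plugin $libdir/libxt_$name.so: present"
    else
        echo "userspace plugin $libdir/libxt_$name.so: MISSING (run make install in ipt/)"
        rc=$((rc + 2))
    fi
    return $rc
}

# Live run against this host, only when the tools are available.
if command -v lsmod >/dev/null 2>&1 && command -v pkg-config >/dev/null 2>&1; then
    diagnose tls "$(lsmod)" "$(pkg-config --variable=xtlibdir xtables 2>/dev/null)" || true
fi
```

Note that the match is selected with -m tls, not -m xt_tls: iptables prepends libxt_ itself, so the module name only belongs in modprobe and lsmod.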