I know, there are many questions with this topic, but none of them helps me.

After I run sudo iptables -w -t nat -A PREROUTING -s 100.64.0.8 -j CONNMARK --set-mark 25119

I get iptables: No chain/target/match by that name.

I was following this answer to identify the part of the rule that causes the error. I have discovered that if I run sudo iptables -w -t nat -A PREROUTING -s 100.64.0.8, no error is returned. Furthermore, iptables -j CONNMARK -h returns

...
CONNMARK target options:
  --set-xmark value[/ctmask]    Zero mask bits and XOR ctmark with value
  --save-mark [--ctmask mask] [--nfmask mask]
                                Copy ctmark to nfmark using masks
  --restore-mark [--ctmask mask] [--nfmask mask]
                                Copy nfmark to ctmark using masks
  --set-mark value[/mask]       Set conntrack mark value
  --save-mark [--mask mask]     Save the packet nfmark in the connection
  --restore-mark [--mask mask]  Restore saved nfmark value
  --and-mark value              Binary AND the ctmark with bits
  --or-mark value               Binary OR  the ctmark with bits
  --xor-mark value              Binary XOR the ctmark with bits

indicating that this extension is compiled.

My operating system is Ubuntu-16.04 on Windows Subsystem for Linux 2, iptables version is 1.6.0-2ubuntu3.

  • Does iptables -t nat -A PREROUTING -m connmark --mark 0x0 work? If not, then it means that the kernel netfilter module for this feature is missing. – Tero Kilkanen Feb 20 '23 at 06:24
  • @TeroKilkanen You are right. WSL2 does not have it. The solution is to recompile WSL from source after enabling all CONNMARK-related modules in config-wsl. The generic procedure is well described in this answer. – Rostyslav Feb 20 '23 at 14:05
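The comments narrow the error down to a kernel that was built without CONNMARK support, which the userspace iptables -h output cannot reveal. The script below is an added example (not from the question or the comments) that checks the running kernel's build configuration for the options the CONNMARK target and the connmark match depend on, so the missing-module case can be confirmed before rebuilding. The option names are the standard netfilter Kconfig symbols; the SAMPLE_CONFIG text is constructed for the demonstration and is not a real config-wsl. On WSL2 the live config is normally exposed as /proc/config.gz.

```shell
#!/bin/sh
# Constructed sample kernel config (not taken from the page): the CONNMARK
# target is disabled while the connmark match is built as a module.
SAMPLE_CONFIG="CONFIG_NF_CONNTRACK=y
CONFIG_NF_CONNTRACK_MARK=y
# CONFIG_NETFILTER_XT_TARGET_CONNMARK is not set
CONFIG_NETFILTER_XT_MATCH_CONNMARK=m"

# Report each Kconfig option the CONNMARK target/match rely on.
# $1 is the config text. Returns 0 when every option is built in (=y)
# or modular (=m), 1 when at least one is missing.
check_connmark_config() {
  config_text="$1"
  missing=0
  for opt in CONFIG_NF_CONNTRACK \
             CONFIG_NF_CONNTRACK_MARK \
             CONFIG_NETFILTER_XT_TARGET_CONNMARK \
             CONFIG_NETFILTER_XT_MATCH_CONNMARK; do
    if printf '%s\n' "$config_text" | grep -q "^${opt}=[ym]$"; then
      echo "ok       $opt"
    else
      echo "MISSING  $opt"
      missing=1
    fi
  done
  return $missing
}

# Print the running kernel's config from wherever this system exposes it;
# fails (return 1) when neither location is readable.
running_kernel_config() {
  if [ -r /proc/config.gz ]; then
    gzip -dc /proc/config.gz
  elif [ -r "/boot/config-$(uname -r)" ]; then
    cat "/boot/config-$(uname -r)"
  else
    return 1
  fi
}

# Stand-alone usage: evaluate the constructed sample, then the live kernel
# when its config is available.
check_connmark_config "$SAMPLE_CONFIG" || echo "sample config lacks CONNMARK support"
if cfg=$(running_kernel_config); then
  check_connmark_config "$cfg" || echo "running kernel lacks CONNMARK support"
fi
```

A MISSING line for CONFIG_NETFILTER_XT_TARGET_CONNMARK matches the symptom in the question: the iptables binary knows the target, but the kernel has nothing to load, so the rule is rejected with "No chain/target/match by that name".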