Perfect is the enemy of good enough.

Resolving "x_tables: ip_tables: udp match: only valid for protocol 17" iptables error

Posted March 27, 2019 by shaun

You may encounter the following error from iptables in dmesg or some other system log:

x_tables: ip_tables: udp match: only valid for protocol 17

This error indicates a parameter mismatch in one of your iptables rules. Specifically, one or more of the match modules used in the rule isn't valid for the protocol you're trying to match. Protocol 17 is the IP protocol number of UDP, so the kernel is saying that the udp match module was used in a rule whose -p protocol is not UDP.

For example, here's a rule intended to allow outbound NTP traffic, but it contains a typo:

iptables -A OUTPUT -p tcp -m udp --dport 123 -m state --state NEW -j ACCEPT

Here, the rule first attempts (wrongly) to match the TCP protocol, -p tcp, then tries to specify further matching based on the UDP module, -m udp. When the kernel is asked to load this rule, the udp match module's sanity check rejects it, the rule is not installed, and an error is logged:

x_tables: ip_tables: udp match: only valid for protocol 17

Because NTP is a UDP-based protocol (port 123), the inclusion of -p tcp in this rule was surely a brain fart. The corrected rule fixes the typo, specifying the correct protocol:

iptables -A OUTPUT -p udp -m udp --dport 123 -m state --state NEW -j ACCEPT

Now the rule is correctly parsed, with no error message. You should examine your ruleset looking for any protocol conflicts like this example. A full description of all parameters and matching modules is available in the iptables man page.
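As an added example (not part of the original post), here is a small shell check that does the "examine your ruleset" step automatically: it reads iptables-save formatted rules and reports every rule whose -p protocol disagrees with a -m tcp or -m udp match module, including numeric protocols (6, 17) and rules that use -m tcp/-m udp with no -p at all. The sample ruleset below is constructed for the example; on a live host you would pass "$(iptables-save)" instead.

```shell
#!/bin/sh
# Added example: find protocol/match-module conflicts in iptables rules.
# Not from the original post. RULES is a constructed sample; replace it
# with "$(iptables-save)" to scan a real host.

# Constructed sample ruleset in iptables-save format.
# Conflicting rules: tcp/udp, udp/tcp, icmp/udp, 6/udp (four in total).
RULES='*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p tcp -m udp --dport 123 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp -m udp --dport 123 -m state --state NEW -j ACCEPT
-A OUTPUT -p 17 -m udp --dport 123 -j ACCEPT
-A OUTPUT -p 6 -m udp --dport 123 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m tcp --dport 53 -j ACCEPT
-A INPUT -p icmp -m udp --dport 53 -j ACCEPT
COMMIT'

# Print every rule whose -p protocol does not agree with a -m tcp/-m udp
# match. Exit status is 0 when no conflicts were found, 1 otherwise, so it
# can be used as a gate in a config-deployment pipeline.
find_protocol_conflicts() {
    printf '%s\n' "$1" | awk '
        # Map numeric IP protocols to the names the match modules use.
        function norm(p) {
            if (p == "6") return "tcp"
            if (p == "17") return "udp"
            return tolower(p)
        }
        /^-A / {
            proto = ""; mismatch = 0
            # First pass: find the -p/--protocol argument, wherever it sits.
            for (i = 1; i <= NF; i++)
                if ($i == "-p" || $i == "--protocol") proto = norm($(i + 1))
            # Second pass: every -m tcp / -m udp must agree with -p.
            # A missing -p is also flagged, since the module cannot match.
            for (i = 1; i <= NF; i++)
                if (($i == "-m" || $i == "--match") &&
                    ($(i + 1) == "tcp" || $(i + 1) == "udp") &&
                    proto != $(i + 1))
                    mismatch = 1
            if (mismatch) { print; found = 1 }
        }
        END { exit found ? 1 : 0 }
    '
}

# Number of conflicting rules in a ruleset (handy for assertions/reports).
count_protocol_conflicts() {
    find_protocol_conflicts "$1" | wc -l | tr -d ' '
}

# Demo run on the constructed sample.
find_protocol_conflicts "$RULES" || echo "protocol/match conflicts found above"
```

Running the check before loading a ruleset (for example `find_protocol_conflicts "$(cat /etc/iptables/rules.v4)"`) catches the -p tcp / -m udp typo before the kernel rejects the rule and leaves the intended NTP traffic unfiltered or blocked.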