(new Soapbox())->shout(array_map('strtoupper', $opinions)); //Shaun's blog

Me, elsewhere

Miscellaneous public code

A PHP API client for Reddit

I don't tweet much

XMPP chat
(Pidgin, Miranda, Swift, etc.)

Perfect is the enemy of good enough.

Resolving "x_tables: ip_tables: udp match: only valid for protocol 17" iptables error

Posted March 27, 2019 by shaun

You may encounter the following error from iptables in dmesg or some other system log:

x_tables: ip_tables: udp match: only valid for protocol 17

This error indicates a parameter mismatch in one of your iptables rules. Specifically, one or more of the rule specifications isn't supported by the protocol you're trying to match.

For example, here's a rule intended to allow outbound NTP traffic, but it contains a typo:

iptables -A OUTPUT -p tcp -m udp --dport 123 -m state --state NEW -j ACCEPT

Here, the rule first attempts (wrongly) to match the TCP protocol, -p tcp, then tries to specify further matching based on the UDP module, -m udp. When iptables tries to process this rule, the rule will fail, and an error is logged:

x_tables: ip_tables: udp match: only valid for protocol 17

Because NTP is a UDP-based protocol, the inclusion of -p tcp in this rule was surely a brain fart. The corrected rule fixes the typo, specifying the correct protocol:

iptables -A OUTPUT -p udp -m udp --dport 123 -m state --state NEW -j ACCEPT

Now the rule is correctly parsed, with no error message. You should examine your ruleset looking for any protocol conflicts like this example. A full description of all parameters and matching modules is available in the iptables man page.

Recent articles

📰 chrony improves client stats output for easier abuse detection

📰 Resolving PHP error "Fatal error: strict_types declaration must not use block mode"

📰 Resolving "Not using downloaded repomd.xml because it is older than what we have" yum error

📰 Resolving subversion error E125001: Couldn't determine absolute path of '.'

📰 Caveat with Vantec SATA/IDE to USB 2.0 Adapter and Macrium software

📰 Jay Niffley, Man of Mystery

📰 Multi-protocol scanning activity from Amazon GovCloud

📰 Compiling Doxygen on FreeBSD without LaTeX and Ghostscript

📰 Introducing Snuze, a PHP client for the Reddit API

📰 jisusaiche: Java's installer telemetry

📰 BIND client log error "query_find: query_getdb failed"

📰 Resolving "The lang/perl5.24 port has been deleted: Has expired" portmaster error

📰 Armagaddon2 interim fix for Firefox 56 and other old versions

📰 Strange DNS queries: qname "miep", qtype ANY

📰 Resolving "x_tables: ip_tables: udp match: only valid for protocol 17" iptables error

▲ Back to top | Permalink to this page