Winston Nolan
2005-Sep-25 11:44 UTC
...requires that your kernel and iptables have ROUTE target support
good day to you

i have compiled everything related to ip tables as modules, but still i get this error when trying to use /etc/shorewall/routes
can someone tell me the specific module i need to have?
here are my info

intranet linux # shorewall version
2.4.2
intranet linux # uname -a
Linux intranet 2.6.12-gentoo-r10 #10 SMP Sun Sep 11 15:01:49 SAST 2005 i686 AMD Athlon(tm) XP 2400+ AuthenticAMD GNU/Linux
intranet linux # grep -i _ip_ /usr/src/linux/.config
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_FWMARK=y
CONFIG_IP_ROUTE_MULTIPATH=y
# CONFIG_IP_ROUTE_MULTIPATH_CACHED is not set
CONFIG_IP_ROUTE_VERBOSE=y
# CONFIG_IP_PNP is not set
CONFIG_IP_MROUTE=y
CONFIG_IP_PIMSM_V1=y
CONFIG_IP_PIMSM_V2=y
CONFIG_IP_TCPDIAG=y
# CONFIG_IP_TCPDIAG_IPV6 is not set
# CONFIG_IP_VS is not set
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_CT_ACCT=y
CONFIG_IP_NF_CONNTRACK_MARK=y
CONFIG_IP_NF_CT_PROTO_SCTP=m
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_IRC=m
CONFIG_IP_NF_TFTP=m
CONFIG_IP_NF_AMANDA=m
CONFIG_IP_NF_QUEUE=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_LIMIT=m
CONFIG_IP_NF_MATCH_IPRANGE=m
CONFIG_IP_NF_MATCH_MAC=m
CONFIG_IP_NF_MATCH_PKTTYPE=m
CONFIG_IP_NF_MATCH_MARK=m
CONFIG_IP_NF_MATCH_MULTIPORT=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_RECENT=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_DSCP=m
CONFIG_IP_NF_MATCH_AH_ESP=m
CONFIG_IP_NF_MATCH_LENGTH=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_TCPMSS=m
CONFIG_IP_NF_MATCH_HELPER=m
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_MATCH_CONNTRACK=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_MATCH_ADDRTYPE=m
CONFIG_IP_NF_MATCH_REALM=m
CONFIG_IP_NF_MATCH_SCTP=m
CONFIG_IP_NF_MATCH_COMMENT=m
CONFIG_IP_NF_MATCH_CONNMARK=m
CONFIG_IP_NF_MATCH_HASHLIMIT=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_IP_NF_TARGET_TCPMSS=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_TARGET_NETMAP=m
CONFIG_IP_NF_TARGET_SAME=m
CONFIG_IP_NF_NAT_SNMP_BASIC=m
CONFIG_IP_NF_NAT_IRC=m
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_NAT_TFTP=m
CONFIG_IP_NF_NAT_AMANDA=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_DSCP=m
CONFIG_IP_NF_TARGET_MARK=m
CONFIG_IP_NF_TARGET_CLASSIFY=m
CONFIG_IP_NF_TARGET_CONNMARK=m
# CONFIG_IP_NF_TARGET_CLUSTERIP is not set
CONFIG_IP_NF_RAW=m
CONFIG_IP_NF_TARGET_NOTRACK=m
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
CONFIG_IP_NF_ARP_MANGLE=m
# CONFIG_IP_SCTP is not set

thank you
Tom Eastep
2005-Sep-25 14:35 UTC
Re: ...requires that your kernel and iptables have ROUTE target support
On Sunday 25 September 2005 04:44, Winston Nolan wrote:
> good day to you
>
> i have compiled everything related to ip tables as modules, but still i
> get this error when trying to use /etc/shorewall/routes
> can someone tell me the specific module i need to have?
> here are my info

Two things:

1) The implementation of /etc/shorewall/routes in 2.4.x is broken -- it works but only "sort of". It is being removed in 3.0.

2) The ROUTE netfilter target requires patching your kernel using Patch-o-matic-ng which is available on the Netfilter site. It produces a module named ipt_ROUTE.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,      \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key  \ https://lists.shorewall.net/teastep.pgp.key
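
A kernel-side pre-check for the situation in this thread, as an added example that is not part of the original messages or of Shorewall: it reads a kernel .config for the ROUTE target and, if it is built as a module, looks for ipt_ROUTE under the modules directory. The option name is assumed to follow the CONFIG_IP_NF_TARGET_<NAME> pattern of the listing above; the function names and the script file name are hypothetical, and iptables userspace support is not checked.

```shell
#!/bin/sh
# Added example: check whether a kernel build provides the netfilter ROUTE target.
# Assumption: the patched-in option follows the CONFIG_IP_NF_TARGET_<NAME>
# naming used by the other targets in the .config listing in this thread.

# Print how a target is built in a kernel .config: y, m, or unset.
nf_target_state() {   # usage: nf_target_state <config-file> <TARGET>
    val=$(sed -n "s/^CONFIG_IP_NF_TARGET_$2=\([ym]\)\$/\1/p" "$1" | head -n 1)
    echo "${val:-unset}"
}

# Succeed if <name>.ko (possibly compressed) exists under a modules directory.
module_present() {    # usage: module_present <modules-dir> <name>
    [ -n "$(find "$1" -type f -name "$2.ko*" 2>/dev/null | head -n 1)" ]
}

# Succeed only if ROUTE is built in, or built as a module that is installed.
route_target_ready() { # usage: route_target_ready <config-file> <modules-dir>
    case $(nf_target_state "$1" ROUTE) in
        y) return 0 ;;
        m) module_present "$2" ipt_ROUTE ;;
        *) return 1 ;;
    esac
}

# Constructed sample: four lines taken from the config listing in the post.
make_sample_config() {
    cat <<'EOF'
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_MARK=m
# CONFIG_IP_NF_TARGET_CLUSTERIP is not set
EOF
}

# Live check, run as: sh check_route.sh --live   (hypothetical file name)
if [ "${1:-}" = "--live" ]; then
    if route_target_ready /usr/src/linux/.config "/lib/modules/$(uname -r)"; then
        echo "ROUTE target available"
    else
        echo "ROUTE target missing: kernel needs the patch-o-matic-ng ROUTE patch"
    fi
fi
```

Run against the sample, the ROUTE target reports as unset, which matches the posted listing: it has no TARGET_ROUTE line at all.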
Winston Nolan
2005-Sep-25 15:29 UTC
Re: ...requires that your kernel and iptables have ROUTE target support
hi tom!

thanks for the reply!
i have patched my kernel got it done all was well, now trying to get this to work
getting this error:

intranet shorewall # /etc/init.d/shorewall restart
* Restarting firewall ...
RTNETLINK answers: File exists
/etc/init.d/shorewall: line 26: 16313 Terminated /sbin/shorewall restart>/dev/null [ !! ]

since this feature will be removed in version 3.0 what else can i use or how will i achieve a similar result..?

im going to scratch some more but if you have an answer please help.

winston
Tom Eastep
2005-Sep-25 15:56 UTC
Re: ...requires that your kernel and iptables have ROUTE target support
On Sunday 25 September 2005 08:29, Winston Nolan wrote:
> hi tom!
>
> thanks for the reply!
> i have patched my kernel got it done all was well, now trying to get this
> to work
> getting this error:
>
> intranet shorewall # /etc/init.d/shorewall restart
> * Restarting firewall ...
> RTNETLINK answers: File exists
> /etc/init.d/shorewall: line 26: 16313 Terminated /sbin/shorewall restart
>

Why do people insist on running /etc/init.d/shorewall??? My documentation doesn't even mention that file. Ah, I get it -- people don't read the documentation (silly me).

ref: http://www.shorewall.net/starting_and_stopping_shorewall.htm

If you run /sbin/shorewall directly, you might get some clue as to what is failing.

> since this feature will be removed in version 3.0 what else can i use or
> how will i achieve a similar result..?

I don't know -- you haven't told us what you are trying to do.

-Tom
Winston Nolan
2005-Sep-25 17:48 UTC
Re: ...requires that your kernel and iptables have ROUTE target support
> Why do people insist on running /etc/init.d/shorewall???

because i use gentoo all my start scripts are there, this is how the os function.
sorry for not using "shorewall start" but how will i add this to startup, so that shorewall would start during boot.
in any case, why do i have the start script for shorewall in /etc/init.d if im not supposed to use it?

> Ah, I get it -- people don't read the documentation (silly me).

no, i do read the documentation, but seeing as im not a "sysadmin alpha geek" i do make mistakes...i dont know everything, thats why i am here - asking your help, and i thank you for it.

> I don't know -- you haven't told us what you are trying to do.

i have a gateway with 3 network cards

eth0 -> local
eth1 -> isp1
eth2 -> isp2

i will be leaving isp1 soon and would like to test the routing capabilities and see if i can use shorewall to change my route so that i can switch over effortlessly, i reckon shorewall can help me do this. i am having problems though, and almost too scared to ask your help because if i miss anything i get crapped on.

in any case, ill investigate more

thank you
Brent Schwartz
2005-Sep-25 18:03 UTC
Re: ...requires that your kernel and iptables have ROUTE target support
Use shorewall start while configuring and testing your setup. AFTER you have it working then you may add it to your default runlevel using gentoo's handy start script. I can see why Tom would be frustrated by this as he makes strong references to this in his docs. Anyways, now you know.
Tom Eastep
2005-Sep-25 20:24 UTC
Re: ...requires that your kernel and iptables have ROUTE target support
On Sunday 25 September 2005 10:48, Winston Nolan wrote:
> > I don't know -- you haven't told us what you are trying to do.
>
> i have a gateway with 3 network cards
>
> eth0 -> local
> eth1 -> isp1
> eth2 -> isp2
>
> i will be leaving isp1 soon and would like to test the routing capabilities
> and see if i can use shorewall to change my route so that i can switch over
> effortlessly, i reckon shorewall can help me do this. i am having problems
> though, and almost too scared to ask your help because if i miss anything i
> get crapped on.

Oh please!

Are you currently using Shorewall's multi-ISP support to handle the two ISPs?

-Tom
Anthony Campbell
2005-Sep-26 07:52 UTC
Re: ...requires that your kernel and iptables have ROUTE target support
On 25 Sep 2005, Winston Nolan wrote:
> > Why do people insist on running /etc/init.d/shorewall???
>
> because i use gentoo all my start scripts are there, this is how the os
> function.
> sorry for not using "shorewall start" but how will i add this to
> startup, so that shorewall would start during boot.
> in any case, why do i have the start script for shorewall in
> /etc/init.d if im not supposed to use it?
>
> > Ah, I get it -- people don't read the
> > documentation (silly me).
>
> no, i do read the documentation, but seeing as im not a "sysadmin
> alpha geek" i do make mistakes...i dont know everything, thats why i
> am here - asking your help, and i thank you for it.
>
> > I don't know -- you haven't told us what you are trying to do.
>
> i have a gateway with 3 network cards
> eth0 -> local
> eth1 -> isp1
> eth2 -> isp2
> i will be leaving isp1 soon and would like to test the routing
> capabilities and see if i can use shorewall to change my route so that
> i can switch over effortlessly, i reckon shorewall can help me do this.
> i am having problems though, and almost too scared to ask your help
> because if i miss anything i get crapped on.
> in any case, ill investigate more
> thank you
>
[snip]

Getting the sharp end of Tom's tongue is the price I generally expect to pay for asking things on this list. I can understand why it happens; Tom is giving a vast amount of his time and knowledge, for free, to support what must surely be the best firewall implementation available. This doubtless requires him to answer the same question again and again in different forms. He therefore feels frustrated when people fail to find or understand the relevant documentation which is out there.

The problem for some of us who come to the subject from scratch is that it is in fact complex, and though the information is available there is a lot to take in at first and it's always possible to misunderstand things.

So I expect I'll usually get slapped down, no doubt justifiably, when I ask a question here, but it's worth it because I do get things working in the end.

Anthony

--
ac@acampbell.org.uk     || http://www.acampbell.org.uk for
using Linux GNU/Debian  || blog, book reviews, electronic
Microsoft-free zone     || books and skeptical articles
Cristian Rodriguez
2005-Sep-26 08:21 UTC
Re: ...requires that your kernel and iptables have ROUTE target support
Anthony Campbell wrote:
> Tom
> is giving a vast amount of his time and knowledge, for free, to support
> what must surely be the best firewall implementation available. This
> doubtless requires him to answer the same question again and again in
> different forms. He therefore feels frustrated when people fail to find
> or understand the relevant documentation which is out there.

that's exactly the problem Anthony, not only Tom feels frustrated, me too :-(

Personally, I think the problem is:

Opensource software is generally poorly documented and people use to discard the manuals as a source of good information.

So, Shorewall is fully documented but people don't RTM :-(

--
Cristian Rodriguez R.
perl -e '$_=pack(c5,0105,0107,0123,0132,(1<<3)+2);y[A-Z][N-ZA-M];print;'