Fedora 6, yum updated to the hilt, results in
kernel-2.6.20-1.2925.fc6
shorewall-3.2.8-1.fc6

Some modules aren't getting loaded.
Looks like the netfilter gnomes have been changing module names.

Weighing up if I should go with 3.4, or go back to using a modules file - or both.

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
shorewall@aanet.com.au wrote:
> Fedora 6, yum updated to the hilt, results in
> kernel-2.6.20-1.2925.fc6
> shorewall-3.2.8-1.fc6
>
> Some modules aren't getting loaded.
> Looks like the netfilter gnomes have been changing module names.
>
> Weighing up if I should go with 3.4, or go back to using a
> modules file - or both.

Shorewall 3.2.8 (what you are running) was released by me on January 16, 2007 (ref. http://www.shorewall.net/News.htm). Shorewall 3.4.0-RC1 (the first release candidate of what you are asking about) was released by me on February 2, 2007 (ref. Shorewall Announcements mailing list archives). The first 2.6.20 release by kernel.org occurred on Feb 4, 2007 (ref. ftp.kernel.org).

Do you think that either Shorewall 3.2.8 or Shorewall 3.4.0 would be updated to include knowledge of changes introduced by kernel 2.6.20? The answer is 'No'. If you were managing a new "stable" release of a product (like Shorewall 3.4.0), would you modify your candidate code to try to accommodate a new kernel release that won't be in any distribution for months and that happened two days after you announced your first release candidate? I chose not to.

Linus roundly chastised the Netfilter team for renaming kernel configuration options and module names the way that they did but the Netfilter team apparently isn't changing anything. So expect more pain in the future and use a modules file when needed. That's why it is there...

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> The answer is 'No'.
> ...
> I chose not to.

I sense some offence being taken there. I wasn't criticizing Shorewall, or you, (or anyone else for that matter). Most of us are just users of your software who haven't much time to monitor what's going on behind the scenes. I look to this ML for early warnings of glitches as much as for solutions to problems and I suspect others do too. Hopefully, this thread will serve as an early warning to others.

> Linus roundly chastised the Netfilter team for renaming kernel
> configuration options and module names the way that they did but the
> Netfilter team apparently isn't changing anything. So expect more pain
> in the future and use a modules file when needed.

Comparing the netfilter modules in 2.6.20-1.2925.fc6 with those in 2.6.19-1.2911.6.5.fc6 shows many modules have had their names changed - I'm assuming it's only a name change and that the functionality has been maintained.

The following modules don't exist in 2.6.20-1.2925.fc6:

ip_conntrack_amanda.ko
ip_conntrack_ftp.ko
ip_conntrack_h323.ko
ip_conntrack_irc.ko
ip_conntrack.ko
ip_conntrack_netbios_ns.ko
ip_conntrack_netlink.ko
ip_conntrack_pptp.ko
ip_conntrack_proto_sctp.ko
ip_conntrack_sip.ko
ip_conntrack_tftp.ko
ip_nat_amanda.ko
ip_nat_ftp.ko
ip_nat_h323.ko
ip_nat_irc.ko
ip_nat.ko
ip_nat_pptp.ko
ip_nat_sip.ko
ip_nat_snmp_basic.ko
ip_nat_tftp.ko
ipt_hashlimit.ko

Instead, there are:

nf_conntrack_ipv4.ko
nf_nat_amanda.ko
nf_nat_ftp.ko
nf_nat_h323.ko
nf_nat_irc.ko
nf_nat.ko
nf_nat_pptp.ko
nf_nat_proto_gre.ko
nf_nat_sip.ko
nf_nat_snmp_basic.ko
nf_nat_tftp.ko
nf_conntrack_amanda.ko
nf_conntrack_ftp.ko
nf_conntrack_h323.ko
nf_conntrack_irc.ko
nf_conntrack.ko
nf_conntrack_netbios_ns.ko
nf_conntrack_netlink.ko
nf_conntrack_pptp.ko
nf_conntrack_proto_gre.ko
nf_conntrack_proto_sctp.ko
nf_conntrack_sip.ko
nf_conntrack_tftp.ko
xt_hashlimit.ko
xt_NFLOG.ko

I suppose as a first approximation one could just add the nf_/xt_ modules to the modules file. Is that likely to screw anything up? (Tom?)

Another problem with 2.6.20-1.2925.fc6 is that there is no /proc/net/ip_conntrack but I assume that file is provided by nf_conntrack.ko

The conclusion is don't update past 2.6.19-1.2911.6.5.fc6, or be prepared for messing around with module loading.
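As an added example (not code from the thread, nor Shorewall's own /usr/share/shorewall/modules file), the following POSIX shell script probes a kernel's module tree and prints loadmodule lines for whichever naming scheme it finds, the older ip_conntrack/ip_nat names or the 2.6.20 nf_conntrack/nf_nat/xt_ names listed above, so that the same file can be generated for either kernel. The function names, the module-tree layout and the constructed sample tree are assumptions; the helper list is taken from the two lists in the message.

```shell
# Assumption: <moddir> is a /lib/modules/<version>-style tree of *.ko files.
# Helper suffixes shared by both naming schemes (from the two lists in the thread).
CONNTRACK_HELPERS="ftp irc tftp h323 sip pptp amanda netbios_ns"

# find_module <moddir> <name>: succeed if <name>.ko exists anywhere under <moddir>.
find_module() {
    find "$1" -name "$2.ko" 2>/dev/null | grep -q .
}

# conntrack_scheme <moddir>: print "nf" (2.6.20+), "ip" (earlier) or "none".
conntrack_scheme() {
    if find_module "$1" nf_conntrack; then echo nf
    elif find_module "$1" ip_conntrack; then echo ip
    else echo none
    fi
}

# emit <moddir> <module>: print a loadmodule line only when the module exists,
# so a helper missing from a distro kernel never produces a failing modprobe.
emit() {
    find_module "$1" "$2" && echo "loadmodule $2"
    return 0
}

# gen_modules <moddir>: core conntrack first, then NAT, then the helpers in
# conntrack/NAT pairs (nf_nat_X needs nf_conntrack_X), then hashlimit.
gen_modules() {
    case $(conntrack_scheme "$1") in
        nf) core="nf_conntrack nf_conntrack_ipv4 nf_nat"; pfx=nf; hl=xt_hashlimit ;;
        ip) core="ip_conntrack ip_nat"; pfx=ip; hl=ipt_hashlimit ;;
        *)  echo "no conntrack modules found under $1" >&2; return 1 ;;
    esac
    for m in $core; do emit "$1" "$m"; done
    for h in $CONNTRACK_HELPERS; do
        emit "$1" "${pfx}_conntrack_$h"
        emit "$1" "${pfx}_nat_$h"
    done
    emit "$1" "$hl"
}

# make_sample_tree <dir> <module>...: constructed stand-in for a kernel module
# tree (empty *.ko files) so the generator can be exercised without /lib/modules.
make_sample_tree() {
    d=$1/kernel/net/netfilter; shift
    mkdir -p "$d"
    for m in "$@"; do : > "$d/$m.ko"; done
}

# On a live system: gen_modules "/lib/modules/$(uname -r)"
```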
shorewall@aanet.com.au wrote:
>
> I sense some offence being taken there. I wasn't criticizing
> Shorewall, or you, (or anyone else for that matter). Most of us
> are just users of your software who haven't much time to monitor
> what's going on behind the scenes.

My annoyance is more with the Netfilter team for making these capricious name changes. But I must also admit that at the moment, I have neither the time nor the computer resources to be able to test Shorewall against new kernel releases.

> I look to this ML for early warnings of glitches as much as for
> solutions to problems and I suspect others do too. Hopefully,
> this thread will serve as an early warning to others.

Indeed.

> Comparing the netfilter modules in 2.6.20-1.2925.fc6 with those in
> 2.6.19-1.2911.6.5.fc6 shows many modules have had their names changed -
> I'm assuming it's only a name change and that the functionality has
> been maintained.
>
> The following modules don't exist in 2.6.20-1.2925.fc6

<details snipped>

> I suppose as a first approximation one could just add the nf_/xt_
> modules to the modules file. Is that likely to screw anything up? (Tom?)

This is getting pretty unwieldy with the massive renaming of modules that has gone on in the last several kernel releases but I've hacked up a /usr/share/shorewall/modules file based on your input and I've attached it. Please give it a try (ignore the version of the file -- the 'modules' files for all supported releases are the same except for the version number in the comments). I don't know if I got the load order correct since I don't have access to "lsmod" output to see the module dependencies.

> Another problem with 2.6.20-1.2925.fc6 is that there is no /proc/net/ip_conntrack
> but I assume that file is provided by nf_conntrack.ko

If you load that module, does /proc/net/ip_conntrack suddenly appear?

> The conclusion is don't update past 2.6.19-1.2911.6.5.fc6, or be prepared for
> messing around with module loading.

Note also that all bridge configurations built using the instructions at http://www.shorewall.net/bridge.html also stop working with 2.6.20 and later kernels.

-Tom
Tom Eastep wrote:
> Note also that all bridge configurations built using the instructions at
> http://www.shorewall.net/bridge.html also stop working with 2.6.20 and later
> kernels.

Do you have any pointers where I can read up on this? Or can you give any hints?
Tom Eastep wrote:
> comments). I don't know if I got the load order correct since I don't have
> access to "lsmod" output to see the module dependencies.

I replaced loadmodule with modprobe and ran it.
Result was (see attached file typescript)

>> Another problem with 2.6.20-1.2925.fc6 is that there is no /proc/net/ip_conntrack
>> but I assume that file is provided by nf_conntrack.ko
>
> If you load that module, does /proc/net/ip_conntrack suddenly appear?

No, but no prizes for guessing what does - /proc/net/nf_conntrack

Methinks the NF guys need a big kick up the backside.

Taso
shorewall@aanet.com.au wrote:
> Tom Eastep wrote:
>
>> comments). I don't know if I got the load order correct since I don't
>> have
>> access to "lsmod" output to see the module dependencies.
>
> I replaced loadmodule with modprobe and ran it.
> Result was (see attached file typescript)

That looks fine -- thanks.

> No, but no prizes for guessing what does - /proc/net/nf_conntrack
>
> Methinks the NF guys need a big kick up the backside.

I wholeheartedly agree....

-Tom
Simon Hobson wrote:
> Tom Eastep wrote:
>
>> Note also that all bridge configurations built using the instructions at
>> http://www.shorewall.net/bridge.html also stop working with 2.6.20 and later
>> kernels.
>
> Do you have any pointers where I can read up on this? Or can you
> give any hints?

Did you think of looking at http://www.shorewall.net/bridge.html?? It has some explanation of the situation and a link to an article showing an alternative way to configure bridges using Shorewall 3.4.

-Tom
Tom Eastep wrote:
>>> Note also that all bridge configurations built using the instructions at
>>> http://www.shorewall.net/bridge.html also stop working with 2.6.20 and later
>>> kernels.
>>
>> Do you have any pointers where I can read up on this? Or can you
>> give any hints?
>
> Did you think of looking at http://www.shorewall.net/bridge.html?? It
> has some explanation of the situation and a link to an article showing
> an alternative way to configure bridges using Shorewall 3.4.

I hadn't - I now see that you have added an extra bit since I last looked at it.

Comparing the two, am I right in thinking that it's the ability to define zones based on physical device that is removed? Hence the change from:

> #ZONE   HOST(S)                                              OPTIONS
> net     br0:eth0
> loc     br0:eth1
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE

to

> #ZONE   HOST(S)                                              OPTIONS
> loc     br0:192.168.1.0/24!192.168.1.10/31,192.168.1.254
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
Simon Hobson wrote:
>
> Comparing the two, am I right in thinking that it's the ability to
> define zones based on physical device that is removed? Hence the
> change from:
>
>> #ZONE   HOST(S)                                              OPTIONS
>> net     br0:eth0
>> loc     br0:eth1
>> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
>
> to
>
>> #ZONE   HOST(S)                                              OPTIONS
>> loc     br0:192.168.1.0/24!192.168.1.10/31,192.168.1.254
>> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE

You are correct. In kernel 2.6.20, the Netfilter Physdev Match capability has been scaled back to the point that it is no longer suitable for use in defining Shorewall zones.

-Tom
For info

No more ftp connection through shorewall with the 2.6.20 (fc6 kernel!)

I have loaded the previous kernel and all is good

DV

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
Sent: Sunday, March 18, 2007 4:10 AM
Subject: Re: [Shorewall-users] 2.6.20 & bridging (Was: Modules not loading)
lpa du morvan wrote:
> For info
>
> No more ftp connection through shorewall with the 2.6.20 (fc6 kernel!)
>
> I have loaded the previous kernel and all is good

I sure hope that every list subscriber isn't going to report this problem individually rather than looking at the "Known Problems" and/or recent list postings...

-Tom
Fixing the archive link in the mailman interface would help a lot, I think.

SCNR

Tom Eastep <teastep@shorewall.net> [19.03.2007 18:34]:
> I sure hope that every list subscriber isn't going to report this problem
> individually rather than looking at the "Known Problems" and/or recent list
> postings...
>> If you load that module, does /proc/net/ip_conntrack suddenly appear?
>
> No, but no prizes for guessing what does - /proc/net/nf_conntrack

In case the significance of this is not obvious, it means that 'shorewall show connections' is now broken (maybe other things too).

IMO, it's best to not install 2.6.20 on key systems until the full extent of the damage wreaked by the NF guys becomes apparent.
Taso Hatzi wrote:
>>> If you load that module, does /proc/net/ip_conntrack suddenly appear?
>>
>> No, but no prizes for guessing what does - /proc/net/nf_conntrack
>
> In case the significance of this is not obvious, it means that
> 'shorewall show connections' is now broken (maybe other things
> too).

It also breaks 'shorewall[-lite] dump'.

> IMO, it's best to not install 2.6.20 on key systems until the
> full extent of the damage wreaked by the NF guys becomes apparent.

I've also posted (untested) patches to fix these commands.

-Tom
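An added example, not one of Tom's patches and not Shorewall code: a shell helper that reads the connection table from whichever of /proc/net/ip_conntrack (before 2.6.20) or /proc/net/nf_conntrack (2.6.20 on) exists, which is the file 'shorewall show connections' stopped finding, and summarises it so a check after a kernel upgrade does not depend on the old name. The function names and the sample entries are assumptions, as is the layout detail that nf_conntrack lines only add leading "ipv4 2" (layer-3 protocol name and number) columns in front of the ip_conntrack layout.

```shell
# Assumption: the proc directory is a parameter so a constructed copy can stand
# in for /proc/net; nf_conntrack lines carry an "ipv4 2" (l3proto, l3num) prefix
# that ip_conntrack lines lack, and are otherwise laid out the same way.

# conntrack_table <procnetdir>: print the path of whichever table the running
# kernel exposes (ip_conntrack before 2.6.20, nf_conntrack from 2.6.20 on).
conntrack_table() {
    for f in ip_conntrack nf_conntrack; do
        if [ -r "$1/$f" ]; then echo "$1/$f"; return 0; fi
    done
    echo "no conntrack table under $1 (conntrack module not loaded?)" >&2
    return 1
}

# count_by_proto <procnetdir>: one "proto count" line per L4 protocol, sorted,
# with both file formats normalised to the same column first.
count_by_proto() {
    t=$(conntrack_table "$1") || return 1
    awk '{ p = ($1 ~ /^ipv[46]$/) ? $3 : $1; print p }' "$t" | sort | uniq -c | awk '{ print $2, $1 }'
}

# established_count <procnetdir>: TCP entries in ESTABLISHED state, the figure
# most worth watching when checking that tracking still works after an upgrade.
established_count() {
    t=$(conntrack_table "$1") || return 1
    grep -c 'tcp .*ESTABLISHED' "$t"
}

# write_sample_table <dir> <ip_conntrack|nf_conntrack>: constructed entries in
# the named format, standing in for the real /proc/net file.
write_sample_table() {
    pre=""
    [ "$2" = nf_conntrack ] && pre="ipv4     2 "
    printf '%stcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=40000 dport=22 [ASSURED] use=1\n' "$pre" > "$1/$2"
    printf '%sudp      17 29 src=192.0.2.10 dst=192.0.2.1 sport=5353 dport=53 use=1\n' "$pre" >> "$1/$2"
    printf '%stcp      6 10 TIME_WAIT src=192.0.2.11 dst=198.51.100.5 sport=40001 dport=80 [ASSURED] use=1\n' "$pre" >> "$1/$2"
}

# On a live system: count_by_proto /proc/net; established_count /proc/net
```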