Jan Mulders
2007-Apr-26 18:55 UTC
Error while "Deleting user chains..." - No chain/target/match by that name
Hello all,
I'm having some trouble getting Shorewall to play ball (or iptables, more
particularly) on a Virtual Machine running Xen 3.0.2-2, with a homegrown
kernel.
Please find below a link to a nice shorewall trace :-)
http://www.vpntunnel.co.uk/trace.txt.gz
To summarise:
....[insert healthy shorewall activity here].....
Clearing Traffic Control/QOS
Deleting user chains...
iptables: No chain/target/match by that name
ERROR: Command "/sbin/iptables -A FORWARD -m state --state
ESTABLISHED,RELATED -j ACCEPT" Failed
Processing /etc/shorewall/stop ...
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
IP Forwarding Enabled
Processing /etc/shorewall/stopped ...
/sbin/shorewall: line 500: 9106 Terminated $SHOREWALL_SHELL
${VARDIR}/.restart $debugging restart
-bash-3.00#
...iptables cries wolf about something not existing.
-bash-3.00# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
-bash-3.00#
...iptables works...
-bash-3.00# uname -a
Linux tree.forest.mysupersecretdomain.co.uk 2.6.16-xenU #4 SMP Thu Apr 26
18:28:21 BST 2007 i686 i686 i386 GNU/Linux
-bash-3.00#
... my kernel sits there looking nice...
#
# Core Netfilter Configuration
#
CONFIG_NETFILTER_NETLINK=m
CONFIG_NETFILTER_NETLINK_QUEUE=m
CONFIG_NETFILTER_NETLINK_LOG=m
CONFIG_NETFILTER_XTABLES=m
CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
# CONFIG_NETFILTER_XT_TARGET_CONNMARK is not set
CONFIG_NETFILTER_XT_TARGET_MARK=m
CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
# CONFIG_NETFILTER_XT_TARGET_NOTRACK is not set
CONFIG_NETFILTER_XT_MATCH_COMMENT=m
# CONFIG_NETFILTER_XT_MATCH_CONNBYTES is not set
# CONFIG_NETFILTER_XT_MATCH_CONNMARK is not set
# CONFIG_NETFILTER_XT_MATCH_CONNTRACK is not set
CONFIG_NETFILTER_XT_MATCH_DCCP=m
# CONFIG_NETFILTER_XT_MATCH_HELPER is not set
CONFIG_NETFILTER_XT_MATCH_LENGTH=m
CONFIG_NETFILTER_XT_MATCH_LIMIT=m
CONFIG_NETFILTER_XT_MATCH_MAC=m
CONFIG_NETFILTER_XT_MATCH_MARK=m
CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
CONFIG_NETFILTER_XT_MATCH_REALM=m
CONFIG_NETFILTER_XT_MATCH_SCTP=m
# CONFIG_NETFILTER_XT_MATCH_STATE is not set
CONFIG_NETFILTER_XT_MATCH_STRING=m
CONFIG_NETFILTER_XT_MATCH_TCPMSS=m
#
# IP: Netfilter Configuration
#
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_CT_ACCT=y
CONFIG_IP_NF_CONNTRACK_MARK=y
# CONFIG_IP_NF_CONNTRACK_EVENTS is not set
# CONFIG_IP_NF_CONNTRACK_NETLINK is not set
# CONFIG_IP_NF_CT_PROTO_SCTP is not set
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_IRC=m
# CONFIG_IP_NF_NETBIOS_NS is not set
CONFIG_IP_NF_TFTP=m
CONFIG_IP_NF_AMANDA=m
CONFIG_IP_NF_PPTP=m
# CONFIG_IP_NF_QUEUE is not set
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_IPRANGE=m
CONFIG_IP_NF_MATCH_MULTIPORT=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_RECENT=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_DSCP=m
CONFIG_IP_NF_MATCH_AH_ESP=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_MATCH_ADDRTYPE=m
CONFIG_IP_NF_MATCH_HASHLIMIT=m
CONFIG_IP_NF_MATCH_POLICY=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_LOG=m
# CONFIG_IP_NF_TARGET_ULOG is not set
CONFIG_IP_NF_TARGET_TCPMSS=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_TARGET_NETMAP=m
CONFIG_IP_NF_TARGET_SAME=m
# CONFIG_IP_NF_NAT_SNMP_BASIC is not set
CONFIG_IP_NF_NAT_IRC=m
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_NAT_TFTP=m
CONFIG_IP_NF_NAT_AMANDA=m
CONFIG_IP_NF_NAT_PPTP=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_DSCP=m
CONFIG_IP_NF_TARGET_TTL=m
# CONFIG_IP_NF_TARGET_CLUSTERIP is not set
CONFIG_IP_NF_RAW=m
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
CONFIG_IP_NF_ARP_MANGLE=m
...And options are being compiled into my kernel.
Anyone see anything blindingly obvious?
The configuration files are transferred from a previously working install on
the same OS.
Thanks all (especially Tom, for doing a great job maintaining Shorewall)!
Jan
Tom Eastep
2007-Apr-26 18:59 UTC
Re: Error while "Deleting user chains..." - No chain/target/match by that name
Jan Mulders wrote:
> Hello all,
>
> I'm having some trouble getting Shorewall to play ball (or iptables,
> more particularly) on a Virtual Machine running Xen 3.0.2-2, with a
> homegrown kernel.
>
> Please find below a link to a nice shorewall trace :-)
>
> http://www.vpntunnel.co.uk/trace.txt.gz
>
> To summarise:
>
> ....[insert healthy shorewall activity here].....
> Clearing Traffic Control/QOS
> Deleting user chains...
> iptables: No chain/target/match by that name
> ERROR: Command "/sbin/iptables -A FORWARD -m state --state
                                            --------
> ESTABLISHED,RELATED -j ACCEPT" Failed

> # CONFIG_NETFILTER_XT_MATCH_STATE is not set
                         ----------------------
>
> Anyone see anything blindingly obvious?
>

I think the above is pretty obvious ;-)

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Jan Mulders
2007-Apr-26 19:31 UTC
Re: Error while "Deleting user chains..." - No chain/target/match by that name
Oh, I hate it when the answer is staring me in the face :-)

Thanks for the reality check Tom!

Jan

On 26/04/07, Tom Eastep <teastep@shorewall.net> wrote:
> Jan Mulders wrote:
> > ERROR: Command "/sbin/iptables -A FORWARD -m state --state
>                                              --------
> > ESTABLISHED,RELATED -j ACCEPT" Failed
>
> > # CONFIG_NETFILTER_XT_MATCH_STATE is not set
>                           ----------------------
> >
> > Anyone see anything blindingly obvious?
> >
>
> I think the above is pretty obvious ;-)
>
> -Tom
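Added example (not part of the thread and not Shorewall's own code): a small shell check for the mismatch Tom points out, where a rule uses `-m state` but the kernel config says `CONFIG_NETFILTER_XT_MATCH_STATE is not set`. The function names `sample_config`, `symbol_status` and `check_rule` are hypothetical, and the lookup assumes the kernel option is named after the extension, which holds for the options quoted in the thread but not for every extension.

```shell
#!/bin/sh
# Added example: flag iptables -m/-j extensions the kernel config has disabled.
# Constructed sample: lines copied from the kernel config quoted in the thread.
sample_config() {
cat <<'EOF'
CONFIG_NETFILTER_XT_MATCH_LIMIT=m
# CONFIG_NETFILTER_XT_MATCH_STATE is not set
CONFIG_IP_NF_MATCH_MULTIPORT=m
CONFIG_IP_NF_TARGET_REJECT=m
# CONFIG_IP_NF_TARGET_ULOG is not set
EOF
}
# symbol_status CONFIG_TEXT KIND NAME -> enabled | disabled | unknown
# KIND is MATCH or TARGET; both prefixes seen in the quoted config are tried.
symbol_status() {
    sym=$(printf '%s' "$3" | tr '[:lower:]' '[:upper:]')
    pat="CONFIG_(NETFILTER_XT|IP_NF)_${2}_${sym}"
    if printf '%s\n' "$1" | grep -Eq "^${pat}=[ym]\$"; then
        echo enabled
    elif printf '%s\n' "$1" | grep -Eq "^# ${pat} is not set\$"; then
        echo disabled
    else
        echo unknown    # option absent, or named differently from the extension
    fi
}
# check_rule CONFIG_TEXT iptables-args...
# Prints "KIND name status" for each -m/-j; returns 1 if any is disabled.
check_rule() {
    cfg=$1; shift; rc=0
    while [ $# -gt 1 ]; do
        case $1 in
            -m|--match) kind=MATCH ;;
            -j|--jump)  kind=TARGET ;;
            *) shift; continue ;;
        esac
        name=$2; shift 2
        case $name in ACCEPT|DROP|RETURN) continue ;; esac  # built-in verdicts
        status=$(symbol_status "$cfg" "$kind" "$name")
        echo "$kind $name $status"
        if [ "$status" = disabled ]; then rc=1; fi
    done
    return "$rc"
}
# The rule that failed in the thread, checked against the sample config.
check_rule "$(sample_config)" -A FORWARD -m state --state ESTABLISHED,RELATED \
    -j ACCEPT || echo "rule uses an extension the kernel config has not set"
```

On a real host, pass the running kernel's config text as the first argument instead of the sample; where that file lives depends on how the kernel was built and packaged.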