I just upgraded my kernel from 2.6.13-4 to 2.6.24 (x86_64). I also built iptables 4.0 and built the netfilter modules for 2.6.24.

I remember reading a while back about the new naming convention netfilter was using for its modules with newer kernels, but I am having a hard time finding that thread when googling through the mail list archives.

Now I am getting "can't load conntrack support for proto=2" errors, and shorewall dies with:

Compiling /etc/shorewall/masq...
ERROR: a non-empty masq file requires NAT in your kernel and iptables : /etc/shorewall/masq (line 222)

I assume these errors are related to the new netfilter modules.

While I am searching the archives, I was hoping someone else might remember this thread or have the solution.

I am running shorewall-4.0.8-2, if it helps.

I have attached the output from 'lsmod' and the contents of my /lib64/iptables directory in case that might help.

I appreciate your help.

Thanks.

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/

This is what you said Scott Ruckh
> I just upgraded my kernel from 2.6.13-4 to 2.6.24 (x86_64). I also built
> iptables 4.0 and built the netfilter modules for 2.6.24.
>
> I remember reading a while back about the new naming convention netfilter
> was using for its modules with newer kernels, but I am having a hard time
> finding that thread when googling through the mail list archives.
>
> Now I am getting "can't load conntrack support for proto=2" errors, and
> shorewall dies with:
>
> Compiling /etc/shorewall/masq...
> ERROR: a non-empty masq file requires NAT in your kernel and iptables :
> /etc/shorewall/masq (line 222)
>
> I assume these errors are related to the new netfilter modules.
>
> While I am searching the archives, I was hoping someone else might
> remember this thread or have the solution.
>
> I am running shorewall-4.0.8-2, if it helps.
>
> I have attached the output from 'lsmod' and the contents of my
> /lib64/iptables directory in case that might help.
>
> I appreciate your help.
>
> Thanks.
>

Should have attached a shorewall dump too. I see from the output that Conntrack support is not available, but I am not quite sure why. I believe I have all of the modules built.

Scott Ruckh wrote:
> I just upgraded my kernel from 2.6.13-4 to 2.6.24 (x86_64). I also built
> iptables 4.0 and built the netfilter modules for 2.6.24.
>
> I remember reading a while back about the new naming convention netfilter
> was using for its modules with newer kernels, but I am having a hard time
> finding that thread when googling through the mail list archives.
>
> Now I am getting "can't load conntrack support for proto=2" errors, and
> shorewall dies with:
>
> Compiling /etc/shorewall/masq...
> ERROR: a non-empty masq file requires NAT in your kernel and iptables :
> /etc/shorewall/masq (line 222)
>
> I assume these errors are related to the new netfilter modules.
>
> While I am searching the archives, I was hoping someone else might
> remember this thread or have the solution.
>
> I am running shorewall-4.0.8-2, if it helps.
>

Scott,

If you are incapable of solving this type of problem by yourself, then I recommend that you avoid running bleeding-edge software like kernel 2.6.24 and iptables 1.4 (which is what I presume that you meant). I no longer try to run such software because I don't have the time to wrestle through these typical Alpha-release issues.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key

Tom Eastep wrote:
>
> Scott,
>
> If you are incapable of solving this type of problem by yourself, then I
> recommend that you avoid running bleeding-edge software like kernel
> 2.6.24 and iptables 1.4 (which is what I presume that you meant). I no
> longer try to run such software because I don't have the time to wrestle
> through these typical Alpha-release issues.
>

That having been said, a case-insensitive search for 'nat' in the output of 'lsmod' fails to find a match. Under 2.6.22:

gateway:~ # lsmod | grep -i nat
iptable_nat            12292  1
nf_nat_tftp             6272  0
nf_nat_snmp_basic      14980  0
nf_nat_sip              9088  0
nf_nat_pptp             8192  0
nf_nat_proto_gre        7300  1 nf_nat_pptp
nf_nat_irc              7168  0
nf_nat_h323            12160  0
nf_nat_ftp              7808  0
nf_nat_amanda           6784  0
nf_conntrack_amanda     9984  1 nf_nat_amanda
nf_conntrack_tftp      11028  1 nf_nat_tftp
nf_conntrack_sip       15764  1 nf_nat_sip
nf_conntrack_pptp      11904  1 nf_nat_pptp
nf_nat                 25388  12 ipt_REDIRECT,ipt_MASQUERADE,iptable_nat,nf_nat_tftp,nf_nat_sip,nf_nat_pptp,nf_nat_proto_gre,nf_nat_irc,nf_nat_h323,nf_nat_ftp,nf_nat_amanda,nf_conntrack_netlink
nf_conntrack_irc       12448  1 nf_nat_irc
nf_conntrack_h323      58720  1 nf_nat_h323
nf_conntrack_ftp       15184  1 nf_nat_ftp
nf_conntrack_ipv4      16528  19 iptable_nat
nf_conntrack           71900  27 xt_conntrack,xt_CONNMARK,xt_connmark,ipt_MASQUERADE,iptable_nat,nf_nat_tftp,nf_nat_snmp_basic,nf_nat_sip,nf_nat_pptp,nf_nat_irc,nf_nat_h323,nf_nat_ftp,nf_nat_amanda,nf_conntrack_amanda,nf_conntrack_tftp,nf_conntrack_sip,nf_conntrack_proto_sctp,nf_conntrack_pptp,nf_conntrack_proto_gre,nf_conntrack_netlink,nf_nat,nf_conntrack_netbios_ns,nf_conntrack_irc,nf_conntrack_h323,nf_conntrack_ftp,nf_conntrack_ipv4,xt_state
nfnetlink              10936  4 nf_conntrack_netlink,nf_nat,nf_conntrack_ipv4,nf_conntrack
ip_tables              24792  4 iptable_mangle,iptable_nat,iptable_raw,iptable_filter
x_tables               24584  27 xt_physdev,xt_TCPMSS,xt_tcpmss,ipt_REJECT,xt_conntrack,ipt_iprange,xt_limit,xt_multiport,xt_CLASSIFY,ipt_addrtype,ipt_LOG,xt_mac,ipt_recent,xt_mark,xt_CONNMARK,xt_connmark,xt_MARK,xt_tcpudp,ipt_REDIRECT,ipt_MASQUERADE,xt_realm,xt_comment,xt_policy,iptable_nat,xt_state,ip_tables,ip6_tables
gateway:~ #

Have you looked at http://www.shorewall.net/kernel.htm?

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key

Tom Eastep wrote:
> Tom Eastep wrote:
>>
>> Scott,
>>
>> If you are incapable of solving this type of problem by yourself, then
>> I recommend that you avoid running bleeding-edge software like kernel
>> 2.6.24 and iptables 1.4 (which is what I presume that you meant). I no
>> longer try to run such software because I don't have the time to
>> wrestle through these typical Alpha-release issues.
>>
>
> That having been said, a case-insensitive search for 'nat' in the output
> of 'lsmod' fails to find a match.

I'm talking about the output of 'lsmod' that you posted -- you apparently have no NAT support in your kernel.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key

This is what you said Tom Eastep
> Tom Eastep wrote:
>>>
>>> Scott,
>>>
>>> If you are incapable of solving this type of problem by yourself, then
>>> I recommend that you avoid running bleeding-edge software like kernel
>>> 2.6.24 and iptables 1.4 (which is what I presume that you meant). I no
>>> longer try to run such software because I don't have the time to
>>> wrestle through these typical Alpha-release issues.
>>>
>>
>> That having been said, a case-insensitive search for 'nat' in the output
>> of 'lsmod' fails to find a match.
>
> I'm talking about the output of 'lsmod' that you posted -- you
> apparently have no NAT support in your kernel.
>
> -Tom
> --

I was not trying to go bleeding edge, I am having some USB issues and was hoping a newer kernel might help resolve. I figured that if I had to upgrade I might as well go with the latest stable.

I will have to go back and look at the config and see if I missed something simple.

In the meantime I took your advice of your first message and went back and compiled 2.6.20.9 just to see what would happen (it appears to be working).

I still went ahead and went with iptables-1.4.0 as I had already had it built. I just went back and compiled the modules for 2.6.20.9.

If this helps my USB issues, I will probably just stay with 2.6.20.9.

Thanks for taking a look, and posting the URL.

Scott Ruckh wrote:
>
> I will have to go back and look at the config and see if I missed
> something simple.

Check that you have at least:

    Full NAT
    MASQUERADE Target support
    REDIRECT Target support

>
> In the meantime I took your advice of your first message and went back and
> compiled 2.6.20.9 just to see what would happen (it appears to be
> working).
>
> I still went ahead and went with iptables-1.4.0 as I had already had it
> built. I just went back and compiled the modules for 2.6.20.9.
>
> If this helps my USB issues, I will probably just stay with 2.6.20.9.

Please let me know if you go back to 2.6.24 and still have problems. The netfilter team don't seem to be very concerned about compatibility when it comes to kernel configuration and module naming.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key

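The three options named in the reply above can be checked directly in a kernel .config before rebuilding. The script below is an added example, not part of the thread; the Kconfig symbol names are an assumption (the 2.6.2x symbols behind those menu prompts, plus the IPv4 conntrack option that NAT depends on), and the config fragment is constructed.

```shell
#!/bin/sh
# Added example (not from the thread). The Kconfig symbol names below are an
# assumption: the 2.6.2x symbols behind the menu prompts "Full NAT",
# "MASQUERADE target support" and "REDIRECT target support", plus the IPv4
# conntrack option that NAT depends on.
REQUIRED_OPTS="CONFIG_NF_CONNTRACK_IPV4 CONFIG_NF_NAT
CONFIG_IP_NF_TARGET_MASQUERADE CONFIG_IP_NF_TARGET_REDIRECT"

# opt_state FILE SYMBOL: print y (built in), m (module) or "missing".
# A "# CONFIG_FOO is not set" line counts as missing.
opt_state() {
    state=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" | head -n 1)
    echo "${state:-missing}"
}

# missing_nat_opts FILE: print the required symbols that are neither y nor m,
# space separated; exit status is 0 only when none are missing.
missing_nat_opts() {
    missing=""
    for opt in $REQUIRED_OPTS; do
        if [ "$(opt_state "$1" "$opt")" = missing ]; then
            missing="$missing $opt"
        fi
    done
    echo "${missing# }"
    [ -z "$missing" ]
}

# Constructed sample: a .config fragment with conntrack selected and the NAT
# options left unset.
sample_config() {
    cat <<'EOF'
CONFIG_NETFILTER=y
CONFIG_NF_CONNTRACK=m
CONFIG_NF_CONNTRACK_IPV4=m
# CONFIG_NF_NAT is not set
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_FILTER=m
EOF
}

cfg=$(mktemp)
sample_config > "$cfg"
if result=$(missing_nat_opts "$cfg"); then
    echo "NAT options present"
else
    echo "Missing from kernel config: $result"
fi
rm -f "$cfg"
```

To check a real build, pass the path of the .config in the kernel source tree to missing_nat_opts.
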
> Scott,
>
> If you are incapable of solving this type of problem by yourself, then I
> recommend that you avoid running bleeding-edge software like kernel
> 2.6.24 and iptables 1.4 (which is what I presume that you meant). I no
> longer try to run such software because I don't have the time to wrestle
> through these typical Alpha-release issues.
>
> -Tom

Turns out this is just a stupid human trick. I apparently missed some options when compiling 2.6.24. I was having problems seeing the trees in the forest. After going back for at least the 4th time and selecting the correct options, shorewall worked fine.

I am still going to stick with 2.6.20.9 for now because I was having some other issues with 2.6.24 that I do not want to deal with right now.

Sorry for wasting your time. Thanks for your quick responses, your exceptional tech support, and great product.