sean mathews
2008-Dec-02 14:40 UTC
ERROR: the provider 'track' option requires Connmark Match in your kernel and iptables
Hey Tom. Long time no talk... finally, like 5 years later, I am starting the process of upgrading some of my network appliances. I am moving from Shorewall 1.4 to 4.0, mainly for the multi-ISP support. In my testing under QEMU, with my flash drive housing all of my LRP-based packages, I am getting an error starting Shorewall with a multiple-providers configuration.

Again, my system is embedded, running on a diskless low-power board with 4 ethernet ports. It is using busybox and my own init process, so it's not exactly standard, and already in the past I found some issues with the "arp" command, as I recall, that you patched into 1.4 back in the day.

So here is the error:

ERROR: the provider 'track' option requires Connmark Match in your kernel and iptables

At the end of this email is some info that will help figure out what's up. I have looked it over for a few days and to me it seems that my kernel and iptables should support the Connmark module. I updated the kernel with what is, as best I can tell, all that is needed from the docs, but I have __NOT__ yet updated my iptables; it's my next target.

Ideas?

Thanks for your time. Hope all is well up north; enjoying the rain today here in Portland.

Regards
Sean Mathews
Nu Tech CTO
Nu Tech Software Solutions, inc.
Tigard Oregon.

struct SoftwareProfessional {
    double salary;
    long lunches;
    float jobs;
    char unstable;
    void work;
    short tempers;
};

shorecap reports:

CONNMARK=
XCONNMAR=
CONNMARK_MATCH=
XCONNMARK_MATCH=

[root@UFO]# iptables -N foobar123
[root@UFO]# iptables -A foobar123 -m connmark --mark 2 -j ACCEPT
[root@UFO]# iptables: No chain/target/match by that name

Shorewall-4.2.2
iptables v1.3.4: no command specified
Try `iptables -h' or 'iptables --help' for more information.

Linux Kernel v2.4.32-bs-ebtables-grsec Configuration: QoS and/or fair queueing
(Legend: [*] built-in, [ ] excluded, <M> module, < > module capable)

  [*] QoS and/or fair queueing
  < > CBQ packet scheduler
  <*> HTB packet scheduler
  < > CSZ packet scheduler
  < > H-FSC packet scheduler
  < > ATM pseudo-scheduler
  <*> The simplest PRIO pseudoscheduler
  < > RED queue
  <*> SFQ queue
  < > TEQL queue
  < > TBF queue
  < > GRED queue
  < > Network emulator
  < > Diffserv field marker
  <*> Ingress Qdisc
  [*] QoS support
  [*] Rate estimator
  [*] Packet classifier API
  < > TC index classifier
  < > Routing table based classifier
  <*> Firewall based classifier
  <*> U32 classifier
  < > Special RSVP classifier
  < > Special RSVP classifier for IPv6
  [*] Traffic policing (needed for in/egress)

Linux Kernel v2.4.32-bs-ebtables-grsec Configuration: Networking options

  <*> Packet socket
  [ ] Packet socket: mmapped IO
  < > Netlink device emulation
  [*] Network packet filtering (replaces ipchains)
  [ ] Network packet filtering debugging
  [*] Socket Filtering
  <*> Unix domain sockets
  [*] TCP/IP networking
  [*] IP: multicasting
  [*] IP: advanced router
  [*] IP: policy routing
  [*] IP: use netfilter MARK value as routing key
  [*] IP: fast network address translation
  [*] IP: equal cost multipath
  [*] IP: use TOS value as routing key
  [*] IP: verbose route monitoring
  [ ] IP: kernel level autoconfiguration
  <*> IP: tunneling
  <*> IP: GRE tunnels over IP
  [ ] IP: broadcast GRE over IP
  [ ] IP: multicast routing
  [ ] IP: ARP daemon support (EXPERIMENTAL)
  [*] IP: TCP Explicit Congestion Notification support
  [*] IP: TCP syncookie support (disabled per default)
      IP: Netfilter Configuration --->
      IP: Virtual Server Configuration --->
  < > The IPv6 protocol (EXPERIMENTAL)
  < > Kernel httpd acceleration (EXPERIMENTAL)
      SCTP Configuration (EXPERIMENTAL) --->
  <*> Asynchronous Transfer Mode (ATM) (EXPERIMENTAL)
  <*> Classical IP over ATM
  [ ] Do NOT send ICMP if no neighbour
  < > LAN Emulation (LANE) support
  < > RFC1483/2684 Bridged protocols
  <*> 802.1Q VLAN Support
  ---
  < > The IPX protocol
  < > Appletalk protocol support
  < > DECnet Support
  <*> 802.1d Ethernet Bridging
  <*> Bridge: ebtables
  <*> ebt: filter table support
  <*> ebt: nat table support
  <*> ebt: broute table support
  <*> ebt: log support
  <*> ebt: ulog support
  <*> ebt: IP filter support
  <*> ebt: ARP filter support
  <*> ebt: among filter support
  <*> ebt: limit filter support
  <*> ebt: 802.1Q VLAN filter support
  <*> ebt: 802.3 filter support
  <*> ebt: packet type filter support
  <*> ebt: STP filter support
  <*> ebt: mark filter support
  <*> ebt: arp reply target support
  <*> ebt: snat target support
  <*> ebt: dnat target support
  <*> ebt: redirect target support
  <*> ebt: mark target support
  < > CCITT X.25 Packet Layer (EXPERIMENTAL)
Shorewall Geek
2008-Dec-02 23:35 UTC
Re: ERROR: the provider 'track' option requires Connmark Match in your kernel and iptables
sean mathews wrote:
> So here is the error.
>
> ERROR: the provider 'track' option requires Connmark Match in your kernel and iptables
>
> At the end of this email is some info that will help figure out what's up. I have looked it over for a few days and to
> me it seems that my kernel and iptables should support the Connmark module.
>
> I updated the kernel with what is as best I can tell all that is needed from the docs, but I have
> __NOT__ yet updated my iptables but it's my next target.
>

You almost certainly need to update your iptables. You will know that your iptables is correct when you can enter this command:

iptables -m conntrack -h

and you don't get an error.

>
> Ideas?
>

Don't know about your kernel -- the config info you posted didn't include anything about your netfilter configuration and I haven't built a 2.4 kernel in years.
Sean Mathews
2008-Dec-05 18:37 UTC
Re: ERROR: the provider 'track' option requires Connmark Match in your kernel and iptables
Ok, after a week of trying I think it's time to call this turkey cooked.

iptables -m conntrack -h was never a problem. I can also call iptables -m connmark -h with no problem, but if I try to use the rule as it is used in shorecap it fails. I can see so far no way to get connmark match support to work:

iptables -A foo123 -m connmark --mark 2 -j ACCEPT

I don't see any stock support in the 2.4.33 kernel for connmark match support. I don't see any support in patch-o-matic or patch-o-matic-ng. I did find a few patches out in the wild for this, but even after applying them and fixing a few issues in the patch I was not able to get iptables to agree with connmark match being installed. I tried 1.3.8 and 1.4 series iptables.

I was however able to use a freshly compiled 2.6.22 kernel and, with a few mods, boot it up on my CF disk, and it did support connmark match. It seems that support for iptables on 2.4 kernels is going away :(

I still prefer the 2.4 kernel for its small footprint and superior reliability. I have production firewalls with uptimes over 3 years with an average traffic load over 20mbits to the world on a 2.4 kernel. I have my doubts that a 2.6 kernel is as reliable, but we shall see.

This is not the definitive answer to this, but it warrants a little more study, and if it is concluded that the ability to use connmark match and multi-ISP support is not "stock" in 2.4.x kernels then maybe an update on the Shorewall docs is in order to deter others from wasting a week : c )

If however ANYONE did get this module to work on a 2.4 kernel please post back how and where the patches are maintained for your kernel.

Re
Sean M

> -----Original Message-----
> From: Shorewall Geek [mailto:shorewalljunky@comcast.net]
> Sent: Tuesday, December 02, 2008 3:35 PM
> To: Sean Mathews; Shorewall Users
> Subject: Re: [Shorewall-users] ERROR: the provider 'track' option requires
> Connmark Match in your kernel and iptables
>
>
> sean mathews wrote:
> > So here is the error.
> >
> > ERROR: the provider 'track' option requires Connmark Match in your
> > kernel and iptables
> >
> > At the end of this email is some info that will help figure out what's
> > up. I have looked it over for a few days and to
> > me it seems that my kernel and iptables should support the Connmark
> > module.
> >
> > I updated the kernel with what is as best I can tell all that is needed
> > from the docs, but I have
> > __NOT__ yet updated my iptables but it's my next target.
> >
>
> You almost certainly need to update your iptables. You will know that
> your iptables is correct when you can enter this command:
>
> iptables -m conntrack -h
>
> and you don't get an error.
>
> >
> > Ideas?
> >
>
> Don't know about your kernel -- the config info you posted didn't
> include anything about your netfilter configuration and I haven't built
> a 2.4 kernel in years.
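The thread's practical lesson is that `iptables -m connmark -h` only proves the userspace extension library loads; whether the running kernel actually has the match is only proven by inserting a real rule, which is what shorecap's probe does. The script below is an added example written for this page, not Shorewall's shorecap or any code from the thread. It creates a scratch chain (the chain name, the `PROBE_OUTPUT` variable and the `--run` guard are this example's own choices), tries the same `-m connmark --mark 2` rule Sean used, cleans up, and classifies the failure. The "No chain/target/match by that name" string is the message from the thread; the "userspace" patterns are the typical iptables 1.3/1.4 wordings from memory and should be checked against the local iptables version.

```shell
#!/bin/sh
# Added example (not Shorewall's shorecap): probe whether the iptables binary
# AND the running kernel together accept a "-m connmark --mark N" rule.
# "iptables -m connmark -h" only proves the userspace extension loads; the
# kernel side is only proven by inserting a real rule into a scratch chain.

IPTABLES="${IPTABLES:-iptables}"          # binary to probe; override via env
CHAIN="shorecap_probe_$$"                 # constructed scratch chain name

# probe_connmark_match [iptables-cmd] [chain]
# Exit status: 0 = rule inserted, 1 = rule rejected, 2 = could not create the
# scratch chain (not root, or iptables missing). The rejection message is left
# in PROBE_OUTPUT. The scratch chain is always flushed and deleted afterwards.
probe_connmark_match() {
    ipt="${1:-$IPTABLES}"
    chain="${2:-$CHAIN}"
    PROBE_OUTPUT=""
    "$ipt" -N "$chain" 2>/dev/null || return 2
    # The assignment's exit status is that of the command substitution.
    if PROBE_OUTPUT=$("$ipt" -A "$chain" -m connmark --mark 2 -j RETURN 2>&1); then
        rc=0
    else
        rc=1
    fi
    "$ipt" -F "$chain" 2>/dev/null
    "$ipt" -X "$chain" 2>/dev/null
    return "$rc"
}

# diagnose_connmark <exit-status> <message>
# Maps the probe result to which half is missing. The "No chain/target/match"
# text is the message from the thread (the kernel refused the match); the
# userspace patterns are typical iptables 1.3/1.4 wordings from memory and
# should be checked against your own iptables version.
diagnose_connmark() {
    rc="$1"; msg="$2"
    case "$rc" in
        0) echo "ok: connmark match usable" ;;
        2) echo "no-chain: could not create scratch chain (root? iptables present?)" ;;
        *)
            case "$msg" in
                *"No chain/target/match by that name"*)
                    echo "kernel: userspace knows connmark, kernel lacks the match module" ;;
                *"Couldn't load match"*|*"Unknown arg"*|*"unknown option"*)
                    echo "userspace: iptables lacks the connmark extension" ;;
                *)  echo "unknown: $msg" ;;
            esac ;;
    esac
}

# Only touch the real firewall when explicitly asked to (run as root).
if [ "${1:-}" = "--run" ]; then
    rc=0
    probe_connmark_match || rc=$?
    diagnose_connmark "$rc" "$PROBE_OUTPUT"
fi
```

Run it as `sh probe.sh --run` on the firewall itself; without `--run` it only defines the functions, so it can be sourced and pointed at a different binary via `IPTABLES=/usr/local/sbin/iptables`. Applied to the output Sean pasted, the probe would report the "kernel" branch, which is consistent with what he found after a week of testing: the userspace side was fine and the 2.4 kernel lacked the match.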
Shorewall Geek
2008-Dec-05 19:11 UTC
Re: ERROR: the provider 'track' option requires Connmark Match in your kernel and iptables
Sean Mathews wrote:
>
> This is not the definitive answer to this but it warrants a little more
> study and if it is concluded that the ability to use connmark match and
> multi ISP support is not "stock" in 2.4.x kernels then maybe an update
> on the Shorewall docs is in order to deter others from wasting a week :
> c )
>
> If however ANYONE did get this module to work on a 2.4 kernel please
> post back how and where the patches are maintained for your kernel.

You might post on leaf-user@lists.sourceforge.net; Leaf Bering-uClibc is still running on a 2.4 kernel and uses Shorewall as its standard firewall configuration tool.
Shorewall Geek
2008-Dec-09 16:15 UTC
Re: ERROR: the provider 'track' option requires Connmark Match in your kernel and iptables
sean mathews wrote:
> Again my system is embedded running on a diskless low power board with 4 ethernet ports. It is using
> busybox and my own init process so it's not exactly standard and already in the past I found some
> issues with the "arp" command as I recall that you patched into 1.4 back in the day.

As part of this migration, I would urge you to install Shorewall-lite on the routers and run Shorewall-perl on an administrative system within your network.