Hi Tom and other gurus,

I modified SHOREWALL (version 2.0.15) for bridging and I cannot restart it. I got the following error:

...
Processing /etc/shorewall/policy...
Policy ACCEPT for fw to net using chain fw2net
Policy REJECT for fw to loc using chain all2all
Policy DROP for net to fw using chain net2all
Policy ACCEPT for loc to fw using chain loc2fw
Policy ACCEPT for loc to net using chain loc2net
Masqueraded Networks and Hosts:
Processing /etc/shorewall/tos...
Rule "all all tcp - ssh 16" added.
Rule "all all tcp ssh - 16" added.
Rule "all all tcp - ftp 16" added.
Rule "all all tcp ftp - 16" added.
Rule "all all tcp ftp-data - 8" added.
Rule "all all tcp - ftp-data 8" added.
Processing /etc/shorewall/ecn...
Setting up Traffic Control Rules...
Activating Rules...

iptables: No chain/target/match by that name
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ <=== The error is here

Processing /etc/shorewall/stop ...
IP Forwarding Enabled
Processing /etc/shorewall/stopped ...
Terminated

I am sure that must be my fault but I could not find out which file could contain the error after checking all files three times.

Any suggestions?

Thank you.

M Lu
Sorry. I forgot to list some configs.

- shorewall.conf
..
BRIDGING=Yes
..

- hosts
..
#ZONE   HOST(S)     OPTIONS
net     br0:eth0
loc     br0:ath0
..

- interfaces
..
#ZONE   INTERFACE   BROADCAST    OPTIONS
#
-       br0         10.9.9.255
..

- policy
..
loc     fw      ACCEPT
loc     net     ACCEPT
fw      net     ACCEPT
#
net     all     DROP    ULOG
#
# THE FOLLOWING POLICY MUST BE LAST
#
all     all     REJECT  ULOG
..

- routestopped
..
br0     10.9.9.0/24     routeback
..

- rules
..
ACCEPT  net     fw      tcp     53
ACCEPT  net     fw      udp     53
ACCEPT  net     fw      tcp     22
ACCEPT  net     fw      icmp    8
ACCEPT  fw      loc     icmp    8
ACCEPT  fw      net     icmp    8

- zones
..
net     Net     Internet
loc     Local   Local networks
..

My 'masq' file is empty. I even removed 'rules' but still the same error. If I set BRIDGING=No, then 'shorewall restart' hangs after the output

Activating Rules...

I do not know if this info is relevant, but below is my network config and it looks like it comes up OK; I got all interfaces 'eth0', 'ath0' and 'br0' up with only 'br0' having an IP.

/etc/network/interfaces:

# Loopback interface.
auto lo
iface lo inet loopback
#
auto br0
iface br0 inet static
    address 10.9.9.199
    netmask 255.255.255.0
    broadcast 10.9.9.255
    network 10.9.9.0
    gateway 10.9.9.254
    bridge_ports ath0 eth0
    up /usr/sbin/iwpriv ath0 mode 0
    up /usr/sbin/iwconfig ath0 essid "access" mode master rate 11M enc off

----- Original Message -----
From: "M Lu" <mlu919@hotmail.com>
To: "Mailing List for Shorewall Users" <shorewall-users@lists.shorewall.net>
Sent: Thursday, January 20, 2005 11:47 PM
Subject: [Shorewall-users] Cannot restart shorewall

> Hi Tom and other gurus,
>
> I modified SHOREWALL (version 2.0.15) for bridging and I cannot restart
> it.
> I got the following error
>
> ...
> Processing /etc/shorewall/policy...
> Policy ACCEPT for fw to net using chain fw2net
> Policy REJECT for fw to loc using chain all2all
> Policy DROP for net to fw using chain net2all
> Policy ACCEPT for loc to fw using chain loc2fw
> Policy ACCEPT for loc to net using chain loc2net
> Masqueraded Networks and Hosts:
> Processing /etc/shorewall/tos...
> Rule "all all tcp - ssh 16" added.
> Rule "all all tcp ssh - 16" added.
> Rule "all all tcp - ftp 16" added.
> Rule "all all tcp ftp - 16" added.
> Rule "all all tcp ftp-data - 8" added.
> Rule "all all tcp - ftp-data 8" added.
> Processing /etc/shorewall/ecn...
> Setting up Traffic Control Rules...
> Activating Rules...
>
> iptables: No chain/target/match by that name
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ <=== The error is here
>
> Processing /etc/shorewall/stop ...
> IP Forwarding Enabled
> Processing /etc/shorewall/stopped ...
> Terminated
>
>
> I am sure that must be my fault but I could not find out which file could
> contain the error after checking all files three times.
>
> Any suggestions?
>
> Thank you.
>
> M Lu
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe:
> https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
>
M Lu wrote:

> Processing /etc/shorewall/ecn...
> Setting up Traffic Control Rules...
> Activating Rules...
>
> iptables: No chain/target/match by that name
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ <=== The error is here
>
> Processing /etc/shorewall/stop ...
> IP Forwarding Enabled
> Processing /etc/shorewall/stopped ...
> Terminated
>
>
> I am sure that must be my fault but I could not find out which file could
> contain the error after checking all files three times.
>
> Any suggestions?
>

Yes -- follow the procedure outlined in the Troubleshooting Guide's section entitled

"shorewall start" and "shorewall restart" Errors

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Thank you Tom,

I did that and here is part of the output where the error occurs, and I still do not know the reason.

.......

+ physdev_echo --physdev-out eth0
+ [ -f /tmp/shorewall-16704/physdev ]
+ echo -m physdev --physdev-out eth0
+
+ run_iptables -A OUTPUT -o br0 -m physdev --physdev-out eth0 -j fw2net
+ [ -n Yes ]
+ [ -f /tmp/shorewall-16704/physdev ]
+ rm -f /tmp/shorewall-16704/physdev
+ iptables -A OUTPUT -o br0 -m physdev --physdev-out eth0 -j fw2net
iptables: No chain/target/match by that name
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+ [ -z ]
+ stop_firewall
+ [ -n /var/lib/shorewall/shorewall-16704 ]
+ rm -f /var/lib/shorewall/shorewall-16704
+ set +x

...

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Mailing List for Shorewall Users" <shorewall-users@lists.shorewall.net>
Sent: Friday, January 21, 2005 10:56 AM
Subject: Re: [Shorewall-users] Cannot restart shorewall

>
> Yes -- follow the procedure outlined in the Troubleshooting Guide's
> section entitled
>
> "shorewall start" and "shorewall restart" Errors
>
> -Tom
> --
M Lu wrote:

> Thank you Tom,
>
> I did that and here is part of the output where error occurs and I still
> do not know the reason.
>
> .......
>
> + physdev_echo --physdev-out eth0
> + [ -f /tmp/shorewall-16704/physdev ]
> + echo -m physdev --physdev-out eth0
> +
> + run_iptables -A OUTPUT -o br0 -m physdev --physdev-out eth0 -j fw2net
> + [ -n Yes ]
> + [ -f /tmp/shorewall-16704/physdev ]
> + rm -f /tmp/shorewall-16704/physdev
> + iptables -A OUTPUT -o br0 -m physdev --physdev-out eth0 -j fw2net
> iptables: No chain/target/match by that name
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> + [ -z ]
> + stop_firewall
> + [ -n /var/lib/shorewall/shorewall-16704 ]
> + rm -f /var/lib/shorewall/shorewall-16704
> + set +x

Looks like your kernel doesn't have physdev match support or you haven't loaded the ipt_physdev module.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom,

I am very sorry for not RTFM-ing carefully. I have your docs on 'Bridge' in front of me but I just read on the configuration and I ignored the very clear sentence:

- Your kernel must contain Netfilter physdev match support (CONFIG_IP_NF_MATCH_PHYSDEV=m or CONFIG_IP_NF_MATCH_PHYSDEV=y). Physdev match is standard in the 2.6 kernel series but must be patched into the 2.4 kernels (see http://bridge.sf.net). Bering and Bering uCLibc users must find and install ipt_physdev.o for their distribution and add "ipt_physdev" to /etc/modules.

Actually I searched for 'ipt_physdev' in the LEAF Bering mail archive and did not get a hit. So I CC this to LEAF in case somebody made the same mistake.

Thanks.

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Mailing List for Shorewall Users" <shorewall-users@lists.shorewall.net>
Sent: Friday, January 21, 2005 3:26 PM
Subject: Re: [Shorewall-users] Cannot restart shorewall

> M Lu wrote:
>> Thank you Tom,
>>
>> I did that and here is part of the output where error occurs and I still
>> do not know the reason.
>>
>> .......
>>
>> + physdev_echo --physdev-out eth0
>> + [ -f /tmp/shorewall-16704/physdev ]
>> + echo -m physdev --physdev-out eth0
>> +
>> + run_iptables -A OUTPUT -o br0 -m physdev --physdev-out eth0 -j fw2net
>> + [ -n Yes ]
>> + [ -f /tmp/shorewall-16704/physdev ]
>> + rm -f /tmp/shorewall-16704/physdev
>> + iptables -A OUTPUT -o br0 -m physdev --physdev-out eth0 -j fw2net
>> iptables: No chain/target/match by that name
>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>> + [ -z ]
>> + stop_firewall
>> + [ -n /var/lib/shorewall/shorewall-16704 ]
>> + rm -f /var/lib/shorewall/shorewall-16704
>> + set +x
>
> Looks like your kernel doesn't have physdev match support or you haven't
> loaded the ipt_physdev module.
>
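The message "iptables: No chain/target/match by that name" that started this thread is ambiguous: iptables prints it both when a match extension (here `-m physdev`) is not available in the running kernel and when the chain named by `-j` (here `fw2net`) does not exist. The following shell script, added here as an editorial example and not part of the thread or of Shorewall's own code, separates the two causes before Shorewall is started. It assumes a Linux host where the kernel publishes its loaded match extensions in /proc/net/ip_tables_matches (present once ip_tables is loaded) and where `iptables-save` prints chains as `:NAME POLICY [pkts:bytes]` lines under a `*table` header; the function names are this example's own, and both functions accept a file path so they can also be run against saved copies of that data.

```shell
#!/bin/sh
# Distinguish the two causes of "iptables: No chain/target/match by that name"
# for a Shorewall bridging rule such as:
#   iptables -A OUTPUT -o br0 -m physdev --physdev-out eth0 -j fw2net
# Either the physdev match is missing from the kernel, or the fw2net chain
# has not been created yet.  Helper names below are this example's own.

# Usage: has_match NAME [MATCHES_FILE]
# Returns 0 if NAME is listed in the kernel's match list, 1 if it is not,
# 2 if the list cannot be read (ip_tables not loaded, or wrong path).
# MATCHES_FILE defaults to /proc/net/ip_tables_matches.
has_match() {
    name=$1
    file=${2:-/proc/net/ip_tables_matches}
    [ -r "$file" ] || return 2
    grep -qx "$name" "$file"
}

# Usage: chain_exists CHAIN [TABLE] [SAVE_FILE]
# Returns 0 if CHAIN is declared in TABLE (default: filter) of an
# iptables-save dump.  SAVE_FILE defaults to live `iptables-save` output;
# returns 2 if that output cannot be obtained.
chain_exists() {
    chain=$1
    table=${2:-filter}
    file=$3
    if [ -z "$file" ]; then
        dump=$(iptables-save 2>/dev/null) || return 2
    else
        dump=$(cat "$file") || return 2
    fi
    # Track which *table we are in; a chain declaration is a ":NAME ..." line.
    printf '%s\n' "$dump" | awk -v t="*$table" -v c=":$chain" '
        $0 == t              { in_table = 1; next }
        /^\*/                { in_table = 0 }
        in_table && $1 == c  { found = 1; exit }
        END                  { exit !found }'
}

# Usage: diagnose_physdev_rule CHAIN [MATCHES_FILE] [SAVE_FILE]
# Reports which precondition of "-m physdev ... -j CHAIN" is not met.
# Returns 0 only if both the match and the chain are present.
diagnose_physdev_rule() {
    chain=$1
    matches=$2
    save=$3
    status=0
    if has_match physdev "$matches"; then
        echo "physdev match: available"
    else
        # Kernel option and module name are those the Shorewall bridge docs
        # quote above; on recent kernels the module is called xt_physdev.
        echo "physdev match: NOT available (kernel needs CONFIG_IP_NF_MATCH_PHYSDEV," \
             "or load the module: modprobe ipt_physdev / xt_physdev)"
        status=1
    fi
    if chain_exists "$chain" filter "$save"; then
        echo "chain $chain: exists in filter table"
    else
        echo "chain $chain: MISSING in filter table (rule ordering problem, not a kernel problem)"
        status=1
    fi
    return $status
}

# Run against the live system only when asked:  sh physdev_check.sh run fw2net
case "${1:-}" in
    run) diagnose_physdev_rule "${2:-fw2net}" ;;
esac
```

In the trace M Lu posted, the failing command is the `iptables -A OUTPUT ... -m physdev ... -j fw2net` line, and the policy output earlier shows `fw2net` being created, so the first check is the one that fails there; running `diagnose_physdev_rule fw2net` on such a host reports the missing match and exits non-zero, which makes it usable as a guard in the script that starts Shorewall.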