Hello,

Due to a kernel panic I decided to downgrade my freshly installed Mandrake 10 system with the 2.6.3 kernel to a 2.4.25 kernel. After this shorewall did not start. It quit at the lines where the masq file was parsed.

I had the following line in masq:

    eth0 eth1

I get an iptables parameter error.

I now changed the line to:

    eth0 192.168.0.0/24

and now it is working again.

Rebuilding iptables myself did not make a difference.

FYI, I now have iptables 1.29 as in distribution of Mandrake 10 Official.

Is this a shorewall or an iptables problem?

--
Regards,
Peter

Well, it's doing something.....
-
- Do you have a Dreambox 7000S?
- Take a look at http://www.dreamvcr.com
- Also take a look at http://www.lindeman.org
- ICQ 22383596
- Uptime lindeman.org
- 0 days, 0 hours and 14 minutes, 0 users logged in.

Peter Lindeman wrote:
>
> Rebuilding iptables myself did not make a difference
>
> FYI, I now have iptables 1.29 as in distribution of Mandrake 10 Official.
>
> Is this a shorewall or an iptables problem?
>

In 99.99% of cases, this is an incompatibility between iptables and the running kernel. Also, when you build and install your own iptables it is placed in /usr/local/sbin so you need to modify your PATH (in shorewall.conf) accordingly.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Tom Eastep wrote:
>> Rebuilding iptables myself did not make a difference
>>
>> FYI, I now have iptables 1.29 as in distribution of Mandrake 10
>> Official.
>>
>> Is this a shorewall or an iptables problem?
>>
> In 99.99% of cases, this is an incompatibility between iptables and the
> running kernel. Also, when you build and install your own iptables it is
> placed in /usr/local/sbin so you need to modify your PATH (in
> shorewall.conf) accordingly.

I did. I also removed the RPM from MDK when I installed my own build IPtables so there was effectively only 1 iptables on the disk. When I read the description of the RPM it claims that it is compatible with both kernels. Because I have read more here about these incompatibilities I did a build of my own but it reacted exactly the same.

--
Regards,
Peter

Cannot read the usage from the media .INI file.
-
- Do you have a Dreambox 7000S?
- Take a look at http://www.dreamvcr.com
- Also take a look at http://www.lindeman.org
- ICQ 22383596
- Uptime lindeman.org
- 0 days, 1 hours and 6 minutes, 0 users logged in.

Peter Lindeman wrote:
> Tom Eastep wrote:
>
>>> Rebuilding iptables myself did not make a difference
>>>
>>> FYI, I now have iptables 1.29 as in distribution of Mandrake 10
>>> Official.
>>>
>>> Is this a shorewall or an iptables problem?
>>>
>> In 99.99% of cases, this is an incompatibility between iptables and
>> the running kernel. Also, when you build and install your own iptables
>> it is placed in /usr/local/sbin so you need to modify your PATH (in
>> shorewall.conf) accordingly.
>
>
> I did. I also removed the RPM from MDK when I installed my own build
> IPtables so there was effectively only 1 iptables on the disk. When I
> read the description of the RPM it claims that it is compatible with
> both kernels. Because I have read more here about these
> incompatibilities I did a build of my own but it reacted exactly the
> same.
>

And you built it against the source for the 2.4 kernel that you are actually running?

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Tom Eastep wrote:
>> I did. I also removed the RPM from MDK when I installed my own build
>> IPtables so there was effectively only 1 iptables on the disk. When I
>> read the description of the RPM it claims that it is compatible with
>> both kernels. Because I have read more here about these
>> incompatibilities I did a build of my own but it reacted exactly the
>> same.
>>
>
> And you built it against the source for the 2.4 kernel that you are
> actually running?

I do not have any kernel-source installed but it built without any complaints. I will install the kernel source of this kernel and rebuild iptables again.

--
Regards,
Peter

What the hell!?
-
- Do you have a Dreambox 7000S?
- Take a look at http://www.dreamvcr.com
- Also take a look at http://www.lindeman.org
- ICQ 22383596
- Uptime lindeman.org
- 0 days, 1 hours and 35 minutes, 1 user logged in.

Tom Eastep wrote:
> Peter Lindeman wrote:
>
>> Tom Eastep wrote:
>>
>>>> Rebuilding iptables myself did not make a difference
>>>>
>>>> FYI, I now have iptables 1.29 as in distribution of Mandrake 10
>>>> Official.
>>>>
>>>> Is this a shorewall or an iptables problem?
>>>>
>>> In 99.99% of cases, this is an incompatibility between iptables and
>>> the running kernel. Also, when you build and install your own
>>> iptables it is placed in /usr/local/sbin so you need to modify your
>>> PATH (in shorewall.conf) accordingly.
>>
>>
>>
>> I did. I also removed the RPM from MDK when I installed my own build
>> IPtables so there was effectively only 1 iptables on the disk. When I
>> read the description of the RPM it claims that it is compatible with
>> both kernels. Because I have read more here about these
>> incompatibilities I did a build of my own but it reacted exactly the
>> same.
>>
>
> And you built it against the source for the 2.4 kernel that you are
> actually running?
>

If you want to prove to yourself that this is an iptables problem:

    iptables -t nat -A POSTROUTING -s xxx.xxx.xxx.xxx/yy -j MASQUERADE

where xxx.xxx.xxx.xxx/yy is your internal network.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Tom Eastep wrote:
>> I did. I also removed the RPM from MDK when I installed my own build
>> IPtables so there was effectively only 1 iptables on the disk. When I
>> read the description of the RPM it claims that it is compatible with
>> both kernels. Because I have read more here about these
>> incompatibilities I did a build of my own but it reacted exactly the
>> same.
>>
>
> And you built it against the source for the 2.4 kernel that you are
> actually running?

I installed the kernel source and did a rebuild of iptables. You were right, the problem is gone. I am a bit surprised that a build of iptables was possible without having the kernel source. I also can conclude that the iptables build of Mandrake 10 is not correct with a kernel 2.4.25 of the same install. Confusing ;-)

I also installed 2.02c now through the install script and there are some text errors in it. The script says it installed the template files in /etc/shorewall but of course it did install in /usr/share/shorewall. Not a big issue but I guess it can confuse people ;-)

--
Regards,
Peter

Hmmm, curious...
-
- Do you have a Dreambox 7000S?
- Take a look at http://www.dreamvcr.com
- Also take a look at http://www.lindeman.org
- ICQ 22383596
- Uptime lindeman.org
- 0 days, 3 hours and 31 minutes, 0 users logged in.

Peter Lindeman wrote:
>
> I also installed 2.02c now through the install script and there are some
> text errors in it. The script says it installed the template files in
> /etc/shorewall but of course it did install in /usr/share/shorewall. Not
> a big issue but I guess it can confuse people ;-)
>

Thanks -- I've corrected those for 2.0.3

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Tom Eastep wrote:
> Peter Lindeman wrote:
>
>>
>> I also installed 2.02c now through the install script and there are
>> some text errors in it. The script says it installed the template
>> files in /etc/shorewall but of course it did install in
>> /usr/share/shorewall. Not a big issue but I guess it can confuse people
>> ;-)
>>
>
> Thanks -- I've corrected those for 2.0.3
>

I say "those" because there were _two_ such errors...

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

On Mon, 2004-05-24 at 23:33 +0200, Peter Lindeman wrote:
> I installed the kernel source and did a rebuild of iptables. You were
> right, the problem is gone. I am a bit surprised that a build of
> iptables was possible without having the kernel source. I also can
> conclude that the iptables build of Mandrake 10 is not correct with a
> kernel 2.4.25 of the same install. Confusing ;-)
>
> I also installed 2.02c now through the install script and there are some
> text errors in it. The script says it installed the template files in
> /etc/shorewall but of course it did install in /usr/share/shorewall. Not
> a big issue but I guess it can confuse people ;-)
>

If your kernel modifies the iptables structures in any way (from patch-o-matic patches normally), iptables needs to be built against those headers. If everything is stock, iptables can be built against any late 2.4 or 2.6 kernel and will interoperate. RedHat does not add any netfilter tweaks so their iptables package works with their 2.4 and their 2.6 kernels with no issues. If you use Gentoo and use one of the kernel packages with grsecurity, etc. rolled into it, you need to re-emerge iptables so that it is built against those kernel sources. I don't know what kinds of patches Mandrake uses with their kernels, so I don't know if they have this issue.

--
David T Hollis <dhollis@davehollis.com>

David T Hollis wrote:
>
> If your kernel modifies the iptables structures in any way (from
> patch-o-matic patches normally), iptables needs to be built against
> those headers. If everything is stock, iptables can be built against
> any late 2.4 or 2.6 kernel and will interoperate. RedHat does not add
> any netfilter tweaks so their iptables package works with their 2.4 and
> their 2.6 kernels with no issues. If you use Gentoo and use one of the
> kernel packages with grsecurity, etc. rolled into it, you need to
> re-emerge iptables so that it is built against those kernel sources. I
> don't know what kinds of patches Mandrake uses with their kernels, so I
> don't know if they have this issue.

I understand that but Mandrake delivers both kernels and iptables on the installation CD. In the description inside the RPM of iptables they claim that it is for the 2.4 and for the 2.6 kernels. It is confusing stuff.

--
Regards,
Peter

One of your NetBIOS names is already registered on the remote network.
-
- Do you have a Dreambox 7000S?
- Take a look at http://www.dreamvcr.com
- Also take a look at http://www.lindeman.org
- ICQ 22383596
- Uptime lindeman.org
- 0 days, 4 hours and 6 minutes, 0 users logged in.

Peter Lindeman wrote:
>
> I understand that but Mandrake delivers both kernels and iptables on the
> installation CD. In the description inside the RPM of iptables they
> claim that it is for the 2.4 and for the 2.6 kernels. It is confusing
> stuff.
>

I've found that Mandrake is always on the "bleeding" edge. While that's fine if you want the latest and greatest stuff, initial stability and quality seem to suffer as a result. Consequently, I'm never in a big hurry to install a new Mandrake release; I order a cd set from the Mandrake store then sit back and wait a while.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Tom Eastep wrote:
>> I understand that but Mandrake delivers both kernels and iptables on
>> the installation CD. In the description inside the RPM of iptables
>> they claim that it is for the 2.4 and for the 2.6 kernels. It is
>> confusing stuff.
>>
>
> I've found that Mandrake is always on the "bleeding" edge. While that's
> fine if you want the latest and greatest stuff, initial stability and
> quality seem to suffer as a result. Consequently, I'm never in a big
> hurry to install a new Mandrake release; I order a cd set from the
> Mandrake store then sit back and wait a while.

Hmm. Maybe not so bad idea :-)

I was running 9.0 here and it was rock solid, I needed an up to glibc and since 9.0 wasn't supported anymore I did the upgrade. Perhaps a bit too early. Now I know never to trust the software and in case of trouble first rebuild it before questioning.

--
Regards,
Peter

ERROR BAD CALLBACK NUMBER
-
- Do you have a Dreambox 7000S?
- Take a look at http://www.dreamvcr.com
- Also take a look at http://www.lindeman.org
- ICQ 22383596
- Uptime lindeman.org
- 0 days, 4 hours and 30 minutes, 1 user logged in.

On Mon, 2004-05-24 at 18:20, Tom Eastep wrote:
> Peter Lindeman wrote:
>
> >
> > I understand that but Mandrake delivers both kernels and iptables on the
> > installation CD. In the description inside the RPM of iptables they
> > claim that it is for the 2.4 and for the 2.6 kernels. It is confusing
> > stuff.
> >
>
> I've found that Mandrake is always on the "bleeding" edge. While that's
> fine if you want the latest and greatest stuff, initial stability and
> quality seem to suffer as a result. Consequently, I'm never in a big
> hurry to install a new Mandrake release; I order a cd set from the
> Mandrake store then sit back and wait a while.
>
> -Tom

As a longtime Mandrake enthusiast, I can tell you that you are dead on the money with this appraisal. I love em, but I still don't have 10 yet. I'm still on 9.2 with all the latest updates. And I still won't get the official 10 release until the update mirrors have two or three months time on them.

LX