Levi Masterson
2003-Sep-11 08:14 UTC
[Shorewall-users] OT: Mismatched Kernel Source / IPTables (Was: Shorewall will not start under linux)
I'm kinda jumping in the middle of this, but it has nothing to do with what version of iptables you are running with which kernel.

It has EVERYTHING to do with which kernel iptables was compiled against.

If you are using Redhat-provided iptables RPMS, you are pretty much stuck with Redhat-provided kernels. (Meaning no rolling your own 2.4.22 from kernel.org and expecting to run whatever the latest RH IPTables RPM is available)

From the IPTables 1.2.8 makefile:

    ifndef KERNEL_DIR
    KERNEL_DIR=/usr/src/linux
    endif
    IPTABLES_VERSION:=1.2.8
    OLD_IPTABLES_VERSION:=1.2.7a

If you are trying to compile iptables from source, it is hardcoded to use /usr/src/linux for its source folder--and this usually points to whatever kernel-source package you last installed. Change it to point to whatever kernel source you have compiled and plan to use. Then make...

Rolling RPMS is a bit more involved...

Also, this has been covered in the past (when I first got stuck trying to roll my own)...searching the list archive for "invalid argument" turns up many hits--

Levi Masterson
HCOCNTF.ORG

----------------------------------------------------------------------------

Message: 10
Date: Thu, 11 Sep 2003 07:16:25 -0700 (PDT)
From: Joshua Banks <l0f33t@yahoo.com>
Subject: Re: [Shorewall-users] Shorewall will not start under linux 2.4.21
To: Shorewall Users Mailing List <shorewall-users@lists.shorewall.net>

Hi Phil,

You went to the newer Kernel, correct, if I remember correctly? You were running iptables 1.2.7 correct? When you went to the new Kernel what version of iptables do you have installed now?

JBanks
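An added example, not part of the original message or of the iptables sources: a pre-build check that the tree KERNEL_DIR points at is the kernel the firewall host will actually run. It assumes the 2.4-style top-level kernel Makefile variables (VERSION, PATCHLEVEL, SUBLEVEL, EXTRAVERSION); the function names are hypothetical.

```shell
#!/bin/sh
# Added example: confirm a kernel source tree matches the target kernel
# before building iptables against it. Function names are hypothetical.
# Use: . ./check_kernel_dir.sh && check_kernel_dir /usr/src/linux

# kmake_var DIR NAME: print NAME's value from DIR/Makefile (may be empty).
kmake_var() {
    sed -n "s/^${2}[[:space:]]*=[[:space:]]*//p" "$1/Makefile" |
        head -n 1 | sed 's/[[:space:]]*$//'
}

# tree_release DIR: print the release the tree builds, e.g. 2.4.22 or
# 2.4.20-gentoo-r6. Assumes the 2.4-style top-level Makefile variables.
tree_release() {
    [ -f "$1/Makefile" ] || return 1
    v=$(kmake_var "$1" VERSION)
    p=$(kmake_var "$1" PATCHLEVEL)
    s=$(kmake_var "$1" SUBLEVEL)
    e=$(kmake_var "$1" EXTRAVERSION)
    [ -n "$v" ] && [ -n "$p" ] && [ -n "$s" ] || return 1
    printf '%s.%s.%s%s\n' "$v" "$p" "$s" "$e"
}

# check_kernel_dir DIR [RELEASE]: 0 on match, 1 on mismatch, 2 if DIR is
# not a kernel tree. RELEASE defaults to the running kernel (uname -r).
check_kernel_dir() {
    dir=$1
    want=${2:-$(uname -r)}
    have=$(tree_release "$dir") || {
        echo "no kernel source found in $dir" >&2
        return 2
    }
    if [ "$have" = "$want" ]; then
        echo "match: $dir builds $have"
        return 0
    fi
    echo "MISMATCH: $dir builds $have, target kernel is $want" >&2
    return 1
}
```

Because the Makefile excerpt assigns KERNEL_DIR only inside `ifndef`, a checked tree can then be passed as `make KERNEL_DIR=/path/to/tree` in place of the /usr/src/linux default.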
Joshua Banks
2003-Sep-11 09:09 UTC
[Shorewall-users] OT: Mismatched Kernel Source / IPTables (Was: Shorewall will not start under linux)
--- Levi Masterson <lmasterson@hcocntf.org> wrote:
> I'm kinda jumping in the middle of this, but it has nothing to do with what version of iptables you are running with which kernel.
>
> It has EVERYTHING to do with which kernel iptables was compiled against.
>
> If you are using Redhat-provided iptables RPMS, you are pretty much stuck with Redhat-provided kernels. (Meaning no rolling your own 2.4.22 from kernel.org and expecting to run whatever the latest RH IPTables RPM is available)
>
> From the IPTables 1.2.8 makefile:
>
>     ifndef KERNEL_DIR
>     KERNEL_DIR=/usr/src/linux
>     endif
>     IPTABLES_VERSION:=1.2.8
>     OLD_IPTABLES_VERSION:=1.2.7a
>
> If you are trying to compile iptables from source, it is hardcoded to use /usr/src/linux for its source folder--and this usually points to whatever kernel-source package you last installed. Change it to point to whatever kernel source you have compiled and plan to use. Then make...
>
> Rolling RPMS is a bit more involved...
>
> Also, this has been covered in the past (when I first got stuck trying to roll my own)...searching the list archive for "invalid argument" turns up many hits--

That's cool Levi, I myself was just fishing for info trying to make sense of and understand what my problem was initially. This makes the problem they had somewhat clearer. I believe that Phil must have come across the same info that you're speaking of.

I came from having Mandrake installed to blowing that away and installing Gentoo kernel-2.4.20-gentoo-r6. I used Gentoo's "genkernel" and Gentoo-Sources when compiling because I'm somewhat of a noob when it comes to linux. My problem was that when I went to start shorewall it couldn't find any of the iptables modules needed. This is where the fun began. I couldn't tell exactly what needed to be done in the kernel. Meaning, I couldn't tell what needed to be "*"ed or "m"ed.

When I used someone's reference .config references for how they had their "network options" and "netfilter options" kernel setup, I hosed my system in a sense. Got "kernel panic: killing initd"...or something like that and I couldn't get past that. They were using a 2.6 Kernel though. I had to use the Gentoo LiveCD to boot off of and chroot in and reconfigure the kernel settings. I tried to follow Tom's Kernel .config examples on the Shorewall site. At this point I didn't really know what to choose because I seemed to have a ton more choices to enable and I wasn't sure again what to "*" and what to "m"..so I just enabled the network options and netfilter options as close to how Tom's .config options looked and this seemed to do the trick. After the recompile, I rebooted and was able to start shorewall.

How do you know when to "*" and when to "m" when messing with the Kernel settings? Because at first, like I said in the beginning I followed someone's example that was running a 2.6 kernel and almost all of their network and netfilter options were "*"ed.

Thanks Levi..

JBanks
Mehul N. Sanghvi
2003-Sep-11 10:28 UTC
[Shorewall-users] OT: Mismatched Kernel Source / IPTables (Was: Shorewall will not start under linux)
On Thu, Sep 11, 2003 at 09:08:54AM -0700, Joshua Banks wrote:
>
> How do you know when to "*" and when to "m" when messing with the Kernel settings? Because at first, like I said in the beginning I followed someone's example that was running a 2.6 kernel and almost all of their network and netfilter options were "*"ed.
>
> Thanks Levi..
>
> JBanks

Just like Levi, I'm jumping in the middle of this.

As far as I know it's up to you as to what you want compiled into the kernel and what you want loaded into the kernel via modules. I usually keep everything as builtin (i.e. "*"ed), but am considering moving most things to modules to save on diskspace. I would assume that stuff like filesystems should be compiled in at the least. From my past experience, it is sort of a crap shoot (at least on my NuBus based PowerMac) as to which combination of things that are compiled as modules and which are built into the kernel, though I think that's platform dependent rather than a fault with the kernel.

Just my $0.02

mehul

--
Mehul N. Sanghvi                     email: mehul@kirsun.com
Superior software is always free!    URL: http://kirsun.com/~mehul
Joshua Banks
2003-Sep-11 12:21 UTC
[Shorewall-users] OT: Mismatched Kernel Source / IPTables (Was: Shorewall will not start under linux)
Well I guess then that my noobness is my shortcoming here. I don't understand the meaning of what's compiled into the kernel and compiling modules into the kernel. Is there a description that's written in a form that a noob would understand? I would like to understand this and know what I need to do but I'm finding it difficult to understand these terms reading man pages. Albeit, I'm sure that I will understand this at some point, but right now at the stage that I'm at in my knowledge of linux, reading man pages appears to be written by engineers for engineers. Not trying to knock man pages whatsoever. It's just hard to find documentation out there that I can follow.

I feel that I'll really be doing myself a disfavor if I don't understand the basics of Kernel compilation. This is one of the reasons that I opted to Compile Gentoo using "Genkernel" and "Gentoo-Sources". Basically it takes care of compiling for me.

I saw a link on Tom's Shorewall site that I will take a look at. He usually has everything needed there it seems. Just not looking in the right places for the info that fits where I'm at knowledge wise.

Thanks for the response nonetheless.

JBanks

--- "Mehul N. Sanghvi" <mehul@kirsun.com> wrote:
> On Thu, Sep 11, 2003 at 09:08:54AM -0700, Joshua Banks wrote:
> >
> > How do you know when to "*" and when to "m" when messing with the Kernel settings? Because at first, like I said in the beginning I followed someone's example that was running a 2.6 kernel and almost all of their network and netfilter options were "*"ed.
> >
> > Thanks Levi..
> >
> > JBanks
>
> Just like Levi, I'm jumping in the middle of this.
>
> As far as I know it's up to you as to what you want compiled into the kernel and what you want loaded into the kernel via modules. I usually keep everything as builtin (i.e. "*"ed), but am considering moving most things to modules to save on diskspace. I would assume that stuff like filesystems should be compiled in at the least. From my past experience, it is sort of a crap shoot (at least on my NuBus based PowerMac) as to which combination of things that are compiled as modules and which are built into the kernel, though I think that's platform dependent rather than a fault with the kernel.
>
> Just my $0.02
>
> mehul
>
> --
> Mehul N. Sanghvi                     email: mehul@kirsun.com
> Superior software is always free!    URL: http://kirsun.com/~mehul
Robert Kehl
2003-Sep-11 13:52 UTC
[Shorewall-users] OT: Mismatched Kernel Source / IPTables (Was: Shorewall will not start under linux)
On Thu, 2003-09-11 at 21:20, Joshua Banks wrote:
> I feel that I'll really be doing myself a disfavor if I don't understand the basics of Kernel compilation.
> This is one of the reasons that I opted to Compile Gentoo using "Genkernel" and "Gentoo-Sources".
> Basically it takes care of compiling for me.

I'd strongly advise you to throw an eye on Mandrake's Distro - 9.1 running here with iptables 1.2.7 and Shorewall 1.4.6c without compiling or changing anything in Kernel 2.4.21. This configuration can be built from Mandrake's Distro - the only thing to do is add Shorewall itself.

With one exception: I cannot use ICMP port lists with 1.4.6c as I could with 1.4.5 (see my post on Wed, 10 Sep 2003 19:41:15 +0200), which is no real failure but a simple annoyance to me - I have to split up ICMP port lists in the file 'rules'.

Regards,

Robert Kehl
Joshua Banks
2003-Sep-11 14:47 UTC
[Shorewall-users] OT: Mismatched Kernel Source / IPTables (Was: Shorewall will not start under linux)
Thanks for the responses. I believe it's best that I take this (my questions) off list since at this point it doesn't have anything to do with Shorewall. I know how Tom is so I will bow out and do my research. Feel free to email me personally if you would like.

At this point it isn't which distro to use but learning and experimenting. I started with Mandrake 9.0 and liked it very much. I don't like rpm based distros though. Nothing against Mandrake or RedHat. But, I must say that Gentoo, by far rocks for my situation. It's actually making me learn how to tell linux what I want it to do instead of things being done for me in a sense.

Anyways, thanks again for your kind responses.

Joshua Banks

--- Robert Kehl <mailinglists@robertkehl.de> wrote:
> On Thu, 2003-09-11 at 21:20, Joshua Banks wrote:
>
> > I feel that I'll really be doing myself a disfavor if I don't understand the basics of Kernel compilation.
> > This is one of the reasons that I opted to Compile Gentoo using "Genkernel" and "Gentoo-Sources".
> > Basically it takes care of compiling for me.
>
> I'd strongly advise you to throw an eye on Mandrake's Distro - 9.1 running here with iptables 1.2.7 and Shorewall 1.4.6c without compiling or changing anything in Kernel 2.4.21. This configuration can be built from Mandrake's Distro - the only thing to do is add Shorewall itself.
>
> With one exception: I cannot use ICMP port lists with 1.4.6c as I could with 1.4.5 (see my post on Wed, 10 Sep 2003 19:41:15 +0200), which is no real failure but a simple annoyance to me - I have to split up ICMP port lists in the file 'rules'.
>
> Regards,
>
> Robert Kehl