I have added the pptp module to my kernel, and when I try to start shorewall with this new kernel I get this:

iptables: libiptc/libip4tc.c:384: do_check: Assertion `h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
Aborted
iptables: libiptc/libip4tc.c:384: do_check: Assertion `h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
Aborted
Terminated

I think this is a netfilter problem but I don't know what the shorewall script does to get this, so I post it here.

/Rickard
> I think this is a netfilter problem but I don't know what the shorewall
> script does to get this, so I post it here.

As I am sure Tom will tell you in a few moments, "Did you even read the errata before posting?"
Jan Johansson wrote:

>> I think this is a netfilter problem but I don't know what the shorewall
>> script does to get this, so I post it here.
>
> As I am sure Tom will tell you in a few moments, "Did you even read the
> errata before posting?"

But I don't use Red Hat's iptables; I have upgraded to 1.2.7a. But that can have been a bad idea...?!
The problem is: yes, you have upgraded, but it's the RH iptables which is used. Delete /sbin/iptables* (even after rpm -e they are still there) or (in the last shorewall script) specify where the binaries are (i.e. /usr/local/sbin).

----- Original Message -----
From: "Rickard Eriksson" <riceri@home.se>
To: "Jan Johansson" <jan.johansson@nwl.se>
Cc: <shorewall-users@shorewall.net>
Sent: Friday, October 11, 2002 11:47 AM
Subject: Re: [Shorewall-users] PPTP

> Jan Johansson wrote:
>
>>> I think this is a netfilter problem but I don't know what the shorewall
>>> script does to get this, so I post it here.
>>
>> As I am sure Tom will tell you in a few moments, "Did you even read the
>> errata before posting?"
>
> But I don't use Red Hat's iptables; I have upgraded to 1.2.7a.
> But that can have been a bad idea...?!
Rickard Eriksson wrote:

> Jan Johansson wrote:
>
>>> I think this is a netfilter problem but I don't know what the shorewall
>>> script does to get this, so I post it here.
>>
>> As I am sure Tom will tell you in a few moments, "Did you even read the
>> errata before posting?"
>
> But I don't use Red Hat's iptables; I have upgraded to 1.2.7a.
> But that can have been a bad idea...?!

Regardless of whether you got your iptables from RedHat or from the guy next door, the iptables binary that Shorewall is running is compiled with debugging and it won't work with the kernel version that you just installed.

Make sure that Shorewall is REALLY running 1.2.7a -- if you compiled and installed iptables yourself, it got installed in /usr/local/sbin; if you still have an old copy in /sbin, THAT is the one that Shorewall will use because Shorewall uses the following PATH:

PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
If you have received this mailing list since 3/10 you should find information in the thread "Extending Shorewall"; otherwise look for:

> since iptables 1.1.1 thru 1.2.5 this line was in the Makefile from iptables
> COPT_FLAGS:=-O2 -DNDEBUG
>
> in 1.2.7a I have this...
> COPT_FLAGS:=-O2

These are the flags in the Makefile of iptables (you NEED to put -DNDEBUG and then recompile). Also remove /sbin/iptables* or (better) statically link them with /usr/local/sbin/iptables*; you can look for a PATH command in shorewall.conf (reverse /sbin with /usr/local/sbin).

Shame on me :)
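A check for the shadowing Tom describes above (a stale /sbin/iptables found before a self-built /usr/local/sbin/iptables), as an added example that is not code from the thread or from Shorewall. It assumes only the PATH string Tom quoted; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread or from Shorewall: list every
# "iptables" executable on the PATH that Shorewall uses (quoted by Tom
# above) and report which copy a bare "iptables" actually resolves to.

SHOREWALL_PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

# list_iptables PATHSTRING: print each executable iptables found, in search order.
# Runs in a subshell so the IFS change does not leak into the caller.
list_iptables() (
    IFS=:
    for _dir in $1; do
        if [ -x "$_dir/iptables" ]; then
            printf '%s\n' "$_dir/iptables"
        fi
    done
)

# first_iptables PATHSTRING: the copy that actually runs (empty if none).
first_iptables() {
    list_iptables "$1" | head -n 1
}

# shadowed_count PATHSTRING: how many other copies sit behind the first one.
shadowed_count() {
    _n=$(list_iptables "$1" | wc -l | tr -d ' \t')
    if [ "$_n" -gt 0 ]; then
        _n=$((_n - 1))
    fi
    echo "$_n"
}

# report PATHSTRING: human-readable summary; always returns 0.
report() {
    _first=$(first_iptables "$1")
    if [ -z "$_first" ]; then
        echo "no iptables binary on $1"
        return 0
    fi
    echo "Shorewall will run: $_first"
    if [ "$(shadowed_count "$1")" -gt 0 ]; then
        echo "WARNING: these copies are shadowed by it:"
        list_iptables "$1" | sed -e 1d -e 's/^/  /'
        echo "remove the stale copy or move its directory later in PATH"
    fi
    return 0
}

report "$SHOREWALL_PATH"
```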
Tom Eastep wrote:

> Rickard Eriksson wrote:
>
>> Jan Johansson wrote:
>>
>>>> I think this is a netfilter problem but I don't know what the shorewall
>>>> script does to get this, so I post it here.
>>>
>>> As I am sure Tom will tell you in a few moments, "Did you even read the
>>> errata before posting?"
>>
>> But I don't use Red Hat's iptables; I have upgraded to 1.2.7a.
>> But that can have been a bad idea...?!
>
> Regardless of whether you got your iptables from RedHat or from the
> guy next door, the iptables binary that Shorewall is running is
> compiled with debugging and it won't work with the kernel version that
> you just installed.
>
> Make sure that Shorewall is REALLY running 1.2.7a -- if you compiled
> and installed iptables yourself, it got installed in /usr/local/sbin;
> if you still have an old copy in /sbin, THAT is the one that Shorewall
> will use because Shorewall uses the following PATH:
>
> PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
>
> -Tom

Ok, now that works; then I get a new error.

Masqueraded Subnets and Hosts:
iptables: Invalid argument
Terminated

I see that there has been the same problem with nat but I can't see any info about this.

BTW, thanks for all your help.

/Rickard
Rickard Eriksson wrote:

> Ok, now that works; then I get a new error.
>
> Masqueraded Subnets and Hosts:
> iptables: Invalid argument
> Terminated
>
> I see that there has been the same problem with nat but I can't see any
> info about this.

This problem is described in the Errata (along with a solution).

-Tom
Tom Eastep wrote:

> Rickard Eriksson wrote:
>
>> Ok, now that works; then I get a new error.
>>
>> Masqueraded Subnets and Hosts:
>> iptables: Invalid argument
>> Terminated
>>
>> I see that there has been the same problem with nat but I can't see
>> any info about this.
>
> This problem is described in the Errata (along with a solution).

Sorry -- didn't read the post carefully enough (happens when I'm trying to answer questions and do my real job at the same time). Try "shorewall debug start 2> /tmp/trace" and look at the /tmp/trace file to see if you can figure out at least what command is failing.

-Tom
Tom Eastep wrote:

> Rickard Eriksson wrote:
>
>> Ok, now that works; then I get a new error.
>>
>> Masqueraded Subnets and Hosts:
>> iptables: Invalid argument
>> Terminated
>>
>> I see that there has been the same problem with nat but I can't see
>> any info about this.
>
> This problem is described in the Errata (along with a solution).

I found the problem with nat and it looks just like mine, but mine is with masq.

At the moment my masq file is like "eth0 eth1" but I have tested with "eth0 192.168.0.1/24" too, but it makes the same problem.
Rickard Eriksson wrote:

> Tom Eastep wrote:
>
>> Rickard Eriksson wrote:
>>
>>> Ok, now that works; then I get a new error.
>>>
>>> Masqueraded Subnets and Hosts:
>>> iptables: Invalid argument
>>> Terminated
>>>
>>> I see that there has been the same problem with nat but I can't see
>>> any info about this.
>>
>> This problem is described in the Errata (along with a solution).
>
> I found the problem with nat and it looks just like mine, but mine is
> with masq.
>
> At the moment my masq file is like "eth0 eth1" but I have tested with
> "eth0 192.168.0.1/24" too, but it makes the same problem.

You did build MASQUERADE support into your new kernel, right?

-Tom
Tom Eastep wrote:

> Rickard Eriksson wrote:
>
>> Tom Eastep wrote:
>>
>>> Rickard Eriksson wrote:
>>>
>>>> Ok, now that works; then I get a new error.
>>>>
>>>> Masqueraded Subnets and Hosts:
>>>> iptables: Invalid argument
>>>> Terminated
>>>>
>>>> I see that there has been the same problem with nat but I can't
>>>> see any info about this.
>>>
>>> This problem is described in the Errata (along with a solution).
>>
>> I found the problem with nat and it looks just like mine, but mine is
>> with masq.
>>
>> At the moment my masq file is like "eth0 eth1" but I have tested with
>> "eth0 192.168.0.1/24" too, but it makes the same problem.
>
> You did build MASQUERADE support into your new kernel, right?
>
> -Tom

I think I have added all that you have on the http://www.shorewall.net/kernel.htm page.

"CONFIG_IP_NF_TARGET_MASQUERADE=y" shall do it, right?
Rickard Eriksson wrote:

> I think I have added all that you have on the
> http://www.shorewall.net/kernel.htm page.
>
> "CONFIG_IP_NF_TARGET_MASQUERADE=y" shall do it, right?

Should work -- did you get a trace?

-Tom
Rickard Eriksson wrote:

> Tom Eastep wrote:
>
>> Should work -- did you get a trace?
>>
>> -Tom
>
> Yes, but it doesn't tell me a lot...
>
> Here you have it, I hope it helps
>
> + run_iptables -t nat -A eth0_masq -s 192.168.0.1/24 -d 0.0.0.0/0 -j MASQUERADE
> ++ echo -t nat -A eth0_masq -s 192.168.0.1/24 -d 0.0.0.0/0 -j MASQUERADE
> ++ sed 's/!/! /g'
> + iptables -t nat -A eth0_masq -s 192.168.0.1/24 -d 0.0.0.0/0 -j MASQUERADE
> iptables: Invalid argument

Unfortunately (for you) the iptables command is valid -- looks like you have a problem with your kernel or iptables. Sorry I can't be more specific, but when valid commands return an error, that is about all I can tell you.

-Tom
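The "shorewall debug start 2> /tmp/trace" output Tom asked for above is plain sh xtrace; pulling the failing command out of it by hand is what Rickard did. As an added example (not code from the thread or from Shorewall), this filter does the same mechanically: each "+ iptables ..." line is remembered, and any non-trace line that follows it before the next traced command is reported as that command's error. The sample trace is constructed from the one Rickard posted.

```shell
#!/bin/sh
# Added example, not from the thread or from Shorewall: extract the iptables
# commands that produced error output from an xtrace ("sh -x") style trace
# such as the one written by "shorewall debug start 2> /tmp/trace".

# failing_commands: read a trace on stdin, print "COMMAND => ERROR" per failure.
#   rule 1: a line "+ iptables ..." is a candidate command (strip the "+ ")
#   rule 2: any other traced line ("+", "++", ...) means the candidate succeeded
#   rule 3: a non-traced line after a candidate is its error output
failing_commands() {
    awk '
        $1 == "+" && $2 == "iptables" { cmd = substr($0, 3); next }
        $1 ~ /^[+]+$/                 { cmd = ""; next }
        cmd != ""                     { print cmd " => " $0 }
    '
}

# Constructed sample trace mirroring the one posted in this thread, plus one
# trailing command that succeeds (no output after it).
SAMPLE_TRACE=$(cat <<'EOF'
+ run_iptables -t nat -A eth0_masq -s 192.168.0.1/24 -d 0.0.0.0/0 -j MASQUERADE
++ echo -t nat -A eth0_masq -s 192.168.0.1/24 -d 0.0.0.0/0 -j MASQUERADE
++ sed 's/!/! /g'
+ iptables -t nat -A eth0_masq -s 192.168.0.1/24 -d 0.0.0.0/0 -j MASQUERADE
iptables: Invalid argument
+ iptables -t filter -A INPUT -j ACCEPT
EOF
)

# On a real system: failing_commands < /tmp/trace
printf '%s\n' "$SAMPLE_TRACE" | failing_commands
```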
Tom Eastep wrote:

> Rickard Eriksson wrote:
>
>> Tom Eastep wrote:
>>
>>> Should work -- did you get a trace?
>>>
>>> -Tom
>>
>> Yes, but it doesn't tell me a lot...
>>
>> Here you have it, I hope it helps
>>
>> + run_iptables -t nat -A eth0_masq -s 192.168.0.1/24 -d 0.0.0.0/0 -j MASQUERADE
>> ++ echo -t nat -A eth0_masq -s 192.168.0.1/24 -d 0.0.0.0/0 -j MASQUERADE
>> ++ sed 's/!/! /g'
>> + iptables -t nat -A eth0_masq -s 192.168.0.1/24 -d 0.0.0.0/0 -j MASQUERADE
>> iptables: Invalid argument
>
> Unfortunately (for you) the iptables command is valid -- looks like
> you have a problem with your kernel or iptables. Sorry I can't be more
> specific, but when valid commands return an error, that is about all I
> can tell you.
>
> -Tom

Thanks for all the help, I shall try to reinstall iptables or something.

/Rickard
Hi there,

> Rickard Eriksson wrote:
>
> + run_iptables -t nat -A eth0_masq -s 192.168.0.1/24 -d 0.0.0.0/0 -j MASQUERADE
> ++ echo -t nat -A eth0_masq -s 192.168.0.1/24 -d 0.0.0.0/0 -j MASQUERADE
> ++ sed 's/!/! /g'
> + iptables -t nat -A eth0_masq -s 192.168.0.1/24 -d 0.0.0.0/0 -j MASQUERADE
> iptables: Invalid argument

I've seen the same thing before: the iptables command fails with "Invalid argument" when passed the "-j MASQUERADE" option. Would you by any chance have PPTP connection tracking enabled?

I'm not sure if this applies to your case, but my similar problems went away after I removed the extra/pptp-conntrack-nat.patch (from iptables patch-o-matic).

Also you might be able to find some information by checking the netfilter mailing lists.

--eric
Eric E. Bowles wrote:

> Hi there,
>
>> Rickard Eriksson wrote:
>>
>> + run_iptables -t nat -A eth0_masq -s 192.168.0.1/24 -d 0.0.0.0/0 -j MASQUERADE
>> ++ echo -t nat -A eth0_masq -s 192.168.0.1/24 -d 0.0.0.0/0 -j MASQUERADE
>> ++ sed 's/!/! /g'
>> + iptables -t nat -A eth0_masq -s 192.168.0.1/24 -d 0.0.0.0/0 -j MASQUERADE
>> iptables: Invalid argument
>
> I've seen the same thing before: the iptables command fails with
> "Invalid argument" when passed the "-j MASQUERADE" option. Would
> you by any chance have PPTP connection tracking enabled?
>
> I'm not sure if this applies to your case, but my similar problems went
> away after I removed the extra/pptp-conntrack-nat.patch (from iptables
> patch-o-matic).
>
> Also you might be able to find some information by checking the netfilter
> mailing lists.

Thanks Eric -- as the thread title indicates, I believe that Rickard is trying to implement the PPTP nat/conntrack patches.

-Tom