Am trying to set up shorewall on a newly installed Gentoo box running kernel 2.6.4.

Shorewall start shows normal output up until:
Mangled/Invalid Packet filtering enabled on:
iptables: No chain/target/match by that name

I checked the FAQ, which pointed me to kernel modules. I followed the FAQ and selected the kernel modules required (built as modules) but still the error persists.

These are the loaded modules:

Module                  Size  Used by
ipt_LOG                 5248  0
ipt_REJECT              5632  0
ipt_pkttype             1536  0
ipt_state               1664  2
ip_nat_ftp              4208  0
ip_conntrack_ftp       71220  1 ip_nat_ftp
ipt_multiport           1920  0
ipt_conntrack           2176  0
iptable_filter          2432  1
iptable_mangle          2304  0
iptable_nat            20908  1 ip_nat_ftp
ip_conntrack           27440  5 ipt_state,ip_nat_ftp,ip_conntrack_ftp,ipt_conntrack,iptable_nat
ppp_deflate             5120  0
bsd_comp                5504  0
ppp_async               9856  1
ppp_generic            20624  7 ppp_deflate,bsd_comp,ppp_async
slhc                    6912  1 ppp_generic
via_agp                 6016  1
agpgart                26408  1 via_agp
3c59x                  35240  0
via_rhine              18056  0
mii                     4224  1 via_rhine

ip_tables is missing in the list but iptables -L does show some output. Is this normal kernel 2.6 behaviour? I cannot insmod or modprobe ip_tables, this tells me the module is not found. The other iptable modules loaded correctly.

Is there any way of finding out exactly what is stopping shorewall from starting? I checked the Gentoo forum but this is mostly about kernel 2.4 stuff and doesn't help much.

I did not include much info about my shorewall setup, I simply copied a working setup over from a box running kernel 2.4, therefore assume the problem is not in the configs.

Thanks!!
Remco

Remco Barendse wrote:
> Am trying to set up shorewall on a newly installed Gentoo box running kernel
> 2.6.4.
>
> Shorewall start shows normal output up until:
> Mangled/Invalid Packet filtering enabled on:
> iptables: No chain/target/match by that name

Please follow the instructions at http://shorewall.net/troubleshoot.htm under the topic "shorewall start" and "shorewall restart" errors.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Remco Barendse wrote:
> Am trying to set up shorewall on a newly installed Gentoo box running kernel
> 2.6.4.
>
> Shorewall start shows normal output up until:
> Mangled/Invalid Packet filtering enabled on:
> iptables: No chain/target/match by that name

I just realized what the problem is -- You have 'logunclean' or 'dropunclean' specified on one of your interfaces. Those options aren't supported on the 2.6 kernel (the underlying Netfilter support for them has been removed).

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

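Added example, not part of the thread and not Shorewall code: a pre-start check that flags 'dropunclean' and 'logunclean' in an interfaces file when the kernel is 2.6 or later, which is the combination behind the error above. The column layout (ZONE INTERFACE BROADCAST OPTIONS), the sample entries and all function names are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example. Assumed interfaces layout: ZONE INTERFACE BROADCAST OPTIONS,
# with OPTIONS as a comma-separated list.

# Constructed sample input, not taken from the thread.
sample_interfaces() {
    cat <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     ppp0        -           norfc1918,dropunclean
loc     eth0        detect      dhcp
dmz     eth1        detect      logunclean   # old setting
EOF
}

# Read an interfaces file on stdin; print "line:interface:option" per hit.
find_unclean_options() {
    awk '
        { sub(/#.*/, "") }              # drop comments
        NF < 4 { next }                 # no OPTIONS column on this line
        {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++)
                if (opts[i] == "dropunclean" || opts[i] == "logunclean")
                    printf "%d:%s:%s\n", NR, $2, opts[i]
        }'
}

# True when the kernel release ($1, e.g. "2.6.4") is 2.6 or later.
kernel_lacks_unclean_match() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    minor=${minor%%[!0-9]*}
    [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "${minor:-0}" -ge 6 ]; }
}

# $1 = kernel release, interfaces file on stdin.
# Returns 1 when flagged options meet a 2.6+ kernel.
preflight() {
    hits=$(find_unclean_options)
    if [ -n "$hits" ] && kernel_lacks_unclean_match "$1"; then
        echo "$hits" | while IFS=: read -r line iface opt; do
            echo "line $line: $iface uses '$opt', unsupported on kernel $1" >&2
        done
        return 1
    fi
    return 0
}

sample_interfaces | preflight 2.6.4 || echo "remove the options listed above"
```

On a real box the call would be `preflight "$(uname -r)" < /etc/shorewall/interfaces`, run before `shorewall start`.
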
Thanks!!

Indeed I have dropunclean specified in my interfaces file, unfortunately the box dropped its internet connection, therefore cannot try it now, but that must be it.

Maybe it's a good idea to put a warning about this in shorewall for boxes running 2.6 or have shorewall ignore the option on a 2.6 box?

Thanks again!!
Remco

On Tue, 6 Apr 2004, Tom Eastep wrote:
> Remco Barendse wrote:
> > Am trying to set up shorewall on a newly installed Gentoo box running kernel
> > 2.6.4.
> >
> > Shorewall start shows normal output up until:
> > Mangled/Invalid Packet filtering enabled on:
> > iptables: No chain/target/match by that name
>
> I just realized what the problem is -- You have 'logunclean' or
> 'dropunclean' specified on one of your interfaces. Those options aren't
> supported on the 2.6 kernel (the underlying Netfilter support for them
> has been removed).
>
> -Tom

Remco Barendse wrote:
> Thanks!!
>
> Indeed I have dropunclean specified in my interfaces file, unfortunately the box
> dropped its internet connection, therefore cannot try it now, but that
> must be it.
>
> Maybe it's a good idea to put a warning about this in shorewall for boxes
> running 2.6 or have shorewall ignore the option on a 2.6 box?
>
> Thanks again!!
> Remco
>
> On Tue, 6 Apr 2004, Tom Eastep wrote:
>
>>Remco Barendse wrote:
>>
>>>Am trying to set up shorewall on a newly installed Gentoo box running kernel
>>>2.6.4.
>>>
>>>Shorewall start shows normal output up until:
>>>Mangled/Invalid Packet filtering enabled on:
>>>iptables: No chain/target/match by that name
>>
>>I just realized what the problem is -- You have 'logunclean' or
>>'dropunclean' specified on one of your interfaces. Those options aren't
>>supported on the 2.6 kernel (the underlying Netfilter support for them
>>has been removed).

The current version of Shorewall (2.0.1) doesn't support the option at all.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Tom Eastep wrote:
>
> The current version of Shorewall (2.0.1) doesn't support the option at all.
>

IOW, Shorewall 2.0.1 does not support either 'dropunclean' or 'logunclean' and the Upgrade Issues make that very clear. Furthermore, I have been advertising this fact on this list for months in my "Planning for 2.0" posts.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Hmmm, I should have known then.

I'm just a n00b with gentoo, and just emerged the version standard included with gentoo which is still 1.4.

Sorry for the trouble, I'll post it on the gentoo forum too so others can find it

On Tue, 6 Apr 2004, Tom Eastep wrote:
> Tom Eastep wrote:
> >
> > The current version of Shorewall (2.0.1) doesn't support the option at all.
> >
>
> IOW, Shorewall 2.0.1 does not support either 'dropunclean' or
> 'logunclean' and the Upgrade Issues make that very clear. Furthermore, I
> have been advertising this fact on this list for months in my "Planning
> for 2.0" posts.
>
> -Tom

Remco Barendse wrote:
> Hmmm, I should have known then.
>
> I'm just a n00b with gentoo, and just emerged the version standard
> included with gentoo which is still 1.4.
>
> Sorry for the trouble, I'll post it on the gentoo forum too so others can
> find it
>

When I get a few minutes, I'll write up a 2.6 Kernel article and post it on the web site. We had another poster asking about that recently.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Tom Eastep wrote:
>
> When I get a few minutes, I'll write up a 2.6 Kernel article and post it
> on the web site. We had another poster asking about that recently.
>

I've added a note to the FAQs -- http://shorewall.net/FAQ.htm#faq36

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net