davenews@thebarnums.net
2004-May-02 06:36 UTC
iptables: No chain/target/match by that name
I'm getting a "No Chain/target/match by that name" error. I've read through some other posts and things and i know some of these problems are caused by not having physdev support. I have the 2.6.2 kernel running so i believe i'm fine.

Let me note that when i run shorewall in 'normal' mode it works fine. I am trying to set up a bridge between loc (eth1) and vpn (tap1) {which goes to another house} and this is when i'm getting the error. Here is the debug..

++ physdev_echo '--physdev-out eth1'
++ '[' -f /tmp/shorewall-5025/physdev ']'
++ echo -m physdev --physdev-out eth1
+ run_iptables -A eth0_fwd -s 0.0.0.0/0 -o br0 -m physdev --physdev-out eth1 -j net2loc
+ '[' -n Yes ']'
+ '[' -f /tmp/shorewall-5025/physdev ']'
+ rm -f /tmp/shorewall-5025/physdev
+ iptables -A eth0_fwd -s 0.0.0.0/0 -o br0 -m physdev --physdev-out eth1 -j net2loc
iptables: No chain/target/match by that name
+ '[' -z '' ']'
+ stop_firewall
+ set +x
Processing /etc/shorewall/stop ...
IP Forwarding Enabled
Processing /etc/shorewall/stopped ...
Terminated

My interfaces file contains
#
-       br0     detect
#

My zones file contains
#
net     Net     Internet
loc     Local   Local networks
vpn     VPN
#

My hosts file contains
#
loc     br0:eth1
vpn     br0:tap1
#

My masq file contains
#
eth0    br0
#

My tunnels file contains
#
openvpn net     address
#

my policy file contains
#
loc     net     ACCEPT
loc     vpn     ACCEPT
vpn     loc     ACCEPT
net     all     DROP    info
all     all     REJECT  info
#

Let me know if you need any more info.
davenews@thebarnums.net wrote:
> I'm getting a "No Chain/target/match by that name" error. I've read through
> some other posts and things and i know some of these problems are caused by not
> having physdev support. I have the 2.6.2 kernel running so i believe i'm fine.

So 'lsmod' shows the physdev match module as in the following?

wookie:~ # lsmod | grep physdev
ipt_physdev 984 23 (autoclean)
...
wookie:~ #

And:

wookie:~ # ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/*physdev*
/lib/modules/2.6.5/kernel/net/ipv4/netfilter/ipt_physdev.o
wookie:~

and "modprobe ipt_physdev" works?

> Let me note that when i run shorewall in 'normal' mode it works fine. I am
> trying to set up a bridge between loc (eth1) and vpn (tap1) {which goes to
> another house} and this is when i'm getting the error. Here is the debug..
>
> ++ physdev_echo '--physdev-out eth1'
> ++ '[' -f /tmp/shorewall-5025/physdev ']'
> ++ echo -m physdev --physdev-out eth1
> + run_iptables -A eth0_fwd -s 0.0.0.0/0 -o br0 -m physdev --physdev-out eth1 -j net2loc
> + '[' -n Yes ']'
> + '[' -f /tmp/shorewall-5025/physdev ']'
> + rm -f /tmp/shorewall-5025/physdev
> + iptables -A eth0_fwd -s 0.0.0.0/0 -o br0 -m physdev --physdev-out eth1 -j net2loc
> iptables: No chain/target/match by that name

Then your kernel doesn't have physdev match support.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
davenews@thebarnums.net
2004-May-03 03:39 UTC
Re: iptables: No chain/target/match by that name
Tom Eastep wrote:
> davenews@thebarnums.net wrote:
>
>> I'm getting a "No Chain/target/match by that name" error. I've read through
>> some other posts and things and i know some of these problems are caused by not
>> having physdev support. I have the 2.6.2 kernel running so i believe i'm fine.
>
> So 'lsmod' shows the physdev match module as in the following?
>
> wookie:~ # lsmod | grep physdev
> ipt_physdev 984 23 (autoclean)
> ...
> wookie:~ #
>
> And:
>
> wookie:~ # ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/*physdev*
> /lib/modules/2.6.5/kernel/net/ipv4/netfilter/ipt_physdev.o
> wookie:~
>
> and "modprobe ipt_physdev" works?
>
>> Let me note that when i run shorewall in 'normal' mode it works fine. I am
>> trying to set up a bridge between loc (eth1) and vpn (tap1) {which goes to
>> another house} and this is when i'm getting the error. Here is the debug..
>>
>> ++ physdev_echo '--physdev-out eth1'
>> ++ '[' -f /tmp/shorewall-5025/physdev ']'
>> ++ echo -m physdev --physdev-out eth1
>> + run_iptables -A eth0_fwd -s 0.0.0.0/0 -o br0 -m physdev --physdev-out eth1 -j net2loc
>> + '[' -n Yes ']'
>> + '[' -f /tmp/shorewall-5025/physdev ']'
>> + rm -f /tmp/shorewall-5025/physdev
>> + iptables -A eth0_fwd -s 0.0.0.0/0 -o br0 -m physdev --physdev-out eth1 -j net2loc
>> iptables: No chain/target/match by that name
>
> Then your kernel doesn't have physdev match support.
>
> -Tom

Ok... it doesn't. lsmod doesn't show physdev support... I thought it was standard in the 2.6? What did i do wrong to exclude it? More importantly.. where do i look in the make menuconfig to make sure i build it in?
On Sun, 2 May 2004, davenews@thebarnums.net wrote:
>
> Ok... it doesn't. lsmod doesn't show physdev support... I thought it
> was standard in the 2.6?

You still have to include it in your kernel configuration!!

> What did i do wrong to exclude it? More
> importantly.. where do i look in the make menuconfig to make sure i
> build it in?

Device Drivers->Networking Support->Networking Options->Network Packet Filtering->Physdev match support

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Hello,

See:
http://www.shorewall.net/kernel.htm

On a 2.6.4 kernel, I believe that the only stuff you need to configure correctly for iptables/shorewall are in:

device drivers->networking subsystem->networking options->

and:
device drivers->networking subsystem->networking options->network packet filtering-> IP: Netfilter Configuration

and QOS if you need it:
device drivers->networking subsystem->networking options->QoS and/or fair queueing

I looked through mine but I didn't see exactly what I was looking for.
See: http://www.rettc.com/pub/rettc/conf/2.6.4.config

This is my config for a happy shorewall box.
Maybe you will see a difference between your config in the above three areas.

Mostly, you can modularize all of the stuff in the IP: netfilter configuration section, and networking options follow my example, I think it will solve your problem.
http://www.rettc.com/pub/rettc/conf/2.6.4.config.net.opt

If not, whenever someone can verify my kernel config, I will get it on the shorewall website at the above (top) link.

Alex Martin
http://www.rettc.com
davenews@thebarnums.net
2004-May-04 01:39 UTC
Re: iptables: No chain/target/match by that name
[This email is either empty or too large to be displayed at this time]
davenews@thebarnums.net wrote:
> OK, i've installed physdev support into the kernel. I still can't get
> shorewall to start with my bridging configuration.. I'm getting an odd
> Invalid Argument error now. Check it out..
>
> <chopped>
> ++ echo eth0_fwd
> + chain1=eth0_fwd
> + interface1=br0
> + networks1=eth1
> + '[' eth0:0.0.0.0/0 '!=' br0:eth1 ']'
> ++ match_source_hosts 0.0.0.0/0
> ++ '[' -n Yes ']'
> ++ echo -s 0.0.0.0/0
> ++ match_dest_hosts eth1
> ++ '[' -n Yes ']'
> ++ physdev_echo '--physdev-out eth1'
> ++ '[' -f /tmp/shorewall-11223/physdev ']'
> ++ echo -m physdev --physdev-out eth1
> + run_iptables -A eth0_fwd -s 0.0.0.0/0 -o br0 -m physdev --physdev-out eth1 -j net2loc
> + '[' -n Yes ']'
> + '[' -f /tmp/shorewall-11223/physdev ']'
> + rm -f /tmp/shorewall-11223/physdev
> + iptables -A eth0_fwd -s 0.0.0.0/0 -o br0 -m physdev --physdev-out eth1 -j net2loc
> iptables: Invalid argument
> + '[' -z '' ']'
> + stop_firewall
> + set +x
> Processing /etc/shorewall/stop ...
> IP Forwarding Enabled
> Processing /etc/shorewall/stopped ...
> Terminated

99.99% of the time, "Invalid argument" is corrected by rebuilding iptables against your current kernel. The iptables<->kernel interface has no versioning mechanism!! Maybe the 2.8 kernel will correct that...

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
davenews@thebarnums.net
2004-May-06 04:13 UTC
Re: iptables: No chain/target/match by that name
OK, i've installed physdev support into the kernel. I still can't get shorewall to start with my bridging configuration.. I'm getting an odd Invalid Argument error now. Check it out..

<chopped>
++ echo eth0_fwd
+ chain1=eth0_fwd
+ interface1=br0
+ networks1=eth1
+ '[' eth0:0.0.0.0/0 '!=' br0:eth1 ']'
++ match_source_hosts 0.0.0.0/0
++ '[' -n Yes ']'
++ echo -s 0.0.0.0/0
++ match_dest_hosts eth1
++ '[' -n Yes ']'
++ physdev_echo '--physdev-out eth1'
++ '[' -f /tmp/shorewall-11223/physdev ']'
++ echo -m physdev --physdev-out eth1
+ run_iptables -A eth0_fwd -s 0.0.0.0/0 -o br0 -m physdev --physdev-out eth1 -j net2loc
+ '[' -n Yes ']'
+ '[' -f /tmp/shorewall-11223/physdev ']'
+ rm -f /tmp/shorewall-11223/physdev
+ iptables -A eth0_fwd -s 0.0.0.0/0 -o br0 -m physdev --physdev-out eth1 -j net2loc
iptables: Invalid argument
+ '[' -z '' ']'
+ stop_firewall
+ set +x
Processing /etc/shorewall/stop ...
IP Forwarding Enabled
Processing /etc/shorewall/stopped ...
Terminated
davenews@thebarnums.net
2004-May-06 04:30 UTC
Re: iptables: No chain/target/match by that name
Tom Eastep wrote:
> 99.99% of the time, "Invalid argument" is corrected by rebuilding
> iptables against your current kernel. The iptables<->kernel interface
> has no versioning mechanism!! Maybe the 2.8 kernel will correct that...
>
> -Tom

Thanks Tom, i'll see if i can do that.
davenews@thebarnums.net
2004-May-06 06:20 UTC
Re: iptables: No chain/target/match by that name
Compiled and installed iptables 1.2.9 from source, rebooted and tried to run shorewall w/ bridging config -- same problem.
Iptables will install in /usr/local/sbin/iptables unless you changed it at compile time. I had this problem until I noticed that I still had the old version in /sbin. Copy or create a link to the new version.

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
Bert Beaudin wrote:
> Iptables will install in /usr/local/sbin/iptables unless you changed it at
> compile time. I had this problem until I noticed that I still had the old
> version in /sbin. Copy or create a link to the new version.

Or adjust the PATH variable in shorewall.conf so that /usr/local/sbin is before /sbin.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Thanks, I never thought of that.
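
The checks suggested in this thread, collected as an added example that is not part of any poster's message: the script reads a kernel .config for the physdev match option and lists which iptables binary a given PATH finds first, so a stale /sbin copy shadowing a rebuilt /usr/local/sbin copy becomes visible. The function names and the constructed sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# physdev_config_state FILE -> "builtin", "module" or "missing".
# Accepts the 2.6-era CONFIG_IP_NF_MATCH_PHYSDEV symbol and the later
# CONFIG_NETFILTER_XT_MATCH_PHYSDEV symbol.
physdev_config_state() {
    line=$(grep -E '^CONFIG_(IP_NF|NETFILTER_XT)_MATCH_PHYSDEV=' "$1" | head -n 1)
    case "$line" in
        *=y) echo builtin ;;
        *=m) echo module ;;
        *)   echo missing ;;
    esac
}

# iptables_in_path PATHSTRING -> every executable "iptables" on that search
# path, in lookup order. The first line is the one a script will run.
# The body is a subshell so the IFS and globbing changes stay local.
iptables_in_path() (
    IFS=:
    set -f                      # no globbing while splitting the path
    for dir in $1; do
        [ -n "$dir" ] || continue
        if [ -f "$dir/iptables" ] && [ -x "$dir/iptables" ]; then
            echo "$dir/iptables"
        fi
    done
)

# shadowed_iptables PATHSTRING -> binaries that exist but are never reached
# because an earlier PATH entry wins.
shadowed_iptables() {
    iptables_in_path "$1" | tail -n +2
}

# Demonstration on a constructed tree (sample data, not a real system).
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/sbin" "$root/usr/local/sbin"
    for d in sbin usr/local/sbin; do
        printf '#!/bin/sh\n' > "$root/$d/iptables"
        chmod +x "$root/$d/iptables"
    done
    printf '# CONFIG_IP_NF_MATCH_PHYSDEV is not set\n' > "$root/config"

    echo "physdev match: $(physdev_config_state "$root/config")"
    echo "runs first:    $(iptables_in_path "$root/sbin:$root/usr/local/sbin" | head -n 1)"
    echo "never reached: $(shadowed_iptables "$root/sbin:$root/usr/local/sbin")"
    rm -rf "$root"
}

demo
```

On a real firewall, point physdev_config_state at the .config the running kernel was built from and pass iptables_in_path the PATH value set in shorewall.conf.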