As suggested here: http://lists.shorewall.net/pipermail/shorewall-users/2004-October/015097.html

I've run:

adam@shrike:~$ /sbin/iptables -m policy --help
iptables v1.2.11

Usage: iptables -[AD] chain rule-specification [options]
       iptables -[RI] chain rulenum rule-specification [options]
       iptables -D chain rulenum [options]
--snip--

And:

adam@shrike:~$ sudo /sbin/iptables -N foo
adam@shrike:~$ sudo /sbin/iptables -N foo -m policy --pol none
iptables v1.2.11: policy match: neither --in nor --out specified
Try `iptables -h' or 'iptables --help' for more information.

This looks about right, but shorewall still tells me

Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Connection Tracking Match: Available
   Packet Type Match: Available
   Policy Match: Not available
   Physdev Match: Available
   IP range Match: Available
Verifying Configuration...
Determining Zones...
   Zones: ocm net loc
Validating interfaces file...
Validating hosts file...
   Error: Your kernel and/or iptables does not support policy match: ipsec

Before putting a bunch of effort into figuring out the packaging of the Debian iptables package and patching the kernel, I'd like to verify that Debian hasn't patched appropriately.

Any ideas?

Versions:

iptables 1.2.11-8
kernel-image-2.6.9-1-686 2.6.9-3

Thanks,

A.

--
Adam Sherman
Technologist
http://www.sherman.ca/
On Wed, 2004-12-08 at 09:11 -0500, Adam Sherman wrote:

> adam@shrike:~$ sudo /sbin/iptables -N foo
> adam@shrike:~$ sudo /sbin/iptables -N foo -m policy --pol none
> iptables v1.2.11: policy match: neither --in nor --out specified
> Try `iptables -h' or 'iptables --help' for more information.
>
> This looks about right, but shorewall still tells me
>
> Shorewall has detected the following iptables/netfilter capabilities:
>    NAT: Available
>    Packet Mangling: Available
>    Multi-port Match: Available
>    Connection Tracking Match: Available
>    Packet Type Match: Available
>    Policy Match: Not available
>    Physdev Match: Available
>    IP range Match: Available
> Verifying Configuration...
> Determining Zones...
>    Zones: ocm net loc
> Validating interfaces file...
> Validating hosts file...
>    Error: Your kernel and/or iptables does not support policy match: ipsec

I'm betting that your iptables has policy match support and your kernel does not. Try this:

ursa:~ # ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_policy*
/lib/modules/2.6.8-24.5-default/kernel/net/ipv4/netfilter/ipt_policy.ko
ursa:~ #

If you get 'No such file or directory', then your kernel is missing policy match.

FWIW, the command that Shorewall uses to detect this capability is:

iptables -A foo -m policy --pol ipsec --dir in -j ACCEPT

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> I'm betting that your iptables has policy match support and your kernel
> does not.

You are correct. Thanks for the quick reply.

I'm off to patch the kernel.

A.

--
Adam Sherman
Technologist
http://www.sherman.ca/
On Wed, 2004-12-08 at 10:23 -0500, Adam Sherman wrote:
> Tom Eastep wrote:
> > I'm betting that your iptables has policy match support and your kernel
> > does not.
>
> You are correct. Thanks for the quick reply.
>
> I'm off to patch the kernel.

Be sure to also apply the 4 Netfilter-ipsec patches as well...

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
>>> I'm betting that your iptables has policy match support and your kernel
>>> does not.
>>
>> You are correct. Thanks for the quick reply.
>>
>> I'm off to patch the kernel.
>
> Be sure to also apply the 4 Netfilter-ipsec patches as well...

I see the following patches.

For the kernel:

nf_reset/ (Seems to already be applied.)
ipsec-01-output-hooks/
ipsec-02-input-hooks/
ipsec-03-policy-lookup/
ipsec-04-policy-checks/

For iptables:

policy (Seems to already be applied.)

Thanks for your help,

A.

--
Adam Sherman
Technologist
http://www.sherman.ca/
Adam Sherman wrote:
> ipsec-01-output-hooks/
> ipsec-02-input-hooks/
> ipsec-03-policy-lookup/
> ipsec-04-policy-checks/

Well, I grabbed the latest versions of the above from netfilter CVS and am quite pained to see that they do not apply cleanly.

I know this is getting off-topic, but does anyone have patches for 2.6.9? I need some VLAN fixes that are in 2.6.9, so I don't really want to be using something older...

Thanks,

A.

--
Adam Sherman
Technologist
http://www.sherman.ca/
On Wed, 2004-12-08 at 10:44 -0500, Adam Sherman wrote:
> Tom Eastep wrote:
> >>> I'm betting that your iptables has policy match support and your kernel
> >>> does not.
> >>
> >> You are correct. Thanks for the quick reply.
> >>
> >> I'm off to patch the kernel.
> >
> > Be sure to also apply the 4 Netfilter-ipsec patches as well...
>
> I see the following patches.
>
> For the kernel:
>
> nf_reset/ (Seems to already be applied.)
> ipsec-01-output-hooks/
> ipsec-02-input-hooks/
> ipsec-03-policy-lookup/
> ipsec-04-policy-checks/

You need those for Shorewall's 2.6 ipsec support to work.

>
> For iptables:
>
> policy (Seems to already be applied.)

Yet "-m policy" doesn't work???

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
>> For iptables:
>>
>> policy (Seems to already be applied.)
>
> Yet "-m policy" doesn't work???

Doesn't this indicate that it is?

$ sudo iptables -m policy
iptables v1.2.11: policy match: no parameters given
Try `iptables -h' or 'iptables --help' for more information.

Also, "/lib/iptables/libipt_policy.so" is present.

Thanks,

A.

--
Adam Sherman
Technologist
http://www.sherman.ca/
On Wed, 2004-12-08 at 12:07 -0500, Adam Sherman wrote:
> Tom Eastep wrote:
> >> For iptables:
> >>
> >> policy (Seems to already be applied.)
> >
> > Yet "-m policy" doesn't work???
>
> Doesn't this indicate that it is?
>
> $ sudo iptables -m policy
> iptables v1.2.11: policy match: no parameters given
> Try `iptables -h' or 'iptables --help' for more information.
>
> Also, "/lib/iptables/libipt_policy.so" is present.
>

It indicates that it is working *in iptables*. The output from Shorewall indicates that it isn't in your kernel (and in one of your earlier posts, you agreed).

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
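Added example, serving both Tom's first reply (the ls check on the module tree and the probe command Shorewall runs) and his later point that "-m policy" can be present in iptables userspace and still absent from the kernel. This is not code from the thread or from Shorewall. It assumes the file layout quoted above (/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_policy.ko and /lib/iptables/libipt_policy.so) as defaults, also accepts the xt_policy/libxt_policy names later kernels and iptables releases use, and wraps Tom's probe in a throw-away chain so the live ruleset is not touched. The function names, the scratch-chain name and the argument handling are mine.

```shell
#!/bin/sh
# Added example, not from the thread or from Shorewall: tell apart the two
# halves of "-m policy", the iptables plugin (userspace) and the netfilter
# module (kernel), then run the same probe Shorewall does in a scratch chain.
# Default paths follow the 2004-era Debian layout in the thread; every
# default can be overridden by an argument (the tests below do that).

# 0 if a policy-match module file exists anywhere under the modules tree
# ($1, default: the running kernel's). A kernel with the match compiled in
# (CONFIG_IP_NF_MATCH_POLICY=y) has no module file, so a miss here is a
# hint, not a verdict; probe_policy_match below is the authoritative check.
have_policy_kmod() {
    modroot="${1:-/lib/modules/$(uname -r)}"
    found=$(find "$modroot" -type f \( -name 'ipt_policy.*' -o -name 'xt_policy.*' \) 2>/dev/null)
    [ -n "$found" ]
}

# 0 if the iptables userspace plugin is present in the library dir
# ($1, default: /lib/iptables, where iptables 1.2.x on Debian kept it).
have_policy_userspace() {
    libdir="${1:-/lib/iptables}"
    [ -f "$libdir/libipt_policy.so" ] || [ -f "$libdir/libxt_policy.so" ]
}

# Print one of: both, userspace-only, kernel-only, neither.
# "userspace-only" is the state in the thread: "iptables -m policy --help"
# parses fine, but a rule that uses the match cannot be loaded.
# $1 = modules tree, $2 = iptables library dir (both optional).
diagnose_policy_match() {
    if have_policy_kmod "$1"; then k=1; else k=0; fi
    if have_policy_userspace "$2"; then u=1; else u=0; fi
    case "$k$u" in
        11) echo both ;;
        01) echo userspace-only ;;
        10) echo kernel-only ;;
        *)  echo neither ;;
    esac
}

# Shorewall's own test, wrapped: add the rule in a throw-away chain so the
# live ruleset stays untouched, then remove the chain. $1 is the iptables
# binary (default: iptables); needs root on a real system.
# Returns 0 if the kernel accepted the rule, 1 if it rejected it,
# 2 if the scratch chain could not even be created (no binary, no privilege).
probe_policy_match() {
    ipt="${1:-iptables}"
    chain="policy_probe_$$"
    "$ipt" -N "$chain" 2>/dev/null || return 2
    if "$ipt" -A "$chain" -m policy --pol ipsec --dir in -j ACCEPT 2>/dev/null; then
        rc=0
    else
        rc=1
    fi
    "$ipt" -F "$chain" 2>/dev/null || true
    "$ipt" -X "$chain" 2>/dev/null || true
    return "$rc"
}

# Stand-alone use: static view first, then the live probe when running as root.
echo "static check: $(diagnose_policy_match)"
if [ "$(id -u)" = 0 ]; then
    probe_policy_match; rc=$?
    case $rc in
        0) echo "probe: kernel accepted -m policy" ;;
        1) echo "probe: kernel rejected -m policy (module or patches missing)" ;;
        *) echo "probe: could not create scratch chain (is iptables installed?)" ;;
    esac
else
    echo "probe: skipped (run as root to try adding a rule)"
fi
```

`diagnose_policy_match` is safe to run unprivileged; the probe needs root because it adds and deletes a chain. Treat a "userspace-only" verdict the way Tom does: the plugin being present only proves iptables can parse the option, and the kernel has to accept the rule before Shorewall will report Policy Match as available.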
Tom Eastep wrote:
> On Wed, 2004-12-08 at 12:07 -0500, Adam Sherman wrote:
>
>> Tom Eastep wrote:
>>
>>>> For iptables:
>>>>
>>>> policy (Seems to already be applied.)
>>>
>>> Yet "-m policy" doesn't work???
>>
>> Doesn't this indicate that it is?
>>
>> $ sudo iptables -m policy
>> iptables v1.2.11: policy match: no parameters given
>> Try `iptables -h' or 'iptables --help' for more information.
>>
>> Also, "/lib/iptables/libipt_policy.so" is present.
>
> It indicates that it is working *in iptables*. The output from Shorewall
> indicates that it isn't in your kernel (and in one of your earlier
> posts, you agreed).

Ah, I misunderstood you. Not sure why I thought that the policy patch was *only* for the userland tools.

Thanks!

A.

--
Adam Sherman
Technologist
http://www.sherman.ca/