Shorewall users - Dec 2004 - Kernel/iptables question

As suggested here:

http://lists.shorewall.net/pipermail/shorewall-users/2004-October/015097.html

I''ve run:

adam@shrike:~$ /sbin/iptables -m policy --help
iptables v1.2.11

Usage: iptables -[AD] chain rule-specification [options]
        iptables -[RI] chain rulenum rule-specification [options]
        iptables -D chain rulenum [options]
--snip--

And:

adam@shrike:~$ sudo /sbin/iptables -N foo
adam@shrike:~$ sudo /sbin/iptables -N foo -m policy --pol none
iptables v1.2.11: policy match: neither --in nor --out specified
Try `iptables -h'' or ''iptables --help'' for more
information.

This looks about right, but shorewall still tells me

Shorewall has detected the following iptables/netfilter capabilities:
    NAT: Available
    Packet Mangling: Available
    Multi-port Match: Available
    Connection Tracking Match: Available
    Packet Type Match: Available
    Policy Match: Not available
    Physdev Match: Available
    IP range Match: Available
Verifying Configuration...
Determining Zones...
    Zones: ocm net loc
Validating interfaces file...
Validating hosts file...
    Error: Your kernel and/or iptables does not support policy match: ipsec

Before putting a bunch of effort into figuring out the packaging of the 
Debian iptables package and patching the kernel, I''d like to verify
that
Debian hasn''t patched appropriately. Any ideas?

Versions:
iptables 1.2.11-8
kernel-image-2.6.9-1-686 2.6.9-3

Thanks,

A.


-- 
Adam Sherman
Technologist
http://www.sherman.ca/

On Wed, 2004-12-08 at 09:11 -0500, Adam Sherman wrote:
> 
> adam@shrike:~$ sudo /sbin/iptables -N foo
> adam@shrike:~$ sudo /sbin/iptables -N foo -m policy --pol none
> iptables v1.2.11: policy match: neither --in nor --out specified
> Try `iptables -h'' or ''iptables --help'' for more
information.
> 
> This looks about right, but shorewall still tells me
> 
> Shorewall has detected the following iptables/netfilter capabilities:
>     NAT: Available
>     Packet Mangling: Available
>     Multi-port Match: Available
>     Connection Tracking Match: Available
>     Packet Type Match: Available
>     Policy Match: Not available
>     Physdev Match: Available
>     IP range Match: Available
> Verifying Configuration...
> Determining Zones...
>     Zones: ocm net loc
> Validating interfaces file...
> Validating hosts file...
>     Error: Your kernel and/or iptables does not support policy match: ipsec
I''m betting that your iptables has policy match support and your kernel
does not.

Try this:

ursa:~ # ls /lib/modules/$(uname
-r)/kernel/net/ipv4/netfilter/ipt_policy*
/lib/modules/2.6.8-24.5-default/kernel/net/ipv4/netfilter/ipt_policy.ko
ursa:~ #

If you get ''No such file or directory'', then your kernel is
missing
policy match.

FWIW, the command that Shorewall uses to detect this capability is:

iptables -A foo -m policy --pol ipsec --dir in -j ACCEPT

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Tom Eastep wrote:
> I''m betting that your iptables has policy match support and your
kernel
> does not.
You are correct. Thanks for the quick reply.

I''m off to patch the kernel.

A.

-- 
Adam Sherman
Technologist
http://www.sherman.ca/

On Wed, 2004-12-08 at 10:23 -0500, Adam Sherman wrote:
> Tom Eastep wrote:
> > I''m betting that your iptables has policy match support and
your kernel
> > does not.
> 
> You are correct. Thanks for the quick reply.
> 
> I''m off to patch the kernel.
Be sure to also apply the 4 Netfilter-ipsec patches as well...

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Tom Eastep wrote:
>>>I''m betting that your iptables has policy match support and
your kernel
>>>does not.
>>
>>You are correct. Thanks for the quick reply.
>>
>>I''m off to patch the kernel.
> 
> Be sure to also apply the 4 Netfilter-ipsec patches as well...
I see the following patches.

For the kernel:

nf_reset/ (Seems to already be applied.)
ipsec-01-output-hooks/
ipsec-02-input-hooks/
ipsec-03-policy-lookup/
ipsec-04-policy-checks/

For iptables:

policy (Seems to already be applied.)

Thanks for your help,

A.

-- 
Adam Sherman
Technologist
http://www.sherman.ca/

Adam Sherman wrote:
> ipsec-01-output-hooks/
> ipsec-02-input-hooks/
> ipsec-03-policy-lookup/
> ipsec-04-policy-checks/
Well, I grabbed the latest versions of the above from nefilter CVS and 
am quite pained to see that they do not apply cleanly. I know this is 
getting off-topic, but does anyone have patches for 2.6.9? I need some 
VLAN fixes that are in 2.6.9, so I don''t really want to be using 
something older...

Thanks,

A.

-- 
Adam Sherman
Technologist
http://www.sherman.ca/

On Wed, 2004-12-08 at 10:44 -0500, Adam Sherman wrote:
> Tom Eastep wrote:
> >>>I''m betting that your iptables has policy match
support and your kernel
> >>>does not.
> >>
> >>You are correct. Thanks for the quick reply.
> >>
> >>I''m off to patch the kernel.
> > 
> > Be sure to also apply the 4 Netfilter-ipsec patches as well...
> 
> I see the following patches.
> 
> For the kernel:
> 
> nf_reset/ (Seems to already be applied.)
> ipsec-01-output-hooks/
> ipsec-02-input-hooks/
> ipsec-03-policy-lookup/
> ipsec-04-policy-checks/
You need those for Shorewall''s 2.6 ipsec support to work.
> 
> For iptables:
> 
> policy (Seems to already be applied.)
Yet "-m policy" doesn''t work???

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Tom Eastep wrote:
>>For iptables:
>>
>>policy (Seems to already be applied.)
> 
> Yet "-m policy" doesn''t work???
Doesn''t this indicate that it is?

$ sudo iptables -m policy
iptables v1.2.11: policy match: no parameters given
Try `iptables -h'' or ''iptables --help'' for more
information.

Also, "/lib/iptables/libipt_policy.so" is present.

Thanks,

A.

-- 
Adam Sherman
Technologist
http://www.sherman.ca/

On Wed, 2004-12-08 at 12:07 -0500, Adam Sherman wrote:
> Tom Eastep wrote:
> >>For iptables:
> >>
> >>policy (Seems to already be applied.)
> > 
> > Yet "-m policy" doesn''t work???
> 
> Doesn''t this indicate that it is?
> 
> $ sudo iptables -m policy
> iptables v1.2.11: policy match: no parameters given
> Try `iptables -h'' or ''iptables --help'' for more
information.
> 
> Also, "/lib/iptables/libipt_policy.so" is present.
> 
It indicates that it is working *in iptables*. The output from Shorewall
indicates that it isn''t in your kernel (and in one of your earlier
posts, you agreed).

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Tom Eastep wrote:
> On Wed, 2004-12-08 at 12:07 -0500, Adam Sherman wrote:
> 
>>Tom Eastep wrote:
>>
>>>>For iptables:
>>>>
>>>>policy (Seems to already be applied.)
>>>
>>>Yet "-m policy" doesn''t work???
>>
>>Doesn''t this indicate that it is?
>>
>>$ sudo iptables -m policy
>>iptables v1.2.11: policy match: no parameters given
>>Try `iptables -h'' or ''iptables --help'' for
more information.
>>
>>Also, "/lib/iptables/libipt_policy.so" is present.
> 
> It indicates that it is working *in iptables*. The output from Shorewall
> indicates that it isn''t in your kernel (and in one of your earlier
> posts, you agreed).
Ah, I misunderstood you. Not sure why I thought that the policy patch 
was *only* for the userland tools. Thanks!

A.

-- 
Adam Sherman
Technologist
http://www.sherman.ca/