Scott Ruckh
2005-Oct-29 21:16 UTC
ipt_owner: pid, sid and command matching not supported anymore
The following error shows up at boot up and shutdown:

ipt_owner: pid, sid and command matching not supported anymore

This is not the same SMP problem I have seen in the shorewall-list-archives.

I compiled a vanilla 2.6.14 kernel on CentOS x86_64. It was after utilizing this new kernel when the shorewall errors first started to occur. When running the stock CentOS kernel, 2.6.9-22.EL-x86_64, this error did not show up.

I guess this is more of a warning rather than an error because everything still appears to work, but I am interested to understand what the warning means, if it is something I need to be concerned with, and what I should do to prevent these errors.

Also to note is that I am running shorewall version 2.4.3-1 from the CentOS rpm repository.

Thanks for your help

--
-------------------------------------------------------
This SF.Net email is sponsored by the JBoss Inc. Get Certified Today
* Register for a JBoss Training Course
Free Certification Exam for All Training Attendees Through End of 2005
Visit http://www.jboss.com/services/certification for more information
Tom Eastep
2005-Oct-30 00:27 UTC
Re: ipt_owner: pid, sid and command matching not supported anymore
On Saturday 29 October 2005 14:16, Scott Ruckh wrote:

> I compiled a vanilla 2.6.14 kernel on CentOS x86_64. It was after
> utilizing this new kernel when the shorewall errors first started to
> occur.

Sigh -- not two days ago, I told people on this list that I didn't recommend upgrading to 2.6.14 because I was sure that it would break Shorewall.

Looks like my prediction was on target,
-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Scott Ruckh
2005-Oct-30 00:46 UTC
Re: ipt_owner: pid, sid and command matching not supported anymore
Bummer...Too bad for me...I just joined the list today.

Are these errors serious enough that I do not want to run with the 2.6.14 kernel?

--
http://photo-gallery.gemneye.org:1115/Gallery/

This is what you said Tom Eastep

> On Saturday 29 October 2005 14:16, Scott Ruckh wrote:
>
>> I compiled a vanilla 2.6.14 kernel on CentOS x86_64. It was after
>> utilizing this new kernel when the shorewall errors first started to
>> occur.
>
> Sigh -- not two days ago, I told people on this list that I didn't
> recommend upgrading to 2.6.14 because I was sure that it would break Shorewall.
>
> Looks like my prediction was on target,
> -Tom
> --
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
> PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep
2005-Oct-30 14:47 UTC
Re: ipt_owner: pid, sid and command matching not supported anymore
On Saturday 29 October 2005 17:46, Scott Ruckh wrote:

> Bummer...Too bad for me...I just joined the list today.
>
> Are these errors serious enough that I do not want to run with the 2.6.14
> kernel?

What makes you think that they are errors?

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Scott Ruckh
2005-Oct-30 15:46 UTC
Re: ipt_owner: pid, sid and command matching not supported anymore
> What makes you think that they are errors?

Actually my original post referred to these messages as Warnings. Unfortunately I am fairly new to netfilter/shorewall and I am not familiar enough with all of the terms.

As I do not completely understand the "message" (sure, the "not supported" is perfect English and makes sense), I do not know what actions to take.

Where in older kernels was ipt_owner configured? What ill effects might I encounter because ipt_owner: pid, sid, and command matching are no longer supported? Are these messages serious enough that I should go back to using a kernel that did not produce these messages?

Should I be concerned with these messages?

connmark: only support 32bit mark
CONNMARK: Only supports 32bit mark

These too appear after upgrading the kernel.

What is the latest version of the 2.6 branch of the kernel that is known to work with shorewall?

I am just trying to wrap my head around what these messages are really trying to tell me and thought I would try this forum as a medium to get these questions answered.

Thanks.
Tom Eastep
2005-Oct-30 16:15 UTC
Re: ipt_owner: pid, sid and command matching not supported anymore
On Sunday 30 October 2005 07:46, Scott Ruckh wrote:

> > What makes you think that they are errors?
>
> Actually my original post referred to these messages as Warnings.
> Unfortunately I am fairly new to netfilter/shorewall and I am not familiar
> enough with all of the terms.
>
> As I do not completely understand the "message" (sure, the "not supported"
> is perfect English and makes sense), I do not know what actions to take.
>
> Where in older kernels was ipt_owner configured? What ill effects might I
> encounter because ipt_owner: pid, sid, and command matching are no longer
> supported? Are these messages serious enough that I should go back to
> using a kernel that did not produce these messages?
>
> Should I be concerned with these messages?
>
> connmark: only support 32bit mark
> CONNMARK: Only supports 32bit mark
>
> These too appear after upgrading the kernel.
>
> What is the latest version of the 2.6 branch of the kernel that is known
> to work with shorewall?
>
> I am just trying to wrap my head around what these messages are really
> trying to tell me and thought I would try this forum as a medium to get
> these questions answered.

a) Please go to the Shorewall home page (URL in my .sig below).
b) At the top of the page is a "Search Mailing List Archives" link -- please follow it.
c) Search for "Kernel 2.6.14"
d) Read the first post from me that you see there.

Kernel 2.6.14 was released on Friday -- I have been out of town and just arrived home yesterday afternoon and I haven't downloaded the source or read the release notes. I have rather been spending my time answering silly emails that have piled up while I was away. So if you want to run that kernel, you are going to have to make the determination yourself if what you are seeing is serious or not.

Kernels up through 2.6.13 generally work well with Shorewall with the exception that late 2.6.11 and early 2.6.12 kernels were broken with respect to bridging.

In the future, please refer to http://shorewall.net/shorewall_prerequisites.htm if you have questions about the latest kernel that is known to work with Shorewall. As I build and test new kernel versions with Shorewall, I update the first bullet in the list.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep
2005-Oct-30 20:30 UTC
Re: ipt_owner: pid, sid and command matching not supported anymore
On Sunday 30 October 2005 11:27, you wrote:

> Tom Eastep wrote:
> > On Sunday 30 October 2005 07:46, Scott Ruckh wrote:
> >
> > a) Please go to the Shorewall home page (URL in my .sig below).
> > b) At the top of the page is a "Search Mailing List Archives" link --
> > please follow it.
> > c) Search for "Kernel 2.6.14"
> > d) Read the first post from me that you see there.
>
> Tom:
> Since I'm aware you follow the netfilter-devel lists,
> what [have] the netfilter developers done in the latest release, that
> we are seeing the first effects of the "upgrade"???

a) The volume of changes in 2.6.14 is staggering (the change log is > 2MB!)

b) A new nfnetlink_conntrack interface has been added. While this is a good thing (allows manipulation of the connection tracking table via a 'conntrack' user-space utility) it was a significant change. It is reported to be broken currently on X64.

c) Many options from patch-o-matic have been moved into the standard kernel (including the brain-dead 'string match' thingy).

d) Mark values have been changed from 64 bits to 32 bits. This *shouldn't* affect Shorewall users since Shorewall restricts mark values to 8 bits (1-255). This change is reflected in two of the messages that are keeping Scott awake at night.

e) A new logging interface has been added which has obsoleted ULOG (although ULOG is still supported) and will eventually replace LOG. There will soon be a replacement for ulogd available as well (Harald is currently working on it).

f) As reported in this thread, pid, sid and command matching has been eliminated from 'owner match'. This means that placing a command name in the OWNER/GROUP column of several Shorewall config files will no longer be supported (Hint to the webmaster: this means a documentation change is needed). I've committed CVS changes to both 2.4 and 3.0 to alter the command used to detect 'owner match' in Shorewall. This eliminates the first message that Scott was wringing his hands over.

I'm sure that the above list is incomplete since it is from memory -- I still haven't waded through the 2MB+ change log.

Since I know that Scott isn't the only user who is going to upgrade to 2.6.14 then start posting madly on the list, I have built and installed a 2.6.14 kernel on my own firewall so I will hopefully stumble into any other problems that are going to surface.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
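Added illustration, not part of the thread and not Shorewall's own code: a small POSIX shell audit that reads an iptables-save style dump and reports the two classes of rule affected by the 2.6.14 changes Tom lists above. The first check finds owner-match rules that still use the removed --pid-owner, --sid-owner or --cmd-owner options (uid/gid matching is untouched); the second finds mark values that do not fit in a given bit width (8 for Shorewall's 1-255 restriction, 32 for the new kernel limit). The sample rules are constructed for the example; to audit a live ruleset, pipe the output of `iptables-save` into the same functions.

```shell
#!/bin/sh
# Added example, not from the thread or from Shorewall: audit an
# iptables-save dump for rules that kernel 2.6.14 no longer honours.

# Constructed sample dump (not real rules from anyone's firewall).
sample_rules() {
cat <<'EOF'
*filter
:OUTPUT ACCEPT [0:0]
-A OUTPUT -m owner --uid-owner 1000 -j ACCEPT
-A OUTPUT -m owner --cmd-owner sshd -j ACCEPT
-A OUTPUT -m owner --pid-owner 4242 -j DROP
-A OUTPUT -m owner --sid-owner 100 -j DROP
-A OUTPUT -m owner --gid-owner 100 -j ACCEPT
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 22 -j MARK --set-mark 0x1
-A PREROUTING -p tcp --dport 80 -j MARK --set-mark 0x1ff
-A PREROUTING -m mark --mark 0x100000000 -j ACCEPT
COMMIT
EOF
}

# Print every rule on stdin that uses an owner-match option dropped in
# 2.6.14 (pid, sid and command matching); uid/gid matching still works.
unsupported_owner_rules() {
    grep -E -- '--(pid|sid|cmd)-owner' || true
}

# Print every mark value on stdin that does not fit in $1 bits.
# Use 8 for Shorewall's 1-255 restriction, 32 for the new kernel limit.
marks_wider_than() {
    width="$1"
    limit=$(( (1 << width) - 1 ))
    grep -oE -- '--(set-)?mark 0x[0-9a-fA-F]+' | while read -r opt hexval; do
        # printf converts the 0x... literal to decimal portably
        dec=$(printf '%d' "$hexval")
        [ "$dec" -gt "$limit" ] && printf '%s %s (exceeds %s bits)\n' "$opt" "$hexval" "$width"
    done
    return 0
}

# Counts on the constructed sample; these are the values worth checking.
count_unsupported_owner_rules() {
    sample_rules | unsupported_owner_rules | wc -l | tr -d ' '
}
count_marks_wider_than() {
    sample_rules | marks_wider_than "$1" | wc -l | tr -d ' '
}

# Stand-alone run: report on the sample. Replace sample_rules with
# `iptables-save` to audit a live ruleset.
sample_rules | unsupported_owner_rules
sample_rules | marks_wider_than 8
```

On the sample, the owner check reports the three cmd/pid/sid rules and the 8-bit mark check reports 0x1ff and 0x100000000; with width 32 only the last value is flagged, which is the case that the "32bit mark" messages in this thread are about.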
Tom Eastep
2005-Oct-31 01:02 UTC
Re: ipt_owner: pid, sid and command matching not supported anymore
On Sunday 30 October 2005 12:30, Tom Eastep wrote:

> b) A new nfnetlink_conntrack interface has been added. While this is a good
> thing (allows manipulation of the connection tracking table via a
> 'conntrack' user-space utility) it was a significant change. It is reported
> to be broken currently on X64.

I worked all afternoon and have finally produced a working copy of the 'conntrack' utility.

a) It must be built from svn -- the released code doesn't work.
b) The libnfnetlink library is hard-coded for automake-1.6 -- you need to modify the autogen.sh file to fit your version which must be >= 1.6. Note that the Debian testing version of automake is 1.4.
c) You must build all of the components (three of them) from svn because the name of one of them has changed.

This stuff isn't ready for general consumption yet.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key