Hi all,

I'm currently using ipsec with Shorewall 3.0.7 on a patched 2.6.10 kernel.
Having heard that ipsec support was in the standard kernel starting from
2.6.16, I tried to upgrade to the latest kernel. My problem is that Shorewall
won't start anymore. I get this output in /var/log/shorewall-init.log:

Starting Shorewall...
Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Extended Multi-port Match: Available
   Connection Tracking Match: Available
   Packet Type Match: Available
   Policy Match: Not available
   Physdev Match: Not available
   IP range Match: Available
   Recent Match: Available
   Owner Match: Available
   Ipset Match: Not available
   CONNMARK Target: Available
   Connmark Match: Available
   Raw Table: Available
   CLASSIFY Target: Available
   FORWARD Mangle Chain: Not available
Determining Zones...
   ERROR: Your kernel and/or iptables does not support policy match

and I get this error in the output:

ipt_policy: matchsize 116 != 308

The POLICY is compiled in the kernel:

marelle /usr/src/linux $ grep POLICY .config
CONFIG_IP_NF_MATCH_POLICY=y
CONFIG_IP6_NF_MATCH_POLICY=y

Does anyone know what this error might be?

--
Benjamin Lerman

-------------------------------------------------------
All the advantages of Linux Managed Hosting--Without the Cost and Risk!
Fully trained technicians. The highest number of Red Hat certifications in
the hosting industry. Fanatical Support. Click to learn more
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=107521&bid=248729&dat=121642
Benjamin Lerman wrote:

>    Policy Match: Not available
>    Physdev Match: Not available
>    IP range Match: Available
>    Recent Match: Available
>    Owner Match: Available
>    Ipset Match: Not available
>    CONNMARK Target: Available
>    Connmark Match: Available
>    Raw Table: Available
>    CLASSIFY Target: Available
>    FORWARD Mangle Chain: Not available
> Determining Zones...
>    ERROR: Your kernel and/or iptables does not support policy match
>
> and I get this error in the output:
>
> ipt_policy: matchsize 116 != 308
>
> The POLICY is compiled in the kernel:
>
> marelle /usr/src/linux $ grep POLICY .config
> CONFIG_IP_NF_MATCH_POLICY=y
> CONFIG_IP6_NF_MATCH_POLICY=y
>
> Does anyone know what this error might be?
>

The commands that Shorewall uses to detect policy match are:

iptables -N fooX1234
iptables -A fooX1234 -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT

What is the result of those commands on your system? I'm guessing that the
problem is an incompatibility between your iptables and your new kernel.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
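The two commands Tom quotes are a capability probe: Shorewall tries to add a policy-match rule to a scratch chain and treats failure as "Policy Match: Not available". The kernel message in the original post, "ipt_policy: matchsize 116 != 308", is the kernel's ipt_policy module rejecting the match because the size of the match data handed over by the iptables userspace library does not equal the size the kernel was built with, which is exactly the userspace/kernel mismatch Tom suspects. The script below is an added example, not Shorewall's own code: it runs the same probe but also removes the scratch chain afterwards (the bare commands leave fooX1234 behind). It assumes an iptables binary (the path can be passed as the first argument, which is how it is also exercised against a stub) and root privileges when run against the real binary.

```shell
#!/bin/sh
# Added example, not Shorewall's own code: probe whether the running
# kernel + iptables pair supports the policy match the way the thread
# says Shorewall does, then clean up the scratch chain.
# Assumes: an iptables binary (override with $1) and root privileges
# when run against the real one.

probe_policy_match() {
    ipt="${1:-iptables}"
    chain="${2:-fooX1234}"   # scratch chain name, as in the thread
    # Create the scratch chain; if even this fails, iptables is unusable.
    "$ipt" -N "$chain" 2>/dev/null || return 2
    # Try to add a policy-match rule. A kernel/userspace struct size
    # mismatch (e.g. "ipt_policy: matchsize 116 != 308" in the kernel
    # log) makes this fail even though CONFIG_IP_NF_MATCH_POLICY=y.
    if "$ipt" -A "$chain" -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT 2>/dev/null; then
        result=0
    else
        result=1
    fi
    # Always remove the scratch chain again (flush, then delete).
    "$ipt" -F "$chain" 2>/dev/null || true
    "$ipt" -X "$chain" 2>/dev/null || true
    return $result
}

# Prints the same line Shorewall's capability report would show.
report_policy_match() {
    if probe_policy_match "$@"; then
        echo "Policy Match: Available"
    else
        echo "Policy Match: Not available"
    fi
}

# Usage (as root): sh probe.sh --run [/path/to/iptables]
if [ "${1:-}" = "--run" ]; then
    report_policy_match "${2:-iptables}"
fi
```

If the probe reports "Not available" while the .config shows the match compiled in, check the kernel log for the matchsize line and compare the iptables version against the kernel; the fix in this thread was to update iptables so that its policy match library matched the kernel's structure.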
Tom Eastep wrote:

> I'm guessing that the problem is an incompatibility between your iptables
> and your new kernel.
>

A little code reading turns that guess into near certainty.

-Tom
> A little code reading turns that guess into near certainty.

Thanks for your answer. I cannot give you right now the output of the
commands you asked for, but I'll try to upgrade iptables.

--
Benjamin Lerman
> What is the result of those commands on your system? I'm guessing that the
> problem is an incompatibility between your iptables and your new kernel.

You were right. I updated iptables and Shorewall is running fine.

--
Benjamin Lerman