Shorewall users - Aug 2007 - Re: shorewall-4.0.2 & openvz

a.shubnik@btis.by wrote:
>     Hello Tom!
Aleksandr,

In the future, please don''t send your Shorewall support requests
directly to
me. Please see http://www.shorewall.net/support.htm:
>     I try to start last version of shorewall-4.0.2 under openvz environment
> in virtual server and get follow error messages:
> 
> gate ~ # shorewall check
> Checking...
> 
> Checking...
> FATAL: Error inserting nfnetlink
> (/lib/modules/2.6.18-028stab035/kernel/net/netfilter/nfnetlink.ko):
> Operation not permitted
< endless list of similar error messages discarded>

> Operation not permitted
> Checking /etc/shorewall/zones...
> Determining Hosts in Zones...
> Preprocessing Action Files...
>    Pre-processing /usr/share/shorewall/action.Drop...
>    Pre-processing /usr/share/shorewall/action.Reject...
> Checking Kernel Route Filtering...
> Checking Martian Logging...
> Checking MAC Filtration -- Phase 1...
> Checking /etc/shorewall/rules...
> Generating Transitive Closure of Used-action List...
> Processing /usr/share/shorewall/action.Reject for chain Reject...
> Processing /usr/share/shorewall/action.Drop for chain Drop...
> Checking MAC Filtration -- Phase 2...
> Applying Policies...
> Generating Rule Matrix...
> Shorewall configuration verified
> 
> 
>      I have all iptables modules (that supported by OpenVZ) installed,
> loaded and working but under virtual
> server its are invisible (if i correct understand). This is parameter in
> vz.conf:
> 
> IPTABLES="iptable_filter iptable_mangle ipt_limit ipt_multiport
ipt_tos
> ipt_TOS ipt_REJECT  ipt_TCPMSS  ipt_tcpmss ipt_ttl ipt_LOG ipt_length
> ip_conntrack ipt_state ipt_helper iptable_nat ip_nat_ftp ip_nat_irc
> ipt_REDIRECT xt_mac"
> 
>      On the host node all OK:
> 
> vserver1 / # shorewall check
> Checking...
> Checking /etc/shorewall/zones...
> Determining Hosts in Zones...
> Preprocessing Action Files...
>    Pre-processing /usr/share/shorewall/action.Drop...
>    Pre-processing /usr/share/shorewall/action.Reject...
> Checking Kernel Route Filtering...
> Checking Martian Logging...
> Checking MAC Filtration -- Phase 1...
> Checking /etc/shorewall/rules...
> Generating Transitive Closure of Used-action List...
> Processing /usr/share/shorewall/action.Reject for chain Reject...
> Processing /usr/share/shorewall/action.Drop for chain Drop...
> Checking MAC Filtration -- Phase 2...
> Applying Policies...
> Generating Rule Matrix...
> Shorewall configuration verified
> 
>      Shorewall-4.0.2 really needed all iptables modules?
Please see Shorewall FAQ 59. It describes how to limit the set of modules
that Shorewall tries to load.
>      Shorewall-3.2.9 checked without any errors.
>      Can i disable shorewall check modules or there is other solve for
> this problem?
Again, please see Shorewall FAQ 59. In your case, you could probably just
create an empty /etc/shorewall/modules in the virtual server.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/