a.shubnik@btis.by wrote:
> Hello Tom!
Aleksandr,
In the future, please don't send your Shorewall support requests directly to
me. Please see http://www.shorewall.net/support.htm.
> I am trying to start the latest version, shorewall-4.0.2, in an OpenVZ
> environment in a virtual server and get the following error messages:
>
> gate ~ # shorewall check
> Checking...
>
> Checking...
> FATAL: Error inserting nfnetlink
> (/lib/modules/2.6.18-028stab035/kernel/net/netfilter/nfnetlink.ko):
> Operation not permitted
<endless list of similar error messages discarded>
> Operation not permitted
> Checking /etc/shorewall/zones...
> Determining Hosts in Zones...
> Preprocessing Action Files...
> Pre-processing /usr/share/shorewall/action.Drop...
> Pre-processing /usr/share/shorewall/action.Reject...
> Checking Kernel Route Filtering...
> Checking Martian Logging...
> Checking MAC Filtration -- Phase 1...
> Checking /etc/shorewall/rules...
> Generating Transitive Closure of Used-action List...
> Processing /usr/share/shorewall/action.Reject for chain Reject...
> Processing /usr/share/shorewall/action.Drop for chain Drop...
> Checking MAC Filtration -- Phase 2...
> Applying Policies...
> Generating Rule Matrix...
> Shorewall configuration verified
>
>
> I have all iptables modules (those supported by OpenVZ) installed,
> loaded and working, but under the virtual
> server they are invisible (if I understand correctly). This is the parameter in
> vz.conf:
>
> IPTABLES="iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos
> ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length
> ip_conntrack ipt_state ipt_helper iptable_nat ip_nat_ftp ip_nat_irc
> ipt_REDIRECT xt_mac"
>
> On the host node all OK:
>
> vserver1 / # shorewall check
> Checking...
> Checking /etc/shorewall/zones...
> Determining Hosts in Zones...
> Preprocessing Action Files...
> Pre-processing /usr/share/shorewall/action.Drop...
> Pre-processing /usr/share/shorewall/action.Reject...
> Checking Kernel Route Filtering...
> Checking Martian Logging...
> Checking MAC Filtration -- Phase 1...
> Checking /etc/shorewall/rules...
> Generating Transitive Closure of Used-action List...
> Processing /usr/share/shorewall/action.Reject for chain Reject...
> Processing /usr/share/shorewall/action.Drop for chain Drop...
> Checking MAC Filtration -- Phase 2...
> Applying Policies...
> Generating Rule Matrix...
> Shorewall configuration verified
>
> Does Shorewall-4.0.2 really need all iptables modules?
Please see Shorewall FAQ 59. It describes how to limit the set of modules
that Shorewall tries to load.
> Shorewall-3.2.9 checked without any errors.
> Can I disable Shorewall's checking of modules, or is there another solution for
> this problem?
Again, please see Shorewall FAQ 59. In your case, you could probably just
create an empty /etc/shorewall/modules in the virtual server.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key