I am not even sure this is a shorewall issue as kernel, iptables, and shorewall have all recently been updated.

Shorewall Version: 4.2.9
Iptables Version: v1.4.3.2
Kernel Version: 2.6.30-rc8
OS: Centos 4.7 X86_64

I see the following on std-output and /var/log/messages

Jun 4 22:17:27 firewall shorewall: Compiling...
Jun 4 22:17:29 firewall kernel: Netfilter messages via NETLINK v0.30.
Jun 4 22:17:29 firewall kernel: nf_conntrack version 0.5.0 (16384 buckets, 65536 max)
Jun 4 22:17:29 firewall kernel: CONFIG_NF_CT_ACCT is deprecated and will be removed soon. Please use
Jun 4 22:17:29 firewall kernel: nf_conntrack.acct=1 kernel paramater, acct=1 nf_conntrack module option or
Jun 4 22:17:29 firewall kernel: sysctl net.netfilter.nf_conntrack_acct=1 to enable it.
Jun 4 22:17:29 firewall kernel: ctnetlink v0.93: registering with nfnetlink.
Jun 4 22:17:30 firewall kernel: ClusterIP Version 0.8 loaded successfully
Jun 4 22:17:30 firewall kernel: xt_time: kernel timezone is -0700
Jun 4 22:17:31 firewall shorewall: Compiling /etc/shorewall/zones...
Jun 4 22:17:31 firewall shorewall: Compiling /etc/shorewall/interfaces...
Jun 4 22:17:31 firewall shorewall: Determining Hosts in Zones...

I have added nf_conntrack.acct=1 to /etc/sysctl.conf, but I still get that message.

I did not find CONFIG_NF_CT_ACCT in the kernel Makefile, or in any of the shorewall files. A google search pulls up bug reports and other patches, but nothing definitive on the cause or the fix.

This appears to just be a warning message and does not negatively impact the system, but I was wondering if anyone here knows the root cause.

Thanks.

------------------------------------------------------------------------------
OpenSolaris 2009.06 is a cutting edge operating system for enterprises looking to deploy the next generation of Solaris that includes the latest innovations from Sun and the OpenSource community. Download a copy and enjoy capabilities such as Networking, Storage and Virtualization.
Go to: http://p.sf.net/sfu/opensolaris-get

Scott Ruckh wrote:
> I am not even sure this is a shorewall issue as kernel, iptables, and
> shorewall have all recently been updated.

It has nothing to do with Shorewall.

>
> Shorewall Version: 4.2.9
> Iptables Version: v1.4.3.2
> Kernel Version: 2.6.30-rc8
> OS: Centos 4.7 X86_64
>
> I see the following on std-output and /var/log/messages
>
> Jun 4 22:17:27 firewall shorewall: Compiling...
> Jun 4 22:17:29 firewall kernel: Netfilter messages via NETLINK v0.30.
> Jun 4 22:17:29 firewall kernel: nf_conntrack version 0.5.0 (16384 buckets,
> 65536 max)
> Jun 4 22:17:29 firewall kernel: CONFIG_NF_CT_ACCT is deprecated and will be
> removed soon. Please use
> Jun 4 22:17:29 firewall kernel: nf_conntrack.acct=1 kernel paramater,
> acct=1 nf_conntrack module option or
> Jun 4 22:17:29 firewall kernel: sysctl net.netfilter.nf_conntrack_acct=1 to
> enable it.
> Jun 4 22:17:29 firewall kernel: ctnetlink v0.93: registering with
> nfnetlink.
> Jun 4 22:17:30 firewall kernel: ClusterIP Version 0.8 loaded successfully
> Jun 4 22:17:30 firewall kernel: xt_time: kernel timezone is -0700
> Jun 4 22:17:31 firewall shorewall: Compiling /etc/shorewall/zones...
> Jun 4 22:17:31 firewall shorewall: Compiling /etc/shorewall/interfaces...
> Jun 4 22:17:31 firewall shorewall: Determining Hosts in Zones...
>
> I have added nf_conntrack.acct=1 to /etc/sysctl.conf, but I still get that
> message.
>
> I did not find CONFIG_NF_CT_ACCT in the kernel Makefile, or in any of the
> shorewall files.

It is set in your .config file though. It is listed in the "Core
Netfilter Configuration" page under "Connection tracking flow accounting".

> A google search pulls up bug reports and other patches,
> but nothing definitive on the cause or the fix.
>
> This appears to just be a warning message and does not negatively impact the
> system, but I was wondering if anyone here knows the root cause.

Read the help text for the option as well as
Documentation/feature-removal-schedule.txt. The entire issue is
explained there.

The CONFIG_NF_CT_ACCT option is being removed; the feature will always
be included. You control the feature using the /proc flag that you are
now setting.

The reason that you see the message during Shorewall compilation is that
Shorewall is loading all of the modules specified in
/usr/share/shorewall/modules before assessing your iptables/kernel
capabilities. Of course the conntrack module gets loaded at that time.

-Tom
--
Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,           \ died peacefully in his sleep. Not screaming like
Washington, USA      \ all of the passengers in his car
http://shorewall.net \________________________________________________
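
The kernel message quoted in this thread lists three spellings of the accounting switch, each read from a different place. The script below is an added example, not part of any poster's message: it flags a spelling that sits in the wrong kind of file. The function names and the sample files with their contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). The quoted kernel message names three
# spellings of the accounting switch; each is read from a different place.

# where_valid ENTRY: print the one place that spelling belongs, or "-".
where_valid() {
    case $1 in
        net.netfilter.nf_conntrack_acct=*) echo sysctl ;;   # sysctl key
        nf_conntrack.acct=*)               echo cmdline ;;  # kernel parameter
        "options nf_conntrack acct="*)     echo modprobe ;; # module option
        *)                                 echo - ;;
    esac
}

# audit KIND FILE: KIND (sysctl, modprobe, cmdline) says what FILE is.
# Prints one verdict per accounting entry found.
audit() {
    kind=$1 file=$2
    if [ "$kind" = cmdline ]; then
        tr -s ' \t' '\n\n' < "$file"    # boot parameters are space separated
    else
        cat "$file"
    fi |
    sed -e 's/#.*//' -e 's/[[:space:]]*=[[:space:]]*/=/' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]][[:space:]]*/ /g' |
    while IFS= read -r entry; do
        home=$(where_valid "$entry")
        if [ "$home" = - ]; then
            continue
        elif [ "$home" = "$kind" ]; then
            echo "$kind: '$entry' ok"
        else
            echo "$kind: '$entry' misplaced, belongs in $home"
        fi
    done
}

# demo: run the audit over constructed sample files (not the poster's system).
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'net.ipv4.ip_forward = 1' 'nf_conntrack.acct=1' > "$dir/sysctl.conf"
    printf '%s\n' 'options nf_conntrack acct=1' > "$dir/modprobe.conf"
    printf '%s\n' 'ro root=/dev/sda1 nf_conntrack.acct=1' > "$dir/cmdline"
    audit sysctl "$dir/sysctl.conf"
    audit modprobe "$dir/modprobe.conf"
    audit cmdline "$dir/cmdline"
    rm -rf "$dir"
}
demo
```

On a live system the current state of the flag can be read with sysctl net.netfilter.nf_conntrack_acct once the nf_conntrack module is loaded.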

On Sat, 2009-06-06 at 11:52 -0700, Tom Eastep wrote:
> Scott Ruckh wrote:
> > I am not even sure this is a shorewall issue as kernel, iptables, and
> > shorewall have all recently been updated.
>
> It has nothing to do with Shorewall.
>
> >
> > Shorewall Version: 4.2.9
> > Iptables Version: v1.4.3.2
> > Kernel Version: 2.6.30-rc8
> > OS: Centos 4.7 X86_64
> >
> > I see the following on std-output and /var/log/messages
> >
> > Jun 4 22:17:27 firewall shorewall: Compiling...
> > Jun 4 22:17:29 firewall kernel: Netfilter messages via NETLINK v0.30.
> > Jun 4 22:17:29 firewall kernel: nf_conntrack version 0.5.0 (16384 buckets,
> > 65536 max)
> > Jun 4 22:17:29 firewall kernel: CONFIG_NF_CT_ACCT is deprecated and will be
> > removed soon. Please use
> > Jun 4 22:17:29 firewall kernel: nf_conntrack.acct=1 kernel paramater,
> > acct=1 nf_conntrack module option or
> > Jun 4 22:17:29 firewall kernel: sysctl net.netfilter.nf_conntrack_acct=1 to
> > enable it.
> > Jun 4 22:17:29 firewall kernel: ctnetlink v0.93: registering with
> > nfnetlink.
> > Jun 4 22:17:30 firewall kernel: ClusterIP Version 0.8 loaded successfully
> > Jun 4 22:17:30 firewall kernel: xt_time: kernel timezone is -0700
> > Jun 4 22:17:31 firewall shorewall: Compiling /etc/shorewall/zones...
> > Jun 4 22:17:31 firewall shorewall: Compiling /etc/shorewall/interfaces...
> > Jun 4 22:17:31 firewall shorewall: Determining Hosts in Zones...
> >
> > I have added nf_conntrack.acct=1 to /etc/sysctl.conf, but I still get that
> > message.
> >
> > I did not find CONFIG_NF_CT_ACCT in the kernel Makefile, or in any of the
> > shorewall files.
>
> It is set in your .config file though. It is listed in the "Core
> Netfilter Configuration" page under "Connection tracking flow accounting".
>
> > A google search pulls up bug reports and other patches,
> > but nothing definitive on the cause or the fix.
> >
> > This appears to just be a warning message and does not negatively impact the
> > system, but I was wondering if anyone here knows the root cause.
>
> Read the help text for the option as well as
> Documentation/feature-removal-schedule.txt. The entire issue is
> explained there.
>
> The CONFIG_NF_CT_ACCT option is being removed; the feature will always
> be included. You control the feature using the /proc flag that you are
> now setting.
>
> The reason that you see the message during Shorewall compilation is that
> Shorewall is loading all of the modules specified in
> /usr/share/shorewall/modules before assessing your iptables/kernel
> capabilities. Of course the conntrack module gets loaded at that time.

Thank you for the valuable response!