Shorewall users - Jun 2009 - Problem when adding 'track' option to providers

Hi all,

I have shorewall (4.2.10 on Centos 4.5) configured with two external
networks (ppp0, ppp1) and an internal (eth2) and DMZ (eth3) networks.

Everything worked up to the point where I wanted to set up policy
routing (to force all http traffic over one interface) and added
''track''
as an option to both providers in /etc/shorewall/providers. Shorewall
failed to restart and reported the following :

Jun 30 18:29:43 fw shorewall: iptables: No chain/target/match by that name
Jun 30 18:29:43 fw shorewall:    ERROR: Command "/sbin/iptables -t
mangle -A PREROUTING -m connmark ! --mark 0/0xFF -j CONNMARK
--restore-mark --mask 0xFF" Failed

As far as I know I have all necessary kernel modules loaded (list below,
along with content of providers and tcrules files). Does anyone have any
ideas what I need to do to fix this ?

Cheers,

P

/etc/interfaces
net     ppp0            detect          tcpflags,dhcp,nosmurfs,logmartians
net     ppp1            detect          tcpflags,dhcp,nosmurfs,logmartians
dmz     eth2            detect
int     eth3            detect          tcpflags,nosmurfs

/etc/providers
SHDSL   1       1       main            ppp0            -       balance
ADSL    2       2       main            ppp1            -       balance

/etc/tcrules
1:P     10.0.0.0/8      0.0.0.0/0       tcp     80

[root@fw shorewall]# lsmod | grep ipt | awk ''{print $1}'' |
sort
ip_conntrack
iptable_filter
iptable_mangle
iptable_nat
iptable_raw
ip_tables
ipt_addrtype
ipt_ah
ipt_CLASSIFY
ipt_comment
ipt_conntrack
ipt_dscp
ipt_DSCP
ipt_ecn
ipt_ECN
ipt_esp
ipt_helper
ipt_iprange
ipt_length
ipt_limit
ipt_LOG
ipt_mac
ipt_mark
ipt_MARK
ipt_MASQUERADE
ipt_multiport
ipt_NETMAP
ipt_NOTRACK
ipt_owner
ipt_physdev
ipt_pkttype
ipt_realm
ipt_recent
ipt_REDIRECT
ipt_REJECT
ipt_SAME
ipt_sctp
ipt_state
ipt_tcpmss
ipt_TCPMSS
ipt_tos
ipt_TOS
ipt_ttl
ipt_ULOG

Cheers,

P


-- 
peter skipworth
argo open solutions

mob 0413 962 064
ph  03 9820 0536
fax 03 8610 0379
em  pete@argoinf.com


------------------------------------------------------------------------------

Peter Skipworth wrote:
> Hi all,
> 
> I have shorewall (4.2.10 on Centos 4.5) configured with two external
> networks (ppp0, ppp1) and an internal (eth2) and DMZ (eth3) networks.
> 
> Everything worked up to the point where I wanted to set up policy
> routing (to force all http traffic over one interface) and added
''track''
> as an option to both providers in /etc/shorewall/providers. Shorewall
> failed to restart and reported the following :
> 
> Jun 30 18:29:43 fw shorewall: iptables: No chain/target/match by that name
> Jun 30 18:29:43 fw shorewall:    ERROR: Command "/sbin/iptables -t
> mangle -A PREROUTING -m connmark ! --mark 0/0xFF -j CONNMARK
> --restore-mark --mask 0xFF" Failed
> 
> As far as I know I have all necessary kernel modules loaded (list below,
> along with content of providers and tcrules files). Does anyone have any
> ideas what I need to do to fix this ?
Look at the output of "shorewall show capabilities". You neet both
CONNMARK Target support and connmark match support for that rule to be
usable. From the module list you posted, you are missing both. With
ancient distributions such as you are running, it is likely that the
kernel was built without the capability (even modularized).

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------