shorewall-4.5.8.2 is running fine but when I 'shorewall trace restart' I can see numerous errors in the output. Should these be tracked down and fixed if shorewall is working fine?

- Grant

------------------------------------------------------------------------------
Free Next-Gen Firewall Hardware Offer
Buy your Sophos next-gen firewall before the end of March 2013 and get the hardware for free! Learn more.
http://p.sf.net/sfu/sophos-d2d-feb
> shorewall-4.5.8.2 is running fine but when I 'shorewall trace restart'
> I can see numerous errors in the output. Should these be tracked down
> and fixed if shorewall is working fine?

Can anyone offer advice with this?

- Grant

------------------------------------------------------------------------------
The Go Parallel Website, sponsored by Intel - in partnership with Geeknet, is your hub for all things parallel software development, from weekly thought leadership blogs to news, videos, case studies, tutorials, tech docs, whitepapers, evaluation guides, and opinion stories. Check out the most recent posts - join the conversation now.
http://goparallel.sourceforge.net/
On Saturday 16 February 2013 12:11:22 Grant wrote:
> > shorewall-4.5.8.2 is running fine but when I 'shorewall trace restart'
> > I can see numerous errors in the output. Should these be tracked down
> > and fixed if shorewall is working fine?
>
> Can anyone offer advice with this?
>
> - Grant

Grant, I think you will probably be more likely to get some advice if you go ahead and post details of the errors you are seeing. As it stands at the moment there is not really enough information to allow people to even determine if they might be able to help or not, which may explain the lack of a reply.

> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
On 2/16/13 12:38 PM, "Matt Joyce" <mjoyce@mttjocy.co.uk> wrote:

> On Saturday 16 February 2013 12:11:22 Grant wrote:
>> > shorewall-4.5.8.2 is running fine but when I 'shorewall trace restart'
>> > I can see numerous errors in the output. Should these be tracked down
>> > and fixed if shorewall is working fine?
>>
>> Can anyone offer advice with this?
>>
>> - Grant
>
> Grant, I think you will probably be more likely to get some advice if you
> go ahead and post details of the errors you are seeing. As it stands at
> the moment there is not really enough information to allow people to
> even determine if they might be able to help or not which may explain
> the lack of a reply.

I second what Matt wrote. Please forward the evidence.

-Tom

You do not need a parachute to skydive. You only need a parachute to skydive twice.
>> > shorewall-4.5.8.2 is running fine but when I 'shorewall trace restart'
>> > I can see numerous errors in the output. Should these be tracked down
>> > and fixed if shorewall is working fine?
>>
>> Can anyone offer advice with this?
>>
>> - Grant
>
> Grant, I think you will probably be more likely to get some advice if you
> go ahead and post details of the errors you are seeing. As it stands at
> the moment there is not really enough information to allow people to
> even determine if they might be able to help or not which may explain
> the lack of a reply.

Sure, sorry about that. I've already cleared up a multitude of these by adding stuff to the kernel I know I'm not using (NF_CONNTRACK_AMANDA for example):

"iptables: No chain/target/match by that name."

Here are the errors from only the first 15% of the output of 'shorewall trace restart':

iptables v1.4.16.3: Couldn't load match `ipp2p':No such file or directory

SYS----> /sbin/iptables -t mangle -A fooX26647 -j IPMARK --addr src
iptables v1.4.16.3: unknown option "--addr"

SYS----> /sbin/iptables -t rawpost -L -n
iptables v1.4.16.3: can't initialize iptables table `rawpost': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

SYS----> /sbin/iptables -A fooX26647 -j LOGMARK
iptables v1.4.16.3: Couldn't load target `LOGMARK':No such file or directory

SYS----> /sbin/iptables -A fooX26647 -j ACCOUNT --addr 192.168.1.0/29 --tname fooX26647
iptables v1.4.16.3: unknown option "--addr"

SYS----> /sbin/iptables -A fooX26647 -m condition --condition foo
iptables v1.4.16.3: Couldn't load match `condition':No such file or directory

SYS----> /sbin/iptables -t mangle -A fooX26647 -j IMQ --todev 0
iptables v1.4.16.3: unknown option "--todev"

SYS----> /sbin/iptables -A fooX26647 -m geoip --src-cc US
iptables v1.4.16.3: Couldn't load match `geoip':No such file or directory

SYS----> nfacct add fooX26647
Can't exec "nfacct": No such file or directory at /usr/share/shorewall/Shorewall/Config.pm line 2997.

I'm a little puzzled by all of this because shorewall seems to work fine and at least some of the errors reference stuff I know I'm not using.

- Grant
On 2/17/13 11:16 AM, "Grant" <emailgrant@gmail.com> wrote:

>>> > shorewall-4.5.8.2 is running fine but when I 'shorewall trace restart'
>>> > I can see numerous errors in the output. Should these be tracked down
>>> > and fixed if shorewall is working fine?
>>>
>>> Can anyone offer advice with this?
>>>
>>> - Grant
>>
>> Grant, I think you will probably be more likely to get some advice if you
>> go ahead and post details of the errors you are seeing. As it stands at
>> the moment there is not really enough information to allow people to
>> even determine if they might be able to help or not which may explain
>> the lack of a reply.
>
> Sure, sorry about that. I've already cleared up a multitude of these
> by adding stuff to the kernel I know I'm not using
> (NF_CONNTRACK_AMANDA for example):
>
> "iptables: No chain/target/match by that name."
>
> Here are the errors from only the first 15% of the output of
> 'shorewall trace restart':
>
> iptables v1.4.16.3: Couldn't load match `ipp2p':No such file or directory
>
> SYS----> /sbin/iptables -t mangle -A fooX26647 -j IPMARK --addr src
> iptables v1.4.16.3: unknown option "--addr"
>
> SYS----> /sbin/iptables -t rawpost -L -n
> iptables v1.4.16.3: can't initialize iptables table `rawpost': Table
> does not exist (do you need to insmod?)
> Perhaps iptables or your kernel needs to be upgraded.
>
> SYS----> /sbin/iptables -A fooX26647 -j LOGMARK
> iptables v1.4.16.3: Couldn't load target `LOGMARK':No such file or
> directory
>
> SYS----> /sbin/iptables -A fooX26647 -j ACCOUNT --addr 192.168.1.0/29
> --tname fooX26647
> iptables v1.4.16.3: unknown option "--addr"
>
> SYS----> /sbin/iptables -A fooX26647 -m condition --condition foo
> iptables v1.4.16.3: Couldn't load match `condition':No such file or
> directory
>
> SYS----> /sbin/iptables -t mangle -A fooX26647 -j IMQ --todev 0
> iptables v1.4.16.3: unknown option "--todev"
>
> SYS----> /sbin/iptables -A fooX26647 -m geoip --src-cc US
> iptables v1.4.16.3: Couldn't load match `geoip':No such file or directory
>
> SYS----> nfacct add fooX26647
> Can't exec "nfacct": No such file or directory at
> /usr/share/shorewall/Shorewall/Config.pm line 2997.
>
> I'm a little puzzled by all of this because shorewall seems to work
> fine and at least some of the errors reference stuff I know I'm not
> using.

Those are harmless -- they are produced when Shorewall is probing your system to determine its capabilities. You can eliminate them (and speed up start/restart) by using a capabilities file.

  shorewall show -f capabilities > /etc/shorewall/capabilities

Now, the compiler will simply read the capabilities file rather than probe.

-Tom

You do not need a parachute to skydive. You only need a parachute to skydive twice.
>> I'm a little puzzled by all of this because shorewall seems to work
>> fine and at least some of the errors reference stuff I know I'm not
>> using.
>
> Those are harmless -- they are produced when Shorewall is probing your
> system to determine its capabilities. You can eliminate them (and speed up
> start/restart) by using a capabilities file.
>
>   shorewall show -f capabilities > /etc/shorewall/capabilities
>
> Now, the compiler will simply read the capabilities file rather than probe.

Thank you, that's perfect. Is there a good way to determine which kernel options I need for my shorewall config? I'm sure I have a lot of stuff compiled in that I don't need.

- Grant
>> I'm a little puzzled by all of this because shorewall seems to work
>> fine and at least some of the errors reference stuff I know I'm not
>> using.
>
> Those are harmless -- they are produced when Shorewall is probing your
> system to determine its capabilities. You can eliminate them (and speed up
> start/restart) by using a capabilities file.
>
>   shorewall show -f capabilities > /etc/shorewall/capabilities
>
> Now, the compiler will simply read the capabilities file rather than probe.

Am I setting myself up for some type of failure if the kernel config changes in some significant way and I don't regenerate the capabilities file?

- Grant
On 02/17/2013 06:09 PM, Grant wrote:
>>> I'm a little puzzled by all of this because shorewall seems to work
>>> fine and at least some of the errors reference stuff I know I'm not
>>> using.
>>
>> Those are harmless -- they are produced when Shorewall is probing your
>> system to determine its capabilities. You can eliminate them (and speed up
>> start/restart) by using a capabilities file.
>>
>>   shorewall show -f capabilities > /etc/shorewall/capabilities
>>
>> Now, the compiler will simply read the capabilities file rather than probe.
>
> Thank you, that's perfect. Is there a good way to determine which
> kernel options I need for my shorewall config? I'm sure I have a lot
> of stuff compiled in that I don't need.

If you use a modular kernel and a capabilities file, then simply re-boot and see which modules are loaded.

-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On 02/17/2013 06:11 PM, Grant wrote:
>>> I'm a little puzzled by all of this because shorewall seems to work
>>> fine and at least some of the errors reference stuff I know I'm not
>>> using.
>>
>> Those are harmless -- they are produced when Shorewall is probing your
>> system to determine its capabilities. You can eliminate them (and speed up
>> start/restart) by using a capabilities file.
>>
>>   shorewall show -f capabilities > /etc/shorewall/capabilities
>>
>> Now, the compiler will simply read the capabilities file rather than probe.
>
> Am I setting myself up for some type of failure if the kernel config
> changes in some significant way and I don't regenerate the
> capabilities file?

When you build a new kernel, I suggest also re-generating your capabilities file.

-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
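Grant's worry about a capabilities file going stale, and Tom's answer to regenerate it with each new kernel, can be automated with a small stale-check. The script below is an added example, not code from the thread or from the Shorewall project: it records the running kernel release in a sidecar stamp file (my own convention, not a Shorewall file) next to the capabilities file and re-runs the probe only when the release differs. CAPS_FILE, STAMP_FILE and the SHOREWALL override are assumed names.

```shell
#!/bin/sh
# Added example, not from the thread or the Shorewall project: keep
# /etc/shorewall/capabilities from going stale when the kernel changes.
# Assumed convention: a sidecar stamp file (our own, not a Shorewall file)
# records the kernel release the capabilities file was generated under.
CAPS_FILE="${CAPS_FILE:-/etc/shorewall/capabilities}"
STAMP_FILE="${STAMP_FILE:-/etc/shorewall/capabilities.kernel}"
SHOREWALL="${SHOREWALL:-shorewall}"   # overridable so the logic can be tested offline

# caps_stale CAPS STAMP KERNEL
# Returns 0 (true) when the capabilities file must be regenerated:
# it is missing or empty, no kernel release was recorded, or the
# recorded release differs from KERNEL.
caps_stale() {
    [ -s "$1" ] || return 0
    [ -s "$2" ] || return 0
    [ "$(cat "$2")" = "$3" ] || return 0
    return 1
}

# regenerate_caps CAPS STAMP KERNEL
# Runs the probe Tom describes and installs the result atomically; an
# empty or failed probe leaves the existing file untouched and returns 1.
regenerate_caps() {
    tmp="$1.tmp.$$"
    "$SHOREWALL" show -f capabilities > "$tmp" || { rm -f "$tmp"; return 1; }
    [ -s "$tmp" ] || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$1" && printf '%s\n' "$3" > "$2"
}

# Probe only when the running kernel differs from the recorded one.
refresh_caps_if_needed() {
    kernel=$(uname -r)
    if caps_stale "$CAPS_FILE" "$STAMP_FILE" "$kernel"; then
        regenerate_caps "$CAPS_FILE" "$STAMP_FILE" "$kernel"
    else
        return 0
    fi
}

# Run with --run (for example from a boot-time hook); without it the
# functions are only defined.
if [ "${1:-}" = "--run" ]; then
    refresh_caps_if_needed
fi
```

Because the stamp is written only after a non-empty probe result is installed, an interrupted or failing probe leaves the previous capabilities file in place and the next run tries again.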
On 02/18/2013 08:17 AM, Tom Eastep wrote:
> On 02/17/2013 06:09 PM, Grant wrote:
>>>> I'm a little puzzled by all of this because shorewall seems to work
>>>> fine and at least some of the errors reference stuff I know I'm not
>>>> using.
>>>
>>> Those are harmless -- they are produced when Shorewall is probing your
>>> system to determine its capabilities. You can eliminate them (and speed up
>>> start/restart) by using a capabilities file.
>>>
>>>   shorewall show -f capabilities > /etc/shorewall/capabilities
>>>
>>> Now, the compiler will simply read the capabilities file rather than probe.
>>
>> Thank you, that's perfect. Is there a good way to determine which
>> kernel options I need for my shorewall config? I'm sure I have a lot
>> of stuff compiled in that I don't need.
>
> If you use a modular kernel and a capabilities file, then simply re-boot
> and see which modules are loaded.

The above also assumes, of course, that you use module auto-loading.

In Shorewall 4.5.14, the compiler will produce a report as follows:

   Configuration uses these capabilities ('*' denotes required):
      ACCOUNT_TARGET* ADDRTYPE AMANDA_HELPER COMMENTS CONNMARK*
      CONNMARK_MATCH* CONNTRACK_MATCH ENHANCED_REJECT EXMARK FTP_HELPER
      FWMARK_RT_MASK GEOIP_MATCH* GOTO_TARGET H323_HELPER HASHLIMIT_MATCH*
      IRC_HELPER LOG_OPTIONS LOG_TARGET* MANGLE_ENABLED MANGLE_FORWARD
      MARK* MULTIPORT NAT_ENABLED* NEW_CONNTRACK_MATCH NFLOG_TARGET*
      OWNER_MATCH* POLICY_MATCH PPTP_HELPER RAW_TABLE* RECENT_MATCH*
      SANE_HELPER SIP_HELPER SNMP_HELPER STATISTIC_MATCH* TCPMSS_MATCH
      TFTP_HELPER XCONNMARK* XMULTIPORT*
   Shorewall configuration verified

There is a close correlation between these capabilities and kernel options, but that correlation is kernel-version dependent.

-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________