Fred Krogh Veteran
Joined: 07 Feb 2005 Posts: 1036 Location: Tujunga, CA
Posted: Sat Jan 19, 2013 12:11 am Post subject: Problems with shorewall-4.5.11.2
It seems I have a love/hate relationship with shorewall. I get this error
Quote: | iptables: No chain/target/match by that name. |
All I have found to account for this kind of error is
Quote: | In this case, the user had compiled his own kernel and had forgotten to include REJECT target support. |
But that is not the case for me. So I have backed out of this new shorewall, and reverted to shorewall-4.5.8.2-r1 and shorewall-core-4.5.8.2. But even after doing this and restarting shorewall I get the same error, which goes away after rebooting! I'm even more confused than usual and unclear whether the problem is me or something in the new shorewall. I'm curious if anyone might have an idea of what is going on. I'd also be interested to know if others have shorewall-4.5.11.2 working.
Thanks,
Fred
massimo Veteran
Joined: 22 Jun 2003 Posts: 1226
Posted: Mon Jan 21, 2013 10:44 am
What does your kernel configuration file look like (especially the Netfilter Configuration)?
_________________
Hello 911? How are you?
Fred Krogh Veteran
Joined: 07 Feb 2005 Posts: 1036 Location: Tujunga, CA
Posted: Mon Jan 21, 2013 1:06 pm
Not sure if this gets what you are looking for, but below is the output from
grep -i _nf_ .config|grep -v "#"
Note that CONFIG_IP_NF_TARGET_REJECT=m is 9 lines from the bottom.
Quote: |
CONFIG_NF_CONNTRACK=y
CONFIG_NF_CONNTRACK_MARK=y
CONFIG_NF_CONNTRACK_SECMARK=y
CONFIG_NF_CT_PROTO_GRE=m
CONFIG_NF_CONNTRACK_FTP=m
CONFIG_NF_CONNTRACK_IRC=m
CONFIG_NF_CONNTRACK_BROADCAST=m
CONFIG_NF_CONNTRACK_NETBIOS_NS=m
CONFIG_NF_CONNTRACK_PPTP=m
CONFIG_NF_CONNTRACK_SIP=m
CONFIG_NF_CONNTRACK_TFTP=m
CONFIG_NF_CT_NETLINK=m
CONFIG_NF_NAT=m
CONFIG_NF_NAT_NEEDED=y
CONFIG_NF_NAT_FTP=m
CONFIG_NF_NAT_IRC=m
CONFIG_NF_NAT_SIP=m
CONFIG_NF_NAT_TFTP=m
CONFIG_NF_DEFRAG_IPV4=m
CONFIG_NF_CONNTRACK_IPV4=m
CONFIG_IP_NF_QUEUE=m
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_AH=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_NF_NAT_IPV4=m
CONFIG_IP_NF_TARGET_NETMAP=m
CONFIG_NF_NAT_PROTO_GRE=m
CONFIG_NF_NAT_PPTP=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_TTL=m
CONFIG_IP_NF_RAW=m
|
Thanks for looking at this.
massimo Veteran
Joined: 22 Jun 2003 Posts: 1226
Posted: Tue Jan 22, 2013 6:43 am
Have a look at [1] and compare it to your configuration.
[1] http://www.shorewall.net/kernel.htm
_________________
Hello 911? How are you?
Bones McCracker Veteran
Joined: 14 Mar 2006 Posts: 1611 Location: U.S.A.
Posted: Thu Jan 24, 2013 10:14 am
Shorewall has an active mailing list where you can get good support.
I've been seeing this same warning, but I think it started with 4.5.8. The firewall tests fine, so I treated it as a harmless glitch and haven't got around to looking into it.
_________________
patrix_neo wrote: | The human thought: I cannot win.
The ratbrain in me : I can only go forward and that's it. |
Climber11 n00b
Joined: 21 Jun 2005 Posts: 17
Posted: Mon Jan 28, 2013 1:42 am
I'd be willing to bet it has something to do with the 3.7.x kernel changes around the NetFilter options. Support for IPv6 was added and the NAT configuration was tweaked as a result. If you downgraded to a 3.6.x kernel, it'd probably be fine; or, compile the NetFilter items into the kernel (rather than as modules). Just learned this after upgrading to 3.7.4 from 3.6.3 when iptables wouldn't start.
I'd bet Shorewall will fix this at some point, but the kernel mods may be ahead of Shorewall's updates.
Bernhard n00b
Joined: 12 Jul 2004 Posts: 21
Posted: Sat Mar 23, 2013 7:08 pm
Hi,
got a similar error.
Code: |
* Starting firewall ...
ERROR: Log level INFO requires LOG Target in your kernel and iptables [ !! ]
* ERROR: shorewall failed to start
|
But: in .config I got CONFIG_NETFILTER_XT_TARGET_LOG=m
and lsmod shows
Code: |
~ # lsmod | grep xt_
xt_DSCP 1404 0
xt_dscp 1064 0
xt_statistic 844 0
xt_CT 2383 0
xt_NFLOG 703 0
nfnetlink_log 5246 1 xt_NFLOG
xt_time 1460 0
xt_connlimit 2131 0
xt_realm 600 0
xt_NFQUEUE 1469 0
xt_tcpmss 930 0
xt_tcpudp 1628 0
xt_pkttype 664 0
xt_CLASSIFY 666 0
xt_mark 734 0
xt_hashlimit 5517 0
xt_comment 580 0
xt_length 765 0
xt_connmark 1226 0
xt_owner 800 0
xt_iprange 1133 0
xt_physdev 1225 0
xt_policy 1755 0
xt_multiport 1179 0
xt_conntrack 2396 0
nf_conntrack 42376 16 xt_CT,nf_conntrack_netbios_ns,nf_conntrack_proto_gre,xt_connlimit,xt_conntrack,nf_conntrack_amanda,ipt_CLUSTERIP,nf_conntrack_broadcast,xt_connmark,nf_conntrack_ftp,nf_conntrack_irc,nf_conntrack_sip,nf_conntrack_ipv4,nf_conntrack_pptp,nf_conntrack_sane,nf_conntrack_tftp
x_tables 9145 33 xt_physdev,xt_pkttype,xt_statistic,xt_DSCP,xt_dscp,xt_iprange,xt_mark,xt_time,xt_CT,xt_length,xt_comment,ipt_ULOG,xt_policy,ip_tables,xt_tcpmss,xt_tcpudp,ipt_ah,xt_NFQUEUE,xt_NFLOG,xt_owner,xt_realm,xt_connlimit,xt_conntrack,ipt_CLUSTERIP,xt_hashlimit,xt_multiport,iptable_filter,xt_CLASSIFY,xt_connmark,ipt_REJECT,iptable_mangle,ipt_ECN,iptable_raw
|
Code: |
uname -r
3.7.10-gentoo
shorewall version
4.5.11.2
|
Any hints?
Thanks Bernhard
_________________
Bernhard Boxhorn
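Added example, not part of any post in this thread: a shell check that compares Netfilter options in a kernel .config with saved lsmod output and lists modules built as =m but not loaded, which is the situation in the last post, where CONFIG_NETFILTER_XT_TARGET_LOG=m is set but no xt_LOG line appears in the lsmod listing. The option-to-module mapping is a small subset assumed for the 3.x kernels discussed, and the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Known options (assumed subset; module names as built by 3.x kernels).
OPTIONS="CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER CONFIG_IP_NF_MANGLE
CONFIG_IP_NF_TARGET_REJECT CONFIG_NETFILTER_XT_TARGET_LOG CONFIG_NETFILTER_XT_TARGET_NFLOG"

module_for() {
    case "$1" in
        CONFIG_IP_NF_IPTABLES)            echo ip_tables ;;
        CONFIG_IP_NF_FILTER)              echo iptable_filter ;;
        CONFIG_IP_NF_MANGLE)              echo iptable_mangle ;;
        CONFIG_IP_NF_TARGET_REJECT)       echo ipt_REJECT ;;
        CONFIG_NETFILTER_XT_TARGET_LOG)   echo xt_LOG ;;
        CONFIG_NETFILTER_XT_TARGET_NFLOG) echo xt_NFLOG ;;
    esac
}

# check_netfilter CONFIG LSMOD: print "option module state" for each known option.
check_netfilter() {
    for opt in $OPTIONS; do
        mod=$(module_for "$opt")
        val=$(sed -n "s/^${opt}=\([ym]\)\$/\1/p" "$1")
        case "$val" in
            y) state=builtin ;;
            m) if awk -v m="$mod" '$1 == m { f = 1 } END { exit !f }' "$2"
               then state=loaded; else state=not-loaded; fi ;;
            *) state=not-configured ;;
        esac
        printf '%s %s %s\n' "$opt" "$mod" "$state"
    done
}

# Modules that are built (=m) but absent from lsmod: candidates for modprobe.
unloaded_modules() { check_netfilter "$1" "$2" | awk '$3 == "not-loaded" { print $2 }'; }

# Constructed sample input, loosely following the values quoted in the thread.
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/config" <<'EOF'
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_NETFILTER_XT_TARGET_LOG=m
CONFIG_NETFILTER_XT_TARGET_NFLOG=m
EOF
cat > "$SAMPLE/lsmod" <<'EOF'
Module                  Size  Used by
xt_NFLOG                 703  0
ipt_REJECT              1861  0
iptable_filter           852  0
x_tables                9145  3 xt_NFLOG,ipt_REJECT,iptable_filter
EOF
check_netfilter "$SAMPLE/config" "$SAMPLE/lsmod"
```

On a live system the two arguments would be the running kernel's .config and the output of `lsmod` saved to a file.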