Gentoo Forums
[SOLVED] Firehol: No chain/target/match by that name.
Author Message
devlaam
n00b


Joined: 22 Oct 2009
Posts: 49
Location: Alkmaar, Netherlands

Posted: Thu Feb 21, 2013 12:18 pm    Post subject: [SOLVED] Firehol: No chain/target/match by that name.

After a kernel upgrade (well, it was a new install, namely x86, 3.5.7) I have problems with firehol on a configuration that worked flawlessly on the previous kernel. This is the message:
Code:
octy ~ # /etc/init.d/firehol start
 * Starting FireHOL ...

--------------------------------------------------------------------------------
ERROR   : # 1.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 29 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A pr_internet_fragments -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=\'PACKET\ FRAGMENTS:\'
OUTPUT  :

iptables: No chain/target/match by that name.

and the latter is repeated many (24) more times, for almost all rules.

My suspicion is that some kernel module is missing (see also: https://forums.gentoo.org/viewtopic-t-652568-highlight-firehol.html), but I think I checked the most relevant ones:
Code:
CONFIG_NF_CONNTRACK=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_PACKET=y
where the last option was needed to get dhcpcd running correctly in ipv4 mode (see: https://forums.gentoo.org/viewtopic-t-951848.html). The modules seem loaded all right:
Code:
> lsmod
Module                  Size  Used by
iptable_mangle          1040  0
nf_nat_ftp              1072  0
nf_nat_irc               890  0
nf_conntrack_ftp        4001  1 nf_nat_ftp
nf_conntrack_irc        2359  1 nf_nat_irc
ipt_MASQUERADE          1106  8
iptable_nat             2748  1
nf_nat                  9792  4 nf_nat_ftp,nf_nat_irc,ipt_MASQUERADE,iptable_nat
ipv6                  192906  24
ipt_REJECT              1521  0
xt_tcpudp               1643  0
xt_conntrack            2281  0
xt_limit                1028  0
nf_conntrack_ipv4       7802  3 iptable_nat,nf_nat
nf_conntrack           40968  9 nf_nat_ftp,nf_nat_irc,nf_conntrack_ftp,nf_conntrack_irc,ipt_MASQUERADE,iptable_nat,nf_nat,xt_conntrack,nf_conntrack_ipv4
nf_defrag_ipv4           815  1 nf_conntrack_ipv4
iptable_filter           928  0
ip_tables               7511  3 iptable_mangle,iptable_nat,iptable_filter
x_tables                9058  9 iptable_mangle,ipt_MASQUERADE,iptable_nat,ipt_REJECT,xt_tcpudp,xt_conntrack,xt_limit,iptable_filter,ip_tables
snd_via82xx            15163  0
...

Also, I (re)emerged iptables after I emerged the gentoo-sources, and recompiled the kernel after that. What am I missing?

For the record, here are the complete lsmod and config files:
http://www.betaresearch.nl/tmp/config-dump
http://www.betaresearch.nl/tmp/lsmod-dump

Thank you for any ideas!


Last edited by devlaam on Thu Feb 21, 2013 7:20 pm; edited 1 time in total
khayyam
Watchman


Joined: 07 Jun 2012
Posts: 6227
Location: Room 101

Posted: Thu Feb 21, 2013 12:45 pm

devlaam ...

At a quick glance it seems as though the issue is that you are missing xt_LOG (IPv4/IPv6 packet logging). The error shows the command '-j LOG', but no xt_LOG is listed in the output of lsmod.

best ... khayyam
devlaam
n00b


Joined: 22 Oct 2009
Posts: 49
Location: Alkmaar, Netherlands

Posted: Thu Feb 21, 2013 1:34 pm

Thanks for the tip, I assume you are referring to the symbol:
Code:
# CONFIG_NETFILTER_XT_TARGET_LOG is not set

since
Code:
CONFIG_NETFILTER_XT_TARGET_NFLOG=m

I'll give this a try and report the result (compiling takes 5 hours, so this may take a while ;-) )
Preliminary research indicates that -j LOG is at least related to the problem, since if I remove all logging from the generated iptables commands and run them, they are (with a lot of warnings) accepted.
khayyam
Watchman


Joined: 07 Jun 2012
Posts: 6227
Location: Room 101

Posted: Thu Feb 21, 2013 2:18 pm

devlaam wrote:
Thanks for the tip, I assume you are referring to the symbol:
Code:
# CONFIG_NETFILTER_XT_TARGET_LOG is not set

devlaam ... yes, xt_LOG.

devlaam wrote:
Code:
CONFIG_NETFILTER_XT_TARGET_NFLOG=m

This is nfnetlink_log for logging to userspace, i.e. for logging to something like ulogd (app-admin/ulogd), whereas NETFILTER_XT_TARGET_LOG is for the LOG target used by the firehol rules (-j TARGET ... i.e. -j LOG).

devlaam wrote:
[...] Preliminary research indicates that -j LOG is at least related to the problem, since if I remove all logging from the generated iptables commands and run them, they are (with a lot of warnings) accepted.

hmmmm .... well, warnings suggest something else may also be missing, but I can only guess without further info.

best ... khay
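A quick way to turn an error like the one above into a checklist, added here as an example and not part of the thread: it maps the -m and -j words of the failing iptables command to kernel config symbols and reports which ones are not =y/=m. The name-to-symbol mapping is my assumption and only covers the modules visible in devlaam's lsmod plus xt_LOG; the sample command and config excerpt are constructed to mirror the thread.

```sh
#!/bin/sh
# Added example (not from the thread): given an iptables command that failed
# with "No chain/target/match by that name", list the kernel config symbols
# its -m matches and -j targets need, then check them against a .config.
# The name->symbol mapping is an assumption covering only the modules seen
# in the thread's lsmod (xt_limit, xt_conntrack, ipt_REJECT, ...) plus xt_LOG.

# Constructed sample input: the command from the firehol error, and a
# config excerpt like devlaam's (LOG target unset, NFLOG set instead).
FAILED_CMD="/sbin/iptables -t filter -A pr_internet_fragments -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=PACKET_FRAGMENTS:"
SAMPLE_CONFIG="CONFIG_NF_CONNTRACK=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_NETFILTER_XT_MATCH_LIMIT=m
# CONFIG_NETFILTER_XT_TARGET_LOG is not set
CONFIG_NETFILTER_XT_TARGET_NFLOG=m"

# symbol_for KIND NAME: KIND is j (target) or m (match). REJECT and
# MASQUERADE live under CONFIG_IP_NF_* on a 3.5 kernel (ipt_* modules in
# the lsmod above); tcp/udp matching is part of x_tables itself; the rest
# follow the xt_* naming convention.
symbol_for() {
  upper=$(printf '%s' "$2" | tr 'a-z' 'A-Z')
  case "$1:$2" in
    j:REJECT|j:MASQUERADE) printf 'CONFIG_IP_NF_TARGET_%s\n' "$upper" ;;
    m:tcp|m:udp)           printf 'CONFIG_NETFILTER_XTABLES\n' ;;
    j:*)                   printf 'CONFIG_NETFILTER_XT_TARGET_%s\n' "$upper" ;;
    m:*)                   printf 'CONFIG_NETFILTER_XT_MATCH_%s\n' "$upper" ;;
  esac
}

# needed_symbols CMD: one symbol per line for every -m/-j word in CMD.
needed_symbols() {
  printf '%s\n' "$1" | tr ' ' '\n' | awk '
    $0 == "-j" { want = "j"; next }
    $0 == "-m" { want = "m"; next }
    want != "" { print want, $0; want = "" }' |
  while read -r kind name; do symbol_for "$kind" "$name"; done
}

# missing_symbols CMD CONFIG_TEXT: print each needed symbol that is not
# =y or =m in CONFIG_TEXT (a "# ... is not set" line does not count).
missing_symbols() {
  needed_symbols "$1" | while read -r sym; do
    printf '%s\n' "$2" | grep -q "^${sym}=[ym]\$" || printf '%s\n' "$sym"
  done
}

missing_symbols "$FAILED_CMD" "$SAMPLE_CONFIG"
```

On a real box, pass the failing COMMAND line from the firehol error and `zcat /proc/config.gz` (or the kernel's .config) as the second argument.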
devlaam
n00b


Joined: 22 Oct 2009
Posts: 49
Location: Alkmaar, Netherlands

Posted: Thu Feb 21, 2013 7:19 pm

khayyam .... you rule! The tip you gave was correct and now the firewall starts without any troubles.

Thanks a lot!