devlaam n00b
Joined: 22 Oct 2009 Posts: 49 Location: Alkmaar, Netherlands
Posted: Thu Feb 21, 2013 12:18 pm Post subject: [SOLVED] Firehol: No chain/target/match by that name.
After a kernel upgrade (well, it was a new install, namely x86, 3.5.7) I have problems with firehol on a configuration that worked flawlessly on the previous kernel. This is the message:
Code:
octy ~ # /etc/init.d/firehol start
 * Starting FireHOL ...
--------------------------------------------------------------------------------
ERROR   : # 1.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 29 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A pr_internet_fragments -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=\'PACKET\ FRAGMENTS:\'
OUTPUT  :
iptables: No chain/target/match by that name.
and the latter is repeated 24 more times, for almost all rules.
My suspicion is that some kernel module is missing (see also: https://forums.gentoo.org/viewtopic-t-652568-highlight-firehol.html), but I think I checked most relevant ones:
Code:
CONFIG_NF_CONNTRACK=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_PACKET=y
where the last option was needed to get dhcpcd running correctly in ipv4 mode (see: https://forums.gentoo.org/viewtopic-t-951848.html). The modules seem loaded all right:
Code:
> lsmod
Module                  Size  Used by
iptable_mangle          1040  0
nf_nat_ftp              1072  0
nf_nat_irc               890  0
nf_conntrack_ftp        4001  1 nf_nat_ftp
nf_conntrack_irc        2359  1 nf_nat_irc
ipt_MASQUERADE          1106  8
iptable_nat             2748  1
nf_nat                  9792  4 nf_nat_ftp,nf_nat_irc,ipt_MASQUERADE,iptable_nat
ipv6                  192906  24
ipt_REJECT              1521  0
xt_tcpudp               1643  0
xt_conntrack            2281  0
xt_limit                1028  0
nf_conntrack_ipv4       7802  3 iptable_nat,nf_nat
nf_conntrack           40968  9 nf_nat_ftp,nf_nat_irc,nf_conntrack_ftp,nf_conntrack_irc,ipt_MASQUERADE,iptable_nat,nf_nat,xt_conntrack,nf_conntrack_ipv4
nf_defrag_ipv4           815  1 nf_conntrack_ipv4
iptable_filter           928  0
ip_tables               7511  3 iptable_mangle,iptable_nat,iptable_filter
x_tables                9058  9 iptable_mangle,ipt_MASQUERADE,iptable_nat,ipt_REJECT,xt_tcpudp,xt_conntrack,xt_limit,iptable_filter,ip_tables
snd_via82xx            15163  0
...
Also, I (re)emerged iptables after I emerged the gentoo-sources, and recompiled the kernel after that. What am I missing?
For the record, here are the complete lsmod and config files:
http://www.betaresearch.nl/tmp/config-dump
http://www.betaresearch.nl/tmp/lsmod-dump
Thank you for any ideas!
Last edited by devlaam on Thu Feb 21, 2013 7:20 pm; edited 1 time in total
khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
Posted: Thu Feb 21, 2013 12:45 pm Post subject:
devlaam ...
At a quick glance it seems as though the issue is that you are missing xt_LOG (IPv4/IPv6 packet logging). The error shows the command '-j LOG', but no xt_LOG is listed in the output of lsmod.
best ... khayyam
devlaam n00b
Joined: 22 Oct 2009 Posts: 49 Location: Alkmaar, Netherlands
Posted: Thu Feb 21, 2013 1:34 pm Post subject:
Thanks for the tip, I assume you are referring to the symbol:
Code:
# CONFIG_NETFILTER_XT_TARGET_LOG is not set
since
Code:
CONFIG_NETFILTER_XT_TARGET_NFLOG=m
I'll give this a try and report the result (compiling takes 5 hours, so this may take a while).
Preliminary research indicates that -j LOG is at least related to the problem, since if I remove all logging from the generated iptables commands and run them, they are (with a lot of warnings) accepted.
khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
Posted: Thu Feb 21, 2013 2:18 pm Post subject:
devlaam wrote:
> Thanks for the tip, I assume you are referring to the symbol:
> Code:
> # CONFIG_NETFILTER_XT_TARGET_LOG is not set

devlaam ... yes, xt_LOG.

devlaam wrote:
> Code:
> CONFIG_NETFILTER_XT_TARGET_NFLOG=m

This is nfnetlink_log for logging to userspace, i.e. for logging to something like ulogd (app-admin/ulogd), whereas NETFILTER_XT_TARGET_LOG is for the LOG target used by the firehol rules (-j TARGET ... i.e.: -j LOG).

devlaam wrote:
> [...] Preliminary research indicates that -j LOG is at least related to the problem, since if I remove all logging from the generated iptables commands and run them, they are (with a lot of warnings) accepted.

hmmmm .... well, warnings suggest something else may also be missing, but I can only guess without further info.
best ... khay
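The diagnosis in the two posts above (a rule that fails with "No chain/target/match by that name", an lsmod listing with no xt_LOG, a .config with NETFILTER_XT_TARGET_LOG unset while NETFILTER_XT_TARGET_NFLOG is built) can be done mechanically. The script below is an added example, not from the thread and not FireHOL's own code: it pulls the `-m` and `-j` extension names out of a file of iptables commands, maps them to kernel config symbols through a small hand-written table, and reports which of those symbols a given .config does not have as `y` or `m`. Assumptions: the symbol names are the 3.x ones (LOG moved from ipt_LOG to xt_LOG with CONFIG_NETFILTER_XT_TARGET_LOG in 3.4, which is exactly how a config that worked on an older kernel can lose it); the table covers only the extensions that appear in this thread; extension targets are taken to be all-uppercase and user chains not (true for FireHOL's generated rules); the rule and .config samples are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the thread: map the extensions used by a set of
# iptables commands (such as the ones FireHOL generates) to the kernel config
# symbols that provide them, and list the ones a given .config lacks.

# Hand-written, partial table (assumption: 3.x symbol names; the LOG target
# moved to xt_LOG / CONFIG_NETFILTER_XT_TARGET_LOG in 3.4).
symbol_for() {
    case "$1" in
        target:LOG)        echo CONFIG_NETFILTER_XT_TARGET_LOG ;;
        target:NFLOG)      echo CONFIG_NETFILTER_XT_TARGET_NFLOG ;;
        target:REJECT)     echo CONFIG_IP_NF_TARGET_REJECT ;;
        target:MASQUERADE) echo CONFIG_IP_NF_TARGET_MASQUERADE ;;
        match:limit)       echo CONFIG_NETFILTER_XT_MATCH_LIMIT ;;
        match:conntrack)   echo CONFIG_NETFILTER_XT_MATCH_CONNTRACK ;;
        match:state)       echo CONFIG_NETFILTER_XT_MATCH_STATE ;;
        *)                 echo "" ;;
    esac
}

# Print the extensions a file of iptables commands relies on, one per line as
# match:NAME or target:NAME, deduplicated. Targets come from "-j NAME"; the
# built-in verdicts are skipped, and so are user chains, on the assumption
# (true for FireHOL) that extension targets are all-uppercase and chains are not.
extensions_used() {
    awk '{
        for (i = 1; i < NF; i++) {
            if ($i == "-m") print "match:" $(i + 1)
            if ($i == "-j" && $(i + 1) ~ /^[A-Z]+$/ &&
                $(i + 1) != "ACCEPT" && $(i + 1) != "DROP" && $(i + 1) != "RETURN")
                print "target:" $(i + 1)
        }
    }' "$1" | LC_ALL=C sort -u
}

# For every extension with a known symbol, report it unless the .config has the
# symbol set to y or m (so "# CONFIG_FOO is not set" counts as missing).
missing_symbols() {
    rules=$1
    config=$2
    extensions_used "$rules" | while read -r ext; do
        sym=$(symbol_for "$ext")
        [ -n "$sym" ] || continue
        grep -q "^${sym}=[ym]$" "$config" || echo "$ext -> $sym"
    done
}

# Constructed sample input: a few FireHOL-style commands and a .config excerpt
# with the same gap as the one in the thread (LOG unset, NFLOG built).
write_samples() {
    cat > "$1/rules" <<'EOF'
/sbin/iptables -t filter -A pr_internet_fragments -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix='PACKET FRAGMENTS:'
/sbin/iptables -t filter -A in_internet -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -t filter -A in_internet -p tcp --dport 22 -j REJECT
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
EOF
    cat > "$1/config" <<'EOF'
CONFIG_NF_CONNTRACK=m
CONFIG_IP_NF_IPTABLES=m
# CONFIG_NETFILTER_XT_TARGET_LOG is not set
CONFIG_NETFILTER_XT_TARGET_NFLOG=m
CONFIG_NETFILTER_XT_MATCH_LIMIT=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_MASQUERADE=m
EOF
}

dir=$(mktemp -d)
write_samples "$dir"
missing_symbols "$dir/rules" "$dir/config"   # prints: target:LOG -> CONFIG_NETFILTER_XT_TARGET_LOG
rm -rf "$dir"
```

Two points worth keeping in mind when using something like this on a real box. The table matches by exact name, so NFLOG=m does not satisfy a rule that uses `-j LOG`; that is the whole point of khayyam's answer. And the running kernel's view is in /proc/net/ip_tables_targets and /proc/net/ip_tables_matches, but an extension only shows up there once its module is loaded, and iptables autoloads modules on first use, so an entry missing from those files does not by itself prove the module was not built; the .config is the authoritative place to look.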
devlaam n00b
Joined: 22 Oct 2009 Posts: 49 Location: Alkmaar, Netherlands
Posted: Thu Feb 21, 2013 7:19 pm Post subject:
khayyam .... you rule! The tip you gave was correct and now the firewall starts without any troubles.
Thanks a lot!