schnitten (n00b)
Joined: 05 Oct 2006  Posts: 13
Posted: Sun Jan 27, 2008 5:20 pm  Post subject: [SOLVED] firehol not working after kernel upgrade
Hi,
I switched from kernel-2.6.19-gentoo-r5 to kernel-2.6.23-gentoo-r6. Afterwards firehol is not working anymore.
On startup I get a whole bunch of errors like the following:
Code:
    ERROR   : # 220.
    WHAT    : A runtime command failed to execute (returned error 1).
    SOURCE  : line 167 of /tmp/firehol.conf
    COMMAND : /sbin/iptables -t filter -A in_interface3_irc_c13 -p tcp --sport 6667 --dport 32768:61000 -m state --state ESTABLISHED -j ACCEPT
    OUTPUT  :
    iptables: No chain/target/match by that name
So I switched from the current stable to the latest unstable version, which is firehol-1.256-r1. The results remain the same.
On the firehol homepage it is mentioned that there were some issues with kernels 2.6.20+ , but they should be fixed right now.
thanks for your help
Christian
Last edited by schnitten on Wed Jan 30, 2008 9:12 pm; edited 1 time in total
magic919 (Advocate)
Joined: 17 Jun 2005  Posts: 2169  Location: Berkshire, UK
Posted: Sun Jan 27, 2008 6:46 pm
Check the kernel config for iptables support. It's usually that you lack some needed modules.
schnitten (n00b)
Joined: 05 Oct 2006  Posts: 13
Posted: Sun Jan 27, 2008 6:59 pm
magic919 wrote:
    Check the kernel config for iptables support. It's usually that you lack some needed modules.

Did so; before I built the new kernel I copied over the previous .config file.
When rebuilding firehol, it reports when some kernel flags are missing. There were no warnings regarding missing flags.
Still there is the chance that I missed some flag, or some flag name did change for the new kernel. How can I find out which one this might be? Does firehol store some temporary script file when processing my rules which I could use for debugging?
magic919 (Advocate)
Joined: 17 Jun 2005  Posts: 2169  Location: Berkshire, UK
Posted: Sun Jan 27, 2008 7:11 pm
I don't use Firehol myself. Have you looked for a firehol.conf or similar?
Hu (Watchman)
Joined: 06 Mar 2007  Posts: 6828
Posted: Sun Jan 27, 2008 8:19 pm
It appears that the block you quoted in your first post tells you the iptables command that failed.
schnitten (n00b)
Joined: 05 Oct 2006  Posts: 13
Posted: Mon Jan 28, 2008 8:30 pm
Hu wrote:
    It appears that the block you quoted in your first post tells you the iptables command that failed.

I think you are right and the chain (denoted by the -A parameter) is not present. But why? Firehol should have created that chain before it tries to add rules. I do not see any error message that the chain could not be created. Therefore I'm looking for some temporary script that firehol uses to feed iptables. I guess the error message I posted is only the result of some previous error which I am not (yet) able to track.
magic919 (Advocate)
Joined: 17 Jun 2005  Posts: 2169  Location: Berkshire, UK
Posted: Mon Jan 28, 2008 9:02 pm
Why don't you run it with the debug option? Apparently it then spits out the iptables commands. Run them by hand and find out what it can and cannot do. The generic error above can be a match problem, not just a chain problem.
thepustule (Apprentice)
Joined: 22 Feb 2004  Posts: 210  Location: Toronto, Canada
Posted: Mon Jan 28, 2008 10:34 pm
If I recall correctly, between 2.6.19 and 2.6.23 some of the iptables options in the kernel got moved around in the menus and don't get activated by just doing a "make oldconfig". This bit me as well. If you just do a "make menuconfig" and make sure all the necessary iptables options are still enabled, or re-enable them if necessary, you should be ok.
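An added example, not part of this thread and not firehol's or the kernel's own code, that does what the two replies above suggest in one step: take the COMMAND line from the firehol error block, work out which kernel config options its table (-t), matches (-m) and target (-j) depend on, and check a kernel .config for them, so a missing state match (nf_conntrack) is reported by name rather than as "No chain/target/match by that name". The mapping from matches and targets to CONFIG_ names is this example's assumption for a 2.6.23-era kernel, and the sample .config and the functions needed_options, check_config and missing_for_rule are constructed for the example; verify the option names against your own tree's Kconfig.

```bash
#!/bin/bash
# Added example for this thread (not firehol's or the kernel's own code).
# Map the table/matches/target of a failing iptables command to the kernel
# options they need, then check a .config for those options.  The option
# names are an assumption for a 2.6.23-era kernel; confirm them in Kconfig.

# Constructed input: the COMMAND line from the error block in the first post.
FAILING_CMD='/sbin/iptables -t filter -A in_interface3_irc_c13 -p tcp --sport 6667 --dport 32768:61000 -m state --state ESTABLISHED -j ACCEPT'

# Constructed input: a trimmed .config in which the conntrack/state options
# were lost, as happens when "make oldconfig" silently drops moved options.
SAMPLE_CONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_CONFIG"' EXIT
cat >"$SAMPLE_CONFIG" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_FILTER=m
# CONFIG_NF_CONNTRACK is not set
# CONFIG_NETFILTER_XT_MATCH_STATE is not set
CONFIG_IP_NF_TARGET_REJECT=m
EOF

# needed_options CMD: print, one per line, the kernel options that the table
# (-t), matches (-m) and target (-j) of one iptables command require.  Only a
# handful of common matches/targets are mapped (assumed mapping, see above).
needed_options() {
    set -- $1
    printf '%s\n' CONFIG_NETFILTER CONFIG_IP_NF_IPTABLES
    while [ $# -gt 0 ]; do
        case "$1" in
            -t) case "$2" in
                    filter) printf '%s\n' CONFIG_IP_NF_FILTER ;;
                    mangle) printf '%s\n' CONFIG_IP_NF_MANGLE ;;
                    nat)    printf '%s\n' CONFIG_NF_NAT ;;
                esac
                shift ;;
            -m) case "$2" in
                    # "-m state" needs the xt_state match plus connection tracking
                    state) printf '%s\n' CONFIG_NETFILTER_XT_MATCH_STATE \
                               CONFIG_NF_CONNTRACK CONFIG_NF_CONNTRACK_IPV4 ;;
                    limit) printf '%s\n' CONFIG_NETFILTER_XT_MATCH_LIMIT ;;
                esac
                shift ;;
            -j) case "$2" in
                    REJECT)     printf '%s\n' CONFIG_IP_NF_TARGET_REJECT ;;
                    LOG)        printf '%s\n' CONFIG_IP_NF_TARGET_LOG ;;
                    MASQUERADE) printf '%s\n' CONFIG_IP_NF_TARGET_MASQUERADE ;;
                esac
                shift ;;
        esac
        shift
    done
}

# check_config FILE OPT...: print "missing: OPT" for every option that is
# neither built in (=y) nor a module (=m) in FILE.  Returns 1 if any is missing.
check_config() {
    config=$1
    shift
    missing=0
    for opt in "$@"; do
        if ! grep -Eq "^${opt}=(y|m)$" "$config"; then
            echo "missing: $opt"
            missing=1
        fi
    done
    return $missing
}

# missing_for_rule FILE CMD: the options CMD needs that FILE does not enable.
missing_for_rule() {
    check_config "$1" $(needed_options "$2" | sort -u)
}

if missing_for_rule "$SAMPLE_CONFIG" "$FAILING_CMD"; then
    echo "all options present for: $FAILING_CMD"
fi
```

Point it at a real tree with `missing_for_rule /usr/src/linux/.config "$(cut -d: -f2- <<<"$COMMAND_LINE")"` for each COMMAND line firehol prints in debug mode; every reported option is one to re-enable under "make menuconfig" before rebuilding.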
schnitten (n00b)
Joined: 05 Oct 2006  Posts: 13
Posted: Wed Jan 30, 2008 9:12 pm
I really did miss some targets for iptables. Maybe some of these options got renamed? No matter what, now iptables works as expected.
BTW: why aren't such changes mentioned by portage when fetching new kernel-sources?
magic919 (Advocate)
Joined: 17 Jun 2005  Posts: 2169  Location: Berkshire, UK
Posted: Thu Jan 31, 2008 5:51 am
The kernel is too involved for them to list every change in the Portage notes. However, there is a guide:
http://www.gentoo.org/doc/en/kernel-upgrade.xml
If you skip down to section 10 it covers using an old config. It would give a Y/n for each new option. That's as much help as there is.