Bug 383331 - net-firewall/iptables-1.4.12.1 stabilised with pre-existing bug
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Peter Volkov (RETIRED)
URL: http://comments.gmane.org/gmane.comp....
Reported: 2011-09-17 10:22 UTC by Bill Kenworthy
Modified: 2011-09-21 03:30 UTC (History)
Description Bill Kenworthy 2011-09-17 10:22:58 UTC
Trying to start shorewall with net-firewall/iptables-1.4.12.1 gives this error:

Running /sbin/iptables-restore...
iptables-restore v1.4.12.1: conntrack rev 2 does not support port ranges
Error occurred at line: 251
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
   ERROR: iptables-restore Failed. Input is in /var/lib/shorewall/.iptables-restore-input
Processing /etc/shorewall/stop ...

Quick google shows it's a known bug in 1.4.12 that doesn't appear to be fixed in Gentoo

bug http://comments.gmane.org/gmane.comp.security.firewalls.netfilter.devel/40158

Older iptables version works fine.


Reproducible: Always




Could expose user systems if they upgrade and don't check afterwards that iptables loaded ok.

moriah ~ # emerge --info
Portage 2.1.10.11 (default/linux/x86/10.0, gcc-4.5.3, glibc-2.12.2-r0, 2.6.37-gentoo-r2 i686)
=================================================================
System uname: Linux-2.6.37-gentoo-r2-i686-Pentium-R-_Dual-Core_CPU_E6600_@_3.06GHz-with-gentoo-2.0.3
Timestamp of tree: Sat, 17 Sep 2011 05:15:01 +0000
distcc 3.1 i686-pc-linux-gnu [disabled]
ccache version 2.4 [enabled]
app-shells/bash:          4.1_p9
dev-java/java-config:     2.1.11-r3
dev-lang/python:          2.5.4-r4, 2.7.1-r1, 3.1.3-r1
dev-util/ccache:          2.4-r9
dev-util/cmake:           2.8.4-r1
dev-util/pkgconfig:       0.26
sys-apps/baselayout:      2.0.3
sys-apps/openrc:          0.8.3-r1
sys-apps/sandbox:         2.4
sys-devel/autoconf:       2.13, 2.68
sys-devel/automake:       1.4_p6-r1, 1.5-r1, 1.7.9-r2, 1.8.5-r4, 1.9.6-r3, 1.10.3, 1.11.1
sys-devel/binutils:       2.20.1-r1
sys-devel/gcc:            4.4.5, 4.5.3-r1
sys-devel/gcc-config:     1.4.1-r1
sys-devel/libtool:        2.4-r1
sys-devel/make:           3.82-r1
sys-kernel/linux-headers: 2.6.36.1 (virtual/os-headers)
sys-libs/glibc:           2.12.2
Repositories: gentoo Mythtv-Ebuilds x-portage
ACCEPT_KEYWORDS="x86"
ACCEPT_LICENSE="* -@EULA dlj-1.1 sun-bcla-java-vm AdobeFlash-10 AdobeFlash-10.1"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-w -march=core2 -O2 -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/gnupg/qualified.txt /usr/share/openvpn/easy-rsa /var/bind /var/lib/hsqldb"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.3/ext-active/ /etc/php/cgi-php5.3/ext-active/ /etc/php/cli-php5.3/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/splash /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-w -march=core2 -O2 -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--with-bdeps=y"
FEATURES="assume-digests binpkg-logs ccache distlocks ebuild-locks fixlafiles fixpackages news parallel-fetch protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch"
FFLAGS=""
GENTOO_MIRRORS="http://ftp.iinet.net.au/pub/Gentoo"
LANG="en_AU.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="en en_AU.UTF-8"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/mythtv_portage/Gentoo /usr/local/portage"
SYNC="rsync://rsync.au.gentoo.org/gentoo-portage"
USE="16bittmp X aac aalib acpi activefilter adns adplug alaw alsa ao apache2 asterisk async audacious bash-completion berkdb bgpclassless binfilter branding browserplugin bs2b buffysize bzip2 cairo calendar cdda cddb cdparanoia cdr cgi clamav cli cracklib crypt cscope ctype cue cups curl curlwrappers customlog cvs cxx dba dbus dedicated device-mapper dga dhcp dirac directfb djvu dlloader dri dv dvb dvd dvi eds encode erandom esd examples extensions extras faac fam fbcon fbsplash ffmpeg filter fits flac flash fluidsynth follow-xff font-server fontconfig foomaticdb fortran fpx freetds frontendonly ftp gcj gcrypt gd gdbm gdu geos gif gimp gimpprint glib glibc-omitfp gml gnome gnome-keyring gnutls gpc gphoto2 gpm graphviz gs gsm gstreamer gtk gtk2 gtkhtml h323 hdf hdf5 hpn iconv idn ilbc imagemagick imap imlib innodb iproute2 java javascript jbig jpeg jpeg2k kate kdrive lame lcms ldap libclamav libnotify libsamplerate lm_sensors logrotate lua lzo mad mbrola midi mms mmx mmxext mng modules motif mozilla mozsvg mp3 mpeg mpi-threads mtp mudflap multipath multislot multiuser mysql nautilus ncurses netlink netpbm nls nntp no-htdocs nptl nptlonly nsplugin oav objc odbc ogdi ogg old-linux opengl ospfapi pam passwordsave pch pcre pda pdf pdo perl php png pnm policykit postgres ppds pppd proj python pyzord qemu-ifup qt3support quicktime rar readline rpm rtc samba scanner schroedinger scrobbler sdl seamonkey sensord server session sftplogging sid sip slp smi smp smux sndfile soap sockets sound speex spell sqlite sse sse2 ssl ssse3 startup-notification subversion svg svga swat sysfs syslog szip t1lib tcl tcltk tcpd tga theora threads tidy tiff tk tokenizer toolbar truetype ulaw underscores unicode unzip urandom usb v4l v4l2 vcd vde vidix vim-pager vim-syntax vim-with-x virus-scan vorbis vpx wav wavpack wddx webdav win32codecs wmf wxGTK x86 xanim xext xine xml xmlrpc xorg xpm xsl xulrunner xv xvid yaz zaptel zip zlib zrtp zvbi" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x 
ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic auth_digest authn_anon authn_dbd authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock dbd deflate dir disk_cache env expires ext_filter file_cache filter headers ident imagemap include info log_config logio mem_cache mime mime_magic negotiation proxy proxy_ajp proxy_balancer proxy_connect proxy_http rewrite setenvif so speling status unique_id userdir usertrack vhost_alias cgid" CALLIGRA_FEATURES="kexi words flow plan stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en en_AU.UTF-8" PHP_TARGETS="php5-3" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="intel fbdev vesa" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

moriah ~ #
Comment 1 Peter Volkov (RETIRED) gentoo-dev 2011-09-19 07:24:13 UTC
Thank you for the report. Fixed in iptables-1.4.12.1-r1.

Please try it out and report if it still fails for you. Probably I'll ask for stabilization earlier then.
Comment 2 Bill Kenworthy 2011-09-20 23:05:11 UTC
Where can I get -r1? - been syncing each day and it's not showing up, or is the mirror I am using out of date:


moriah ~ # ls -al /usr/portage/net-firewall/iptables/
total 77
drwxr-xr-x  3 root root   416 Sep 21 06:59 .
drwxr-xr-x 31 root root   896 Sep 17 15:01 ..
-rw-r--r--  1 root root 44300 Sep 17 01:31 ChangeLog
-rw-r--r--  1 root root  4042 Sep 17 01:31 Manifest
drwxr-xr-x  2 root root   312 Sep 17 15:01 files
-rw-r--r--  1 root root  2211 Jun 14 10:32 iptables-1.4.10-r1.ebuild
-rw-r--r--  1 root root  1847 Jan 14  2011 iptables-1.4.10.ebuild
-rw-r--r--  1 root root  2226 Aug 29 00:01 iptables-1.4.11.1-r2.ebuild
-rw-r--r--  1 root root  2241 Sep 17 01:31 iptables-1.4.12.1.ebuild
-rw-r--r--  1 root root  2181 Jul 23 01:41 iptables-1.4.12.ebuild
-rw-r--r--  1 root root  1433 Sep  7  2010 iptables-1.4.6.ebuild
-rw-r--r--  1 root root  1033 Feb 10  2011 metadata.xml
moriah ~ #
Comment 3 Bill Kenworthy 2011-09-21 03:30:02 UTC
ok, came down with the next sync soon after I posted the above comment.

Emerged it and it does seem like it's working ok. Fixed the issue for me.

BillK
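
The risk raised in the description, that an upgrade leaves the firewall unloaded unless someone checks, can be caught before the firewall is restarted. The following is an added example, not part of the bug thread and not Gentoo or Shorewall code: a shell function that parse-checks a saved ruleset with `iptables-restore --test` and prints the rule at the line the error message names. `check_ruleset` and `RESTORE_CMD` are names made up for this example.

```shell
#!/bin/sh
# Added example: parse-check a saved ruleset after an iptables upgrade and
# show which rule the new binary rejects.
# RESTORE_CMD (hypothetical name) is overridable for dry runs; the default
# uses iptables-restore's --test flag, which parses the input without
# committing anything to the kernel.
RESTORE_CMD="${RESTORE_CMD:-iptables-restore --test}"

# check_ruleset FILE
#   returns 0 if the ruleset parses, 1 if it is rejected, 2 if unreadable.
#   On rejection, prints the offending rule, located through the
#   "Error occurred at line: N" message seen in the report above.
check_ruleset() {
    file="$1"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }

    if err=$($RESTORE_CMD < "$file" 2>&1); then
        echo "OK: $file parses cleanly"
        return 0
    fi

    # Pull the line number out of the error text.
    line=$(printf '%s\n' "$err" |
        sed -n 's/^Error occurred at line: \([0-9][0-9]*\).*/\1/p' |
        head -n 1)

    echo "FAIL: $file rejected"
    printf '%s\n' "$err" | head -n 1
    if [ -n "$line" ]; then
        echo "line $line: $(sed -n "${line}p" "$file")"
    fi
    return 1
}
```

Run as root against the file named in the error, for example `check_ruleset /var/lib/shorewall/.iptables-restore-input`, and treat a non-zero exit as a reason to keep or restore the previous iptables version before restarting the firewall.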