When starting shorewall-3.2.8 I get four error messages like "FATAL: Module ip_tables not found." As far as I can tell it still works, but this never occurred in the past. In my kernel .config I have CONFIG_IP_NF_IPTABLES=y, which seems likely to me to be the source of the complaint.

Reproducible: Always

Steps to Reproduce:
1. /etc/init.d/shorewall restart (or start) with version 3.2.8

Actual Results:
See above.

============== emerge --info ========================
Portage 2.1.2-r5 (default-linux/amd64/2006.0, gcc-4.1.1, glibc-2.5-r0, 2.6.19-gentoo-r4 x86_64)
=================================================================
System uname: 2.6.19-gentoo-r4 x86_64 AMD Opteron(tm) Processor 242
Gentoo Base System version 1.12.9
Timestamp of tree: Thu, 01 Feb 2007 21:30:02 +0000
ccache version 2.4 [enabled]
dev-java/java-config: 1.3.7, 2.0.31-r3
dev-lang/python: 2.4.4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache: 2.4-r6
sys-apps/sandbox: 1.2.18.1
sys-devel/autoconf: 2.13, 2.61
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils: 2.17
sys-devel/gcc-config: 1.3.14
sys-devel/libtool: 1.5.22
virtual/os-headers: 2.6.19.2-r2
ACCEPT_KEYWORDS="amd64 ~amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -march=opteron -pipe -fomit-frame-pointer"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-O2 -march=opteron -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache distlocks fixpackages metadata-transfer parallel-fetch sandbox sfperms strict"
GENTOO_MIRRORS="http://gentoo.osuosl.org http://cudlug.cudenver.edu/gentoo http://gentoo.binarycompass.org"
LINGUAS="en"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X aac aiglx alsa amd64 apache2 auctex audiofile bash-completion bcmath berkdb bitmap-fonts blas bonobo bzip2 calendar cdrom clamav cli colordiff cracklib crypt ctype cups dbus debugger dga divx-linux dlloader dri dvd dvdr dvdread emacs emboss emul-linux86 encode esd fam fastcgi fbcon firefox flac foomaticdb fortran ftp gif glut gnome gphoto2 gpm gstreamer gtk gtk2 iconv imlib ipv6 isdnlog java jpeg kde kerberos lapack latin1 leim lesstif libclamav logrotate lzw lzw-tiff mbox mcal midi mime mng mouse mozcalendar mozilla mp3 mpeg mpi mysql mysqli ncurses nls nocd nosendmail nptl nptlonly nsplugin nvidia offensive openal opengl osc oscar pam pcre pdf perl png pop pop3d portaudio ppds pppd preview-latex python qt3 qt4 quicktime readline reflection replytolist rtc samba sasl sdl session sharedmem sockets source sox speex spell spl ssl svg symlink tcltk tcpd tetex threads thunderbird tiff truetype truetype-fonts type1-fonts usb vhosts vorbis xine xmail xorg xpm xv xvid zlib"
ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol"
ELIBC="glibc"
INPUT_DEVICES="keyboard mouse"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LINGUAS="en"
USERLAND="GNU"
VIDEO_CARDS="nvidia vesa fbdev"
Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
You should see this error whenever trying to use iptables, not just shorewall. If you compiled your kernel with ip_tables as a module you will have to modprobe ip_tables (or include ip_tables in Gentoo's /etc/modules.autoload.d/kernel-2.x). Are you sure it's really built-in (y)? emerge -s iptables?
Double-check:
Networking ---> Networking options ---> Network packet filtering (replaces ipchains) ---> Core Netfilter Configuration ---> Netfilter Xtables support (required for ip_tables)
Networking ---> Networking options ---> Network packet filtering (replaces ipchains) ---> IP: Netfilter Configuration ---> IP tables support (required for filtering/masq/NAT)
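The "FATAL: Module ... not found" line is modprobe's message, printed when iptables asks it to load ip_tables; with CONFIG_IP_NF_IPTABLES=y there is no ip_tables.ko for it to find. As an added diagnostic (not from this thread or the shorewall/iptables projects), the script below classifies the netfilter symbols from a .config as built-in, module or unset, and lists the iptables tables that are modules while ip_tables itself is built in, which is exactly the mix comments #1 and #2 ask the reporter to check. The sample .config is constructed from the values in this report; the symbol-to-module mapping is an assumption based on a 2.6.19-era tree.

```shell
#!/bin/sh
# Added diagnostic, not from the bug thread. Classifies netfilter symbols in a
# kernel .config as built-in (=y), module (=m) or unset, then lists the iptables
# tables that are modules while ip_tables itself is built in: those tables need
# a module load even though no ip_tables.ko can exist on such a kernel.
# Run with CFG=/usr/src/linux/.config to check a real kernel configuration.

# nf_state <config-file> <CONFIG_SYMBOL>  ->  builtin | module | unset
nf_state() {
    case "$(grep -E "^(# )?$2( is not set|=.*)$" "$1" | head -n 1)" in
        "$2=y") echo builtin ;;
        "$2=m") echo module ;;
        *)      echo unset ;;
    esac
}

# tables_needing_modprobe <config-file>
# Prints one table module per line; returns 1 when ip_tables is not built in,
# because then the situation in this bug report does not apply.
# Symbol -> module mapping is assumed from a 2.6.19-era netfilter Makefile.
tables_needing_modprobe() {
    cfg="$1"
    [ "$(nf_state "$cfg" CONFIG_IP_NF_IPTABLES)" = builtin ] || return 1
    for pair in CONFIG_IP_NF_FILTER:iptable_filter CONFIG_NF_NAT:iptable_nat \
                CONFIG_IP_NF_MANGLE:iptable_mangle CONFIG_IP_NF_RAW:iptable_raw; do
        sym=${pair%%:*}; mod=${pair##*:}
        if [ "$(nf_state "$cfg" "$sym")" = module ]; then echo "$mod"; fi
    done
}

# Constructed sample .config, copied from the values the reporter posted.
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=m
CONFIG_NF_NAT=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_RAW=m
# CONFIG_IP_NF_TARGET_MASQUERADE is not set
EOF

CFG=${CFG:-$SAMPLE_CFG}
echo "ip_tables: $(nf_state "$CFG" CONFIG_IP_NF_IPTABLES)"
echo "tables that need a module load:"
tables_needing_modprobe "$CFG" | sed 's/^/  /'
```

On the reporter's configuration this prints all four tables, one per table that shorewall touches, matching the four FATAL lines in the report.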
(In reply to comment #1) Yes, all those things are configured. When I run iptables -L it seems I get a long list of things that certainly appears to mean that all is working, and another machine is getting to the internet through this one. I really think shorewall has done the right thing, aside of course from the misleading error messages. Thanks.
My test with shorewall 3.2.8:

INF-BL07 shorewall # /etc/init.d/shorewall start ; /etc/init.d/shorewall stop
 * Starting firewall ...                                                  [ ok ]
 * Stopping firewall ...                                                  [ ok ]
INF-BL07 shorewall # cat /usr/src/linux/.config | grep _NF_
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_CT_ACCT=y
CONFIG_IP_NF_CONNTRACK_MARK=y
CONFIG_IP_NF_CONNTRACK_EVENTS=y
CONFIG_IP_NF_CT_PROTO_SCTP=y
CONFIG_IP_NF_FTP=y
CONFIG_IP_NF_IRC=y
CONFIG_IP_NF_NETBIOS_NS=y
CONFIG_IP_NF_TFTP=y
CONFIG_IP_NF_AMANDA=y
CONFIG_IP_NF_PPTP=y
CONFIG_IP_NF_QUEUE=m
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_LIMIT=y
CONFIG_IP_NF_MATCH_IPRANGE=y
CONFIG_IP_NF_MATCH_MAC=y
CONFIG_IP_NF_MATCH_PKTTYPE=y
CONFIG_IP_NF_MATCH_MARK=y
CONFIG_IP_NF_MATCH_MULTIPORT=y
CONFIG_IP_NF_MATCH_TOS=y
CONFIG_IP_NF_MATCH_RECENT=y
CONFIG_IP_NF_MATCH_ECN=y
CONFIG_IP_NF_MATCH_DSCP=y
CONFIG_IP_NF_MATCH_AH_ESP=y
CONFIG_IP_NF_MATCH_LENGTH=y
CONFIG_IP_NF_MATCH_TTL=y
CONFIG_IP_NF_MATCH_TCPMSS=y
CONFIG_IP_NF_MATCH_HELPER=y
CONFIG_IP_NF_MATCH_STATE=y
CONFIG_IP_NF_MATCH_CONNTRACK=y
CONFIG_IP_NF_MATCH_OWNER=y
CONFIG_IP_NF_MATCH_ADDRTYPE=y
CONFIG_IP_NF_MATCH_REALM=y
CONFIG_IP_NF_MATCH_SCTP=y
CONFIG_IP_NF_MATCH_DCCP=y
CONFIG_IP_NF_MATCH_COMMENT=y
CONFIG_IP_NF_MATCH_CONNMARK=y
CONFIG_IP_NF_MATCH_CONNBYTES=y
CONFIG_IP_NF_MATCH_HASHLIMIT=y
CONFIG_IP_NF_MATCH_STRING=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_IP_NF_TARGET_TCPMSS=y
# CONFIG_IP_NF_TARGET_NFQUEUE is not set
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_TARGET_REDIRECT=y
CONFIG_IP_NF_TARGET_NETMAP=y
CONFIG_IP_NF_TARGET_SAME=y
CONFIG_IP_NF_NAT_SNMP_BASIC=y
CONFIG_IP_NF_NAT_IRC=y
CONFIG_IP_NF_NAT_FTP=y
CONFIG_IP_NF_NAT_TFTP=y
CONFIG_IP_NF_NAT_AMANDA=y
CONFIG_IP_NF_NAT_PPTP=y
CONFIG_IP_NF_MANGLE=y
CONFIG_IP_NF_TARGET_TOS=y
CONFIG_IP_NF_TARGET_ECN=y
CONFIG_IP_NF_TARGET_DSCP=y
CONFIG_IP_NF_TARGET_MARK=y
CONFIG_IP_NF_TARGET_CLASSIFY=y
CONFIG_IP_NF_TARGET_TTL=y
CONFIG_IP_NF_TARGET_CONNMARK=y
CONFIG_IP_NF_TARGET_CLUSTERIP=y
CONFIG_IP_NF_RAW=y
CONFIG_IP_NF_TARGET_NOTRACK=y
CONFIG_IP_NF_ARPTABLES=y
CONFIG_IP_NF_ARPFILTER=y
CONFIG_IP_NF_ARP_MANGLE=y
# CONFIG_IP6_NF_QUEUE is not set
CONFIG_IP6_NF_IPTABLES=y
CONFIG_IP6_NF_MATCH_LIMIT=y
CONFIG_IP6_NF_MATCH_MAC=y
CONFIG_IP6_NF_MATCH_RT=y
CONFIG_IP6_NF_MATCH_OPTS=y
CONFIG_IP6_NF_MATCH_FRAG=y
CONFIG_IP6_NF_MATCH_HL=y
CONFIG_IP6_NF_MATCH_MULTIPORT=y
CONFIG_IP6_NF_MATCH_OWNER=y
CONFIG_IP6_NF_MATCH_MARK=y
CONFIG_IP6_NF_MATCH_IPV6HEADER=y
CONFIG_IP6_NF_MATCH_AHESP=y
CONFIG_IP6_NF_MATCH_LENGTH=y
CONFIG_IP6_NF_MATCH_EUI64=y
CONFIG_IP6_NF_FILTER=y
CONFIG_IP6_NF_TARGET_LOG=y
# CONFIG_IP6_NF_TARGET_REJECT is not set
# CONFIG_IP6_NF_TARGET_NFQUEUE is not set
CONFIG_IP6_NF_MANGLE=y
CONFIG_IP6_NF_TARGET_MARK=y
# CONFIG_IP6_NF_TARGET_HL is not set
CONFIG_IP6_NF_RAW=y
INF-BL07 shorewall # emerge -s iptables
Searching...
[ Results for search key : iptables ]
[ Applications found : 1 ]

*  net-firewall/iptables
      Latest version available: 1.3.5-r4
      Latest version installed: 1.3.4
      Size of files: 295 kB
      Homepage:      http://www.iptables.org/ http://www.linuximq.net/ http://l7-filter.sf.net/
      Description:   Linux kernel (2.4+) firewall, NAT and packet mangling tools
      License:       GPL-2

INF-BL07 shorewall # uname -a
Linux INF-BL07 2.6.15-gentoo-r5 #1 SMP Mon Mar 6 12:09:37 CET 2006 x86_64 Intel(R) Xeon(TM) CPU 3.20GHz GenuineIntel GNU/Linux

Are you by any chance doing traffic shaping? (marking) I am willing to simulate your rules on my test system.
(In reply to comment #3)
> I really think
> shorewall has done the right thing, aside of course from the misleading error
> messages.

Shorewall doesn't produce that error message. It's iptables.
(In reply to comment #4)
> My test with shorewall 3.2.8:

Probably the biggest difference is in the version of iptables. I have

*  net-firewall/iptables
      Latest version available: 1.3.7
      Latest version installed: 1.3.7
      Size of files: 316 kB
      Homepage:      http://www.iptables.org/ http://www.linuximq.net/ http://l7-filter.sf.net/
      Description:   Linux kernel (2.4+) firewall, NAT and packet mangling tools
      License:       GPL-2

For completeness I have included my cat .config|grep _NF_

CONFIG_NF_CONNTRACK_ENABLED=m
CONFIG_NF_CONNTRACK_SUPPORT=y
# CONFIG_IP_NF_CONNTRACK_SUPPORT is not set
CONFIG_NF_CONNTRACK=m
# CONFIG_NF_CT_ACCT is not set
# CONFIG_NF_CONNTRACK_MARK is not set
# CONFIG_NF_CONNTRACK_EVENTS is not set
# CONFIG_NF_CT_PROTO_SCTP is not set
# CONFIG_NF_CONNTRACK_AMANDA is not set
# CONFIG_NF_CONNTRACK_FTP is not set
# CONFIG_NF_CONNTRACK_H323 is not set
# CONFIG_NF_CONNTRACK_IRC is not set
# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set
# CONFIG_NF_CONNTRACK_PPTP is not set
# CONFIG_NF_CONNTRACK_SIP is not set
# CONFIG_NF_CONNTRACK_TFTP is not set
CONFIG_NF_CONNTRACK_IPV4=m
CONFIG_NF_CONNTRACK_PROC_COMPAT=y
CONFIG_IP_NF_QUEUE=m
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_IPRANGE=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_RECENT=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_AH=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_MATCH_ADDRTYPE=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_ULOG=m
# CONFIG_IP_NF_TARGET_TCPMSS is not set
CONFIG_NF_NAT=m
CONFIG_NF_NAT_NEEDED=y
# CONFIG_IP_NF_TARGET_MASQUERADE is not set
# CONFIG_IP_NF_TARGET_REDIRECT is not set
# CONFIG_IP_NF_TARGET_NETMAP is not set
# CONFIG_IP_NF_TARGET_SAME is not set
# CONFIG_NF_NAT_SNMP_BASIC is not set
# CONFIG_NF_NAT_FTP is not set
# CONFIG_NF_NAT_IRC is not set
# CONFIG_NF_NAT_TFTP is not set
# CONFIG_NF_NAT_AMANDA is not set
# CONFIG_NF_NAT_PPTP is not set
# CONFIG_NF_NAT_H323 is not set
# CONFIG_NF_NAT_SIP is not set
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_TTL=m
CONFIG_IP_NF_RAW=m
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
CONFIG_IP_NF_ARP_MANGLE=m

I might note that I have a lot of things as modules as I wasn't clear on what I needed and what wasn't needed.
You might want to CONFIG_IP_NF_IPTABLES=m and load it in autoload.d.
You can take a look at this post:
http://forums.gentoo.org/viewtopic.php?t=159133&highlight=iptables+howto
(In reply to comment #7)
> You might want to CONFIG_IP_NF_IPTABLES=m and load it in autoload.d.
> You can take a look at this post:
> http://forums.gentoo.org/viewtopic.php?t=159133&highlight=iptables+howto

There is nothing at this link that implies loading iptables as a module (as opposed to building it into the kernel) is necessary. Since my configuration currently works, I'll leave it as it is. The fact that it prints out an error message labeled as FATAL is in my opinion a bug.
(In reply to comment #8)
> The fact that it prints out an error
> message labeled as FATAL, is in my opinion a bug.

You may consider bringing this up in the netfilter mailing list. If you ever get this straightened out then it would be nice if you could drop a word in the forum iptables thread.
> (In reply to comment #8)
> > The fact that it prints out an error
> > message labeled as FATAL, is in my opinion a bug.
>
> You may consider bringing this up in the netfilter mailing list.

Fully with it ;) Not our own bug, thus marking as upstream.