Bug 423635 - net-firewall/shorewall6 claims the kernel doesn't include state match support, which it does.
Summary: net-firewall/shorewall6 claims the kernel doesn't include state match support...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: AMD64 Linux
Importance: Normal normal
Assignee: Vieri
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-06-26 10:46 UTC by Gustav Schaffter
Modified: 2012-10-12 18:34 UTC
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Gustav Schaffter 2012-06-26 10:46:50 UTC
On this system, I currently and successfully run shorewall (IPv4).
I successfully installed and configured net-firewall/shorewall6-4.4.23.2.

When I run

/etc/init.d/shorewall6 check
 -or-
/etc/init.d/shorewall6 start

I get the error message:
ERROR: Your kernel/iptables do not include state match support. No version of Shorewall will run on this system [ !! ]

But, IPv4 shorewall happily runs and filters traffic.


Reproducible: Always

Steps to Reproduce:
1. Install, configure and start shorewall
2. Install and configure shorewall6
3. Try to start shorewall6
4. Copy /proc/config.gz to a directory and gunzip it.
5. Check for CONFIG_NETFILTER_XT_MATCH_STATE=y

Actual Results:  
# /etc/init.d/shorewall6 start
Starting firewall ...
ERROR: Your kernel/iptables do not include state match support. No version of Shorewall will run on this system [ !! ]
ERROR: shorewall6 failed to start


Expected Results:  
# /etc/init.d/shorewall6 start
Starting firewall ... [ ok ]

# emerge --info
Portage 2.1.10.65 (default/linux/amd64/10.0, gcc-4.5.3, glibc-2.14.1-r3, 3.3.8-gentoo-embla x86_64)
=================================================================
System uname: Linux-3.3.8-gentoo-embla-x86_64-AMD_Athlon-tm-_64_Processor_4000+-with-gentoo-2.1
Timestamp of tree: Tue, 26 Jun 2012 00:15:01 +0000
app-shells/bash:          4.2_p20
dev-java/java-config:     2.1.11-r3
dev-lang/python:          2.7.3-r2, 3.2.3
dev-util/cmake:           2.8.7-r5
dev-util/pkgconfig:       0.26
sys-apps/baselayout:      2.1-r1
sys-apps/openrc:          0.9.8.4
sys-apps/sandbox:         2.5
sys-devel/autoconf:       2.13, 2.68
sys-devel/automake:       1.9.6-r3, 1.10.3, 1.11.1
sys-devel/binutils:       2.21.1-r1
sys-devel/gcc:            4.5.3-r2
sys-devel/gcc-config:     1.6
sys-devel/libtool:        2.4-r1
sys-devel/make:           3.82-r1
sys-kernel/linux-headers: 3.1 (virtual/os-headers)
sys-libs/glibc:           2.14.1-r3
Repositories: gentoo x-portage
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -march=native -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt /var/lib/hsqldb"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.3/ext-active/ /etc/php/cgi-php5.3/ext-active/ /etc/php/cli-php5.3/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-O2 -march=native -pipe"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles news parallel-fetch parse-eapi-ebuild-head protect-owned sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="en_US.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="en en_US en_GB fr it sv"
MAKEOPTS="-j1"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://gentoo-portage.home.schaffter.com/gentoo-portage"
USE="32bit 3dnow 3dnowext 64bit X a52 aac aalib acl acpi alsa amd64 apache2 apng asf assistant avahi berkdb bidi branding bzip2 cairo cdda cddb cdparanoia cdr clamdtop cli consolekit corba cracklib cron crypt css ctype cups cxx daap dbus dc1394 device-mapper dia divx dri dts dv dvb dvd dvdr dvdread eds emacs encode exif extensions extras faac faad fam fame fat ffmpeg filter firefox fits flac fontconfig fortran freetype gd gdbm gdu gedit ggi gif gimp gimpprint gmedia gnome gnutls gpac gphoto2 gpm grammar gstreamer gtk gtk3 gudev hddtemp hdri httpd hwdb iconv id3tag idea imagemagick inkjar ipod iptc ipv6 java jpeg jpeg2k kdrive keyring kqemu ldap libcaca libnotify lightning live lm_sensors logrotate lzo mad matroska mbox mdnsresponder-compat mikmod minizip mjpeg mmx mng mod modules mono mozbranding mozcalendar mozilla mozsvg mp3 mpeg mplayer mudflap multilib musicbrainz mysql mysqli ncurses netcdf network-cron new-login nfs nls nptl nptlonly nsplugin nvidia nvidis odbc ogdi ogg ogm openexr opengl openmp pae pam pcre pdf player plugins png policykit ppds pppd python python2 qemu qt3support qt4 quicktime rar readline realmedia reiserfs rtsp scanner sdl sensord session shout skins smp sox speex spell sqlite sse sse2 ssl startup-notification stream subtitles svg tcpd tetex theora threads tiff tk tordns truetype udev unicode upnp usb utempter v4l v4l2 vcd vdpau vlm vorbis wav wma wmf wmp wxwindows x264 xanim xine xinerama xml xorg xosd xulrunner xvid zip zlib" ALSA_CARDS="intel8x0 usb-audio" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic auth_digest authn_anon authn_dbd authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi dav dav_fs dav_lock dbd deflate dir disk_cache env expires ext_filter file_cache filter headers 
ident imagemap include info log_config logio mem_cache mime mime_magic negotiation proxy proxy_ajp proxy_balancer proxy_connect proxy_http rewrite setenvif so speling status unique_id userdir usertrack vhost_alias" APACHE2_MPMS="worker" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="en en_US en_GB fr it sv" PHP_TARGETS="php5-3" PYTHON_TARGETS="python3_2 python2_7" QEMU_SOFTMMU_TARGETS="i386 x86_64" QEMU_USER_TARGETS="i386 x86_64" RUBY_TARGETS="ruby18 ruby19" USERLAND="GNU" VIDEO_CARDS="nvidia" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON






# uname -a
Linux embla 3.3.8-gentoo-embla #2 PREEMPT Mon Jun 25 15:13:54 CEST 2012 x86_64 AMD Athlon(tm) 64 Processor 4000+ AuthenticAMD GNU/Linux



# /etc/init.d/shorewall status
 * Use of the opts variable is deprecated and will be
 * removed in the future.
 * Please use extra_commands, extra_started_commands or extra_stopped_commands.
 * status: started





Extracted from /proc/config.gz :

#
# Automatically generated file; DO NOT EDIT.
# Linux/x86_64 3.3.8-gentoo Kernel Configuration
#
.
.
.
#
# Networking options
#
CONFIG_PACKET=y
CONFIG_UNIX=y
# CONFIG_UNIX_DIAG is not set
CONFIG_XFRM=y
# CONFIG_XFRM_USER is not set
# CONFIG_XFRM_SUB_POLICY is not set
# CONFIG_XFRM_MIGRATE is not set
# CONFIG_XFRM_STATISTICS is not set
# CONFIG_NET_KEY is not set
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
# CONFIG_IP_ADVANCED_ROUTER is not set
CONFIG_IP_ROUTE_CLASSID=y
# CONFIG_IP_PNP is not set
# CONFIG_NET_IPIP is not set
# CONFIG_NET_IPGRE_DEMUX is not set
# CONFIG_IP_MROUTE is not set
# CONFIG_ARPD is not set
# CONFIG_SYN_COOKIES is not set
# CONFIG_INET_AH is not set
# CONFIG_INET_ESP is not set
# CONFIG_INET_IPCOMP is not set
# CONFIG_INET_XFRM_TUNNEL is not set
CONFIG_INET_TUNNEL=y
CONFIG_INET_XFRM_MODE_TRANSPORT=y
CONFIG_INET_XFRM_MODE_TUNNEL=y
CONFIG_INET_XFRM_MODE_BEET=y
# CONFIG_INET_LRO is not set
CONFIG_INET_DIAG=y
CONFIG_INET_TCP_DIAG=y
# CONFIG_INET_UDP_DIAG is not set
# CONFIG_TCP_CONG_ADVANCED is not set
CONFIG_TCP_CONG_CUBIC=y
CONFIG_DEFAULT_TCP_CONG="cubic"
# CONFIG_TCP_MD5SIG is not set
CONFIG_IPV6=y
# CONFIG_IPV6_PRIVACY is not set
# CONFIG_IPV6_ROUTER_PREF is not set
# CONFIG_IPV6_OPTIMISTIC_DAD is not set
CONFIG_INET6_AH=y
CONFIG_INET6_ESP=y
# CONFIG_INET6_IPCOMP is not set
# CONFIG_IPV6_MIP6 is not set
# CONFIG_INET6_XFRM_TUNNEL is not set
# CONFIG_INET6_TUNNEL is not set
CONFIG_INET6_XFRM_MODE_TRANSPORT=y
CONFIG_INET6_XFRM_MODE_TUNNEL=y
CONFIG_INET6_XFRM_MODE_BEET=y
# CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION is not set
CONFIG_IPV6_SIT=y
# CONFIG_IPV6_SIT_6RD is not set
CONFIG_IPV6_NDISC_NODETYPE=y
# CONFIG_IPV6_TUNNEL is not set
# CONFIG_IPV6_MULTIPLE_TABLES is not set
# CONFIG_IPV6_MROUTE is not set
# CONFIG_NETWORK_SECMARK is not set
# CONFIG_NETWORK_PHY_TIMESTAMPING is not set
CONFIG_NETFILTER=y
# CONFIG_NETFILTER_DEBUG is not set
CONFIG_NETFILTER_ADVANCED=y
CONFIG_BRIDGE_NETFILTER=y

#
# Core Netfilter Configuration
#
CONFIG_NETFILTER_NETLINK=y
# CONFIG_NETFILTER_NETLINK_ACCT is not set
CONFIG_NETFILTER_NETLINK_QUEUE=y
CONFIG_NETFILTER_NETLINK_LOG=y
CONFIG_NF_CONNTRACK=y
CONFIG_NF_CONNTRACK_MARK=y
CONFIG_NF_CONNTRACK_PROCFS=y
# CONFIG_NF_CONNTRACK_EVENTS is not set
# CONFIG_NF_CONNTRACK_TIMESTAMP is not set
# CONFIG_NF_CT_PROTO_DCCP is not set
# CONFIG_NF_CT_PROTO_SCTP is not set
# CONFIG_NF_CT_PROTO_UDPLITE is not set
# CONFIG_NF_CONNTRACK_AMANDA is not set
# CONFIG_NF_CONNTRACK_FTP is not set
# CONFIG_NF_CONNTRACK_H323 is not set
# CONFIG_NF_CONNTRACK_IRC is not set
# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set
# CONFIG_NF_CONNTRACK_SNMP is not set
# CONFIG_NF_CONNTRACK_PPTP is not set
# CONFIG_NF_CONNTRACK_SANE is not set
# CONFIG_NF_CONNTRACK_SIP is not set
# CONFIG_NF_CONNTRACK_TFTP is not set
# CONFIG_NF_CT_NETLINK is not set
# CONFIG_NETFILTER_TPROXY is not set
CONFIG_NETFILTER_XTABLES=y

#
# Xtables combined modules
#
CONFIG_NETFILTER_XT_MARK=y
CONFIG_NETFILTER_XT_CONNMARK=y

#
# Xtables targets
#
# CONFIG_NETFILTER_XT_TARGET_AUDIT is not set
# CONFIG_NETFILTER_XT_TARGET_CHECKSUM is not set
CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y
CONFIG_NETFILTER_XT_TARGET_CONNMARK=y
# CONFIG_NETFILTER_XT_TARGET_CT is not set
CONFIG_NETFILTER_XT_TARGET_DSCP=y
CONFIG_NETFILTER_XT_TARGET_HL=y
# CONFIG_NETFILTER_XT_TARGET_IDLETIMER is not set
CONFIG_NETFILTER_XT_TARGET_MARK=y
CONFIG_NETFILTER_XT_TARGET_NFLOG=y
CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y
# CONFIG_NETFILTER_XT_TARGET_NOTRACK is not set
# CONFIG_NETFILTER_XT_TARGET_RATEEST is not set
# CONFIG_NETFILTER_XT_TARGET_TEE is not set
# CONFIG_NETFILTER_XT_TARGET_TRACE is not set
# CONFIG_NETFILTER_XT_TARGET_TCPMSS is not set
# CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP is not set

#
# Xtables matches
#
# CONFIG_NETFILTER_XT_MATCH_ADDRTYPE is not set
# CONFIG_NETFILTER_XT_MATCH_CLUSTER is not set
CONFIG_NETFILTER_XT_MATCH_COMMENT=y
CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y
# CONFIG_NETFILTER_XT_MATCH_CONNLIMIT is not set
CONFIG_NETFILTER_XT_MATCH_CONNMARK=y
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
# CONFIG_NETFILTER_XT_MATCH_CPU is not set
CONFIG_NETFILTER_XT_MATCH_DCCP=y
# CONFIG_NETFILTER_XT_MATCH_DEVGROUP is not set
CONFIG_NETFILTER_XT_MATCH_DSCP=y
CONFIG_NETFILTER_XT_MATCH_ECN=y
CONFIG_NETFILTER_XT_MATCH_ESP=y
CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=y
CONFIG_NETFILTER_XT_MATCH_HELPER=y
CONFIG_NETFILTER_XT_MATCH_HL=y
# CONFIG_NETFILTER_XT_MATCH_IPRANGE is not set
CONFIG_NETFILTER_XT_MATCH_LENGTH=y
CONFIG_NETFILTER_XT_MATCH_LIMIT=y
CONFIG_NETFILTER_XT_MATCH_MAC=y
CONFIG_NETFILTER_XT_MATCH_MARK=y
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
# CONFIG_NETFILTER_XT_MATCH_NFACCT is not set
# CONFIG_NETFILTER_XT_MATCH_OSF is not set
# CONFIG_NETFILTER_XT_MATCH_OWNER is not set
CONFIG_NETFILTER_XT_MATCH_POLICY=y
# CONFIG_NETFILTER_XT_MATCH_PHYSDEV is not set
CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y
CONFIG_NETFILTER_XT_MATCH_QUOTA=y
# CONFIG_NETFILTER_XT_MATCH_RATEEST is not set
CONFIG_NETFILTER_XT_MATCH_REALM=y
CONFIG_NETFILTER_XT_MATCH_RECENT=y
CONFIG_NETFILTER_XT_MATCH_SCTP=y
CONFIG_NETFILTER_XT_MATCH_STATE=y
CONFIG_NETFILTER_XT_MATCH_STATISTIC=y
CONFIG_NETFILTER_XT_MATCH_STRING=y
CONFIG_NETFILTER_XT_MATCH_TCPMSS=y
# CONFIG_NETFILTER_XT_MATCH_TIME is not set
# CONFIG_NETFILTER_XT_MATCH_U32 is not set
# CONFIG_IP_SET is not set
# CONFIG_IP_VS is not set

#
# IP: Netfilter Configuration
#
CONFIG_NF_DEFRAG_IPV4=y
CONFIG_NF_CONNTRACK_IPV4=y
CONFIG_NF_CONNTRACK_PROC_COMPAT=y
# CONFIG_IP_NF_QUEUE is not set
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_AH=y
CONFIG_IP_NF_MATCH_ECN=y
# CONFIG_IP_NF_MATCH_RPFILTER is not set
CONFIG_IP_NF_MATCH_TTL=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_IP_NF_TARGET_ULOG=y
CONFIG_NF_NAT=y
CONFIG_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_TARGET_NETMAP=y
CONFIG_IP_NF_TARGET_REDIRECT=y
# CONFIG_NF_NAT_FTP is not set
# CONFIG_NF_NAT_IRC is not set
# CONFIG_NF_NAT_TFTP is not set
# CONFIG_NF_NAT_AMANDA is not set
# CONFIG_NF_NAT_PPTP is not set
# CONFIG_NF_NAT_H323 is not set
# CONFIG_NF_NAT_SIP is not set
CONFIG_IP_NF_MANGLE=y
# CONFIG_IP_NF_TARGET_CLUSTERIP is not set
CONFIG_IP_NF_TARGET_ECN=y
CONFIG_IP_NF_TARGET_TTL=y
CONFIG_IP_NF_RAW=y
CONFIG_IP_NF_ARPTABLES=y
CONFIG_IP_NF_ARPFILTER=y
CONFIG_IP_NF_ARP_MANGLE=y

#
# IPv6: Netfilter Configuration
#
# CONFIG_NF_DEFRAG_IPV6 is not set
# CONFIG_NF_CONNTRACK_IPV6 is not set
# CONFIG_IP6_NF_QUEUE is not set
# CONFIG_IP6_NF_IPTABLES is not set
# CONFIG_BRIDGE_NF_EBTABLES is not set
# CONFIG_IP_DCCP is not set
# CONFIG_IP_SCTP is not set
# CONFIG_RDS is not set
# CONFIG_TIPC is not set
# CONFIG_ATM is not set
# CONFIG_L2TP is not set
CONFIG_STP=y
CONFIG_BRIDGE=y
# CONFIG_BRIDGE_IGMP_SNOOPING is not set
# CONFIG_NET_DSA is not set
# CONFIG_VLAN_8021Q is not set
# CONFIG_DECNET is not set
CONFIG_LLC=y
# CONFIG_LLC2 is not set
# CONFIG_IPX is not set
# CONFIG_ATALK is not set
# CONFIG_X25 is not set
# CONFIG_LAPB is not set
# CONFIG_ECONET is not set
# CONFIG_WAN_ROUTER is not set
# CONFIG_PHONET is not set
# CONFIG_IEEE802154 is not set
# CONFIG_NET_SCHED is not set
# CONFIG_DCB is not set
# CONFIG_BATMAN_ADV is not set
# CONFIG_OPENVSWITCH is not set
CONFIG_BQL=y
CONFIG_HAVE_BPF_JIT=y
# CONFIG_BPF_JIT is not set
Comment 1 Gustav Schaffter 2012-06-26 11:53:25 UTC
Just tried to set CONFIG_IP6_NF_IPTABLES=y
recompile the kernel and reboot with the new kernel.

No change. Still the same error.
Comment 2 Rafał Mużyło 2012-06-26 14:52:46 UTC
Did you check what check exactly is made by that script that fails ?
Comment 3 Gustav Schaffter 2012-06-26 17:35:44 UTC
(In reply to comment #2)
> Did you check what check exactly is made by that script that fails ?

Well, now I have. (Thanks for pushing me in the right direction. ;-)


The error occurs in the file

/usr/share/shorewall/Shorewall/Config.pm


Reading lines 2769 to 2778 of 'sub determine_capabilities()', it becomes clear that shorewall6 (just as shorewall[IPv4]) tries to determine if it's going to be able to configure iptables. From what I understand of the code, it will first create a 'dummy' chain with a 'silly name'. Let's here call it 'sillyname', just as an example. It will then try to create two new rules in the 'sillyname' chain. This is where it fails.


As far as I can understand, it succeeds in creating the dummy chain 'sillyname'.

But it fails to create the two rules:

ip6tables -A sillyname -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A sillyname -m state --state ESTABLISHED,RELATED -j ACCEPT


When I try this from the command line, creation of a new dummy chain succeeds, but trying to create any of the rules into the dummy chain fails with return code 1 and the error message: "ip6tables: Protocol wrong type for socket." And this is my root problem.



My Conclusions:
===============

1) The root cause doesn't seem to be in shorewall6.

2) The error message from shorewall6 ( actually in the shorewall[IPv4] code, shared by shorewall6 ) could be made clearer and more explicit.

3) Especially: Config.pm should not claim that "No version of Shorewall will run on this system" when in fact shorewall[IPv4] already does so without problems. I can imagine that this is an artifact from the time when there was IPv4 and shorewall[IPv4] and nothing more. I believe that this is all that could be improved upon within shorewall concerning my specific problem.

4) In this case I would propose "No IPv6 version of Shorewall will run on this system" as error message, because Config.pm knows if it's dealing with IPv6 or IPv4. ( Otherwise it wouldn't know to call for iptables or ip6tables. )

5) The root cause of my problem is most likely a kernel configuration issue.

6) I will now have to find out what IPv6 capabilities I miss in my kernel configuration, by trial and error, including configuration, compilation, installation and reboot. At least I know how to spend my evening. ;-)
Comment 4 Constanze Hausner (RETIRED) gentoo-dev 2012-06-28 11:53:59 UTC
Did you find the problem?
Comment 5 Gustav Schaffter 2012-07-13 05:09:24 UTC
I now successfully run both shorewall[IPv4] and shorewall6 on this system.


After a long delay, due to "real life" related issues, I finally got around to tinkering with my kernel settings. Due to shorewall being less than helpful in its error messages, I've been forced to take the old "trial and error" method. In fact, I now have enabled almost all iptables related options in the kernel. Some options that I felt were definitely not related to the problem, and that were totally unrelated to this system, are still not set. I have also avoided enabling any options marked as "EXPERIMENTAL". I'm convinced that I now have "too many" options enabled, but I fail to find the time required to fine-tune these settings.

When I got around the problem as described above, the next problem surfaced. When trying to either '/etc/init.d/shorewall6 check' --or-- '/etc/init.d/shorewall6 start' I got another error message that I had difficulty interpreting: "FORWARD_CLEAR_MARK=Yes requires MARK Target in your kernel and iptables".

The resolution to this was to enable CONFIG_NETFILTER_XT_TARGET_CT in the kernel. This is another example of when the error messages produced by shorewall are less than helpful for a kernel/iptables novice like myself.

Yes, my system now runs both shorewall and shorewall6.
Comment 6 Gustav Schaffter 2012-07-13 05:23:51 UTC
My final thoughts:


shorewall6 (together with shorewall) seems to work really well.



But, its internal configuration tests could be improved upon. There are examples of when two or more tests must ALL succeed and when just any one of them fails, a common error message is produced. A user like myself doesn't know WHICH test failed. Just one of them. (Nor does the software in that moment, but it doesn't really care.)


I also believe that when such internal tests fail, it would be VERY helpful if the failing iptables command was displayed or logged. With such information available, it becomes easier (though not necessarily easy) to understand what shorewall tries to do, and what fails.


But, my remarks are indirect requests for IMPROVEMENTS in shorewall and shorewall6's error handling and error reporting. When the kernel is "correctly" configured, the shorewall software family has no problems that I'm aware of.


I'm not sure if my rantings have been helpful to anyone. My personal opinion is that it would/could be constructive if my experiences somehow could be forwarded upstream to the software maintainer(s) of the shorewall software family.
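The two probe rules quoted in comment 3, together with the "show the failing iptables command" suggestion in comment 6, can be turned into a small check. What follows is an added example written for this page; it is not shorewall's own code. It parses a kernel .config (the embedded excerpt is copied from the report's /proc/config.gz dump), lists the options that `ip6tables -m state` / `-m conntrack` need but the posted config leaves unset, and re-runs the probe rules so that each failing command is reported with its exit status and stderr rather than being folded into one "no state match support" verdict. The option list, the helper names and the dummy chain name are this example's own assumptions. One note on the errno the reporter saw: "Protocol wrong type for socket" is EPROTOTYPE, which is what the state and conntrack matches return when the kernel has no connection-tracking support for the address family of the table being edited; with the posted config that is CONFIG_NF_CONNTRACK_IPV6 (and its dependency CONFIG_NF_DEFRAG_IPV6), which is why enabling CONFIG_IP6_NF_IPTABLES alone (comment 1) did not change anything.

```python
"""Kernel-config check and ip6tables capability probe for this bug.

Added example, not shorewall's code.  The probe rules are the two quoted in
comment 3; REPORTED_CONFIG is an excerpt copied from the report's config dump.
"""
import gzip
import re
import subprocess
from typing import Callable, Dict, List, Tuple

# Options `ip6tables -A <chain> -m state --state ESTABLISHED,RELATED` needs
# (this example's own list).  xt_state/xt_conntrack are shared with IPv4,
# but AF_INET6 also needs ip6_tables and IPv6 connection tracking.
REQUIRED_FOR_IP6_STATE = [
    "CONFIG_NETFILTER",
    "CONFIG_NF_CONNTRACK",
    "CONFIG_NETFILTER_XTABLES",
    "CONFIG_NETFILTER_XT_MATCH_STATE",
    "CONFIG_NETFILTER_XT_MATCH_CONNTRACK",
    "CONFIG_IP6_NF_IPTABLES",
    "CONFIG_IP6_NF_FILTER",
    "CONFIG_NF_DEFRAG_IPV6",
    "CONFIG_NF_CONNTRACK_IPV6",
]

# Excerpt copied from the report's /proc/config.gz (only the relevant lines).
REPORTED_CONFIG = """\
CONFIG_NETFILTER=y
CONFIG_NF_CONNTRACK=y
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
CONFIG_NETFILTER_XT_MATCH_STATE=y
CONFIG_NF_CONNTRACK_IPV4=y
CONFIG_IP_NF_IPTABLES=y
# CONFIG_NF_DEFRAG_IPV6 is not set
# CONFIG_NF_CONNTRACK_IPV6 is not set
# CONFIG_IP6_NF_IPTABLES is not set
"""


def parse_kconfig(text: str) -> Dict[str, str]:
    """Map CONFIG_* names to their value; '# X is not set' becomes 'n'."""
    opts: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^# (CONFIG_\w+) is not set$", line)
        if m:
            opts[m.group(1)] = "n"
            continue
        m = re.match(r"^(CONFIG_\w+)=(.+)$", line)
        if m:
            opts[m.group(1)] = m.group(2)
    return opts


def missing_for_ip6_state(opts: Dict[str, str]) -> List[str]:
    """Required options that are neither built in (y) nor modular (m).
    An option absent from the file counts as unset: Kconfig omits options
    whose dependencies are off (IP6_NF_FILTER without IP6_NF_IPTABLES)."""
    return [o for o in REQUIRED_FOR_IP6_STATE if opts.get(o, "n") not in ("y", "m")]


def load_running_config(path: str = "/proc/config.gz") -> Dict[str, str]:
    with gzip.open(path, "rt") as f:
        return parse_kconfig(f.read())


# The probe from comment 3: a throw-away chain, then one rule per match.
# "fooX1234" is a placeholder chain name; shorewall picks its own.
PROBE_CHAIN = "fooX1234"
Runner = Callable[[List[str]], Tuple[int, str]]  # argv -> (rc, stderr)


def probe_commands(tool: str = "ip6tables") -> List[List[str]]:
    return [
        [tool, "-N", PROBE_CHAIN],
        [tool, "-A", PROBE_CHAIN, "-m", "conntrack", "--ctstate",
         "ESTABLISHED,RELATED", "-j", "ACCEPT"],
        [tool, "-A", PROBE_CHAIN, "-m", "state", "--state",
         "ESTABLISHED,RELATED", "-j", "ACCEPT"],
    ]


def run_probe(runner: Runner, tool: str = "ip6tables") -> List[Tuple[str, int, str]]:
    """Run every probe command; return (command, rc, stderr) for each failure.
    The dummy chain is flushed and deleted afterwards."""
    failures = []
    for argv in probe_commands(tool):
        rc, err = runner(argv)
        if rc != 0:
            failures.append((" ".join(argv), rc, err.strip()))
    for argv in ([tool, "-F", PROBE_CHAIN], [tool, "-X", PROBE_CHAIN]):
        runner(argv)
    return failures


def subprocess_runner(argv: List[str]) -> Tuple[int, str]:
    """Real runner: needs root and the ip6tables binary on PATH."""
    try:
        p = subprocess.run(argv, capture_output=True, text=True)
    except FileNotFoundError:
        return 127, f"{argv[0]}: not found"
    return p.returncode, p.stderr


if __name__ == "__main__":
    for opt in missing_for_ip6_state(load_running_config()):
        print("missing kernel option:", opt)
    for cmd, rc, err in run_probe(subprocess_runner):
        print(f"FAILED (rc={rc}): {cmd}\n    {err}")
```

Run as root on the affected box, the second loop prints the exact `ip6tables -A fooX1234 -m conntrack ...` and `-m state ...` commands with "Protocol wrong type for socket", which is the information the reporter had to dig out of Config.pm by hand; the first loop names the IPv6 netfilter options still missing from the running kernel.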
Comment 7 Constanze Hausner (RETIRED) gentoo-dev 2012-07-13 08:09:30 UTC
Thanks for your comment. I think it will be useful, if someone else runs into some of these problems. Maybe you could write to the shorewall mailing list (shorewall-users@lists.sourceforge.net)? Unfortunately they have no bugzilla, so everything goes through mailing lists and IRC.