| Summary: | net-firewall/shorewall-3.2.8 - module ip_tables not found | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Fred Krogh <fkrogh> |
| Component: | Current packages | Assignee: | Gentoo Netmon project <netmon> |
| Status: | RESOLVED UPSTREAM | | |
| Severity: | normal | | |
| Priority: | High | | |
| Version: | 2006.1 | | |
| Hardware: | AMD64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
Description
Fred Krogh
2007-02-01 22:23:17 UTC
You should see this error whenever trying to use iptables, not just shorewall. If you compiled your kernel with ip_tables as a module you will have to modprobe ip_tables (or include ip_tables in gentoo's /etc/modules.autoload.d/kernel-2.x). Are you sure it's really built-in (y)? emerge -s iptables?

Double-check:

Networking ---> Networking options ---> Network packet filtering (replaces ipchains) ---> Core Netfilter Configuration ---> Netfilter Xtables support (required for ip_tables)

Networking ---> Networking options ---> Network packet filtering (replaces ipchains) ---> IP: Netfilter Configuration ---> IP tables support (required for filtering/masq/NAT)

(In reply to comment #1)

Yes, all those things are configured. When I run iptables -L it seems I get a long list of things that certainly appears to mean that all is working, and another machine is getting to the internet through this one. I really think shorewall has done the right thing, aside of course from the misleading error messages. Thanks.

My test with shorewall 3.2.8:

```
INF-BL07 shorewall # /etc/init.d/shorewall start ; /etc/init.d/shorewall stop
 * Starting firewall ...                                              [ ok ]
 * Stopping firewall ...                                              [ ok ]
INF-BL07 shorewall # cat /usr/src/linux/.config | grep _NF_
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_CT_ACCT=y
CONFIG_IP_NF_CONNTRACK_MARK=y
CONFIG_IP_NF_CONNTRACK_EVENTS=y
CONFIG_IP_NF_CT_PROTO_SCTP=y
CONFIG_IP_NF_FTP=y
CONFIG_IP_NF_IRC=y
CONFIG_IP_NF_NETBIOS_NS=y
CONFIG_IP_NF_TFTP=y
CONFIG_IP_NF_AMANDA=y
CONFIG_IP_NF_PPTP=y
CONFIG_IP_NF_QUEUE=m
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_LIMIT=y
CONFIG_IP_NF_MATCH_IPRANGE=y
CONFIG_IP_NF_MATCH_MAC=y
CONFIG_IP_NF_MATCH_PKTTYPE=y
CONFIG_IP_NF_MATCH_MARK=y
CONFIG_IP_NF_MATCH_MULTIPORT=y
CONFIG_IP_NF_MATCH_TOS=y
CONFIG_IP_NF_MATCH_RECENT=y
CONFIG_IP_NF_MATCH_ECN=y
CONFIG_IP_NF_MATCH_DSCP=y
CONFIG_IP_NF_MATCH_AH_ESP=y
CONFIG_IP_NF_MATCH_LENGTH=y
CONFIG_IP_NF_MATCH_TTL=y
CONFIG_IP_NF_MATCH_TCPMSS=y
CONFIG_IP_NF_MATCH_HELPER=y
CONFIG_IP_NF_MATCH_STATE=y
CONFIG_IP_NF_MATCH_CONNTRACK=y
CONFIG_IP_NF_MATCH_OWNER=y
CONFIG_IP_NF_MATCH_ADDRTYPE=y
CONFIG_IP_NF_MATCH_REALM=y
CONFIG_IP_NF_MATCH_SCTP=y
CONFIG_IP_NF_MATCH_DCCP=y
CONFIG_IP_NF_MATCH_COMMENT=y
CONFIG_IP_NF_MATCH_CONNMARK=y
CONFIG_IP_NF_MATCH_CONNBYTES=y
CONFIG_IP_NF_MATCH_HASHLIMIT=y
CONFIG_IP_NF_MATCH_STRING=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_IP_NF_TARGET_TCPMSS=y
# CONFIG_IP_NF_TARGET_NFQUEUE is not set
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_TARGET_REDIRECT=y
CONFIG_IP_NF_TARGET_NETMAP=y
CONFIG_IP_NF_TARGET_SAME=y
CONFIG_IP_NF_NAT_SNMP_BASIC=y
CONFIG_IP_NF_NAT_IRC=y
CONFIG_IP_NF_NAT_FTP=y
CONFIG_IP_NF_NAT_TFTP=y
CONFIG_IP_NF_NAT_AMANDA=y
CONFIG_IP_NF_NAT_PPTP=y
CONFIG_IP_NF_MANGLE=y
CONFIG_IP_NF_TARGET_TOS=y
CONFIG_IP_NF_TARGET_ECN=y
CONFIG_IP_NF_TARGET_DSCP=y
CONFIG_IP_NF_TARGET_MARK=y
CONFIG_IP_NF_TARGET_CLASSIFY=y
CONFIG_IP_NF_TARGET_TTL=y
CONFIG_IP_NF_TARGET_CONNMARK=y
CONFIG_IP_NF_TARGET_CLUSTERIP=y
CONFIG_IP_NF_RAW=y
CONFIG_IP_NF_TARGET_NOTRACK=y
CONFIG_IP_NF_ARPTABLES=y
CONFIG_IP_NF_ARPFILTER=y
CONFIG_IP_NF_ARP_MANGLE=y
# CONFIG_IP6_NF_QUEUE is not set
CONFIG_IP6_NF_IPTABLES=y
CONFIG_IP6_NF_MATCH_LIMIT=y
CONFIG_IP6_NF_MATCH_MAC=y
CONFIG_IP6_NF_MATCH_RT=y
CONFIG_IP6_NF_MATCH_OPTS=y
CONFIG_IP6_NF_MATCH_FRAG=y
CONFIG_IP6_NF_MATCH_HL=y
CONFIG_IP6_NF_MATCH_MULTIPORT=y
CONFIG_IP6_NF_MATCH_OWNER=y
CONFIG_IP6_NF_MATCH_MARK=y
CONFIG_IP6_NF_MATCH_IPV6HEADER=y
CONFIG_IP6_NF_MATCH_AHESP=y
CONFIG_IP6_NF_MATCH_LENGTH=y
CONFIG_IP6_NF_MATCH_EUI64=y
CONFIG_IP6_NF_FILTER=y
CONFIG_IP6_NF_TARGET_LOG=y
# CONFIG_IP6_NF_TARGET_REJECT is not set
# CONFIG_IP6_NF_TARGET_NFQUEUE is not set
CONFIG_IP6_NF_MANGLE=y
CONFIG_IP6_NF_TARGET_MARK=y
# CONFIG_IP6_NF_TARGET_HL is not set
CONFIG_IP6_NF_RAW=y
INF-BL07 shorewall # emerge -s iptables
Searching...
[ Results for search key : iptables ]
[ Applications found : 1 ]

*  net-firewall/iptables
      Latest version available: 1.3.5-r4
      Latest version installed: 1.3.4
      Size of files: 295 kB
      Homepage:      http://www.iptables.org/ http://www.linuximq.net/ http://l7-filter.sf.net/
      Description:   Linux kernel (2.4+) firewall, NAT and packet mangling tools
      License:       GPL-2

INF-BL07 shorewall # uname -a
Linux INF-BL07 2.6.15-gentoo-r5 #1 SMP Mon Mar 6 12:09:37 CET 2006 x86_64 Intel(R) Xeon(TM) CPU 3.20GHz GenuineIntel GNU/Linux
```

Are you by any chance doing traffic shaping? (marking) I am willing to simulate your rules on my test system.

(In reply to comment #3)
> I really think
> shorewall has done the right thing, aside of course from the misleading error
> messages.

Shorewall doesn't produce that error message. It's iptables.

(In reply to comment #4)
> My test with shorewall 3.2.8:

Probably the biggest difference is in the version of iptables. I have

```
*  net-firewall/iptables
      Latest version available: 1.3.7
      Latest version installed: 1.3.7
      Size of files: 316 kB
      Homepage:      http://www.iptables.org/ http://www.linuximq.net/ http://l7-filter.sf.net/
      Description:   Linux kernel (2.4+) firewall, NAT and packet mangling tools
      License:       GPL-2
```

For completeness I have included my cat .config|grep _NF_

```
CONFIG_NF_CONNTRACK_ENABLED=m
CONFIG_NF_CONNTRACK_SUPPORT=y
# CONFIG_IP_NF_CONNTRACK_SUPPORT is not set
CONFIG_NF_CONNTRACK=m
# CONFIG_NF_CT_ACCT is not set
# CONFIG_NF_CONNTRACK_MARK is not set
# CONFIG_NF_CONNTRACK_EVENTS is not set
# CONFIG_NF_CT_PROTO_SCTP is not set
# CONFIG_NF_CONNTRACK_AMANDA is not set
# CONFIG_NF_CONNTRACK_FTP is not set
# CONFIG_NF_CONNTRACK_H323 is not set
# CONFIG_NF_CONNTRACK_IRC is not set
# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set
# CONFIG_NF_CONNTRACK_PPTP is not set
# CONFIG_NF_CONNTRACK_SIP is not set
# CONFIG_NF_CONNTRACK_TFTP is not set
CONFIG_NF_CONNTRACK_IPV4=m
CONFIG_NF_CONNTRACK_PROC_COMPAT=y
CONFIG_IP_NF_QUEUE=m
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_IPRANGE=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_RECENT=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_AH=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_MATCH_ADDRTYPE=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_ULOG=m
# CONFIG_IP_NF_TARGET_TCPMSS is not set
CONFIG_NF_NAT=m
CONFIG_NF_NAT_NEEDED=y
# CONFIG_IP_NF_TARGET_MASQUERADE is not set
# CONFIG_IP_NF_TARGET_REDIRECT is not set
# CONFIG_IP_NF_TARGET_NETMAP is not set
# CONFIG_IP_NF_TARGET_SAME is not set
# CONFIG_NF_NAT_SNMP_BASIC is not set
# CONFIG_NF_NAT_FTP is not set
# CONFIG_NF_NAT_IRC is not set
# CONFIG_NF_NAT_TFTP is not set
# CONFIG_NF_NAT_AMANDA is not set
# CONFIG_NF_NAT_PPTP is not set
# CONFIG_NF_NAT_H323 is not set
# CONFIG_NF_NAT_SIP is not set
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_TTL=m
CONFIG_IP_NF_RAW=m
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
CONFIG_IP_NF_ARP_MANGLE=m
```

I might note that I have a lot of things as modules as I wasn't clear on what I needed and what wasn't needed.

You might want to CONFIG_IP_NF_IPTABLES=m and load it in autoload.d. You can take a look at this post: http://forums.gentoo.org/viewtopic.php?t=159133&highlight=iptables+howto

(In reply to comment #7)
> You might want to CONFIG_IP_NF_IPTABLES=m and load it in autoload.d.
> You can take a look at this post:
> http://forums.gentoo.org/viewtopic.php?t=159133&highlight=iptables+howto
>

There is nothing at this link that implies loading iptables as a module (as opposed to building in the kernel) is necessary. Since my configuration currently works, I'll leave it as it is. The fact that it prints out an error message labeled as FATAL, is in my opinion a bug.

(In reply to comment #8)
> The fact that it prints out an error
> message labeled as FATAL, is in my opinion a bug.

You may consider bringing this up in the netfilter mailing list. If you ever get this straightened out then it would be nice if you could drop a word in the forum iptables thread.

> (In reply to comment #8)
> > The fact that it prints out an error
> > message labeled as FATAL, is in my opinion a bug.
>
> You may consider bringing this up in the netfilter mailing list.

Fully with it ;) Not our own bug, thus marking as upstream
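The built-in-versus-module check that comment #1 and comment #7 describe, as an added example that is not from the bug thread, from Gentoo or from Shorewall: it reads a kernel .config (a constructed sample here, modelled on the reporter's mostly-=m layout), reports each netfilter option as built-in, module or unset, and lists the modules that have to be loaded (by hand or from /etc/modules.autoload.d) because the option is =m. The option-to-module table is an assumption about a reasonable minimum and covers both the older ip_conntrack and the newer nf_conntrack generation seen in the two dumps above.

```shell
#!/bin/sh
# Added example (not from the bug thread or Shorewall): audit a kernel .config
# for the netfilter options iptables/Shorewall need and list the modules that
# must be loaded (modprobe or /etc/modules.autoload.d) because they are =m.

# Option -> module name. Assumption: a reasonable minimum covering both the
# old ip_conntrack and the newer nf_conntrack generation seen in the thread.
NF_OPTIONS='
CONFIG_NETFILTER_XTABLES x_tables
CONFIG_IP_NF_IPTABLES ip_tables
CONFIG_IP_NF_FILTER iptable_filter
CONFIG_IP_NF_MANGLE iptable_mangle
CONFIG_IP_NF_CONNTRACK ip_conntrack
CONFIG_NF_CONNTRACK nf_conntrack
CONFIG_NF_CONNTRACK_IPV4 nf_conntrack_ipv4
CONFIG_IP_NF_NAT iptable_nat
CONFIG_NF_NAT nf_nat
'

# nf_state FILE OPTION -> prints y (built-in), m (module) or n (not set)
nf_state() {
  v=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" | head -n 1)
  printf '%s\n' "${v:-n}"
}

# nf_modules_to_load FILE -> one module name per line for every option =m,
# i.e. the modules a "module ... not found" error points at until loaded
nf_modules_to_load() {
  printf '%s\n' "$NF_OPTIONS" | while read -r opt mod; do
    [ -n "$opt" ] || continue
    if [ "$(nf_state "$1" "$opt")" = m ]; then printf '%s\n' "$mod"; fi
  done
}

# Constructed sample .config, modelled on the reporter's mostly-=m layout
SAMPLE_CFG="${TMPDIR:-/tmp}/nf-sample.config"
cat > "$SAMPLE_CFG" <<'EOF'
CONFIG_NETFILTER_XTABLES=m
CONFIG_NF_CONNTRACK=m
CONFIG_NF_CONNTRACK_IPV4=m
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=m
CONFIG_NF_NAT=m
CONFIG_IP_NF_MANGLE=m
# CONFIG_IP_NF_TARGET_MASQUERADE is not set
EOF

echo "ip_tables built-in? $(nf_state "$SAMPLE_CFG" CONFIG_IP_NF_IPTABLES)"
echo "modules to load before iptables/shorewall will work:"
nf_modules_to_load "$SAMPLE_CFG"
```

The thread's `grep _NF_` never matches CONFIG_NETFILTER_XTABLES, so an x_tables built as a module would not show up in either dump above; reading the .config directly avoids that blind spot.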