On 4/21/07, Dan Johansson <[EMAIL PROTECTED]> wrote:

On Saturday 21 April 2007 15:53, Uwe Thiem wrote:
> On 21 April 2007, Dan Johansson wrote:
> > After upgrading gentoo-sources to 2.6.20-r6 from 2.6.19-r5 today my
> > firewall won't start (shorewall).
> >
> > Here's the error:
> > iptables: Invalid argument
> >    ERROR: Command "/sbin/iptables -A FORWARD -m state --state
> > ESTABLISHED,RELATED -j ACCEPT" Failed
> >
> > I'm getting the same error message when I try it by hand.
>
> When you generated the kernel, did you build all modules necessary? In this
> particular case, ipt_state?
If you mean CONFIG_NETFILTER_XT_MATCH_STATE=y then yes, it's compiled in (not a
module). You know of any other part that NEEDS to be activated other than the
following?

CONFIG_NETFILTER=y
CONFIG_NF_CONNTRACK_ENABLED=y
CONFIG_NF_CONNTRACK_SUPPORT=y
CONFIG_NF_CONNTRACK=y
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_MATCH_LIMIT=y
CONFIG_NETFILTER_XT_MATCH_STATE=y
CONFIG_IP_NF_QUEUE=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_IP_NF_MANGLE=y


--
Dan Johansson, <http://www.dmj.nu>
***************************************************
This message is printed on 100% recycled electrons!
***************************************************


You found your problem, then.  When you use iptables -m state, it loads the
state module.  Since it's not compiled as a module, it won't load.  Either
change it to a module in the kernel or remove the -m state (I think I tried
once compiling into the kernel and dropping the -m state, but it didn't
work).

--
- Mark Shields
