On Thu, Feb 13, 2020 at 4:34 AM Tom Eastep <teas...@shorewall.net> wrote:
>
> > After rebooting into the new kernel, shorewall complains with:
> >
> > "Your kernel/iptables do not include state match support."
> >
> > Grepping for the kernel option yields the following even for the new kernel:
> >
> > CONFIG_NETFILTER_XT_MATCH_STATE=m
>
> This code can be simulated with these commands at a shell prompt:
>
> iptables -N foo
> iptables -A foo -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
> iptables -A foo -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> One of the last two commands must succeed, so hopefully the error output
> from those commands will give you a clue...
I had a chance to do that today. However, I'm unable to figure out what it all means.

This is the output for the above commands:

iptables: Protocol wrong type for socket.
iptables: Protocol wrong type for socket.

# egrep 'STATE|CONNTRACK' /usr/src/linux/.config
CONFIG_NEED_DMA_MAP_STATE=y
CONFIG_PERF_EVENTS_INTEL_CSTATE=y
CONFIG_ACPI_SYSTEM_POWER_STATES_SUPPORT=y
CONFIG_ACPI_PROCESSOR_CSTATE=y
# CONFIG_X86_INTEL_PSTATE is not set
CONFIG_NF_CONNTRACK=y
CONFIG_NF_CONNTRACK_SECMARK=y
CONFIG_NF_CONNTRACK_PROCFS=y
CONFIG_NF_CONNTRACK_FTP=y
CONFIG_NF_CONNTRACK_IRC=y
# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set
CONFIG_NF_CONNTRACK_SIP=y
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
CONFIG_NETFILTER_XT_MATCH_STATE=y
CONFIG_NF_CONNTRACK_IPV4=y
CONFIG_NF_CONNTRACK_IPV6=y
# CONFIG_VGASTATE is not set
# CONFIG_CPU_HOTPLUG_STATE_CONTROL is not set

A Shorewall dump reveals:

Modules
ip_set 35141 4 ip_set_hash_mac,ip_set_bitmap_port,ip_set_hash_net,ip_set_hash_ip
ip_set_bitmap_port 6270 1
ip_set_hash_ip 24681 14
ip_set_hash_mac 13431 1
ip_set_hash_net 27712 29
ip_tables 16491 3 iptable_mangle,iptable_filter,iptable_raw
iptable_filter 2293 1
iptable_mangle 2066 0
iptable_raw 1918 0
nf_conntrack 109483 21 nf_conntrack_sip,nf_conntrack_proto_sctp,nf_conntrack_irc,nf_conntrack_ftp,nf_nat_sip,nf_conntrack_tftp,nf_nat_irc,nf_conntrack_pptp,nf_conntrack_amanda,nf_conntrack_broadcast,nf_nat_ftp,nf_conntrack_sane,nf_nat_amanda,nf_conntrack_netlink,nf_conntrack_proto_udplite,nf_conntrack_netbios_ns,nf_conntrack_proto_gre,nf_conntrack_h323,xt_conntrack,nf_nat_tftp,nf_nat
nf_conntrack_amanda 3226 1 nf_nat_amanda
nf_conntrack_broadcast 1709 1 nf_conntrack_netbios_ns
nf_conntrack_ftp 13086 1 nf_nat_ftp
nf_conntrack_h323 66414 0
nf_conntrack_irc 6064 1 nf_nat_irc
nf_conntrack_netbios_ns 1657 0
nf_conntrack_netlink 29038 0
nf_conntrack_pptp 11804 0
nf_conntrack_proto_gre 7067 1 nf_conntrack_pptp
nf_conntrack_proto_sctp 14239 0
nf_conntrack_proto_udplite 4722 0
nf_conntrack_sane 5607 0
nf_conntrack_sip 24130 1 nf_nat_sip
nf_conntrack_tftp 5729 1 nf_nat_tftp
nf_log_common 3973 1 nf_log_ipv4
nf_log_ipv4 4447 0
nf_nat 17129 5 nf_nat_sip,nf_nat_irc,nf_nat_ftp,nf_nat_amanda,nf_nat_tftp
nf_nat_amanda 1547 0
nf_nat_ftp 2722 0
nf_nat_irc 2291 0
nf_nat_sip 8546 0
nf_nat_tftp 1353 0
xt_LOG 2258 0
xt_NFLOG 1529 0
xt_conntrack 3656 0
ERROR: Your kernel lacks connection tracking and/or state matching -- Shorewall will not run on this system

dmesg has this:

[ 38.497693] nf_conntrack version 0.5.0 (65536 buckets, 262144 max)
[ 38.521205] ctnetlink v0.93: registering with nfnetlink.
[ 38.634761] xt_conntrack: cannot load conntrack support for proto=2
[ 38.641262] xt_conntrack: cannot load conntrack support for proto=2
[ 50.687185] xt_conntrack: cannot load conntrack support for proto=2
[ 50.690144] xt_conntrack: cannot load conntrack support for proto=2
[ 59.171524] xt_conntrack: cannot load conntrack support for proto=2
[ 59.178150] xt_conntrack: cannot load conntrack support for proto=2

If you have any suggestions they are very welcome.

The reason I'm fiddling with different kernel versions is because of the NFQUEUE "misbehavior" I'm seeing in syslog (reported in another thread).

Regards,

Vieri

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
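A way to cross-check the two pieces of evidence in the message above (the grep of /usr/src/linux/.config and the module list in the Shorewall dump), as an added example that is not part of this thread or of Shorewall: parse both, confirm the options the state-match check needs are present, and flag any option marked built-in (=y) whose module is nevertheless loaded, since a built-in feature never appears in lsmod and such a hit means the .config being read does not describe the running kernel. The option-to-module pairings are assumed from the kernel tree; the sample input is a constructed excerpt of the output posted above.

```python
import re

# Options the Shorewall check depends on (names as they appear in the thread).
REQUIRED = ("CONFIG_NF_CONNTRACK", "CONFIG_NF_CONNTRACK_IPV4",
            "CONFIG_NETFILTER_XT_MATCH_STATE", "CONFIG_NETFILTER_XT_MATCH_CONNTRACK")
# Option -> module the kernel builds when that option is =m (assumed from the kernel tree).
MODULE_OF = {"CONFIG_NF_CONNTRACK": "nf_conntrack",
             "CONFIG_NF_CONNTRACK_IPV4": "nf_conntrack_ipv4",
             "CONFIG_NETFILTER_XT_MATCH_STATE": "xt_state",
             "CONFIG_NETFILTER_XT_MATCH_CONNTRACK": "xt_conntrack"}

def parse_kconfig(text):
    """Map CONFIG_* names to their value ('y', 'm', ...) or 'n' for '# X is not set'."""
    opts = {}
    for line in text.splitlines():
        m = re.match(r"# (CONFIG_\w+) is not set$", line.strip())
        if m:
            opts[m.group(1)] = "n"
            continue
        m = re.match(r"(CONFIG_\w+)=(.+)$", line.strip())
        if m:
            opts[m.group(1)] = m.group(2)
    return opts

def parse_lsmod(text):
    """Collect module names from lsmod-style lines: name size usecount [users]."""
    return {p[0] for p in (ln.split() for ln in text.splitlines())
            if len(p) >= 2 and p[1].isdigit()}

def missing_options(opts):
    """Required options that are neither built in (y) nor modular (m)."""
    return [o for o in REQUIRED if opts.get(o) not in ("y", "m")]

def config_mismatch(opts, loaded):
    """Options the .config marks built-in (=y) whose module is loaded anyway.
    A built-in feature never appears in lsmod, so a hit means the .config
    being read does not describe the kernel that is actually running."""
    return [o for o, mod in MODULE_OF.items() if opts.get(o) == "y" and mod in loaded]

# Constructed sample input: excerpts of the .config grep and module list posted above.
SAMPLE_CONFIG = """\
CONFIG_NF_CONNTRACK=y
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
CONFIG_NETFILTER_XT_MATCH_STATE=y
CONFIG_NF_CONNTRACK_IPV4=y
# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set
"""
SAMPLE_LSMOD = """\
nf_conntrack 109483 21 nf_conntrack_sip,xt_conntrack,nf_nat
xt_conntrack 3656 0
"""
```

On a live system, feed it the running kernel's config (for example a decompressed /proc/config.gz) and real lsmod output instead of the embedded samples; an empty mismatch list together with an empty missing list means the config and the loaded modules agree.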