Hi All,

It's an old problem and still isn't fixed :(  I need the connection 
marking support to enable the triplet of ISPs we use.  However, I 
downloaded the latest 2.6.22.1 kernel, made an RPM and installed it.  I 
see the following kernel modules (which looks promising):

/lib/modules/2.6.22.1/kernel/net/netfilter
xt_connmark.ko
xt_CONNMARK.ko

Which yields the following gems:
 >modinfo xt_CONNMARK.ko
filename:       xt_CONNMARK.ko
author:         Henrik Nordstrom <snipped his e-mail>
description:    IP tables CONNMARK matching module
license:        GPL
alias:          ipt_CONNMARK
vermagic:       2.6.22.1 SMP mod_unload PENTIUM4 4KSTACKS
depends:        x_tables,nf_conntrack

 >modinfo xt_connmark.ko
filename:       xt_connmark.ko
author:         Henrik Nordstrom <snipped his e-mail>
description:    IP tables connmark match module
license:        GPL
alias:          ipt_connmark
vermagic:       2.6.22.1 SMP mod_unload PENTIUM4 4KSTACKS
depends:        x_tables,nf_conntrack

So far, so good.  I have the default CentOS 4.4 iptables:
 >rpm -qa|grep iptables
iptables-1.2.11-3.1.RHEL4

However, this is a live production firewall and scheduling downtime is a 
pretty delicate affair (unless I want to go into the co-lo at dark 
o'clock).  So my questions to the list are:

1. Does this kernel compile look ok?  I was expecting the modules, but
    not with the "xt_" prefix.

2. Do I need to recompile, or get a different version of, iptables?

3. Do I need to tweak the aliases in /etc/modprobe.conf?

The system cannot be easily migrated to a different version of CentOS or 
distribution of Linux (due to the configuration management system we 
use...BCFG2 <shudder>).  Changing just the kernel and perhaps iptables 
is a reasonably straight-forward affair though.

BTW, I am still using Shorewall 3.4.5-1 (via RPM).  I'd like to get this 
setup working on the old version before introducing extra complexity 
with the new 4.x branch.

Any help or insights would be greatly appreciated.

Regards,

James
