On 2/12/20 2:01 AM, Vieri Di Paola wrote:
> Hi,
>
> On a system with shorewall working fine, I decided to build a new
> kernel version, and rebuild all kernel modules for that version.
>
> iptables has not been re-compiled after building and symlinking the
> new kernel version.
>
> After rebooting into the new kernel, shorewall complains with:
>
> "Your kernel/iptables do not include state match support."
>
> Grepping for the kernel option yields the following even for the new kernel:
>
> CONFIG_NETFILTER_XT_MATCH_STATE=m
>
> Is it because iptables must be recompiled?
> If so, won't I have trouble when trying to switch from one kernel to
> another when rebooting?
Vieri,
When you build your own kernels, you are basically on your own and need
to understand how Shorewall detects kernel/iptables capabilities. In
this case, the code that raises the error is in the Config.pm Perl module:
    fatal_error 'Your kernel/iptables do not include state match support. No version of Shorewall will run on this system'
        unless
            qt1( "$iptables $iptablesw -A $sillyname -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" ) ||
            qt1( "$iptables $iptablesw -A $sillyname -m state --state ESTABLISHED,RELATED -j ACCEPT" );
This code can be simulated with these commands at a shell prompt:
    iptables -N foo
    iptables -A foo -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -A foo -m state --state ESTABLISHED,RELATED -j ACCEPT
One of the last two commands must succeed, so hopefully the error output
from those commands will give you a clue...
-Tom
--
Tom Eastep \ Q: What do you get when you cross a mobster
Shoreline, \ with an international standard?
Washington, USA \ A: Someone who makes you an offer you
http://shorewall.org \ can't understand
\________________________________________
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
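The probe Tom quotes from Config.pm, written out as a stand-alone diagnostic script (an added example, not Shorewall's own code): it creates a throw-away chain, tries the conntrack match and then the state match, cleans the chain up again, and keeps the error text from both attempts so the reason for a failure is visible. The IPTABLES variable, the probe_state_match function and the chain name are assumptions of this example.

```shell
# Added example, not part of Shorewall. Reproduces the state-match probe from
# Config.pm as a shell function. IPTABLES may be pointed at another binary.
IPTABLES="${IPTABLES:-iptables}"

# probe_state_match [CHAIN]
# Prints the name of the match that loaded ("conntrack" or "state").
# Exit status: 0 = a match loaded; 1 = both failed (their error text goes to
# stderr); 2 = iptables cannot even create a chain (binary/kernel mismatch,
# missing CAP_NET_ADMIN, ...).
probe_state_match() {
    chain="${1:-swprobe$$}"            # plays the role of $sillyname in Config.pm
    "$IPTABLES" -N "$chain" 2>/dev/null || return 2
    rc=1
    if err1=$("$IPTABLES" -A "$chain" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 2>&1); then
        echo conntrack; rc=0
    elif err2=$("$IPTABLES" -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT 2>&1); then
        echo state; rc=0
    else
        printf 'conntrack match: %s\nstate match: %s\n' "$err1" "$err2" >&2
    fi
    # Remove the temporary chain again, as Shorewall does after probing.
    "$IPTABLES" -F "$chain" 2>/dev/null || true
    "$IPTABLES" -X "$chain" 2>/dev/null || true
    return $rc
}

# Run as:  sh probe.sh run   (needs root, since it touches the live ruleset)
if [ "${1:-}" = run ]; then
    m=$(probe_state_match); rc=$?
    case $rc in
        0) echo "state match support detected via: $m" ;;
        2) echo "iptables could not create a chain at all" >&2 ;;
        *) # Both matches failed. CONFIG_..._STATE=m only means the module was
           # built; the running kernel needs it installed under its own tree.
           ls "/lib/modules/$(uname -r)/kernel/net/netfilter" 2>/dev/null | grep -E '^xt_(state|conntrack)\.ko' ||
               echo "no xt_state/xt_conntrack module installed for $(uname -r)" >&2 ;;
    esac
    exit $rc
fi
```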
