* [gentoo-user] Shorewall6 kernel config
@ 2020-04-18 12:42 Peter Humphrey
2020-04-18 13:52 ` Wolf
0 siblings, 1 reply; 5+ messages in thread
From: Peter Humphrey @ 2020-04-18 12:42 UTC
To: gentoo-user
Afternoon all,
I did have IPv6 running on my LAN, but then I dropped it while bug-hunting.
Now I'd like to put it up again, but I'm falling at the first hurdle.
# shorewall6 check
Checking using Shorewall 5.2.3.7...
Processing /etc/shorewall6/params ...
Processing /etc/shorewall6/shorewall6.conf...
Loading Modules...
ERROR: Your kernel/iptables do not include state match support. No version
of Shorewall will run on this system /usr/share/shorewall6/helpers (EOF)
Shorewall refuses to specify which state is not being matched, and I can't find
anything useful in my kernel config (gentoo-sources-5.4.28). The shorewall
website is no help - it even announces that its kernel config page is not
maintained - and google doesn't help either.
Can anyone point me in the right direction?
--
Regards,
Peter.
* Re: [gentoo-user] Shorewall6 kernel config
From: Wolf @ 2020-04-18 13:52 UTC
To: gentoo-user
> ERROR: Your kernel/iptables do not include state match support. No version
> of Shorewall will run on this system /usr/share/shorewall6/helpers (EOF)
>
> Shorewall refuses to specify which state is not being matched, and I can't find
> anything useful in my kernel config (gentoo-sources-5.4.28). The shorewall
> website is no help - it even announces that its kernel config page is not
> maintained - and google doesn't help either.
This sounds like shorewall6 is looking for "state" match support for
iptables.
The corresponding config option is CONFIG_NETFILTER_XT_MATCH_STATE, is
that option enabled in your kernel?
--
Wolf
* Re: [gentoo-user] Shorewall6 kernel config
From: Peter Humphrey @ 2020-04-18 14:03 UTC
To: Wolf, gentoo-user
On Saturday, 18 April 2020 14:52:04 BST Wolf wrote:
> > ERROR: Your kernel/iptables do not include state match support. No version
> > of Shorewall will run on this system /usr/share/shorewall6/helpers (EOF)
> >
> > Shorewall refuses to specify which state is not being matched, and I can't
> > find anything useful in my kernel config (gentoo-sources-5.4.28). The
> > shorewall website is no help - it even announces that its kernel config
> > page is not maintained - and google doesn't help either.
>
> This sounds like shorewall6 is looking for "state" match support for
> iptables.
>
> The corresponding config option is CONFIG_NETFILTER_XT_MATCH_STATE, is
> that option enabled in your kernel?
# grep NETFILTER_XT_MATCH_STATE /usr/src/linux/.config
CONFIG_NETFILTER_XT_MATCH_STATE=m
So yes, it is.
I'm confused by having two apparently different sets of IP filtering options. Do
I need the NF set or the older one?
--
Regards,
Peter.
* Re: [gentoo-user] Shorewall6 kernel config
From: Wolf @ 2020-04-18 14:20 UTC
To: gentoo-user
On 2020-04-18 15:03, Peter Humphrey wrote:
> # grep NETFILTER_XT_MATCH_STATE /usr/src/linux/.config
> CONFIG_NETFILTER_XT_MATCH_STATE=m
>
> So yes, it is.
>
> I'm confused by having two apparently different sets of IP filtering options. Do
> I need the NF set or the older one?
This depends on whether shorewall uses the older iptables stack, or the
newer nftables one. I don't know much about shorewall, but according to
a quick search online it seems to still rely on iptables.
In that case, CONFIG_NETFILTER_XT_MATCH_STATE should be the correct
option to use.
I'm using nftables myself, and I don't think there is a separate option
for match support, as it's contained in CONFIG_NFT_CT.
There used to be CONFIG_IP_NF_MATCH_STATE, but that is for very old
kernels only (2.6.15 is the last one with that option). I'm assuming
that this option was at some point changed to XT_MATCH_STATE.
In any case, you do seem to have the correct option set. Since you're
using it as a module, have you checked lsmod to see whether the
'xt_state' module is loaded? Maybe there's some more information in
dmesg as well.
--
Wolf
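The two checks Wolf suggests (is the option built as =y or =m, and if =m is the xt_state module actually loaded) can be scripted so the answer does not depend on eyeballing .config. The script below is an added example and is not part of this thread or of Shorewall. CONFIG_NETFILTER_XT_MATCH_STATE and the xt_state module come from the thread; the other dependency symbols, the module names paired with them, and the sample .config fragments are this example's own assumptions about what ip6tables needs before "-m state" works, so compare them against your kernel's Kconfig before relying on the list.

```shell
#!/bin/sh
# Added example (not from the thread): check a kernel .config for the
# options behind Shorewall's "state match support" test and list the
# modules that must be loaded when those options are built as =m.
# CONFIG_NETFILTER_XT_MATCH_STATE / xt_state are from the thread; the rest
# of the table is an assumption about its ip6tables dependencies.

# "CONFIG symbol  module name" pairs; "-" means built into the core.
STATE_MATCH_DEPS='
CONFIG_NETFILTER                 -
CONFIG_NF_CONNTRACK              nf_conntrack
CONFIG_NETFILTER_XTABLES         x_tables
CONFIG_NETFILTER_XT_MATCH_STATE  xt_state
CONFIG_IP6_NF_IPTABLES           ip6_tables
CONFIG_IP6_NF_FILTER             ip6table_filter
'

# kconfig_value FILE SYMBOL: print y, m or n ("is not set" or absent -> n).
kconfig_value() {
    val=$(sed -n "s/^$2=//p" "$1" | head -n 1)
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf 'n\n'; fi
}

# missing_options FILE: print every required symbol that is neither =y nor =m.
missing_options() {
    printf '%s\n' "$STATE_MATCH_DEPS" | while read -r sym mod; do
        [ -n "$sym" ] || continue
        case $(kconfig_value "$1" "$sym") in
            y|m) ;;
            *) printf '%s\n' "$sym" ;;
        esac
    done
}

# state_match_ok FILE: succeed only when nothing is missing.
state_match_ok() {
    [ -z "$(missing_options "$1")" ]
}

# modules_needed FILE: module names for dependencies built as =m; these are
# what lsmod must show (or modprobe must load) before "ip6tables -m state" works.
modules_needed() {
    printf '%s\n' "$STATE_MATCH_DEPS" | while read -r sym mod; do
        [ -n "$sym" ] && [ "$mod" != - ] || continue
        if [ "$(kconfig_value "$1" "$sym")" = m ]; then printf '%s\n' "$mod"; fi
    done
}

# report FILE: human-readable diagnosis; also consults lsmod when available.
report() {
    missing=$(missing_options "$1")
    if [ -n "$missing" ]; then
        printf 'Missing (not =y/=m):\n%s\n' "$missing"
        return 1
    fi
    printf 'All state-match dependencies are built in or modular.\n'
    mods=$(modules_needed "$1")
    [ -n "$mods" ] || return 0
    printf 'Modules that must be loaded: %s\n' "$(printf '%s' "$mods" | tr '\n' ' ')"
    if command -v lsmod >/dev/null 2>&1; then
        for m in $mods; do
            if lsmod | awk '{print $1}' | grep -qx "$m"; then
                printf '  %s: loaded\n' "$m"
            else
                printf '  %s: NOT loaded (modprobe it, then check dmesg)\n' "$m"
            fi
        done
    fi
}

# sample_config VARIANT: write a constructed .config fragment to a temp file
# and print its path. "partial" mirrors the thread (state match =m) but
# leaves one ip6tables dependency unset; "complete" has everything.
sample_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# Constructed sample, not a real kernel .config
CONFIG_NETFILTER=y
CONFIG_NF_CONNTRACK=m
CONFIG_NETFILTER_XTABLES=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_IP6_NF_IPTABLES=m
CONFIG_NFT_CT=m
EOF
    if [ "$1" = complete ]; then
        echo 'CONFIG_IP6_NF_FILTER=m' >> "$f"
    else
        echo '# CONFIG_IP6_NF_FILTER is not set' >> "$f"
    fi
    printf '%s\n' "$f"
}

# Against a real tree:  report /usr/src/linux/.config
# Demo run on the two constructed samples:
for v in partial complete; do
    f=$(sample_config "$v")
    printf '== %s sample ==\n' "$v"
    if report "$f"; then echo '-> config OK'; else echo '-> fix kernel config first'; fi
    rm -f "$f"
done
```

On a live system, run `report /usr/src/linux/.config` (or against `/proc/config.gz` after `zcat` into a file); a module listed as NOT loaded is the case Wolf describes, where the option is =m but nothing has loaded it yet.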
* Re: [gentoo-user] Shorewall6 kernel config
From: Peter Humphrey @ 2020-04-18 17:24 UTC
To: Wolf, gentoo-user
On Saturday, 18 April 2020 15:20:43 BST Wolf wrote:
> On 2020-04-18 15:03, Peter Humphrey wrote:
> > # grep NETFILTER_XT_MATCH_STATE /usr/src/linux/.config
> > CONFIG_NETFILTER_XT_MATCH_STATE=m
> >
> > So yes, it is.
> >
> > I'm confused by having two apparently different sets of IP filtering
> > options. Do I need the NF set or the older one?
>
> This depends on whether shorewall uses the older iptables stack, or the
> newer nftables one. I don't know much about shorewall, but according to
> a quick search online it seems to still rely on iptables.
>
> In that case, CONFIG_NETFILTER_XT_MATCH_STATE should be the correct
> option to use.
>
> I'm using nftables myself, and I don't think there is a separate option
> for match support, as it's contained in CONFIG_NFT_CT.
>
> There used to be CONFIG_IP_NF_MATCH_STATE, but that is for very old
> kernels only (2.6.15 is the last one with that option). I'm assuming
> that this option was at some point changed to XT_MATCH_STATE.
>
> In any case, you do seem to have the correct option set. Since you're
> using it as a module, have you checked lsmod to see whether the
> 'xt_state' module is loaded? Maybe there's some more information in
> dmesg as well.
Thanks for the help. In the end I just enabled more-or-less everything to do
with iptables and nftables. I reasoned that I was not opening any holes, just
setting the ground for the firewall to operate on.
--
Regards,
Peter.