* [gentoo-user] iptables will not load rule after kernel upgrade (2.6.19-r5 -> 2.6.20-r6)
From: Dan Johansson @ 2007-04-21 13:23 UTC
To: gentoo-user
After upgrading gentoo-sources to 2.6.20-r6 from 2.6.19-r5 today my firewall
won't start (shorewall).
Here's the error:
iptables: Invalid argument
ERROR: Command "/sbin/iptables -A FORWARD -m state --state
ESTABLISHED,RELATED -j ACCEPT" Failed
I'm getting the same error message when I try it by hand. I've re-emerged my
iptables (net-firewall/iptables-1.3.5-r4
USE="-extensions -imq -ipv6 -l7filter -static") but that did not help.
Any suggestions?
--
Dan Johansson, <http://www.dmj.nu>
***************************************************
This message is printed on 100% recycled electrons!
***************************************************
* Re: [gentoo-user] iptables will not load rule after kernel upgrade (2.6.19-r5 -> 2.6.20-r6)
From: Uwe Thiem @ 2007-04-21 13:53 UTC
To: gentoo-user
On 21 April 2007, Dan Johansson wrote:
> After upgrading gentoo-sources to 2.6.20-r6 from 2.6.19-r5 today my
> firewall won't start (shorewall).
>
> Here's the error:
> iptables: Invalid argument
> ERROR: Command "/sbin/iptables -A FORWARD -m state --state
> ESTABLISHED,RELATED -j ACCEPT" Failed
>
> I'm getting the same error message when I try it by hand.
When you generated the kernel, did you build all modules necessary? In this
particular case, ipt_state?
Uwe
--
The Informal Linux Group Namibia:
http://www.linux.org.na
SysEx (Pty) Ltd.:
http://www.SysEx.com.na
--
gentoo-user@gentoo.org mailing list
* Re: [gentoo-user] iptables will not load rule after kernel upgrade (2.6.19-r5 -> 2.6.20-r6)
From: Dan Johansson @ 2007-04-21 18:11 UTC
To: gentoo-user
On Saturday 21 April 2007 15:53, Uwe Thiem wrote:
> On 21 April 2007, Dan Johansson wrote:
> > After upgrading gentoo-sources to 2.6.20-r6 from 2.6.19-r5 today my
> > firewall won't start (shorewall).
> >
> > Here's the error:
> > iptables: Invalid argument
> > ERROR: Command "/sbin/iptables -A FORWARD -m state --state
> > ESTABLISHED,RELATED -j ACCEPT" Failed
> >
> > I'm getting the same error message when I try it by hand.
>
> When you generated the kernel, did you build all modules necessary? In this
> particular case, ipt_state?
If you mean CONFIG_NETFILTER_XT_MATCH_STATE=y then yes it's compiled in (not a
module). You know of any other part that NEEDS to be activated other than the
following?
CONFIG_NETFILTER=y
CONFIG_NF_CONNTRACK_ENABLED=y
CONFIG_NF_CONNTRACK_SUPPORT=y
CONFIG_NF_CONNTRACK=y
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_MATCH_LIMIT=y
CONFIG_NETFILTER_XT_MATCH_STATE=y
CONFIG_IP_NF_QUEUE=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_IP_NF_MANGLE=y
--
Dan Johansson, <http://www.dmj.nu>
***************************************************
This message is printed on 100% recycled electrons!
***************************************************
* Re: [gentoo-user] iptables will not load rule after kernel upgrade (2.6.19-r5 -> 2.6.20-r6)
From: Mark Shields @ 2007-04-21 18:34 UTC
To: gentoo-user
On 4/21/07, Dan Johansson <Dan.Johansson@dmj.nu> wrote:
>
> On Saturday 21 April 2007 15:53, Uwe Thiem wrote:
> > On 21 April 2007, Dan Johansson wrote:
> > > After upgrading gentoo-sources to 2.6.20-r6 from 2.6.19-r5 today my
> > > firewall won't start (shorewall).
> > >
> > > Here's the error:
> > > iptables: Invalid argument
> > > ERROR: Command "/sbin/iptables -A FORWARD -m state --state
> > > ESTABLISHED,RELATED -j ACCEPT" Failed
> > >
> > > I'm getting the same error message when I try it by hand.
> >
> > When you generated the kernel, did you build all modules necessary? In
> > this particular case, ipt_state?
> If you mean CONFIG_NETFILTER_XT_MATCH_STATE=y then yes it's compiled in
> (not a module). You know of any other part that NEEDS to be activated other
> than the following?
>
> CONFIG_NETFILTER=y
> CONFIG_NF_CONNTRACK_ENABLED=y
> CONFIG_NF_CONNTRACK_SUPPORT=y
> CONFIG_NF_CONNTRACK=y
> CONFIG_NETFILTER_XTABLES=y
> CONFIG_NETFILTER_XT_MATCH_LIMIT=y
> CONFIG_NETFILTER_XT_MATCH_STATE=y
> CONFIG_IP_NF_QUEUE=y
> CONFIG_IP_NF_IPTABLES=y
> CONFIG_IP_NF_FILTER=y
> CONFIG_IP_NF_TARGET_REJECT=y
> CONFIG_IP_NF_TARGET_LOG=y
> CONFIG_IP_NF_MANGLE=y
>
>
> --
> Dan Johansson, <http://www.dmj.nu>
> ***************************************************
> This message is printed on 100% recycled electrons!
> ***************************************************
>
>
You found your problem, then. When you use iptables -m state, it loads the
state module. Since it's not compiled as a module, it won't load. Either
change it to module in the kernel or remove the -m state (I think I tried
once compiling into the kernel and dropping the -m state, but it didn't
work).
--
- Mark Shields
* Re: [gentoo-user] iptables will not load rule after kernel upgrade (2.6.19-r5 -> 2.6.20-r6) SOLVED
From: Dan Johansson @ 2007-04-22 9:13 UTC
To: gentoo-user
On Saturday 21 April 2007 20:34, Mark Shields wrote:
> On 4/21/07, Dan Johansson <Dan.Johansson@dmj.nu> wrote:
> > On Saturday 21 April 2007 15:53, Uwe Thiem wrote:
> > > On 21 April 2007, Dan Johansson wrote:
> > > > After upgrading gentoo-sources to 2.6.20-r6 from 2.6.19-r5 today my
> > > > firewall won't start (shorewall).
> > > >
> > > > Here's the error:
> > > > iptables: Invalid argument
> > > > ERROR: Command "/sbin/iptables -A FORWARD -m state --state
> > > > ESTABLISHED,RELATED -j ACCEPT" Failed
> > > >
> > > > I'm getting the same error message when I try it by hand.
> > >
> > > When you generated the kernel, did you build all modules necessary? In
> > > this particular case, ipt_state?
> >
> > If you mean CONFIG_NETFILTER_XT_MATCH_STATE=y then yes it's compiled in
> > (not a module). You know of any other part that NEEDS to be activated
> > other than the following?
> >
> > CONFIG_NETFILTER=y
> > CONFIG_NF_CONNTRACK_ENABLED=y
> > CONFIG_NF_CONNTRACK_SUPPORT=y
> > CONFIG_NF_CONNTRACK=y
> > CONFIG_NETFILTER_XTABLES=y
> > CONFIG_NETFILTER_XT_MATCH_LIMIT=y
> > CONFIG_NETFILTER_XT_MATCH_STATE=y
> > CONFIG_IP_NF_QUEUE=y
> > CONFIG_IP_NF_IPTABLES=y
> > CONFIG_IP_NF_FILTER=y
> > CONFIG_IP_NF_TARGET_REJECT=y
> > CONFIG_IP_NF_TARGET_LOG=y
> > CONFIG_IP_NF_MANGLE=y
> >
>
> You found your problem, then. When you use iptables -m state, it loads the
> state module. Since it's not compiled as a module, it won't load. Either
> change it to module in the kernel or remove the -m state (I think I tried
> once compiling into the kernel and dropping the -m state, but it didn't
> work).
I found the problem, CONFIG_NF_CONNTRACK_IPV4=y has to be set as well (no need
to compile anything as modules).
--
Dan Johansson, <http://www.dmj.nu>
***************************************************
This message is printed on 100% recycled electrons!
***************************************************
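
The fix reported in the last message, turned into a check that can be run against a kernel config before rebooting into the new kernel. This is an added example, not part of the thread: the function names and the sample config are constructed for illustration, and the symbol list is taken from the messages above (2.6.20-era option names). A symbol set to either y or m counts as present.

```shell
#!/bin/sh
# Added example: list the netfilter symbols from this thread that a kernel
# config does not enable, i.e. the gap that made "-m state" rules fail.

# Symbols named in the thread: Dan's list plus the one that fixed the problem.
STATE_MATCH_SYMBOLS="CONFIG_NETFILTER CONFIG_NF_CONNTRACK
CONFIG_NF_CONNTRACK_IPV4 CONFIG_NETFILTER_XTABLES
CONFIG_NETFILTER_XT_MATCH_STATE CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER"

# read_config FILE: print the config text; handles gzip'd copies such as
# /proc/config.gz as well as a plain .config.
read_config() {
    case "$1" in
        *.gz) gzip -dc -- "$1" ;;
        *)    cat -- "$1" ;;
    esac
}

# missing_symbols FILE: print every required symbol not set to y or m.
# Returns 0 if none are missing, 1 if some are, 2 if FILE is unreadable.
missing_symbols() {
    cfg=$(read_config "$1") || return 2
    rc=0
    for sym in $STATE_MATCH_SYMBOLS; do
        if ! printf '%s\n' "$cfg" | grep -Eq "^${sym}=(y|m)\$"; then
            printf '%s\n' "$sym"
            rc=1
        fi
    done
    return $rc
}

# write_sample_config FILE: constructed sample mirroring the config posted in
# the thread, where CONFIG_NF_CONNTRACK_IPV4 had not been enabled.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_NF_CONNTRACK_ENABLED=y
CONFIG_NF_CONNTRACK_SUPPORT=y
CONFIG_NF_CONNTRACK=y
# CONFIG_NF_CONNTRACK_IPV4 is not set
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_MATCH_STATE=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=y
EOF
}

# Usage: sh check.sh /usr/src/linux/.config   (does nothing without a path)
[ $# -eq 0 ] || missing_symbols "$1"
```

A non-zero exit status makes the check usable as a gate in a kernel-upgrade script, so a firewall that would fail to load its rules is caught before the reboot.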