On 2020-04-18 15:03, Peter Humphrey wrote:
> # grep NETFILTER_XT_MATCH_STATE /usr/src/linux/.config
> CONFIG_NETFILTER_XT_MATCH_STATE=m
>
> So yes, it is.
>
> I'm confused by having two apparently different sets of IP filtering options. Do
> I need the NF set or the older one?

This depends on whether shorewall uses the older iptables stack, or the
newer nftables one. I don't know much about shorewall, but according to
a quick search online it seems to still rely on iptables.

In that case, CONFIG_NETFILTER_XT_MATCH_STATE should be the correct
option to use.

I'm using nftables myself, and I don't think there is a separate option
for match support, as it's contained in CONFIG_NFT_CT.

There used to be CONFIG_IP_NF_MATCH_STATE, but that is for very old
kernels only (2.6.15 is the last one with that option). I'm assuming
that this option was at some point changed to XT_MATCH_STATE.

In any case, you do seem to have the correct option set. Since you're
using it as a module, have you checked lsmod to see whether the
'xt_state' module is loaded? Maybe there's some more information in
dmesg as well.

--
Wolf
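As an added example that is not part of the thread, the checks Wolf suggests written as a small POSIX shell script: it reads a kernel .config and an lsmod listing (constructed sample files stand in for /usr/src/linux/.config and real lsmod output) and reports whether the iptables state match (CONFIG_NETFILTER_XT_MATCH_STATE, module xt_state) or the nftables equivalent (CONFIG_NFT_CT) is built in, loaded as a module, built as a module but not loaded, or missing. The nft_ct module name and the sample contents are assumptions of this example.

```shell
# Print the value of a kernel config symbol as y, m, or n (unset/absent).
config_value() {
    sym="$1"; cfg="$2"
    val=$(sed -n "s/^$sym=//p" "$cfg" | head -n 1)
    [ -n "$val" ] && printf '%s\n' "$val" || printf 'n\n'
}

# Succeed if module NAME ($1) is in the first column of an lsmod listing ($2).
module_loaded() {
    awk -v m="$1" 'NR > 1 && $1 == m { found = 1 } END { exit !found }' "$2"
}

# Map a config symbol plus its module name to one of:
#   builtin / module-loaded / module-not-loaded / missing
match_status() {
    sym="$1"; mod="$2"; cfg="$3"; lsmod_out="$4"
    case "$(config_value "$sym" "$cfg")" in
        y) echo builtin ;;
        m) if module_loaded "$mod" "$lsmod_out"; then echo module-loaded
           else echo module-not-loaded; fi ;;
        *) echo missing ;;
    esac
}

# iptables: the 'state' match is CONFIG_NETFILTER_XT_MATCH_STATE -> xt_state.
iptables_state_status() { match_status CONFIG_NETFILTER_XT_MATCH_STATE xt_state "$1" "$2"; }
# nftables: no separate match option; conntrack lives in CONFIG_NFT_CT -> nft_ct (assumed name).
nftables_ct_status() { match_status CONFIG_NFT_CT nft_ct "$1" "$2"; }

# Constructed sample inputs mirroring the thread: both options built as
# modules, the legacy option unset, and neither module currently loaded.
SAMPLE_CFG=$(mktemp); SAMPLE_LSMOD=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_NFT_CT=m
# CONFIG_IP_NF_MATCH_STATE is not set
EOF
cat > "$SAMPLE_LSMOD" <<'EOF'
Module                  Size  Used by
nf_conntrack          172032  1 xt_conntrack
xt_conntrack           16384  2
EOF

# Real use: lsmod > /tmp/lsmod.txt; iptables_state_status /usr/src/linux/.config /tmp/lsmod.txt
iptables_state_status "$SAMPLE_CFG" "$SAMPLE_LSMOD"   # module-not-loaded
nftables_ct_status "$SAMPLE_CFG" "$SAMPLE_LSMOD"      # module-not-loaded
```

A result of module-not-loaded on a live box means the kernel supports the match but nothing has pulled xt_state in yet, which is the case Wolf asks about; a result of missing means the kernel must be reconfigured.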