| 1 |
On 2020-04-18 15:03, Peter Humphrey wrote: |
| 2 |
># grep NETFILTER_XT_MATCH_STATE /usr/src/linux/.config |
| 3 |
>CONFIG_NETFILTER_XT_MATCH_STATE=m |
| 4 |
> |
| 5 |
>So yes, it is. |
| 6 |
> |
| 7 |
>I'm confused by having two apparently different sets of IP filtering options. Do |
| 8 |
>I need the NF set or the older one? |
| 9 |
|
| 10 |
This depends on whether shorewall uses the older iptables stack, or the |
| 11 |
newer nftables one. I don't know much about shorewall, but according to |
| 12 |
a quick search online it seems to still rely on iptables. |
| 13 |
|
| 14 |
In that case, CONFIG_NETFILTER_XT_MATCH_STATE should be the correct |
| 15 |
option to use. |
| 16 |
|
| 17 |
I'm using nftables myself, and I don't think there is a separate option |
| 18 |
for match support, as it's contained in CONFIG_NFT_CT. |
| 19 |
|
| 20 |
There used to be CONFIG_IP_NF_MATCH_STATE, but that is for very old |
| 21 |
kernels only (2.6.15 is the last one with that option). I'm assuming |
| 22 |
that this option was at some point changed to XT_MATCH_STATE. |
| 23 |
|
| 24 |
In any case, you do seem to have the correct option set. Since you're |
| 25 |
using it as a module, have you checked lsmod to see whether the |
| 26 |
'xt_state' module is loaded? Maybe there's some more information in |
| 27 |
dmesg as well. |
| 28 |
|
| 29 |
-- |
| 30 |
Wolf |
Archives