Gentoo Archives: gentoo-user

From: Dan Johansson <Dan.Johansson@×××.nu>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] iptables will not load rule after kernel upgrade (2.6.19-r5 -> 2.6.20-r6) SOLVED
Date: Sun, 22 Apr 2007 09:19:06
Message-Id: 200704221113.48726.Dan.Johansson@dmj.nu
In Reply to: Re: [gentoo-user] iptables will not load rule after kernel upgrade (2.6.19-r5 -> 2.6.20-r6) by Mark Shields
On Saturday 21 April 2007 20:34, Mark Shields wrote:
> On 4/21/07, Dan Johansson <Dan.Johansson@×××.nu> wrote:
> > On Saturday 21 April 2007 15:53, Uwe Thiem wrote:
> > > On 21 April 2007, Dan Johansson wrote:
> > > > After upgrading gentoo-sources to 2.6.20-r6 from 2.6.19-r5 today my
> > > > firewall won't start (shorewall).
> > > >
> > > > Here's the error:
> > > > iptables: Invalid argument
> > > > ERROR: Command "/sbin/iptables -A FORWARD -m state --state
> > > > ESTABLISHED,RELATED -j ACCEPT" Failed
> > > >
> > > > I'm getting the same error message when I try it by hand.
> > >
> > > When you generated the kernel, did you build all modules necessary? In
> > > this particular case, ipt_state?
> >
> > If you mean CONFIG_NETFILTER_XT_MATCH_STATE=y then yes, it's compiled in
> > (not a module). You know of any other part that NEEDS to be activated other
> > than the following?
> >
> > CONFIG_NETFILTER=y
> > CONFIG_NF_CONNTRACK_ENABLED=y
> > CONFIG_NF_CONNTRACK_SUPPORT=y
> > CONFIG_NF_CONNTRACK=y
> > CONFIG_NETFILTER_XTABLES=y
> > CONFIG_NETFILTER_XT_MATCH_LIMIT=y
> > CONFIG_NETFILTER_XT_MATCH_STATE=y
> > CONFIG_IP_NF_QUEUE=y
> > CONFIG_IP_NF_IPTABLES=y
> > CONFIG_IP_NF_FILTER=y
> > CONFIG_IP_NF_TARGET_REJECT=y
> > CONFIG_IP_NF_TARGET_LOG=y
> > CONFIG_IP_NF_MANGLE=y
> >
>
> You found your problem, then. When you use iptables -m state, it loads the
> state module. Since it's not compiled as a module, it won't load. Either
> change it to module in the kernel or remove the -m state (I think I tried
> once compiling into the kernel and dropping the -m state, but it didn't
> work).

I found the problem: CONFIG_NF_CONNTRACK_IPV4=y has to be set as well (no need
to compile anything as modules).

--
Dan Johansson, <http://www.dmj.nu>
***************************************************
This message is printed on 100% recycled electrons!
***************************************************
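The thread's lesson is that a bare "iptables: Invalid argument" from a `-m state` rule usually means the kernel lacks one of the netfilter symbols the match depends on, and that nothing in the error names which one. The script below is an added example, not code from the thread or from Gentoo, shorewall or iptables: it checks a kernel .config for the symbols that `-m state` on IPv4 relies on and prints the missing ones by name. The symbol list is my reading of the thread (the poster's options plus the CONFIG_NF_CONNTRACK_IPV4 that turned out to be missing) and should be adjusted for other matches or kernel versions; the sample .config fragments it runs against are constructed here to reproduce the poster's situation before and after the fix, and `check_running_kernel` assumes the kernel exports its config through /proc/config.gz (CONFIG_IKCONFIG_PROC).

```shell
#!/bin/sh
# Added example (not from the thread): report which netfilter symbols that
# "iptables -m state" depends on are absent from a kernel .config, instead of
# discovering the gap as "iptables: Invalid argument" at firewall start.
# Symbol list taken from the thread; extend it for other matches/targets.

REQUIRED_SYMBOLS="
CONFIG_NETFILTER
CONFIG_NF_CONNTRACK
CONFIG_NF_CONNTRACK_IPV4
CONFIG_NETFILTER_XTABLES
CONFIG_NETFILTER_XT_MATCH_STATE
CONFIG_IP_NF_IPTABLES
CONFIG_IP_NF_FILTER
"

# Print every required symbol that is neither built in (=y) nor a module (=m),
# one per line. Returns 0 when nothing is missing, 1 otherwise.
check_state_match_support() {
    config_file=$1
    status=0
    for sym in $REQUIRED_SYMBOLS; do
        # A "# CONFIG_X is not set" line and no line at all both mean the
        # feature is absent; only an exact "=y" or "=m" counts as present.
        if ! grep -Eq "^${sym}=[ym]$" "$config_file"; then
            echo "$sym"
            status=1
        fi
    done
    return $status
}

# Run the check against the running kernel when it exports its config
# (CONFIG_IKCONFIG_PROC). Returns 2 if /proc/config.gz is unavailable.
check_running_kernel() {
    [ -r /proc/config.gz ] || return 2
    tmp=$(mktemp) || return 2
    zcat /proc/config.gz > "$tmp"
    check_state_match_support "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Write a constructed .config fragment modelled on the poster's options to a
# temp file and print its name. "broken" leaves CONFIG_NF_CONNTRACK_IPV4
# unset as in the original failure; "fixed" enables it as in the SOLVED reply.
make_sample_config() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_NF_CONNTRACK_ENABLED=y
CONFIG_NF_CONNTRACK_SUPPORT=y
CONFIG_NF_CONNTRACK=y
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_MATCH_LIMIT=y
CONFIG_NETFILTER_XT_MATCH_STATE=y
CONFIG_IP_NF_QUEUE=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_IP_NF_MANGLE=y
EOF
    if [ "$1" = "fixed" ]; then
        echo "CONFIG_NF_CONNTRACK_IPV4=y" >> "$tmp"
    else
        echo "# CONFIG_NF_CONNTRACK_IPV4 is not set" >> "$tmp"
    fi
    echo "$tmp"
}

# Demonstration on the two constructed configs.
for variant in broken fixed; do
    cfg=$(make_sample_config "$variant")
    if check_state_match_support "$cfg" > /dev/null; then
        echo "$variant: all symbols present, -m state should load"
    else
        echo "$variant: missing $(check_state_match_support "$cfg" | tr '\n' ' ')"
    fi
    rm -f "$cfg"
done
```

On a live box, `check_running_kernel` gives the same answer for the booted kernel; when it returns 2 the kernel was built without CONFIG_IKCONFIG_PROC and the .config under /usr/src/linux has to be checked instead.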