On Sat, 2009-06-06 at 11:52 -0700, Tom Eastep wrote:
> Scott Ruckh wrote:
> > I am not even sure this is a shorewall issue as kernel, iptables, and 
> > shorewall have all recently been updated.
> 
> It has nothing to do with Shorewall.
> 
> > 
> > Shorewall Version:  4.2.9
> > Iptables Version:  v1.4.3.2
> > Kernel Version:  2.6.30-rc8
> > OS:  Centos 4.7 X86_64
> > 
> > I see the following on std-output and /var/log/messages
> > 
> > Jun  4 22:17:27 firewall shorewall: Compiling...
> > Jun  4 22:17:29 firewall kernel: Netfilter messages via NETLINK v0.30.
> > Jun  4 22:17:29 firewall kernel: nf_conntrack version 0.5.0 (16384 buckets, 65536 max)
> > Jun  4 22:17:29 firewall kernel: CONFIG_NF_CT_ACCT is deprecated and will be removed soon. Please use
> > Jun  4 22:17:29 firewall kernel: nf_conntrack.acct=1 kernel paramater, acct=1 nf_conntrack module option or
> > Jun  4 22:17:29 firewall kernel: sysctl net.netfilter.nf_conntrack_acct=1 to enable it.
> > Jun  4 22:17:29 firewall kernel: ctnetlink v0.93: registering with nfnetlink.
> > Jun  4 22:17:30 firewall kernel: ClusterIP Version 0.8 loaded successfully
> > Jun  4 22:17:30 firewall kernel: xt_time: kernel timezone is -0700
> > Jun  4 22:17:31 firewall shorewall: Compiling /etc/shorewall/zones...
> > Jun  4 22:17:31 firewall shorewall: Compiling /etc/shorewall/interfaces...
> > Jun  4 22:17:31 firewall shorewall: Determining Hosts in Zones...
> > 
> > I have added nf_conntrack.acct=1 to /etc/sysctl.conf, but I still get that 
> > message.
> > 
> > I did not find CONFIG_NF_CT_ACCT in the kernel Makefile, or in any of the 
> > shorewall files.
> 
> It is set in your .config file though. It is listed in the 'Core
> Netfilter Configuration' page under "Connection tracking flow accounting".
> 
> > A google search pulls up bug reports and other patches,
> > but nothing definitive on the cause or the fix.
> > 
> > This appears to just be a warning message and does not negatively impact
> > the system, but I was wondering if anyone here knows the root cause.
> 
> Read the help text for the option as well as
> Documentation/feature-removal-schedule.txt. The entire issue is
> explained there.
> 
> The CONFIG_NF_CT_ACCT option is being removed; the feature will always
> be included. You control the feature using the /proc flag that you are
> now setting.
> 
> The reason that you see the message during Shorewall compilation is that
> Shorewall is loading all of the modules specified in
> /usr/share/shorewall/modules before assessing your iptables/kernel
> capabilities. Of course the conntrack module gets loaded at that time.

Thank you for the valuable response!


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
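
The kernel message quoted in the thread names three forms for enabling conntrack accounting: a kernel boot parameter (`nf_conntrack.acct=1`), a module option (`acct=1`) and a sysctl (`net.netfilter.nf_conntrack_acct=1`). The script below is an added example, not part of the original thread or of Shorewall: it reports which form a sysctl.conf-style file contains and what the running kernel currently has. The function names and the `PROCROOT` argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; not from the thread. File paths are arguments so the
# checks can be run against constructed sample files.

# check_sysctl_conf FILE -> prints "ok", "misplaced" or "absent"
#   ok        : net.netfilter.nf_conntrack_acct = 1 (the sysctl form)
#   misplaced : nf_conntrack.acct=1 (boot-parameter syntax; as a sysctl
#               key it would map to /proc/sys/nf_conntrack/acct)
#   absent    : neither form is present
check_sysctl_conf() {
    if grep -Eq '^[[:space:]]*net[./]netfilter[./]nf_conntrack_acct[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"; then
        echo ok
    elif grep -Eq '^[[:space:]]*nf_conntrack\.acct[[:space:]]*=' "$1"; then
        echo misplaced
    else
        echo absent
    fi
}

# acct_runtime_state [PROCROOT] -> prints "enabled", "disabled" or "not-loaded"
# PROCROOT (hypothetical parameter) defaults to /proc. The entry only exists
# once the nf_conntrack module has been loaded.
acct_runtime_state() {
    f="${1:-/proc}/sys/net/netfilter/nf_conntrack_acct"
    [ -r "$f" ] || { echo not-loaded; return; }
    if [ "$(cat "$f")" = "1" ]; then echo enabled; else echo disabled; fi
}

# Demo on constructed input: the line described in the thread.
demo_dir=$(mktemp -d)
printf 'nf_conntrack.acct=1\n' > "$demo_dir/sysctl.conf"
echo "sample sysctl.conf: $(check_sysctl_conf "$demo_dir/sysctl.conf")"
echo "running kernel:     $(acct_runtime_state)"
rm -rf "$demo_dir"
```
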