On 2020-04-18 15:03, Peter Humphrey wrote:
> # grep NETFILTER_XT_MATCH_STATE /usr/src/linux/.config
> CONFIG_NETFILTER_XT_MATCH_STATE=m
> So yes, it is.
> I'm confused by having two apparently different sets of IP filtering options. Do
> I need the NF set or the older one?
This depends on whether shorewall uses the older iptables stack, or the
newer nftables one. I don't know much about shorewall, but according to
a quick search online it seems to still rely on iptables.
In that case, CONFIG_NETFILTER_XT_MATCH_STATE should be the correct
option to use.
I'm using nftables myself, and I don't think there is a separate option
for match support, as it's contained in CONFIG_NFT_CT.
There used to be CONFIG_IP_NF_MATCH_STATE, but that is for very old
kernels only (2.6.15 is the last one with that option). I'm assuming
that this option was at some point changed to XT_MATCH_STATE.
In any case, you do seem to have the correct option set. Since you're
using it as a module, have you checked lsmod to see whether the
'xt_state' module is loaded? Maybe there's some more information in
dmesg as well.
--
Wolf
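A small POSIX shell helper, added here as an example and not code from the thread or from shorewall, that does the checks discussed above: it classifies CONFIG_NETFILTER_XT_MATCH_STATE and CONFIG_NFT_CT from a .config file and looks for the xt_state module in lsmod output. The sample .config and lsmod contents below are constructed stand-ins, not output from a real machine.

```shell
#!/bin/sh
# Added example, not from the thread: classify a kernel config option as
# built-in (y), module (m), disabled (n) or absent, and check whether the
# matching module appears in lsmod output. Inputs are files, so the same
# functions run against the real /usr/src/linux/.config or a sample.
# Print y, m, n or absent for option $2 as recorded in .config file $1.
config_state() {
    config_file=$1; option=$2
    line=$(grep -E "^(# )?${option}[= ]" "$config_file" | head -n 1)
    case $line in
        "${option}=y") echo y ;;
        "${option}=m") echo m ;;
        "# ${option} is not set") echo n ;;
        "") echo absent ;;
        *) echo "${line#*=}" ;;   # string/int options: raw value
    esac
}

# Succeed if module $2 is listed in the first column of lsmod output $1.
module_loaded() {
    awk -v m="$2" 'NR > 1 && $1 == m { found = 1 } END { exit !found }' "$1"
}

# Summarise conntrack state support for the iptables and nftables stacks.
state_match_summary() {
    xt=$(config_state "$1" CONFIG_NETFILTER_XT_MATCH_STATE)
    nft=$(config_state "$1" CONFIG_NFT_CT)
    note=""
    if [ "$xt" = m ]; then
        if module_loaded "$2" xt_state; then note=" (xt_state loaded)"
        else note=" (xt_state NOT loaded)"; fi
    fi
    printf 'iptables state match: %s%s\nnftables ct: %s\n' "$xt" "$note" "$nft"
}

# Constructed samples standing in for /usr/src/linux/.config and lsmod.
SAMPLE_CONFIG=$(mktemp); SAMPLE_LSMOD=$(mktemp)
trap 'rm -f "$SAMPLE_CONFIG" "$SAMPLE_LSMOD"' EXIT
cat >"$SAMPLE_CONFIG" <<'EOF'
CONFIG_NETFILTER_XT_MATCH_STATE=m
# CONFIG_NFT_CT is not set
CONFIG_IP_NF_IPTABLES=y
EOF
cat >"$SAMPLE_LSMOD" <<'EOF'
Module                  Size  Used by
xt_state               16384  2
nf_conntrack          172032  1 xt_state
EOF
state_match_summary "$SAMPLE_CONFIG" "$SAMPLE_LSMOD"
```

Point the two arguments at the real /usr/src/linux/.config and a saved `lsmod` listing to run the same check on a live system.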