On Saturday 21 April 2007 20:34, Mark Shields wrote:
> On 4/21/07, Dan Johansson <[EMAIL PROTECTED]> wrote:
> > On Saturday 21 April 2007 15:53, Uwe Thiem wrote:
> > > On 21 April 2007, Dan Johansson wrote:
> > > > After upgrading gentoo-sources to 2.6.20-r6 from 2.6.19-r5 today my
> > > > firewall won't start (shorewall).
> > > >
> > > > Here's the error:
> > > > iptables: Invalid argument
> > > >    ERROR: Command "/sbin/iptables -A FORWARD -m state --state
> > > > ESTABLISHED,RELATED -j ACCEPT" Failed
> > > >
> > > > I'm getting the same error message when I try it by hand.
> > >
> > > When you generated the kernel, did you build all modules necessary? In this
> > > particular case, ipt_state?
> >
> > If you mean CONFIG_NETFILTER_XT_MATCH_STATE=y then yes, it's compiled in
> > (not a module). You know of any other part that NEEDS to be activated
> > other than the following?
> >
> > CONFIG_NETFILTER=y
> > CONFIG_NF_CONNTRACK_ENABLED=y
> > CONFIG_NF_CONNTRACK_SUPPORT=y
> > CONFIG_NF_CONNTRACK=y
> > CONFIG_NETFILTER_XTABLES=y
> > CONFIG_NETFILTER_XT_MATCH_LIMIT=y
> > CONFIG_NETFILTER_XT_MATCH_STATE=y
> > CONFIG_IP_NF_QUEUE=y
> > CONFIG_IP_NF_IPTABLES=y
> > CONFIG_IP_NF_FILTER=y
> > CONFIG_IP_NF_TARGET_REJECT=y
> > CONFIG_IP_NF_TARGET_LOG=y
> > CONFIG_IP_NF_MANGLE=y
> >
>
> You found your problem, then.  When you use iptables -m state, it loads the
> state module.  Since it's not compiled as a module, it won't load.  Either
> change it to module in the kernel or remove the -m state (I think I tried
> once compiling into the kernel and dropping the -m state, but it didn't
> work).

I found the problem, CONFIG_NF_CONNTRACK_IPV4=y has to be set as well (no need 
to compile anything as modules).

-- 
Dan Johansson, <http://www.dmj.nu>
***************************************************
This message is printed on 100% recycled electrons!
***************************************************
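
The resolution above as a check that can be run against a kernel `.config`, added here as an example that is not part of the original thread. The function names, the required-option list (assembled from the options named in the thread) and the embedded sample config are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. REQUIRED_OPTS is assembled from the
# options named in the thread (2.6.20, IPv4): an assumption elsewhere.
REQUIRED_OPTS="CONFIG_NETFILTER CONFIG_NETFILTER_XTABLES CONFIG_NF_CONNTRACK
CONFIG_NF_CONNTRACK_IPV4 CONFIG_NETFILTER_XT_MATCH_STATE
CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER"

# Constructed sample: the option list as posted, before the fix.
sample_config() {
    cat <<'EOF'
CONFIG_NETFILTER=y
CONFIG_NF_CONNTRACK_ENABLED=y
CONFIG_NF_CONNTRACK_SUPPORT=y
CONFIG_NF_CONNTRACK=y
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_MATCH_LIMIT=y
CONFIG_NETFILTER_XT_MATCH_STATE=y
CONFIG_IP_NF_QUEUE=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_IP_NF_MANGLE=y
EOF
}

# missing_opts FILE: print required options that are neither =y nor =m;
# exit status 0 if none are missing, 1 if some are, 2 if FILE is unreadable.
missing_opts() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    out=""
    for opt in $REQUIRED_OPTS; do
        # Anchored so CONFIG_NF_CONNTRACK cannot be satisfied by
        # CONFIG_NF_CONNTRACK_IPV4, and "# ... is not set" lines are skipped.
        grep -Eq "^${opt}=(y|m)\$" "$1" || out="${out:+$out }$opt"
    done
    printf '%s\n' "$out"
    [ -z "$out" ]
}

# Demo: the posted config, then the same config with the fix appended.
cfg=$(mktemp)
sample_config > "$cfg"
echo "as posted: missing: $(missing_opts "$cfg")"
echo "CONFIG_NF_CONNTRACK_IPV4=y" >> "$cfg"
echo "with fix:  missing: $(missing_opts "$cfg")"
rm -f "$cfg"
```

Pointed at a new kernel's `.config` before rebooting, a non-zero exit status flags the gap this thread ran into while the old kernel and its working firewall are still in place.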
