I recently installed shorewall on a bunch of systems and on one of them it won't start. The machine in question is a Coraid file server, and I suspect that the kernel is missing something that shorewall wants. I already had to set TC_ENABLED=no to get even this far. The problem machine is essentially a Debian system, with a custom kernel from Coraid:

% uname -a
Linux makki 2.6.16.35-c1 #2 SMP Thu Dec 7 11:29:35 EST 2006 x86_64 GNU/Linux

% shorewall debug start 2>/tmp/trace

ended with

+ '[' 1 -ne 0 ']'
+ error_message 'ERROR: Command "/sbin/iptables -A' FORWARD -m state --state ESTABLISHED,RELATED -j 'ACCEPT" Failed'
+ echo ' ERROR: Command "/sbin/iptables -A' FORWARD -m state --state ESTABLISHED,RELATED -j 'ACCEPT" Failed'
ERROR: Command "/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT" Failed
+ stop_firewall
+ case $COMMAND in
+ set +x
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name

and sure enough:

shorewall stop
shorewall clear
iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables: No chain/target/match by that name

Whereas on all other systems the /sbin/iptables command worked at the same point. I already tried setting IP_FORWARDING=Off on the problem system (it does not need forwarding) and the same problem was seen.

Here are what I think are the relevant entries from the .config file:

CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_FIB_HASH=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_FWMARK=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_VERBOSE=y
CONFIG_IP_MROUTE=y
CONFIG_IP_PIMSM_V1=y
CONFIG_IP_PIMSM_V2=y
CONFIG_IP_VS=m
CONFIG_IP_VS_TAB_BITS=12
CONFIG_IP_VS_PROTO_TCP=y
CONFIG_IP_VS_PROTO_UDP=y
CONFIG_IP_VS_PROTO_ESP=y
CONFIG_IP_VS_PROTO_AH=y
CONFIG_IP_VS_RR=m
CONFIG_IP_VS_WRR=m
CONFIG_IP_VS_LC=m
CONFIG_IP_VS_WLC=m
CONFIG_IP_VS_LBLC=m
CONFIG_IP_VS_LBLCR=m
CONFIG_IP_VS_DH=m
CONFIG_IP_VS_SH=m
CONFIG_IP_VS_SED=m
CONFIG_IP_VS_NQ=m
CONFIG_IP_VS_FTP=m
CONFIG_IPV6=m
CONFIG_IPV6_PRIVACY=y
CONFIG_IPV6_TUNNEL=m
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_CT_ACCT=y
CONFIG_IP_NF_CONNTRACK_MARK=y
CONFIG_IP_NF_CT_PROTO_SCTP=m
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_IRC=m
CONFIG_IP_NF_TFTP=m
CONFIG_IP_NF_AMANDA=m
CONFIG_IP_NF_QUEUE=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP6_NF_QUEUE=m
CONFIG_IP_SCTP=m

Rebuilding the kernel is not a good option here. Is there some other way to work around this?

Thanks,

David Mathog
[EMAIL PROTECTED]
Manager, Sequence Analysis Facility, Biology Division, Caltech
