Ok, after a week of trying I think it's time to call this turkey cooked. iptables -m conntrack -h was never a problem. I can also call iptables -m connmark -h with no problem, but if I try to use the rule as it is used in shorecap it fails. I can see so far no way to get connmark match support to work:

    iptables -A foo123 -m connmark --mark 2 -j ACCEPT

I don't see any stock support in the 2.4.33 kernel for connmark match support. I don't see any support in patch-o-matic or patch-o-matic-ng. I did find a few patches out in the wild for this, but even after applying them and fixing a few issues in the patch I was not able to get iptables to agree with connmark match being installed. I tried 1.3.8 and 1.4 series iptables.

I was however able to use a freshly compiled 2.6.22 kernel and, with a few mods, boot it up on my CF disk, and it did support connmark match. It seems that support for iptables on 2.4 kernels is going away :( I still prefer the 2.4 kernel for its small footprint and superior reliability. I have production firewalls with uptimes over 3 years with an average traffic load over 20 Mbit/s to the world on a 2.4 kernel. I have my doubts that a 2.6 kernel is as reliable, but we shall see.

This is not the definitive answer to this, but it warrants a little more study, and if it is concluded that the ability to use connmark match and multi-ISP support is not "stock" in 2.4.x kernels then maybe an update on the Shorewall docs is in order to deter others from wasting a week : c ) If however ANYONE did get this module to work on a 2.4 kernel, please post back how and where the patches are maintained for your kernel.

Re
Sean M

> -----Original Message-----
> From: Shorewall Geek [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, December 02, 2008 3:35 PM
> To: Sean Mathews; Shorewall Users
> Subject: Re: [Shorewall-users] ERROR: the provider 'track' option requires
> Connmark Match in your kernel and iptables
>
> sean mathews wrote:
> > So here is the error.
> >
> > ERROR: the provider 'track' option requires Connmark Match in your
> > kernel and iptables
> >
> > At the end of this email is some info that will help figure out what's
> > up. I have looked it over for a few days and to me it seems that my
> > kernel and iptables should support the Connmark module.
> >
> > I updated the kernel with what is as best I can tell all that is needed
> > from the docs, but I have __NOT__ yet updated my iptables but it's my
> > next target.
>
> You almost certainly need to update your iptables. You will know that
> your iptables is correct when you can enter this command:
>
> iptables -m conntrack -h
>
> and you don't get an error.
>
> > Ideas?
>
> Don't know about your kernel -- the config info you posted didn't
> include anything about your netfilter configuration and I haven't built
> a 2.4 kernel in years.

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
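The thread turns on a distinction worth making explicit: `iptables -m connmark -h` succeeding only proves the userspace extension is installed, while the kernel side is only proven by actually loading a rule, which is what the shorecap probe does. The following script is an added example, not code from the thread or from Shorewall itself; it runs both probes separately so the verdict says which side is missing. It assumes the iptables binary is named by `$IPTABLES` (default `iptables`) and uses a constructed scratch chain name `fooX_probe` that must not already exist.

```shell
#!/bin/sh
# Added example (not from the thread or from Shorewall): probe connmark match
# support on two levels, userspace extension vs. kernel match, the way a
# shorecap-style capability check does. Assumptions: $IPTABLES names the
# iptables binary; $CHAIN is a constructed scratch chain that does not exist.
IPTABLES="${IPTABLES:-iptables}"
CHAIN="${CHAIN:-fooX_probe}"

# Userspace side: does the installed iptables know the connmark extension?
connmark_userspace_ok() {
    "$IPTABLES" -m connmark -h >/dev/null 2>&1
}

# Kernel side: try to load a real connmark rule into a scratch chain.
# Returns 0 if the rule loads, 1 if it is rejected, 2 if the chain could
# not be created (e.g. not root), so the caller can tell the cases apart.
# The chain is flushed and deleted again whatever the outcome.
connmark_kernel_ok() {
    "$IPTABLES" -N "$CHAIN" >/dev/null 2>&1 || return 2
    rc=0
    "$IPTABLES" -A "$CHAIN" -m connmark --mark 2 -j ACCEPT >/dev/null 2>&1 || rc=1
    "$IPTABLES" -F "$CHAIN" >/dev/null 2>&1 || true
    "$IPTABLES" -X "$CHAIN" >/dev/null 2>&1 || true
    return $rc
}

# Combine both probes into one of four verdicts:
#   no-userspace    iptables itself lacks the connmark extension
#   userspace-only  -h works but the kernel rejects the rule (the thread's case)
#   cannot-test     the scratch chain could not be created
#   ok              both sides support connmark match
connmark_status() {
    if ! connmark_userspace_ok; then
        echo "no-userspace"
        return 0
    fi
    k=0
    connmark_kernel_ok || k=$?
    case $k in
        0) echo "ok" ;;
        2) echo "cannot-test" ;;
        *) echo "userspace-only" ;;
    esac
}

# Only run the probe when invoked as "sh connmark_check.sh check", so that
# sourcing the file defines the functions without touching the firewall.
if [ "${1:-}" = check ]; then
    connmark_status
fi
```

Run it as root on the firewall with `sh connmark_check.sh check`. A verdict of `userspace-only` reproduces the symptom described in the thread (the `-h` check passes but the rule is rejected) and points at the kernel rather than the iptables build; `no-userspace` is the case the first reply addresses.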
