Brian J. Murrell wrote:
>
> Yeah. That's what I have been trying to figure out/work with given
> that I was not getting modules autoloaded.

The problem isn't that modules aren't autoloaded but that the autoloading comes after the 'state match' check :-( We added that check because Gentoo users often build kernels with the bare minimum netfilter support and then ask why it doesn't work.

>
> I have not seen where in "shorewall reload" (on a shorewall-lite
> machine) this is actually happening. The modules are stored in the
> "<state_dir>/.modules" but I don't see any effort to try to load
> them.
>
> xtrace from the restore script shows all of the execution prior to
> the test for the state module as being:
>
> + LEFTSHIFT=<< ...
> + qt1 /usr/sbin/iptables -A foox1234 -m state --state
> ESTABLISHED,RELATED -j ACCEPT
>
> Perhaps the modules loading is supposed to happen before the call to
> the restore script?

Attached is a patch which moves the state match test to after module loading occurs. Please give it a try.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Index: Shorewall/Compiler.pm
===================================================================
--- Shorewall/Compiler.pm (revision 9055)
+++ Shorewall/Compiler.pm (working copy)
@@ -178,18 +178,6 @@
'[ -d ${VARDIR} ] || mkdir -p ${VARDIR}'
);
- emit ( '',
- '#',
- '# Recent kernels are difficult to configure -- we see state match omitted a lot so we check for it here',
- '#',
- 'qt1 $IPTABLES -N foox1234',
- 'qt1 $IPTABLES -A foox1234 -m state --state ESTABLISHED,RELATED -j ACCEPT',
- 'result=$?',
- 'qt1 $IPTABLES -F foox1234',
- 'qt1 $IPTABLES -X foox1234',
- '[ $result = 0 ] || startup_error "Your kernel/iptables do not include state match support. No version of Shorewall will run on this system"',
- '' );
-
pop_indent;
emit "}\n"; # End of initialize()
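Review bot: With the probe deleted from the end of initialize(), nothing at this spot records why the state match test no longer lives here. A one-line comment before `pop_indent;` saying that the test has to run after `load_kernel_modules` would keep it from being moved back into initialize() later and bringing the ordering problem back.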
@@ -540,7 +528,17 @@
emit 'load_kernel_modules Yes';
}
- emit '';
+ emit ( '',
+ '#',
+ '# Recent kernels are difficult to configure -- we see state match omitted a lot so we check for it here',
+ '#',
+ 'qt1 $IPTABLES -N foox1234',
+ 'qt1 $IPTABLES -A foox1234 -m state --state ESTABLISHED,RELATED -j ACCEPT',
+ 'result=$?',
+ 'qt1 $IPTABLES -F foox1234',
+ 'qt1 $IPTABLES -X foox1234',
+ '[ $result = 0 ] || startup_error "Your kernel/iptables do not include state match support. No version of Shorewall will run on this system"',
+ '' );
for my $interface ( @{find_interfaces_by_option 'norfc1918'} ) {
emit ( "addr=\$(ip -f inet addr show $interface 2> /dev/null | grep 'inet\ ' | head -n1)",
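Review bot: `result=$?` in the added block records only the exit status of the `-A foox1234 -m state` command, and the preceding `-N foox1234` runs under `qt1` with its status discarded, so a failure for any other reason (for example `-N` failing and leaving no chain to append to) is still reported as missing state match support. Consider checking the `-N` result separately. Since the test now follows `load_kernel_modules Yes`, the `startup_error` text could also mention that the state match may be present but failed to load, rather than stating only that the kernel/iptables do not include it.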
