Scott Ruckh wrote:
> I am not even sure this is a shorewall issue as kernel, iptables, and 
> shorewall have all recently been updated.

It has nothing to do with Shorewall.

> 
> Shorewall Version:  4.2.9
> Iptables Version:  v1.4.3.2
> Kernel Version:  2.6.30-rc8
> OS:  Centos 4.7 X86_64
> 
> I see the following on std-output and /var/log/messages
> 
> Jun  4 22:17:27 firewall shorewall: Compiling...
> Jun  4 22:17:29 firewall kernel: Netfilter messages via NETLINK v0.30.
> Jun  4 22:17:29 firewall kernel: nf_conntrack version 0.5.0 (16384 buckets, 
> 65536 max)
> Jun  4 22:17:29 firewall kernel: CONFIG_NF_CT_ACCT is deprecated and will be 
> removed soon. Please use
> Jun  4 22:17:29 firewall kernel: nf_conntrack.acct=1 kernel paramater, 
> acct=1 nf_conntrack module option or
> Jun  4 22:17:29 firewall kernel: sysctl net.netfilter.nf_conntrack_acct=1 to 
> enable it.
> Jun  4 22:17:29 firewall kernel: ctnetlink v0.93: registering with 
> nfnetlink.
> Jun  4 22:17:30 firewall kernel: ClusterIP Version 0.8 loaded successfully
> Jun  4 22:17:30 firewall kernel: xt_time: kernel timezone is -0700
> Jun  4 22:17:31 firewall shorewall: Compiling /etc/shorewall/zones...
> Jun  4 22:17:31 firewall shorewall: Compiling /etc/shorewall/interfaces...
> Jun  4 22:17:31 firewall shorewall: Determining Hosts in Zones...
> 
> I have added nf_conntrack.acct=1 to /etc/sysctl.conf, but I still get that 
> message.
> 
> I did not find CONFIG_NF_CT_ACCT in the kernel Makefile, or in any of the 
> shorewall files.

It is set in your .config file though. It is listed in the 'Core
Netfilter Configuration' page under "Connection tracking flow accounting".

> A google search pulls up bug reports and other patches,
> but nothing definitive on the cause or the fix.
> 
> This appears to just be a warning message and does not negatively impact the 
> system, but I was wondering if anyone here knows the root cause.

Read the help text for the option as well as
Documentation/feature-removal-schedule.txt. The entire issue is
explained there.

The CONFIG_NF_CT_ACCT option is being removed; the feature will always
be included. You control the feature using the /proc flag that you are
now setting.

The reason that you see the message during Shorewall compilation is that
Shorewall is loading all of the modules specified in
/usr/share/shorewall/modules before assessing your iptables/kernel
capabilities. Of course the conntrack module gets loaded at that time.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
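
The kernel message quoted in the thread names three separate places for the accounting switch: a boot parameter, a module option and a sysctl key. The following is an added example, not part of the original message or of Shorewall, that checks which form ended up in which file; the function names and sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example. The spellings come from the kernel message in the thread:
#   nf_conntrack.acct=1               -> kernel boot command line
#   acct=1                            -> nf_conntrack module option
#   net.netfilter.nf_conntrack_acct=1 -> sysctl
# Function names are hypothetical; file paths are supplied by the caller.

# check_sysctl_conf FILE
#   returns 0 = sysctl key enabled, 1 = not set,
#           2 = boot-parameter spelling found in a sysctl file
check_sysctl_conf() {
    conf=$1
    # Drop comments, strip whitespace around '=', delete empty lines.
    settings=$(sed -e 's/[#;].*$//' -e 's/[[:space:]]//g' -e '/^$/d' "$conf")
    if printf '%s\n' "$settings" | grep -qx 'net\.netfilter\.nf_conntrack_acct=1'; then
        echo "ok: net.netfilter.nf_conntrack_acct=1"
        return 0
    fi
    if printf '%s\n' "$settings" | grep -q '^nf_conntrack\.acct='; then
        echo "misplaced: nf_conntrack.acct is the boot-parameter form, not a sysctl key"
        return 2
    fi
    echo "unset: no net.netfilter.nf_conntrack_acct entry"
    return 1
}

# check_cmdline FILE (for example /proc/cmdline)
#   returns 0 if nf_conntrack.acct=1 was passed as a boot argument
check_cmdline() {
    tr ' ' '\n' < "$1" | grep -qx 'nf_conntrack\.acct=1'
}

# Constructed sample inputs, written to a temp dir so the demo runs offline.
demo=$(mktemp -d)
printf 'nf_conntrack.acct=1\n' > "$demo/as_in_thread.conf"   # line the poster added
printf '# accounting\nnet.netfilter.nf_conntrack_acct = 1\n' > "$demo/sysctl_form.conf"
printf 'ro root=/dev/sda1 nf_conntrack.acct=1 quiet\n' > "$demo/cmdline"
check_sysctl_conf "$demo/as_in_thread.conf" || true
check_sysctl_conf "$demo/sysctl_form.conf" || true
check_cmdline "$demo/cmdline" && echo "ok: boot parameter present"
rm -rf "$demo"
```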
