I have a Ubiquiti EdgeRouter PoE router on which I've been running Shorewall since 2014. It runs Shorewall 4.4.11 on Linux kernel 3.4.27.
I'm currently in the process of setting up a new Ubiquiti EdgeRouter X, which is running kernel 3.10.14, and on which I have just installed Shorewall 4.5.5, the latest available Shorewall package for Debian wheezy mipsel. My first step after installing was to copy the ruleset from the Shorewall 4.4.11 installation on the old router to 4.5.5 on the new one. Shorewall 4.5.5 APPEARS to process all the rules properly, but spits out some errors during initialization. It emits no errors after the initialization phase (i.e., once it starts compiling). Running 'shorewall trace restart >shorewall.out 2>&1' yielded the following among the output:

SYS----> /sbin/iptables -A fooX23872 -m recent --update -j ACCEPT
SYS----> /sbin/iptables -A fooX23872 -m owner --uid-owner 0 -j ACCEPT
iptables: No chain/target/match by that name.
SYS----> /sbin/iptables -A fooX23872 -m owner --uid-owner root
SYS----> /sbin/iptables -A fooX23872 -p tcp -m ipp2p --edk -j ACCEPT
SYS----> /sbin/iptables -A fooX23872 -p tcp -m ipp2p --ipp2p -j ACCEPT
iptables v1.4.20: unknown option "--ipp2p"
Try `iptables -h' or 'iptables --help' for more information.
SYS----> /sbin/iptables -t mangle -A fooX23872 -j CLASSIFY --set-class 1:1
SYS----> /sbin/iptables -t mangle -A fooX23872 -j IPMARK --addr src
iptables v1.4.20: unknown option "--addr"
SYS----> /sbin/iptables -t mangle -A fooX23872 -p tcp -j TPROXY --on-port 0 --tproxy-mark 1
iptables: No chain/target/match by that name.
SYS----> /sbin/iptables -t rawpost -L -n
iptables v1.4.20: can't initialize iptables table `rawpost': Table does not exist (do you need to insmod?)
SYS----> /sbin/ipset -X fooX23872
ipset v6.23: The set with the given name does not exist
SYS----> /sbin/ipset -N fooX23872 iphash
SYS----> /sbin/ipset -N fooX23872 hash:ip family inet
ipset v6.23: Set cannot be created: set with the same name already exists
SYS----> /sbin/iptables -A fooX23872 -j LOGMARK
iptables v1.4.20: Couldn't load target `LOGMARK':No such file or directory
SYS----> /sbin/iptables -A fooX23872 -j ACCOUNT --addr 192.168.1.0/29 --tname fooX23872
iptables v1.4.20: unknown option "--addr"
Try `iptables -h' or 'iptables --help' for more information.
SYS----> /sbin/iptables -A fooX23872 -j AUDIT --type drop
iptables: No chain/target/match by that name.
SYS----> /sbin/ipset -X fooX23872
ipset v6.23: The set with the given name does not exist
SYS----> /sbin/ipset -N fooX23872 hash:ip family inet
SYS----> /sbin/iptables -A fooX23872 -m condition --condition foo
iptables: No chain/target/match by that name.
SYS----> /sbin/iptables -A fooX23872 -m geoip --src-cc US
iptables v1.4.20: Couldn't load match `geoip':No such file or directory
SYS----> /sbin/iptables -t nat -F fooX23872
iptables: No chain/target/match by that name.
SYS----> /sbin/iptables -t nat -X fooX23872
iptables: No chain/target/match by that name.

Now, not being even remotely close to an iptables expert ... how serious are these? Need I be concerned? If so, is there anything I can likely do about them, remembering that I am running an embedded device and have no control over the kernel configuration? Is it likely I have misconfigured anything? I have intentionally not touched anything whatsoever in shorewall.conf. (I assume the geoip-related error is because I haven't installed a geoip tool, because I don't know yet what to install to support it.)
-- Phil Stracchino, Babylon Communications
Landline: 603.293.8485

Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
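Editor's note, with an added example that is not part of the original post: the commands in the trace that are issued against the throwaway fooX23872 chain are Shorewall's start-up capability probes, so each one that fails records a single optional netfilter feature (a match, a target or a table) as absent from this kernel and iptables build rather than flagging an error in the ruleset. When reviewing such a trace on a device whose kernel you cannot change, the useful question is which features came back missing, so that you can check whether any rule in your own configuration actually depends on one of them. The script below parses a trace in the format quoted above and separates the probes into available and missing. The excerpt it runs on is a constructed subset of the post's output, and the probe classification (matches by `-m`, targets by `-j`, tables by `-t ... -L`) is the script's own assumption about how to label each command, not Shorewall's internal naming.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt of 'shorewall trace restart' output, in the format
# shown in the post above; not the full captured trace.
SAMPLE_TRACE = """\
SYS----> /sbin/iptables -A fooX23872 -m recent --update -j ACCEPT
SYS----> /sbin/iptables -A fooX23872 -m owner --uid-owner 0 -j ACCEPT
iptables: No chain/target/match by that name.
SYS----> /sbin/iptables -A fooX23872 -m owner --uid-owner root
SYS----> /sbin/iptables -A fooX23872 -p tcp -m ipp2p --edk -j ACCEPT
SYS----> /sbin/iptables -A fooX23872 -p tcp -m ipp2p --ipp2p -j ACCEPT
iptables v1.4.20: unknown option "--ipp2p"
Try `iptables -h' or 'iptables --help' for more information.
SYS----> /sbin/iptables -t mangle -A fooX23872 -j CLASSIFY --set-class 1:1
SYS----> /sbin/iptables -t mangle -A fooX23872 -j IPMARK --addr src
iptables v1.4.20: unknown option "--addr"
SYS----> /sbin/iptables -t rawpost -L -n
iptables v1.4.20: can't initialize iptables table `rawpost': Table does not exist (do you need to insmod?)
SYS----> /sbin/ipset -X fooX23872
ipset v6.23: The set with the given name does not exist
SYS----> /sbin/iptables -A fooX23872 -j LOGMARK
iptables v1.4.20: Couldn't load target `LOGMARK':No such file or directory
SYS----> /sbin/iptables -A fooX23872 -m geoip --src-cc US
iptables v1.4.20: Couldn't load match `geoip':No such file or directory
SYS----> /sbin/iptables -t nat -F fooX23872
iptables: No chain/target/match by that name.
"""

SCRATCH_CHAIN = re.compile(r"fooX\d+")          # Shorewall's probe chain name pattern
STANDARD_TARGETS = {"ACCEPT", "DROP", "RETURN", "REJECT"}
PREFIX = "SYS----> "


@dataclass
class Probe:
    capability: str                 # e.g. "match ipp2p --ipp2p" or "table rawpost"
    command: str
    errors: list = field(default_factory=list)   # stderr lines iptables printed

    @property
    def ok(self) -> bool:
        return not self.errors


def _label(argv):
    """Name the optional feature an iptables probe exercises (assumed labelling scheme)."""
    if "-L" in argv:
        # Listing an empty table only succeeds if the table exists.
        return "table " + (argv[argv.index("-t") + 1] if "-t" in argv else "filter")
    for flag, kind in (("-m", "match"), ("-j", "target")):
        if flag not in argv:
            continue
        i = argv.index(flag)
        name = argv[i + 1]
        if kind == "target" and name in STANDARD_TARGETS:
            continue                # '-j ACCEPT' is just the rule's verdict, not a probe
        opts = []
        for tok in argv[i + 2:]:
            if tok in ("-j", "-m"):
                break
            opts.append(tok)
        return " ".join([kind, name] + opts)
    return None


def parse_trace(text):
    """Group each 'SYS----> iptables' probe with the error lines that follow it."""
    probes, current = [], None
    for line in text.splitlines():
        if line.startswith(PREFIX):
            argv = line[len(PREFIX):].split()
            current = None
            if argv[0].rsplit("/", 1)[-1] != "iptables":
                continue            # ipset set-up/tear-down lines are not netfilter probes
            if not any(SCRATCH_CHAIN.search(t) for t in argv) and "-L" not in argv:
                continue            # not aimed at the scratch chain: real ruleset work
            if any(f in argv for f in ("-F", "-X", "-N")):
                continue            # scratch-chain housekeeping; its errors are expected
            label = _label(argv)
            if label is None:
                continue
            current = Probe(label, " ".join(argv))
            probes.append(current)
        elif current is not None and line.strip():
            current.errors.append(line.strip())
    return probes


def missing_capabilities(text):
    """Features whose probe produced any error output."""
    return [p.capability for p in parse_trace(text) if not p.ok]


if __name__ == "__main__":
    for p in parse_trace(SAMPLE_TRACE):
        print(("MISSING " if not p.ok else "ok      ") + p.capability)
```

Feed it the real shorewall.out instead of the constructed excerpt and compare the MISSING list against the matches and targets your rules, tcrules and accounting files actually use; a missing feature only matters if something in the configuration needs it.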
