(This detail should not be a problem for you if you are using Gentoo’s default ‘genkernel’.)
Here’s a ‘minor’ update foible to watch out for on Gentoo when moving from a compiled kernel-3.3.8-gentoo to kernel-3.4.9-gentoo while running Shorewall…
There are a few new kernel config options, and at least some of them must be set for Shorewall to configure iptables successfully.
The additional kernel config options that I’ve set are:
CONFIG_IP_MROUTE_MULTIPLE_TABLES=y
CONFIG_INET_UDP_DIAG=y
CONFIG_NETFILTER_NETLINK_ACCT=m
CONFIG_NF_CONNTRACK_TIMEOUT=y
CONFIG_NF_CONNTRACK_TIMESTAMP=y
CONFIG_NF_CONNTRACK_SNMP=m
CONFIG_NETFILTER_XT_SET=m
CONFIG_NETFILTER_XT_TARGET_AUDIT=m
CONFIG_NETFILTER_XT_TARGET_CHECKSUM=m
CONFIG_NETFILTER_XT_TARGET_CT=m
CONFIG_NETFILTER_XT_TARGET_IDLETIMER=m
CONFIG_NETFILTER_XT_TARGET_LOG=m
CONFIG_NETFILTER_XT_TARGET_TEE=m
CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=m
CONFIG_NETFILTER_XT_MATCH_DEVGROUP=m
CONFIG_NETFILTER_XT_MATCH_NFACCT=m
CONFIG_IP_SET=m
CONFIG_IP_SET_MAX=256
CONFIG_IP_SET_BITMAP_IP=m
CONFIG_IP_SET_BITMAP_IPMAC=m
CONFIG_IP_SET_BITMAP_PORT=m
CONFIG_IP_SET_HASH_IP=m
CONFIG_IP_SET_HASH_IPPORT=m
CONFIG_IP_SET_HASH_IPPORTIP=m
CONFIG_IP_SET_HASH_IPPORTNET=m
CONFIG_IP_SET_HASH_NET=m
CONFIG_IP_SET_HASH_NETPORT=m
CONFIG_IP_SET_HASH_NETIFACE=m
CONFIG_IP_SET_LIST_SET=m
CONFIG_IP_NF_MATCH_RPFILTER=m
CONFIG_NF_NAT_SNMP_BASIC=m
I’ve not checked to see which of those are essential. However, “CONFIG_NETFILTER_XT_TARGET_LOG=m” is required to avoid seeing:
ERROR: A log level other than NONE requires LOG Target in your kernel and iptables
Several of the others are needed to avoid seeing:
ERROR: iptables-restore Failed. Input is in /var/lib/shorewall/.iptables-restore-input
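Since the iptables-restore error only shows up after the reboot, a pre-flight check of the new kernel’s .config against the list above is handy. This is an added example written for this post, not code from Shorewall, genkernel or Gentoo; it assumes you pass it the path of a kernel config file (for example /usr/src/linux/.config, or the output of zcat /proc/config.gz saved to a file on a kernel built with CONFIG_IKCONFIG_PROC).

```shell
#!/bin/sh
# Added example for this post, not code from Shorewall, genkernel or Gentoo:
# check a kernel .config for every option listed above and name the ones that
# are not enabled, so the check runs before the reboot rather than failing
# later inside Shorewall's iptables-restore.
# Usage: sh check_shorewall_kconfig.sh /usr/src/linux/.config

# The options exactly as listed in the post.
SHOREWALL_KCONFIG_OPTS="
CONFIG_IP_MROUTE_MULTIPLE_TABLES=y CONFIG_INET_UDP_DIAG=y CONFIG_NETFILTER_NETLINK_ACCT=m
CONFIG_NF_CONNTRACK_TIMEOUT=y CONFIG_NF_CONNTRACK_TIMESTAMP=y CONFIG_NF_CONNTRACK_SNMP=m
CONFIG_NETFILTER_XT_SET=m CONFIG_NETFILTER_XT_TARGET_AUDIT=m CONFIG_NETFILTER_XT_TARGET_CHECKSUM=m
CONFIG_NETFILTER_XT_TARGET_CT=m CONFIG_NETFILTER_XT_TARGET_IDLETIMER=m CONFIG_NETFILTER_XT_TARGET_LOG=m
CONFIG_NETFILTER_XT_TARGET_TEE=m CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=m CONFIG_NETFILTER_XT_MATCH_DEVGROUP=m
CONFIG_NETFILTER_XT_MATCH_NFACCT=m CONFIG_IP_SET=m CONFIG_IP_SET_MAX=256 CONFIG_IP_SET_BITMAP_IP=m
CONFIG_IP_SET_BITMAP_IPMAC=m CONFIG_IP_SET_BITMAP_PORT=m CONFIG_IP_SET_HASH_IP=m CONFIG_IP_SET_HASH_IPPORT=m
CONFIG_IP_SET_HASH_IPPORTIP=m CONFIG_IP_SET_HASH_IPPORTNET=m CONFIG_IP_SET_HASH_NET=m CONFIG_IP_SET_HASH_NETPORT=m
CONFIG_IP_SET_HASH_NETIFACE=m CONFIG_IP_SET_LIST_SET=m CONFIG_IP_NF_MATCH_RPFILTER=m CONFIG_NF_NAT_SNMP_BASIC=m
"

# Prints "missing: CONFIG_FOO" for each option that is absent, commented out
# ("# CONFIG_FOO is not set") or =n. Built-in (=y) and module (=m) both count
# as enabled; a numeric option (CONFIG_IP_SET_MAX) only has to be set at all.
# Returns 0 when every option is enabled, 1 otherwise.
check_shorewall_kconfig() {
    cfg="$1"
    missing=0
    for line in $SHOREWALL_KCONFIG_OPTS; do
        name=${line%%=*}
        want=${line#*=}
        case $want in
            y|m) pattern="^${name}=[ym]\$" ;;
            *)   pattern="^${name}=" ;;
        esac
        if ! grep -q "$pattern" "$cfg"; then
            echo "missing: $name"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

if [ $# -ge 1 ]; then
    check_shorewall_kconfig "$1"
fi
```

A non-zero exit status means at least one option is still off; fix those in menuconfig and rebuild before rebooting.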
Good luck!