Shorewall config problem


Shorewall config problem

Peter Humphrey-3
Morning all,

When emerging shorewall-5.2.1.1 I get an error from the kernel settings check:

CONFIG_NF_CONNTRACK_IPV4:   is not set when it should be.

This is with gentoo-sources-4.19.1. And indeed there is no such kernel
parameter:

$ grep CONFIG_NF_CONNTRACK /usr/src/linux/.config    
CONFIG_NF_CONNTRACK=m <<< Note
# CONFIG_NF_CONNTRACK_MARK is not set
CONFIG_NF_CONNTRACK_SECMARK=y
# CONFIG_NF_CONNTRACK_ZONES is not set
CONFIG_NF_CONNTRACK_PROCFS=y
# CONFIG_NF_CONNTRACK_EVENTS is not set
# CONFIG_NF_CONNTRACK_TIMEOUT is not set
# CONFIG_NF_CONNTRACK_TIMESTAMP is not set
# CONFIG_NF_CONNTRACK_LABELS is not set
# CONFIG_NF_CONNTRACK_AMANDA is not set
CONFIG_NF_CONNTRACK_FTP=m
# CONFIG_NF_CONNTRACK_H323 is not set
CONFIG_NF_CONNTRACK_IRC=m
# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set
# CONFIG_NF_CONNTRACK_SNMP is not set
# CONFIG_NF_CONNTRACK_PPTP is not set
# CONFIG_NF_CONNTRACK_SANE is not set
CONFIG_NF_CONNTRACK_SIP=m
# CONFIG_NF_CONNTRACK_TFTP is not set

On another box with gentoo sources 4.14.78 I get this:

$ grep CONFIG_NF_CONNTRACK_IP /usr/src/linux/.config
CONFIG_NF_CONNTRACK_IPV4=y
CONFIG_NF_CONNTRACK_IPV6=y

So far I've been ignoring the error, assuming that the entry I've noted above
now combines IPV4 and IPV6.

Does the panel think this is worth a bug report against shorewall?

--
Regards,
Peter.





Re: Shorewall config problem

J. Roeleveld
On Monday, November 12, 2018 11:11:52 AM CET Peter Humphrey wrote:

> Morning all,
>
> When emerging shorewall-5.2.1.1 I get an error from the kernel settings
> check:
>
> CONFIG_NF_CONNTRACK_IPV4:   is not set when it should be.
>
> This is with gentoo-sources-4.19.1. And indeed there is no such kernel
> parameter:
>
> $ grep CONFIG_NF_CONNTRACK /usr/src/linux/.config
> CONFIG_NF_CONNTRACK=m <<< Note
> # CONFIG_NF_CONNTRACK_MARK is not set
> CONFIG_NF_CONNTRACK_SECMARK=y
> # CONFIG_NF_CONNTRACK_ZONES is not set
> CONFIG_NF_CONNTRACK_PROCFS=y
> # CONFIG_NF_CONNTRACK_EVENTS is not set
> # CONFIG_NF_CONNTRACK_TIMEOUT is not set
> # CONFIG_NF_CONNTRACK_TIMESTAMP is not set
> # CONFIG_NF_CONNTRACK_LABELS is not set
> # CONFIG_NF_CONNTRACK_AMANDA is not set
> CONFIG_NF_CONNTRACK_FTP=m
> # CONFIG_NF_CONNTRACK_H323 is not set
> CONFIG_NF_CONNTRACK_IRC=m
> # CONFIG_NF_CONNTRACK_NETBIOS_NS is not set
> # CONFIG_NF_CONNTRACK_SNMP is not set
> # CONFIG_NF_CONNTRACK_PPTP is not set
> # CONFIG_NF_CONNTRACK_SANE is not set
> CONFIG_NF_CONNTRACK_SIP=m
> # CONFIG_NF_CONNTRACK_TFTP is not set
>
> On another box with gentoo sources 4.14.78 I get this:
>
> $ grep CONFIG_NF_CONNTRACK_IP /usr/src/linux/.config
> CONFIG_NF_CONNTRACK_IPV4=y
> CONFIG_NF_CONNTRACK_IPV6=y
>
> So far I've been ignoring the error, assuming that the entry I've noted
> above now combines IPV4 and IPV6.
>
> Does the panel think this is worth a bug report against shorewall?

Does it show up when you search for that config-item from within "make
menuconfig"?
Not all config-items end up in the config-file, especially if pre-requisites are
disabled themselves.

--
Joost





Re: Shorewall config problem

Peter Humphrey-3
On Monday, 12 November 2018 10:19:24 GMT J. Roeleveld wrote:

> On Monday, November 12, 2018 11:11:52 AM CET Peter Humphrey wrote:
> > Morning all,
> >
> > When emerging shorewall-5.2.1.1 I get an error from the kernel settings
> > check:
> >
> > CONFIG_NF_CONNTRACK_IPV4:   is not set when it should be.
> >
> > This is with gentoo-sources-4.19.1. And indeed there is no such kernel
> > parameter:
> >
> > $ grep CONFIG_NF_CONNTRACK /usr/src/linux/.config
> > CONFIG_NF_CONNTRACK=m <<< Note
> > # CONFIG_NF_CONNTRACK_MARK is not set
> > CONFIG_NF_CONNTRACK_SECMARK=y
> > # CONFIG_NF_CONNTRACK_ZONES is not set
> > CONFIG_NF_CONNTRACK_PROCFS=y
> > # CONFIG_NF_CONNTRACK_EVENTS is not set
> > # CONFIG_NF_CONNTRACK_TIMEOUT is not set
> > # CONFIG_NF_CONNTRACK_TIMESTAMP is not set
> > # CONFIG_NF_CONNTRACK_LABELS is not set
> > # CONFIG_NF_CONNTRACK_AMANDA is not set
> > CONFIG_NF_CONNTRACK_FTP=m
> > # CONFIG_NF_CONNTRACK_H323 is not set
> > CONFIG_NF_CONNTRACK_IRC=m
> > # CONFIG_NF_CONNTRACK_NETBIOS_NS is not set
> > # CONFIG_NF_CONNTRACK_SNMP is not set
> > # CONFIG_NF_CONNTRACK_PPTP is not set
> > # CONFIG_NF_CONNTRACK_SANE is not set
> > CONFIG_NF_CONNTRACK_SIP=m
> > # CONFIG_NF_CONNTRACK_TFTP is not set
> >
> > On another box with gentoo sources 4.14.78 I get this:
> >
> > $ grep CONFIG_NF_CONNTRACK_IP /usr/src/linux/.config
> > CONFIG_NF_CONNTRACK_IPV4=y
> > CONFIG_NF_CONNTRACK_IPV6=y
> >
> > So far I've been ignoring the error, assuming that the entry I've noted
> > above now combines IPV4 and IPV6.
> >
> > Does the panel think this is worth a bug report against shorewall?
>
> Does it show up when you search for that config-item from within "make
> menuconfig"?
> Not all config-items end up in the config-file, especially if pre-requisites
> are disabled themselves.

Nope.

--
Regards,
Peter.





Re: Shorewall config problem

Adam Carter
In reply to this post by Peter Humphrey-3
On Mon, Nov 12, 2018 at 9:11 PM Peter Humphrey <[hidden email]> wrote:

> Morning all,
>
> When emerging shorewall-5.2.1.1 I get an error from the kernel settings check:
>
> CONFIG_NF_CONNTRACK_IPV4:   is not set when it should be.
>
> This is with gentoo-sources-4.19.1. And indeed there is no such kernel
> parameter:

Yep, grepped my .config archive and it's gone in 4.19 so the shorewall ebuild (at least) will need an update. Checked bugzilla?

Re: Shorewall config problem

William Kenworthy
On 13/11/18 12:09 pm, Adam Carter wrote:

> On Mon, Nov 12, 2018 at 9:11 PM Peter Humphrey <[hidden email]> wrote:
>
>     Morning all,
>
>     When emerging shorewall-5.2.1.1 I get an error from the kernel
>     settings check:
>
>     CONFIG_NF_CONNTRACK_IPV4:   is not set when it should be.
>
>     This is with gentoo-sources-4.19.1. And indeed there is no such
>     kernel
>     parameter:
>
>
>  Yep, grepped my .config archive and it's gone in 4.19 so the shorewall
> ebuild (at least) will need an update. Checked bugzilla?


Grepping .config will only work sometimes - If it's enabled it will be
there, if not it "may or may not be"

Only sure way that I am aware of is to use the search function "\" from
within make menuconfig.


Bill K.




Re: Shorewall config problem

Adam Carter
> > Yep, grepped my .config archive and it's gone in 4.19 so the shorewall
> > ebuild (at least) will need an update. Checked bugzilla?
>
> Grepping .config will only work sometimes - If it's enabled it will be
> there, if not it "may or may not be"

My .config hasn't changed, other than from setting the new options via make oldconfig;

/usr/src/configs # grep CONFIG_NF_CONNTRACK_IP config-2018-10-29 config-2018-11-13
config-2018-10-29:CONFIG_NF_CONNTRACK_IPV4=y
config-2018-10-29:CONFIG_NF_CONNTRACK_IPV6=y

/usr/src/configs # head -n3 config-2018-10-29 config-2018-11-13
==> config-2018-10-29 <==
#
# Automatically generated file; DO NOT EDIT.
# Linux/x86 4.18.16-gentoo Kernel Configuration

==> config-2018-11-13 <==
#
# Automatically generated file; DO NOT EDIT.
# Linux/x86 4.19.0-gentoo Kernel Configuration
/usr/src/configs #




Re: Shorewall config problem

Peter Humphrey-3
On Tuesday, 13 November 2018 08:06:03 GMT Adam Carter wrote:

> My .config hasn't changed, other than from setting the new options via make
> oldconfig;
>
> /usr/src/configs # grep CONFIG_NF_CONNTRACK_IP config-2018-10-29
> config-2018-11-13
> config-2018-10-29:CONFIG_NF_CONNTRACK_IPV4=y
> config-2018-10-29:CONFIG_NF_CONNTRACK_IPV6=y
>
> /usr/src/configs # head -n3 config-2018-10-29 config-2018-11-13
> ==> config-2018-10-29 <==
> #
> # Automatically generated file; DO NOT EDIT.
> # Linux/x86 4.18.16-gentoo Kernel Configuration
>
> ==> config-2018-11-13 <==
> #
> # Automatically generated file; DO NOT EDIT.
> # Linux/x86 4.19.0-gentoo Kernel Configuration
> /usr/src/configs #

That is odd. I tried inserting the IPV[4,6] .config entries by hand, but
oldconfig removed them again.

The help text in kernel 4.14.78 says:

   Defined at net/ipv4/netfilter/Kconfig:12                                        
   Depends on: NET [=y] && INET [=y] && NETFILTER [=y] && NF_CONNTRACK [=y]
   Selects: NF_DEFRAG_IPV4 [=y]

None of those dependencies look likely to hide the IPV[4,6] options.

I also tried copying in the old config file from 4.14.78 and running it
through oldconfig again, this time including all the new netfilter options.
Again there was no sign of the IPV[4,6] options.

--
Regards,
Peter.





Re: Shorewall config problem

Adam Carter
> That is odd. I tried inserting the IPV[4,6] .config entries by hand, but
> oldconfig removed them again.

I'd say those entries are deprecated and that shorewall will just need an update to make it compatible with 4.19.


Re: Shorewall config problem

Peter Humphrey-3
On Wednesday, 14 November 2018 22:03:36 GMT Adam Carter wrote:
> > That is odd. I tried inserting the IPV[4,6] .config entries by hand, but
> > oldconfig removed them again.
>
> I'd say those entries are deprecated and that shorewall will just need an
> update to make it compatible with 4.19.

https://bugs.gentoo.org/671176 submitted.

--
Regards,
Peter.
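
The thread turns on telling an option that is merely absent from .config apart from one the kernel tree no longer declares. The following is an added example, not code from any poster or from the shorewall ebuild: it checks the Kconfig declarations as well as .config. The function names, the five status labels and the two sample trees are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a kernel option by consulting the Kconfig
# declarations as well as .config. All sample data below is constructed.

# kconfig_symbol_status SRC SYMBOL   (SYMBOL without the CONFIG_ prefix)
# Prints: builtin | module | disabled | hidden | removed
kconfig_symbol_status() {
    src=$1; sym=$2; cfg=$src/.config
    # A symbol exists in this tree only if some Kconfig file declares it.
    if ! grep -rEqs --include='Kconfig*' \
        "^[[:space:]]*(menu)?config[[:space:]]+${sym}[[:space:]]*\$" "$src"
    then
        echo removed; return 0
    fi
    if   grep -qsx "CONFIG_${sym}=y" "$cfg"; then echo builtin
    elif grep -qsx "CONFIG_${sym}=m" "$cfg"; then echo module
    elif grep -qsx "# CONFIG_${sym} is not set" "$cfg"; then echo disabled
    else echo hidden    # declared, but not written to .config
    fi
}

# make_sample_tree DIR old|new: constructed stand-ins for the two trees
# discussed in the thread (option present before 4.19, gone in 4.19).
make_sample_tree() {
    mkdir -p "$1/net/netfilter" "$1/net/ipv4/netfilter"
    printf 'config NF_CONNTRACK\n\ttristate "conntrack"\n\nconfig NF_CONNTRACK_MARK\n\tbool "mark"\n\nconfig NF_CONNTRACK_LABELS\n\tbool\n' \
        > "$1/net/netfilter/Kconfig"
    if [ "$2" = old ]; then
        printf 'config NF_CONNTRACK_IPV4\n\ttristate "IPv4 conntrack"\n' \
            > "$1/net/ipv4/netfilter/Kconfig"
        printf 'CONFIG_NF_CONNTRACK=y\nCONFIG_NF_CONNTRACK_IPV4=y\n' > "$1/.config"
    else
        printf 'CONFIG_NF_CONNTRACK=m\n# CONFIG_NF_CONNTRACK_MARK is not set\n' \
            > "$1/.config"
    fi
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_sample_tree "$tmp/old" old
    make_sample_tree "$tmp/new" new
    for tree in old new; do
        for s in NF_CONNTRACK NF_CONNTRACK_IPV4 NF_CONNTRACK_MARK NF_CONNTRACK_LABELS; do
            printf '%s %-20s %s\n' "$tree" "$s" "$(kconfig_symbol_status "$tmp/$tree" "$s")"
        done
    done
    rm -rf "$tmp"
}
demo
```

Against a real tree, pass the kernel source directory (for example /usr/src/linux) as the first argument. A `removed` result means the package's requirement list is out of date for that kernel, while `hidden` or `disabled` means the option still exists and can be turned on.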