[blfs-support] iptables errors starting

Fernando de Oliveira famobr at yahoo.com.br
Mon May 28 08:20:31 PDT 2012


Thank you very much for the replies, Ken and Bruce. With the
clarifications, I could correct the problems. Please, read comments
inline, below. Included also Bruce's comments and my reply.

On 27-05-2012 12:39, Ken Moffat wrote:
> On Sun, May 27, 2012 at 07:17:03AM -0700, Fernando de Oliveira wrote:

[...]

>> This has been happening for some time, but only noticed last week and
>> happens either with iptables-1.4.13 or with the new version
>> iptables-1.4.14

[...]

>>
>> The following appears at boot or starting iptables:
>>
>> # /etc/rc.d/init.d/iptables start
>> Starting iptables...FATAL: Module ipt_LOG not found.
>> iptables: No chain/target/match by that name.
>> iptables: No chain/target/match by that name.
>>
>> In /etc/rc.d/rc.iptables I have identified the following lines as
>> sources of the error messages (by commenting out)
>>
>> modprobe ipt_LOG

I commented this out in /etc/rc.d/rc.iptables, as I know now there is no
such module or option in config-3.4.0.
	
>> iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
>> iptables -I INPUT -p tcp -m state --state INVALID \
>>     -j LOG --log-prefix "FIREWALL:INVALID"

I left these uncommented.

>> I understand the first error message having no ipt_LOG module:

[...]

>> I understand the other error messages as consequence of something
>> necessary, perhaps ipt_LOG.

Could not find such a thing in config-3.4.0.

>> Other than commenting out the offending lines, what can be done to
>> correct this?
>>
>> Help would be much appreciated.
>>
>  Try checking / adding every kernel option (for netfilter) that you
> *might* want to use in your ruleset.  For log, in 3.0 it is
> CONFIG_NETFILTER_NETLINK_LOG - there are *loads* of other possible
> kernel netlink-related options, e.g. for logging in XTABLES.  Perhaps
> newer kernels have changed the options ?

Otions changed (write about below). Well, this was already set:
# grep -i NETFILTER /boot/config-3.4.0 | grep -i NETLINK | grep -i log
CONFIG_NETFILTER_NETLINK_LOG=y


>  Or, perhaps you didn't 'make modules_install' (unlikely, but I've
> occasionally done that myself on new kernels).

LOL. I did it. But I forgot it some time ago in another version.


>  Personally I don't like the aggravation of having to ensure a
> module is loaded when I later change the iptables script, so I build
> them all in.

I agree with you. Going to the wrong side, I had some in-kernel options
transformed in modules years ago, to comply with rc.iptables, not the
inverse. Now, corrected.

> 
>  For the rest, it's possible that something else has changed.

Yes, this seems to be the case. After replying to Bruce, below, I will
write down the solution.

[...]

>  When you have logging working, it's a good idea to monitor the log
> to see what is being dropped - at least until everything is working.

Thanks, I will do it.


On 27-05-2012 12:55, Bruce Dubbs wrote:

[...]

> The way to correct it would be to set CONFIG_IP_NF_TARGET_LOG=y in the 
> kernel configuration.   You may be looking in the wrong place.  There 
> are a lot of netfilter options.

There is no such option anymore.

I have the following related options set:
# grep CONFIG /boot/config-3.4.0 | grep -i ip | grep -i target | grep -i log
CONFIG_IP_NF_TARGET_ULOG=y

Here, I end the inline reply.

Now, the solution. I decided to "make -j4" with the "oldconfig" from
3.3.6 again, instead of trying to start with the one from 3.4.0. Lots of
questions, suddenly

  LOG target support (NETFILTER_XT_TARGET_LOG) [N/m/y/?] (NEW) y

thus, previously I did differently and did not notice this. With just
this, and commenting out modprobe ipt_LOG (as written above), *problem
solved*!!! I decided for this option, after you both mentioned the *LOG
options.

Thank you very much.

Incidentally, I noticed the following new options, one could be relevant
to a recurrent issue/discussion about RPC:

  RPC: Enable dprintk debugging (SUNRPC_DEBUG) [N/y/?] (NEW) 

and the other one for flash storage:

  Universal Flash Storage host controller driver (SCSI_UFSHCD) [N/m/y/?] (NEW) y

Chose yes, just in case i need it if by any chance I get a flash HD.


-- 
[]s,
Fernando



More information about the blfs-support mailing list