#1 2009-01-29 04:17:33

random.bits
Member
From: Ottawa Canada
Registered: 2004-07-18
Posts: 39

Upgrade of Kernel stops Shorewall from working (work around)

With the latest kernel upgrade, shorewall started to FAIL on start up.

I finally found a hint on Shorewall's site. It appears the new kernel has the NEW_CONNTRACK_MATCH capability (I am assuming that this is part of IPTABLES).

Anyways, if you create a capabilities file in /etc/shorewall you can disable its use by shorewall.

shorewall show -f capabilities >/etc/shorewall/capabilities

edit /etc/shorewall/capabilities

NEW_CONNTRACK_MATCH=Yes

to

NEW_CONNTRACK_MATCH=

Shorewall started working again for me.

Note the error message from shorewall was:

Setting up Accept Source Routing...
Setting up Proxy ARP...
Setting up Traffic Control...
Preparing iptables-restore input...
Running /usr/sbin/iptables-restore...
iptables-restore v1.4.2: conntrack: Bad value for "--ctorigdstport" option: "www"
Error occurred at line: 162
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
   ERROR: iptables-restore Failed. Input is in /var/lib/shorewall/.iptables-restore-input
Processing /etc/shorewall/stop ...

Note: I upgraded Shorewall to the latest version, having seen a similar error message being fixed in that release (4.2.5). It still did not help me.

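A small shell helper for the workaround described in the post, added here as an example and not part of the original post or of Shorewall itself: it turns one capability off in the file written by "shorewall show -f capabilities" without touching the other entries, and prints the line of the iptables-restore input that the error message points at. The function names and the sample file contents are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Shorewall code. Works on a capabilities file in the
# KEY=Value format that "shorewall show -f capabilities" produces.
#
# Typical use, following the post's workaround:
#   shorewall show -f capabilities > /etc/shorewall/capabilities
#   disable_capability /etc/shorewall/capabilities NEW_CONNTRACK_MATCH
#   shorewall restart

# disable_capability FILE NAME
# Rewrites "NAME=Yes" as "NAME=" (Shorewall reads an empty value as "not
# available"), keeps every other line, saves FILE.bak so the change can be
# reverted, and fails if NAME is absent so a typo is not silently ignored.
disable_capability() {
    file="$1"; name="$2"
    grep -q "^${name}=" "$file" || { echo "$name not found in $file" >&2; return 1; }
    cp "$file" "$file.bak"
    out=$(mktemp) || return 1
    sed "s/^${name}=.*\$/${name}=/" "$file" > "$out" && mv "$out" "$file"
}

# capability_value FILE NAME
# Prints the value recorded for NAME (empty when the capability is disabled).
capability_value() {
    sed -n "s/^$2=//p" "$1"
}

# failing_rule INPUT LINE
# Prints the line of the iptables-restore input that the error named, e.g.
#   failing_rule /var/lib/shorewall/.iptables-restore-input 162
# so you can see which match (here conntrack --ctorigdstport) was generated.
failing_rule() {
    sed -n "${2}p" "$1"
}
```

Shorewall uses an existing /etc/shorewall/capabilities instead of probing the running kernel, so regenerate or delete the file after later kernel or iptables upgrades, otherwise newer capabilities stay hidden from it.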
