# [SOLVED] firehol not working after kernel upgrade

## schnitten

Hi,

I switched from kernel-2.6.19-gentoo-r5 to kernel-2.6.23-gentoo-r6. Afterwards firehol is not working anymore.

On startup I get a whole bunch of errors like the following:

```
--------------------------------------------------------------------------------
ERROR   : # 220.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 167 of /tmp/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_interface3_irc_c13 -p tcp --sport 6667 --dport 32768:61000 -m state --state ESTABLISHED -j ACCEPT
OUTPUT  :
iptables: No chain/target/match by that name
```

So I switched from the current stable to the latest unstable version, which is firehol-1.256-r1. The results remain the same.

On the firehol homepage it is mentioned that there were some issues with kernels 2.6.20+ , but they should be fixed right now.

thanks for your help

Christian

Last edited by schnitten on Wed Jan 30, 2008 9:12 pm; edited 1 time in total

----------

## magic919

Check the Kernel config for IP Tables support.  It's usually that you lack some needed modules.

----------

## schnitten

*magic919 wrote:*

> Check the Kernel config for IP Tables support.  It's usually that you lack some needed modules.

Did so, before I built the new kernel I copied over the previous .config file.

When rebuilding firehol, it reports when some kernel flags are missing. There were no warnings regarding missing flags.

Still there is the chance that I missed some flag - or some flag name did change for the new kernel. How can I find out which one this might be? Does firehol store some temporary script file when processing my rules which I could use for debugging?

----------

## magic919

I don't use Firehol myself.  Have you looked for a firehol.conf or similar?

----------

## Hu

It appears that the block you quoted in your first post tells you the iptables command that failed.

----------

## schnitten

*Hu wrote:*

> It appears that the block you quoted in your first post tells you the iptables command that failed.

I think you are right and the chain (denoted by the -A parameter) is not present. But why? Firehol should have created that chain before it tries to add rules. I do not see any error message that the chain could not be created. Therefore I'm looking for some temporary script that firehol uses to feed iptables. I guess the error message I posted is only the result of some previous error which I am not (yet) able to track.

----------

## magic919

Why don't you run it with the debug option? Apparently it then spits out the iptables commands. Run them by hand and find out what it can and cannot do. The generic error above can be a match problem, not just chain.

----------

## thepustule

If I recall correctly, between 2.6.19 and 2.6.23 some of the iptables options in the kernel got moved around in the menus and don't get activated by just doing a "make oldconfig".  This bit me as well.  If you just do a "make menuconfig" and make sure all the necessary iptables options are still enabled, or re-enable them if necessary, you should be ok.

----------
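An added worked example for the question of which flag went missing (my own script, not something from this thread and not shipped by firehol): it takes the iptables line from the error block in the first post, lists the table, protocol, match and target it uses, maps each to the kernel CONFIG_ symbols that provide it, and reports which of those a given .config lacks. The symbol table is my reading of the 2.6.23 netfilter Kconfig and is the assumption here; confirm it against net/netfilter/Kconfig and net/ipv4/netfilter/Kconfig in your own tree. The two .config fragments are constructed to mirror the thread: one as `make oldconfig` can leave it when the conntrack option it depends on is off, one after re-enabling conntrack and the state match.

```shell
#!/bin/sh
# Added example, not from the thread or from firehol: map the features an
# iptables command needs to kernel CONFIG_ symbols and check a .config.
# The symbol table below is my reading of the 2.6.23 netfilter Kconfig
# (an assumption); verify it against your own kernel tree.

# Print one "kind name" line per feature the command uses:
# "proto tcp", "match state", "target ACCEPT", "table filter", ...
iptables_features() {
    printf '%s\n' "$1" | awk '
        BEGIN { table = "filter" }
        {
            for (i = 1; i <= NF; i++) {
                if ($i == "-t" || $i == "--table")    table = $(i+1)
                if ($i == "-p" || $i == "--protocol") print "proto " $(i+1)
                if ($i == "-m" || $i == "--match")    print "match " $(i+1)
                if ($i == "-j" || $i == "--jump")     print "target " $(i+1)
            }
            print "table " table
        }'
}

# CONFIG_ symbols behind one feature. Built-in verdicts (ACCEPT, DROP,
# RETURN) and jumps to user-defined chains need nothing beyond the base.
config_symbols_for() {
    case "$1" in
        "table filter")          echo "CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER" ;;
        "table mangle")          echo "CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_MANGLE" ;;
        "table nat")             echo "CONFIG_NF_CONNTRACK CONFIG_NF_NAT" ;;
        "proto tcp"|"proto udp") echo "CONFIG_NETFILTER_XTABLES" ;;   # xt_tcpudp
        "match state")           echo "CONFIG_NF_CONNTRACK CONFIG_NF_CONNTRACK_IPV4 CONFIG_NETFILTER_XT_MATCH_STATE" ;;
        "match limit")           echo "CONFIG_NETFILTER_XT_MATCH_LIMIT" ;;
        "match multiport")       echo "CONFIG_NETFILTER_XT_MATCH_MULTIPORT" ;;
        "match mac")             echo "CONFIG_NETFILTER_XT_MATCH_MAC" ;;
        "target LOG")            echo "CONFIG_IP_NF_TARGET_LOG" ;;
        "target REJECT")         echo "CONFIG_IP_NF_TARGET_REJECT" ;;
        "target MASQUERADE")     echo "CONFIG_NF_NAT CONFIG_IP_NF_TARGET_MASQUERADE" ;;
        "target MARK")           echo "CONFIG_NETFILTER_XT_TARGET_MARK" ;;
        *)                       echo "" ;;
    esac
}

# Usage: missing_symbols "<iptables command line>" "<contents of .config>"
# Prints the required symbols that are neither =y nor =m (space separated,
# sorted) and returns 0 only when nothing is missing.
missing_symbols() {
    cmd=$1; config=$2; missing=""
    required=$(iptables_features "$cmd" |
        while read -r kind name; do config_symbols_for "$kind $name"; done |
        tr ' ' '\n' | LC_ALL=C sort -u)
    for sym in $required; do
        printf '%s\n' "$config" | grep -q "^$sym=[ym]\$" || missing="$missing $sym"
    done
    printf '%s\n' "${missing# }"
    [ -z "$missing" ]
}

# The command firehol reported as failing in the first post.
FAILING_CMD='/sbin/iptables -t filter -A in_interface3_irc_c13 -p tcp --sport 6667 --dport 32768:61000 -m state --state ESTABLISHED -j ACCEPT'

# Constructed sample: a carried-over config where the new conntrack option
# ended up off, so the state match is not even selectable.
CARRIED_CONFIG='CONFIG_NETFILTER=y
CONFIG_NETFILTER_XTABLES=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
# CONFIG_NF_CONNTRACK_ENABLED is not set'

# Constructed sample: the same config after re-enabling conntrack and state.
FIXED_CONFIG='CONFIG_NETFILTER=y
CONFIG_NETFILTER_XTABLES=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_NF_CONNTRACK_ENABLED=m
CONFIG_NF_CONNTRACK=m
CONFIG_NF_CONNTRACK_IPV4=m
CONFIG_NETFILTER_XT_MATCH_STATE=m'

report() {   # $1 = label, $2 = config contents
    if out=$(missing_symbols "$FAILING_CMD" "$2"); then
        echo "$1: every required symbol is =y or =m"
    else
        echo "$1: missing $out"
    fi
}
report "carried-over config" "$CARRIED_CONFIG"
report "fixed config" "$FIXED_CONFIG"
```

On the live box feed it the running kernel's config, `missing_symbols "$cmd" "$(zcat /proc/config.gz)"` (needs CONFIG_IKCONFIG_PROC) or `"$(cat /usr/src/linux/.config)"`. Once a rule has loaded its modules, the matches and targets the kernel actually registered are listed in /proc/net/ip_tables_matches and /proc/net/ip_tables_targets, which is the quickest way to confirm that "No chain/target/match by that name" is a missing match rather than a missing chain.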

## schnitten

I really did miss some targets for iptables. Maybe some of these options got renamed? No matter what, now iptables works as expected.

BTW: why aren't such changes mentioned by portage when fetching new kernel-sources?

----------

## magic919

The kernel is too involved for them to list every change in the Portage notes.  However, there is a guide.

http://www.gentoo.org/doc/en/kernel-upgrade.xml

If you skip down to section 10 it covers using an old config.  It would give a Y/n for each new option.  That's as much help as there is.

----------
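A second added example (mine, not from the thread or the Gentoo guide) for the `make oldconfig` problem the last two posts describe: `oldconfig` asks about options that are new, but an option that was removed, renamed, or is no longer selectable because its dependency is off just vanishes from the new .config without a question. Comparing the two configs shows exactly which netfilter symbols disappeared. The old and new fragments are constructed; the old IPv4-only conntrack and NAT names in them (CONFIG_IP_NF_CONNTRACK, CONFIG_IP_NF_NAT) are, to my recollection, the ones removed in the 2.6.22 netfilter rework, but treat the list as illustrative and compare your own two files.

```shell
#!/bin/sh
# Added example, not from the thread: list netfilter symbols that were
# enabled in the old .config but that the new config does not mention at
# all, neither "=y/=m" nor "# ... is not set". Those are the options
# `make oldconfig` dropped silently (removed, renamed, or unselectable
# because a dependency is now off).

# Symbols enabled (=y or =m) in a config passed as a string.
enabled_symbols() {
    printf '%s\n' "$1" | sed -n 's/^\(CONFIG_[A-Z0-9_]*\)=[ym]$/\1/p'
}

# Symbols a config mentions at all, enabled or explicitly not set.
known_symbols() {
    printf '%s\n' "$1" | sed -n \
        -e 's/^\(CONFIG_[A-Z0-9_]*\)=.*$/\1/p' \
        -e 's/^# \(CONFIG_[A-Z0-9_]*\) is not set$/\1/p'
}

# Usage: dropped_symbols "<old .config>" "<new .config>" [egrep filter]
# Prints, one per line and in the old file's order, the symbols enabled in
# the old config that the new config does not know. The filter defaults to
# netfilter-related names.
dropped_symbols() {
    old=$1; new=$2
    if [ -n "$3" ]; then filter=$3; else filter='NETFILTER|NF_|IP_NF_'; fi
    known=$(known_symbols "$new")
    for sym in $(enabled_symbols "$old" | grep -E "$filter"); do
        printf '%s\n' "$known" | grep -qx "$sym" || printf '%s\n' "$sym"
    done
}

# Constructed sample: the netfilter part of a 2.6.19-era .config.
OLD_CONFIG='CONFIG_NETFILTER=y
CONFIG_NETFILTER_XTABLES=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_EXT3_FS=y'

# Constructed sample: the same config after `make oldconfig` on a newer
# kernel, with the new conntrack switch left at its default (off), so the
# state match is no longer selectable and does not appear at all.
NEW_CONFIG='CONFIG_NETFILTER=y
CONFIG_NETFILTER_XTABLES=m
# CONFIG_NF_CONNTRACK_ENABLED is not set
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_FILTER=m
CONFIG_EXT3_FS=y'

echo "netfilter symbols enabled before but unknown to the new kernel config:"
dropped_symbols "$OLD_CONFIG" "$NEW_CONFIG"
```

With Gentoo's layout the real comparison is `dropped_symbols "$(cat /usr/src/linux-2.6.19-gentoo-r5/.config)" "$(cat /usr/src/linux/.config)"`, assuming the old tree is still installed; each symbol it prints is one to look up in `make menuconfig` under Networking, Network packet filtering framework, where it has either a new name or a new dependency to enable first.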

