# Shorewall: kernel/iptables - no state match support [SOLVED]

## Punchcutter

Hi,

I'm trying to set up a simple firewall with Shorewall in the same way I have it running on another machine, and I'm having what looks like a kernel-related problem:

```
# /etc/init.d/shorewall start
 * Starting firewall ...
   ERROR: Your kernel/iptables do not include state match support. No version of Shorewall will run on this system                                    [ !! ]
 * ERROR: shorewall failed to start
```

Problem is - I'm pretty sure I do have my kernel configured properly:

```
# zgrep -iE 'NF_|XT_' /proc/config.gz 
CONFIG_NF_CONNTRACK=m
# CONFIG_NF_CT_ACCT is not set
# CONFIG_NF_CONNTRACK_MARK is not set
# CONFIG_NF_CONNTRACK_EVENTS is not set
# CONFIG_NF_CT_PROTO_DCCP is not set
# CONFIG_NF_CT_PROTO_SCTP is not set
# CONFIG_NF_CT_PROTO_UDPLITE is not set
# CONFIG_NF_CONNTRACK_AMANDA is not set
# CONFIG_NF_CONNTRACK_FTP is not set
# CONFIG_NF_CONNTRACK_H323 is not set
# CONFIG_NF_CONNTRACK_IRC is not set
# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set
# CONFIG_NF_CONNTRACK_PPTP is not set
# CONFIG_NF_CONNTRACK_SANE is not set
# CONFIG_NF_CONNTRACK_SIP is not set
# CONFIG_NF_CONNTRACK_TFTP is not set
# CONFIG_NF_CT_NETLINK is not set
# CONFIG_NETFILTER_XT_TARGET_CLASSIFY is not set
# CONFIG_NETFILTER_XT_TARGET_CONNMARK is not set
# CONFIG_NETFILTER_XT_TARGET_MARK is not set
# CONFIG_NETFILTER_XT_TARGET_NFLOG is not set
# CONFIG_NETFILTER_XT_TARGET_NFQUEUE is not set
# CONFIG_NETFILTER_XT_TARGET_RATEEST is not set
# CONFIG_NETFILTER_XT_TARGET_TCPMSS is not set
# CONFIG_NETFILTER_XT_MATCH_CLUSTER is not set
# CONFIG_NETFILTER_XT_MATCH_COMMENT is not set
# CONFIG_NETFILTER_XT_MATCH_CONNBYTES is not set
# CONFIG_NETFILTER_XT_MATCH_CONNLIMIT is not set
# CONFIG_NETFILTER_XT_MATCH_CONNMARK is not set
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
# CONFIG_NETFILTER_XT_MATCH_DCCP is not set
# CONFIG_NETFILTER_XT_MATCH_DSCP is not set
# CONFIG_NETFILTER_XT_MATCH_ESP is not set
# CONFIG_NETFILTER_XT_MATCH_HASHLIMIT is not set
# CONFIG_NETFILTER_XT_MATCH_HELPER is not set
# CONFIG_NETFILTER_XT_MATCH_HL is not set
# CONFIG_NETFILTER_XT_MATCH_IPRANGE is not set
# CONFIG_NETFILTER_XT_MATCH_LENGTH is not set
# CONFIG_NETFILTER_XT_MATCH_LIMIT is not set
# CONFIG_NETFILTER_XT_MATCH_MAC is not set
# CONFIG_NETFILTER_XT_MATCH_MARK is not set
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
# CONFIG_NETFILTER_XT_MATCH_OWNER is not set
# CONFIG_NETFILTER_XT_MATCH_POLICY is not set
# CONFIG_NETFILTER_XT_MATCH_PKTTYPE is not set
# CONFIG_NETFILTER_XT_MATCH_QUOTA is not set
# CONFIG_NETFILTER_XT_MATCH_RATEEST is not set
# CONFIG_NETFILTER_XT_MATCH_REALM is not set
# CONFIG_NETFILTER_XT_MATCH_RECENT is not set
# CONFIG_NETFILTER_XT_MATCH_SCTP is not set
CONFIG_NETFILTER_XT_MATCH_STATE=m
# CONFIG_NETFILTER_XT_MATCH_STATISTIC is not set
# CONFIG_NETFILTER_XT_MATCH_STRING is not set
# CONFIG_NETFILTER_XT_MATCH_TCPMSS is not set
# CONFIG_NETFILTER_XT_MATCH_TIME is not set
# CONFIG_NETFILTER_XT_MATCH_U32 is not set
CONFIG_NF_DEFRAG_IPV4=m
CONFIG_NF_CONNTRACK_IPV4=m
CONFIG_NF_CONNTRACK_PROC_COMPAT=y
# CONFIG_IP_NF_QUEUE is not set
CONFIG_IP_NF_IPTABLES=m
# CONFIG_IP_NF_MATCH_ADDRTYPE is not set
# CONFIG_IP_NF_MATCH_AH is not set
# CONFIG_IP_NF_MATCH_ECN is not set
# CONFIG_IP_NF_MATCH_TTL is not set
# CONFIG_IP_NF_FILTER is not set
# CONFIG_IP_NF_TARGET_LOG is not set
# CONFIG_IP_NF_TARGET_ULOG is not set
# CONFIG_NF_NAT is not set
# CONFIG_IP_NF_MANGLE is not set
# CONFIG_IP_NF_TARGET_TTL is not set
# CONFIG_IP_NF_RAW is not set
# CONFIG_IP_NF_ARPTABLES is not set
# CONFIG_DEBUG_BLOCK_EXT_DEVT is not set
CONFIG_GENERIC_FIND_NEXT_BIT=y
# lsmod | grep -E 'nf_|xt_'
xt_tcpudp               1671  0 
xt_state                 938  0 
nf_conntrack_ipv4       7385  0 
nf_defrag_ipv4           901  1 nf_conntrack_ipv4
xt_multiport            1762  0 
xt_conntrack            1966  0 
nf_conntrack           41674  3 xt_state,nf_conntrack_ipv4,xt_conntrack
x_tables               10735  5 xt_tcpudp,xt_state,xt_multiport,xt_conntrack,ip_tables
```

This oughta be the same kernel config as my other machine that shorewall runs fine on.  I have shorewall 4.4.10 and iptables 1.4.8-r1.

Can anyone give me a clue what might be wrong here?  Thanks a lot in advance.

Here's emerge --info as well for good luck:

```
# emerge --info
Portage 2.1.8.3 (default/linux/x86/10.0, gcc-4.3.2, glibc-2.11.2-r0, 2.6.34-gentoo-r1 i686)
=================================================================
System uname: Linux-2.6.34-gentoo-r1-i686-AMD_Athlon-TM-_XP_2200+-with-gentoo-2.0.1
Timestamp of tree: Wed, 21 Jul 2010 21:45:01 +0000
ccache version 2.4 [enabled]
app-shells/bash:     4.1_p7
dev-java/java-config: 1.3.7, 2.1.11
dev-lang/python:     2.4.4-r13, 2.5.4-r2, 2.6.5-r2
dev-util/ccache:     2.4-r8
dev-util/cmake:      2.8.1-r2
sys-apps/baselayout: 2.0.1
sys-apps/openrc:     0.6.1-r1
sys-apps/sandbox:    2.2
sys-devel/autoconf:  2.13, 2.65-r1
sys-devel/automake:  1.7.9-r1, 1.8.5-r3, 1.9.6-r3, 1.10.3, 1.11.1
sys-devel/binutils:  2.20.1-r1
sys-devel/gcc:       4.1.2, 4.3.2-r3, 4.4.4-r1
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.10
virtual/os-headers:  2.6.34
ACCEPT_KEYWORDS="x86 ~x86"
ACCEPT_LICENSE="*"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=athlon-xp -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb /usr/share/config /var/lib/hsqldb"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -march=athlon-xp -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests ccache distlocks fixpackages news parallel-fetch protect-owned sandbox sfperms strict unmerge-logs unmerge-orphans userfetch"
GENTOO_MIRRORS="http://gentoo.cs.utah.edu http://mirror.usu.edu/gentoo"
LANG="en_US.UTF-8"
LDFLAGS="-Wl,-O1"
LINGUAS="en ja"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="   "
SYNC="rsync://rsync.namerica.gentoo.org/gentoo-portage"
USE="X acl acpi alsa berkdb bzip2 cjk cli cracklib crypt cups cxx dbus dri gdbm gnupg gpm hal iconv imap immqt-bc jpeg kde latex libwww modules mp3 mudflap ncurses nls nptl nptlonly nsplugin opengl openmp pam pcre pdf perl png pppd python qt3support qt4 quicktime readline reflection samba scim session skype spl ssl sysfs tcpd udev unicode v4l2 vim-syntax x86 xorg xscreensaver xulrunner yahoo zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en ja" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="nvidia" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account" 
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LC_ALL, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
```

Last edited by Punchcutter on Fri Jul 30, 2010 4:35 am; edited 1 time in total

----------

## truc

It could be interesting to look at the init script the message looks like it's coming from:

```
# /etc/init.d/shorewall start
 * Starting firewall ...
   ERROR: Your kernel/iptables do not include state match support. No version of Shorewall will run on this system 
```

(Well, I'm not sure the ERROR thrown above really comes from the init script itself and not from Shorewall, but it's worth a look, isn't it?)

----------

## Punchcutter

Thanks for the response, truc... but the message is not in the init.d script, so it probably comes from Shorewall itself.

----------

## deanpence

Is it possible that you have a symlink to /usr/src/linux that's not configured yet? I'm not sure whether shorewall looks at /proc or /usr/src/linux to determine whether stateful packet inspection is possible, but most apps looking for kernel support that I've seen look in /usr/src/linux.

Alternatively, if the shorewall app is a text script of some sort, inspect it yourself to see where and how this error occurs.

----------

## albright

Are all your netfilter modules loaded?

----------

## Punchcutter

@deanpence: my /usr/src/linux symlink points to the actual kernel source tree that I'm running on.  I believe Shorewall is written in Perl, and I can read Perl, but haven't bothered to dig inside yet.  It may come to that.

@albright: I'm not sure which ones are "all" of them.  I'm quite sure this configuration is the same as on my other machine, where Shorewall works fine.  Here's what I've got:

```
# lsmod | grep -E 'nf_|xt_|netfilter|ipta|ip_ta'
xt_tcpudp               1671  0 
xt_state                 938  0 
nf_conntrack_ipv4       7385  0 
nf_defrag_ipv4           901  1 nf_conntrack_ipv4
xt_multiport            1762  0 
xt_conntrack            1966  0 
nf_conntrack           41674  3 xt_state,nf_conntrack_ipv4,xt_conntrack
ip_tables               7490  0 
x_tables               10735  5 xt_tcpudp,xt_state,xt_multiport,xt_conntrack,ip_tables
```

Thanks again.

----------

## Punchcutter

I'm sorry for the trouble... when I went and checked the other machine, sure enough, the Netfilter-related settings were a bit different. Matching them up, I was able to get Shorewall to work on this machine.

I still think it's a bit odd that the error reported was "no state match support" when the state match kernel option was very definitely turned on, but apparently something that state match depends on was not activated.
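The thread ends without naming which option was missing, and Shorewall's message only reports the symptom (the state-match probe failed), not the cause. As an added example, not Shorewall's code and not posted in the thread, here is a small POSIX shell checker that takes a kernel config (a `.config` or a gunzipped `/proc/config.gz`) and reports every option an IPv4 `-m state` rule in the filter table needs but cannot find. The dependency list is this example's own reading of the 2.6.34 Kconfig: `CONFIG_NETFILTER_XT_MATCH_STATE` is only the last link, and the rule also needs x_tables, connection tracking plus its IPv4 part, ip_tables and the filter table. The filter table is on the list because, from memory of Shorewall 4.4's capability detection (treat that as an assumption), the probe adds a state-match rule to a scratch chain in the default table. Run against the config posted in the first message, the checker flags `CONFIG_IP_NF_FILTER`, which the posted zgrep shows as not set; the constructed sample in the block reproduces those lines, and `CONFIG_NETFILTER` and `CONFIG_NETFILTER_XTABLES` are assumed set because the `'NF_|XT_'` pattern cannot match them. Whether that was the option the OP ended up changing is not stated in the thread.

```shell
#!/bin/sh
# Added example (not Shorewall's code, not from the thread): list the kernel
# options that an IPv4 "iptables -A <chain> -m state --state ESTABLISHED
# -j ACCEPT" rule in the filter table needs, given a kernel config file.
# The dependency list below is this example's own reading of 2.6.34 Kconfig.

# Each of these must be =y or =m.  CONFIG_IP_NF_FILTER provides the filter
# table (iptable_filter); CONFIG_NF_CONNTRACK_IPV4 provides IPv4 conntrack;
# CONFIG_NETFILTER_XTABLES is x_tables, which every xt_* match needs.
STATE_MATCH_DEPS="
CONFIG_NETFILTER
CONFIG_NETFILTER_XTABLES
CONFIG_NF_CONNTRACK
CONFIG_NF_CONNTRACK_IPV4
CONFIG_NETFILTER_XT_MATCH_STATE
CONFIG_IP_NF_IPTABLES
CONFIG_IP_NF_FILTER
"

# check_state_match_deps CONFIGFILE
# Prints each missing option on its own line.  Returns 0 when nothing is
# missing, 1 otherwise.  A set option appears as "CONFIG_FOO=y" or
# "CONFIG_FOO=m"; an unset one as "# CONFIG_FOO is not set" or not at all.
check_state_match_deps() {
    cfg="$1"
    missing=0
    for opt in $STATE_MATCH_DEPS; do
        if ! grep -q "^${opt}=[ym]$" "$cfg"; then
            echo "$opt"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Usage: sh check-state-match.sh [CONFIGFILE]
# With no argument, the constructed sample below is checked instead.
if [ -n "${1:-}" ]; then
    if check_state_match_deps "$1"; then
        echo "all state-match dependencies present"
    else
        echo "state match will fail until the options above are enabled" >&2
    fi
else
    # Constructed sample: the relevant lines from the config posted in the
    # thread.  CONFIG_NETFILTER and CONFIG_NETFILTER_XTABLES were not in the
    # posted zgrep output (its pattern cannot match them); assumed set here.
    SAMPLE_CFG="${TMPDIR:-/tmp}/sample-config.$$"
    cat > "$SAMPLE_CFG" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_NETFILTER_XTABLES=m
CONFIG_NF_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_NF_DEFRAG_IPV4=m
CONFIG_NF_CONNTRACK_IPV4=m
CONFIG_IP_NF_IPTABLES=m
# CONFIG_IP_NF_FILTER is not set
# CONFIG_NF_NAT is not set
EOF
    if check_state_match_deps "$SAMPLE_CFG"; then
        echo "all state-match dependencies present"
    else
        echo "state match will fail until the options above are enabled" >&2
    fi
    rm -f "$SAMPLE_CFG"
fi
```

On a live Gentoo box the same function can be pointed at the running kernel with `zcat /proc/config.gz > /tmp/running.config` followed by `sh check-state-match.sh /tmp/running.config`. It only reads the config; it does not load modules or touch iptables, so it is safe to run before the firewall is up. Passing the check does not by itself prove the probe will succeed (modules still have to be loadable and iptables has to match the kernel), but a reported option is a definite blocker.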

----------

