# [SOLVED] Firehol:  No chain/target/match by that name.

## devlaam

After a kernel upgrade (well, it was a new install, namely x86, 3.5.7) I have problems with firehol on a configuration that worked flawlessly on the previous kernel. This is the message:

```
octy ~ # /etc/init.d/firehol start 
 * Starting FireHOL ...
--------------------------------------------------------------------------------
ERROR   : # 1.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 29 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A pr_internet_fragments -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=\'PACKET\ FRAGMENTS:\' 
OUTPUT  : 
iptables: No chain/target/match by that name.
```

and the latter is repeated many times (24) more for almost all rules.

My suspicion is that some kernel module is missing (see also: https://forums.gentoo.org/viewtopic-t-652568-highlight-firehol.html), but I think I checked most relevant ones:

```
CONFIG_NF_CONNTRACK=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_PACKET=y
```

where the last option was needed to get dhcpcd running correctly in ipv4 mode (see: https://forums.gentoo.org/viewtopic-t-951848.html). The modules seem loaded all right:

```
> lsmod
Module                  Size  Used by
iptable_mangle          1040  0 
nf_nat_ftp              1072  0 
nf_nat_irc               890  0 
nf_conntrack_ftp        4001  1 nf_nat_ftp
nf_conntrack_irc        2359  1 nf_nat_irc
ipt_MASQUERADE          1106  8 
iptable_nat             2748  1 
nf_nat                  9792  4 nf_nat_ftp,nf_nat_irc,ipt_MASQUERADE,iptable_nat
ipv6                  192906  24 
ipt_REJECT              1521  0 
xt_tcpudp               1643  0 
xt_conntrack            2281  0 
xt_limit                1028  0 
nf_conntrack_ipv4       7802  3 iptable_nat,nf_nat
nf_conntrack           40968  9 nf_nat_ftp,nf_nat_irc,nf_conntrack_ftp,nf_conntrack_irc,ipt_MASQUERADE,iptable_nat,nf_nat,xt_conntrack,nf_conntrack_ipv4
nf_defrag_ipv4           815  1 nf_conntrack_ipv4
iptable_filter           928  0 
ip_tables               7511  3 iptable_mangle,iptable_nat,iptable_filter
x_tables                9058  9 iptable_mangle,ipt_MASQUERADE,iptable_nat,ipt_REJECT,xt_tcpudp,xt_conntrack,xt_limit,iptable_filter,ip_tables
snd_via82xx            15163  0 
...
```

Also, I (re)emerged iptables after I emerged the gentoo-sources, and recompiled the kernel after that. What am I missing?

For the record, here are the complete lsmod and config files:

http://www.betaresearch.nl/tmp/config-dump

http://www.betaresearch.nl/tmp/lsmod-dump

Thank you for any ideas!

Last edited by devlaam on Thu Feb 21, 2013 7:20 pm; edited 1 time in total

----------

## khayyam

devlaam ...

At a quick glance it seems as though the issue is that you are missing xt_LOG (IPv4/IPv6 packet logging). The error shows the command '-j LOG', but no xt_LOG is listed in the output of lsmod.

best ... khayyam

----------

## devlaam

Thanks for the tip, I assume you are referring to the symbol: 

```
# CONFIG_NETFILTER_XT_TARGET_LOG is not set
```

since 

```
CONFIG_NETFILTER_XT_TARGET_NFLOG=m
```

I'll give this a try and report the result (compiling takes 5 hours so this may take a while ;) )

Preliminary research indicates that -j LOG is at least related to the problem, since if I remove all logging from the generated iptable commands and run them, they are (with a lot of warnings) accepted.

----------

## khayyam

 *devlaam wrote:*   

> Thanks for the tip, I assume you are referring to the symbol: 
> 
> ```
> # CONFIG_NETFILTER_XT_TARGET_LOG is not set
> ```
> ...

 

devlaam ... yes, xt_LOG.

 *devlaam wrote:*   

> 
> 
> ```
> CONFIG_NETFILTER_XT_TARGET_NFLOG=m
> ```
> ...

 

This is nfnetlink_log for logging to userspace, ie for logging to something like ulogd (app-admin/ulogd), whereas NETFILTER_XT_TARGET_LOG is for the LOG target used by the firehol rules (-j TARGET ... ie: -j LOG).

 *devlaam wrote:*   

> [...] Preliminary research indicates that -j LOG is at least related to the problem, since if I remove all logging from the generated iptable commands and run them, they are (with a lot of warnings) accepted.

 

hmmmm .... well, warnings suggest something else may also be missing, but I can only guess without further info.

best ... khay

----------

## devlaam

khayyam .... you rule! The tip you gave was correct and now the firewall starts without any troubles.

Thanks a lot!

----------
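The check that resolved this thread (compare the `-j` target and `-m` matches of the failing command against the modules listed by lsmod), as an added example that is not part of the original posts. The function name `missing_xt_modules` and the rule that a lowercase `-j` name is a user-defined chain are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: list the -j targets and -m matches of an iptables command
# that have no matching xt_*/ipt_*/ip6t_* module in an lsmod listing.

# Sample input copied from the first post (command trimmed before --log-prefix,
# lsmod reduced to a few of its lines).
SAMPLE_CMD='/sbin/iptables -t filter -A pr_internet_fragments -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning'
SAMPLE_LSMOD='Module                  Size  Used by
ipt_REJECT              1521  0
xt_tcpudp               1643  0
xt_conntrack            2281  0
xt_limit                1028  0
iptable_filter           928  0
ip_tables               7511  3 iptable_mangle,iptable_nat,iptable_filter'

# missing_xt_modules CMD LSMOD_TEXT
# Prints "target NAME" or "match NAME" for each extension with no loaded module.
missing_xt_modules() {
    cmd=$1
    loaded=$(printf '%s\n' "$2" | awk 'NR > 1 { print $1 }')
    set -f                      # no globbing while the command is word-split
    set -- $cmd
    set +f
    while [ $# -gt 1 ]; do
        case $1 in
            -j|--jump)  kind=target ;;
            -m|--match) kind=match ;;
            *) shift; continue ;;
        esac
        name=$2
        shift 2
        case "$kind:$name" in
            target:ACCEPT|target:DROP|target:RETURN|target:QUEUE) continue ;;  # built-in verdicts
            target:*[a-z]*) continue ;;   # assumption: lowercase -j name is a user-defined chain
            match:tcp|match:udp) mod=tcpudp ;;   # both live in xt_tcpudp
            *) mod=$name ;;
        esac
        found=no
        for m in $loaded; do
            case $m in "xt_$mod"|"ipt_$mod"|"ip6t_$mod") found=yes ;; esac
        done
        [ "$found" = yes ] || echo "$kind $name"
    done
}

missing_xt_modules "$SAMPLE_CMD" "$SAMPLE_LSMOD"   # prints: target LOG
```

Extensions compiled into the kernel (`=y`) never appear in lsmod, so a reported name still has to be checked against the kernel config, here `CONFIG_NETFILTER_XT_TARGET_LOG`.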

