Missing Netfilter feature in Kernel of Clearfog

This forum is for supported devices using an ARMv7 Marvell SoC.

Postby fanningert » Wed Jun 01, 2016 7:52 pm

Currently the kernel for Clearfog doesn't have Netfilter support. Please add the Netfilter feature to the kernel.

Code:
# CONFIG_IP_NF_IPTABLES is not set
# CONFIG_IP6_NF_IPTABLES is not set


https://github.com/archlinuxarm/PKGBUIL ... fog/config
Raspberry Pi | Raspberry Pi 2 | SolidRun ClearFog | USB Armory | Cubieboard 2 | Cubietruck
fanningert
 
Posts: 17
Joined: Wed Apr 09, 2014 7:59 pm
Location: Vienna

Re: Missing Netfilter feature in Kernel of Clearfog

Postby moonman » Wed Jun 01, 2016 8:42 pm

You can submit a Pull Request, or I will do it tonight.
Pogoplug V4 | GoFlex Home | Raspberry Pi B 512 | CuBox-i4 Pro | ClearFog | BeagleBone Black | Odroid U2 | Odroid C1 | Odroid XU4
-----------------------------------------------------------------------------------------------------------------------
[armv5] Updated U-Boot | |[armv5] How to install my.pogoplug.com service | [armv5] NAND Rescue System
moonman
Developer
 
Posts: 3089
Joined: Sat Jan 15, 2011 3:36 am
Location: Calgary, Canada

Re: Missing Netfilter feature in Kernel of Clearfog

Postby fanningert » Thu Jun 02, 2016 4:13 am

Please, can you add the missing parts? My experience with kernel configuration is nil, and I don't know whether only these two flags need to change or other flags as well.
Regards Thomas

Re: Missing Netfilter feature in Kernel of Clearfog

Postby moonman » Thu Jun 02, 2016 6:46 pm

Ok there was more to it than just changing config since the switch to GCC6.1. I'm compiling a test build right now. If all is well, it should be in the repos tonight (UTC -7)

Re: Missing Netfilter feature in Kernel of Clearfog

Postby fanningert » Thu Jun 02, 2016 8:48 pm

When the new build is online, I will test it on the ClearFog.

Thanks and Regards
Thomas

Re: Missing Netfilter feature in Kernel of Clearfog

Postby moonman » Fri Jun 03, 2016 5:59 pm

Check for updates. New kernel is in repos.

Re: Missing Netfilter feature in Kernel of Clearfog

Postby fanningert » Fri Jun 03, 2016 8:33 pm

Hi,
The current status is that the systemd service for iptables is working (with no complex rules).

But when I activate shorewall with the configuration for two network interfaces (+ masq), I get the following error.

Code:
xt_conntrack: cannot load conntrack support for proto=2
xt_conntrack: cannot load conntrack support for proto=2
Job for shorewall.service failed because the control process exited with error code. See "systemctl status shorewall.service" and "journalctl -xe" for details.


journal output with "journalctl -xe" after "systemctl restart shorewall"
Code:
Jun 03 20:31:54 homeproxy shorewall[2586]: Compiling using Shorewall 5.0.4...
Jun 03 20:31:55 homeproxy shorewall[2586]: Processing /etc/shorewall/params ...
Jun 03 20:31:55 homeproxy shorewall[2586]: Processing /etc/shorewall/shorewall.conf...
Jun 03 20:31:55 homeproxy shorewall[2586]: Loading Modules...
Jun 03 20:31:55 homeproxy kernel: xt_conntrack: cannot load conntrack support for proto=2
Jun 03 20:31:55 homeproxy kernel: xt_conntrack: cannot load conntrack support for proto=2
Jun 03 20:31:55 homeproxy shorewall[2586]:    ERROR: Your kernel/iptables do not include state match support. No version of Shorewall will run on this system
Jun 03 20:31:55 homeproxy root[2647]: ERROR:Shorewall start failed
Jun 03 20:31:55 homeproxy systemd[1]: shorewall.service: Main process exited, code=exited, status=255/n/a
Jun 03 20:31:55 homeproxy systemd[1]: Failed to start Shorewall IPv4 firewall.
-- Subject: Unit shorewall.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit shorewall.service has failed.
--
-- The result is failed.
Jun 03 20:31:55 homeproxy systemd[1]: shorewall.service: Unit entered failed state.
Jun 03 20:31:55 homeproxy systemd[1]: shorewall.service: Failed with result 'exit-code'.


The same problem for "systemctl restart shorewall6"
Code:
Jun 03 20:39:33 homeproxy kernel: ip6_tables: (C) 2000-2006 Netfilter Core Team
Jun 03 20:39:33 homeproxy shorewall6[2677]: Compiling using Shorewall6 5.0.4...
Jun 03 20:39:34 homeproxy shorewall6[2677]: Processing /etc/shorewall6/params ...
Jun 03 20:39:34 homeproxy shorewall6[2677]: Processing /etc/shorewall6/shorewall6.conf...
Jun 03 20:39:34 homeproxy shorewall6[2677]: Loading Modules...
Jun 03 20:39:34 homeproxy kernel: xt_conntrack: cannot load conntrack support for proto=10
Jun 03 20:39:34 homeproxy kernel: xt_conntrack: cannot load conntrack support for proto=10
Jun 03 20:39:34 homeproxy shorewall6[2677]:    ERROR: Your kernel/iptables do not include state match support. No version of Shorewall will run on this system
Jun 03 20:39:34 homeproxy root[2745]: ERROR:Shorewall6 start failed
Jun 03 20:39:34 homeproxy systemd[1]: shorewall6.service: Main process exited, code=exited, status=255/n/a
Jun 03 20:39:34 homeproxy systemd[1]: Failed to start Shorewall IPv6 firewall.
-- Subject: Unit shorewall6.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit shorewall6.service has failed.
--
-- The result is failed.
Jun 03 20:39:34 homeproxy systemd[1]: shorewall6.service: Unit entered failed state.
Jun 03 20:39:34 homeproxy systemd[1]: shorewall6.service: Failed with result 'exit-code'.


Here is the output of "lsmod"
Code:
lsmod
Module                  Size  Used by
xt_conntrack            2587  0
nf_conntrack           57841  1 xt_conntrack
iptable_filter          1061  0
ip_tables              10459  1 iptable_filter
x_tables               11076  3 ip_tables,xt_conntrack,iptable_filter
autofs4                21248  0


After some searching on the web, I think two lines in the config need to be changed.
Code:
# CONFIG_NF_CONNTRACK_IPV4 is not set

to
Code:
CONFIG_NF_CONNTRACK_IPV4=m


and

Code:
# CONFIG_NF_CONNTRACK_IPV6 is not set

to
Code:
CONFIG_NF_CONNTRACK_IPV6=m


When you need more info, please call.
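
An added example, not part of the original posts or of the Arch Linux ARM packaging: a shell script that turns the `xt_conntrack: cannot load conntrack support for proto=N` kernel messages from the post above into the config symbol to check. The function names and the sample config excerpt are constructed for illustration; the mapping of `proto=2`/`proto=10` to the two symbols assumes a kernel like the one in this thread, where per-family conntrack is a separate option.

```shell
#!/bin/sh
# Constructed sample input: two kernel log lines as in the thread's journal
# output, and a config excerpt with the two conntrack options unset.
SAMPLE_LOG='Jun 03 20:31:55 homeproxy kernel: xt_conntrack: cannot load conntrack support for proto=2
Jun 03 20:39:34 homeproxy kernel: xt_conntrack: cannot load conntrack support for proto=10'
SAMPLE_CONFIG='CONFIG_NF_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_IP_NF_IPTABLES=m
# CONFIG_NF_CONNTRACK_IPV4 is not set
# CONFIG_NF_CONNTRACK_IPV6 is not set'

# Print the state of one symbol in a kernel config text:
# y (built in), m (module) or n (unset or absent).
symbol_state() {  # $1 = symbol name, $2 = config text
    val=$(printf '%s\n' "$2" | sed -n "s/^$1=\([ym]\)\$/\1/p" | head -n 1)
    printf '%s\n' "${val:-n}"
}

# The proto= number is an address family; map it to the option that
# provides layer-3 connection tracking for that family.
family_symbol() {  # $1 = address family number
    case "$1" in
        2)  echo CONFIG_NF_CONNTRACK_IPV4 ;;  # AF_INET
        10) echo CONFIG_NF_CONNTRACK_IPV6 ;;  # AF_INET6
        *)  echo UNKNOWN ;;
    esac
}

# For each distinct proto= failure in the log, print the responsible
# symbol and its current state in the given config.
diagnose() {  # $1 = log text, $2 = config text
    printf '%s\n' "$1" |
    sed -n 's/.*xt_conntrack: cannot load conntrack support for proto=\([0-9][0-9]*\).*/\1/p' |
    sort -nu |
    while read -r fam; do
        sym=$(family_symbol "$fam")
        printf 'proto=%s %s=%s\n' "$fam" "$sym" "$(symbol_state "$sym" "$2")"
    done
}

diagnose "$SAMPLE_LOG" "$SAMPLE_CONFIG"
```

On a running system the log text can come from `journalctl -k`, and the config text from `zcat /proc/config.gz` when the kernel exposes it.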

Re: Missing Netfilter feature in Kernel of Clearfog

Postby moonman » Sat Jun 04, 2016 1:04 am

Fixed in 3.10.101-4

Re: Missing Netfilter feature in Kernel of Clearfog

Postby fanningert » Sat Jun 04, 2016 6:07 am

Thanks for your work.
Now shorewall and shorewall6 are starting without error. I will test some more rules, but currently we can close this thread.

