Missing Netfilter feature in Kernel of Clearfog

This forum is for supported devices using an ARMv7 Marvell SoC.

Missing Netfilter feature in Kernel of Clearfog

Post by fanningert » Wed Jun 01, 2016 7:52 pm

Currently the kernel for Clearfog doesn't have Netfilter support. Please add the Netfilter feature to the kernel.

```
# CONFIG_IP_NF_IPTABLES is not set
# CONFIG_IP6_NF_IPTABLES is not set
```

https://github.com/archlinuxarm/PKGBUIL ... fog/config
Raspberry Pi | Raspberry Pi 2 | SolidRun ClearFog | USB Armory | Cubieboard 2 | Cubietruck
fanningert
 
Posts: 17
Joined: Wed Apr 09, 2014 7:59 pm
Location: Vienna

Re: Missing Netfilter feature in Kernel of Clearfog

Post by moonman » Wed Jun 01, 2016 8:42 pm

You can submit a Pull Request, or I will do it tonight.
Pogoplug V4 | GoFlex Home | Raspberry Pi 4 4GB | CuBox-i4 Pro | ClearFog | BeagleBone Black | Odroid U2 | Odroid C1 | Odroid XU4
-----------------------------------------------------------------------------------------------------------------------
[armv5] Updated U-Boot | [armv5] NAND Rescue System
moonman
Developer
 
Posts: 3387
Joined: Sat Jan 15, 2011 3:36 am

Re: Missing Netfilter feature in Kernel of Clearfog

Post by fanningert » Thu Jun 02, 2016 4:13 am

Please, can you add the missing parts? My experience with kernel configuration is nil, and I don't know whether only these two flags need to change or other flags as well.
Regards, Thomas

Re: Missing Netfilter feature in Kernel of Clearfog

Post by moonman » Thu Jun 02, 2016 6:46 pm

Ok, there was more to it than just changing config since the switch to GCC6.1. I'm compiling a test build right now. If all is well, it should be in the repos tonight (UTC -7).

Re: Missing Netfilter feature in Kernel of Clearfog

Post by fanningert » Thu Jun 02, 2016 8:48 pm

When the new build is online, I will test it on the ClearFog.

Thanks and Regards
Thomas

Re: Missing Netfilter feature in Kernel of Clearfog

Post by moonman » Fri Jun 03, 2016 5:59 pm

Check for updates. New kernel is in repos.

Re: Missing Netfilter feature in Kernel of Clearfog

Post by fanningert » Fri Jun 03, 2016 8:33 pm

Hi,
the current status is that the systemd service for iptables is working (with no complex rules).

But when I activate shorewall with the configuration for two network interfaces (+ masq), I get the following error.

```
xt_conntrack: cannot load conntrack support for proto=2
xt_conntrack: cannot load conntrack support for proto=2
Job for shorewall.service failed because the control process exited with error code. See "systemctl status shorewall.service" and "journalctl -xe" for details.
```

journal output with "journalctl -xe" after "systemctl restart shorewall"
```
Jun 03 20:31:54 homeproxy shorewall[2586]: Compiling using Shorewall 5.0.4...
Jun 03 20:31:55 homeproxy shorewall[2586]: Processing /etc/shorewall/params ...
Jun 03 20:31:55 homeproxy shorewall[2586]: Processing /etc/shorewall/shorewall.conf...
Jun 03 20:31:55 homeproxy shorewall[2586]: Loading Modules...
Jun 03 20:31:55 homeproxy kernel: xt_conntrack: cannot load conntrack support for proto=2
Jun 03 20:31:55 homeproxy kernel: xt_conntrack: cannot load conntrack support for proto=2
Jun 03 20:31:55 homeproxy shorewall[2586]: ERROR: Your kernel/iptables do not include state match support. No version of Shorewall will run on this system
Jun 03 20:31:55 homeproxy root[2647]: ERROR:Shorewall start failed
Jun 03 20:31:55 homeproxy systemd[1]: shorewall.service: Main process exited, code=exited, status=255/n/a
Jun 03 20:31:55 homeproxy systemd[1]: Failed to start Shorewall IPv4 firewall.
-- Subject: Unit shorewall.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit shorewall.service has failed.
--
-- The result is failed.
Jun 03 20:31:55 homeproxy systemd[1]: shorewall.service: Unit entered failed state.
Jun 03 20:31:55 homeproxy systemd[1]: shorewall.service: Failed with result 'exit-code'.
```

The same problem for "systemctl restart shorewall6"
```
Jun 03 20:39:33 homeproxy kernel: ip6_tables: (C) 2000-2006 Netfilter Core Team
Jun 03 20:39:33 homeproxy shorewall6[2677]: Compiling using Shorewall6 5.0.4...
Jun 03 20:39:34 homeproxy shorewall6[2677]: Processing /etc/shorewall6/params ...
Jun 03 20:39:34 homeproxy shorewall6[2677]: Processing /etc/shorewall6/shorewall6.conf...
Jun 03 20:39:34 homeproxy shorewall6[2677]: Loading Modules...
Jun 03 20:39:34 homeproxy kernel: xt_conntrack: cannot load conntrack support for proto=10
Jun 03 20:39:34 homeproxy kernel: xt_conntrack: cannot load conntrack support for proto=10
Jun 03 20:39:34 homeproxy shorewall6[2677]: ERROR: Your kernel/iptables do not include state match support. No version of Shorewall will run on this system
Jun 03 20:39:34 homeproxy root[2745]: ERROR:Shorewall6 start failed
Jun 03 20:39:34 homeproxy systemd[1]: shorewall6.service: Main process exited, code=exited, status=255/n/a
Jun 03 20:39:34 homeproxy systemd[1]: Failed to start Shorewall IPv6 firewall.
-- Subject: Unit shorewall6.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit shorewall6.service has failed.
--
-- The result is failed.
Jun 03 20:39:34 homeproxy systemd[1]: shorewall6.service: Unit entered failed state.
Jun 03 20:39:34 homeproxy systemd[1]: shorewall6.service: Failed with result 'exit-code'.
```

Here is the output of "lsmod"
```
lsmod :(
Module Size Used by
xt_conntrack 2587 0
nf_conntrack 57841 1 xt_conntrack
iptable_filter 1061 0
ip_tables 10459 1 iptable_filter
x_tables 11076 3 ip_tables,xt_conntrack,iptable_filter
autofs4 21248 0
```

After some searching on the web, I think two lines in the config need to be changed.
```
# CONFIG_NF_CONNTRACK_IPV4 is not set
```
to
```
CONFIG_NF_CONNTRACK_IPV4=m
```

and

```
# CONFIG_NF_CONNTRACK_IPV6 is not set
```
to
```
CONFIG_NF_CONNTRACK_IPV6=m
```

If you need more info, please ask.

Re: Missing Netfilter feature in Kernel of Clearfog

Post by moonman » Sat Jun 04, 2016 1:04 am

Fixed in 3.10.101-4

Re: Missing Netfilter feature in Kernel of Clearfog

Post by fanningert » Sat Jun 04, 2016 6:07 am

Thanks for your work.
Now shorewall and shorewall6 are starting without error. I will test some more rules, but currently we can close this thread.
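
Added example (not part of the original thread and not Arch Linux ARM project code): a shell check that ties the `xt_conntrack: cannot load conntrack support for proto=N` kernel messages seen above to the per-family conntrack options that were disabled. The function names are hypothetical, the sample config and log text are constructed from lines quoted in the thread, and the mapping assumes the Linux address-family numbers (2 = IPv4, 10 = IPv6) and a kernel that still has separate `CONFIG_NF_CONNTRACK_IPV4`/`CONFIG_NF_CONNTRACK_IPV6` options, as the 3.10 kernel here does.

```shell
#!/bin/sh
# Added example: map xt_conntrack load failures to the kernel config options
# that provide the missing per-family connection tracking.

# Constructed sample input, modelled on the config and journal lines in the thread.
SAMPLE_CONFIG='CONFIG_NF_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP6_NF_IPTABLES=m
# CONFIG_NF_CONNTRACK_IPV4 is not set
# CONFIG_NF_CONNTRACK_IPV6 is not set'
SAMPLE_LOG='Jun 03 20:31:55 homeproxy kernel: xt_conntrack: cannot load conntrack support for proto=2
Jun 03 20:39:34 homeproxy kernel: xt_conntrack: cannot load conntrack support for proto=10'

# config_state CONFIG_TEXT OPTION -> y, m, or n (n = "is not set" or absent)
config_state() {
    val=$(printf '%s\n' "$1" | sed -n "s/^$2=\([ym]\)\$/\1/p" | head -n 1)
    printf '%s\n' "${val:-n}"
}

# proto_option N -> config option for protocol family N (2 = IPv4, 10 = IPv6)
proto_option() {
    case "$1" in
        2)  echo CONFIG_NF_CONNTRACK_IPV4 ;;
        10) echo CONFIG_NF_CONNTRACK_IPV6 ;;
        *)  echo "UNKNOWN_PROTO_$1" ;;
    esac
}

# missing_options CONFIG_TEXT LOG_TEXT -> one disabled option per failing family
missing_options() {
    printf '%s\n' "$2" |
        sed -n 's/.*xt_conntrack: cannot load conntrack support for proto=\([0-9][0-9]*\).*/\1/p' |
        sort -un |
        while read -r proto; do
            opt=$(proto_option "$proto")
            if [ "$(config_state "$1" "$opt")" = n ]; then
                echo "$opt"
            fi
        done
}

# Report which options explain the failures in the sample log.
missing_options "$SAMPLE_CONFIG" "$SAMPLE_LOG"
```

On a real system the two arguments could be filled from `zcat /proc/config.gz` (if the kernel exposes it) and `journalctl -k`.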

