I'm using the latest test patch for grsec (2.6.24.2) on my kernel.
Long story short - CONFIG_NETFILTER_XT_MATCH_STATE is missing from the kernel config. It's almost as if it's been removed from the kernel. It's just not building the xt_state.ko module that iptables needs, and as a result, I get this when I try to start it:
- Code: Select all
[root@forums ~]# /etc/init.d/iptables restart
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: iptables-restore: line 21 failed
[FAILED]
Line 21 is the "COMMIT" command. If I remove all the lines with "-m state", it starts just fine.
I tried to force it to build, but it didn't work.
- Code: Select all
[root@forums linux-2.6.24.3-grsec]# make CONFIG_NETFILTER_XT_MATCH_STATE=m M=net/netfilter
CC [M] net/netfilter/xt_state.o
In file included from net/netfilter/xt_state.c:13:
include/net/netfilter/nf_conntrack.h:99: error: field âct_generalâ has incomplete type
include/net/netfilter/nf_conntrack.h: In function ânf_ct_getâ:
include/net/netfilter/nf_conntrack.h:160: error: âconst struct sk_buffâ has no member named ânfctâ
include/net/netfilter/nf_conntrack.h: In function ânf_ct_putâ:
include/net/netfilter/nf_conntrack.h:167: error: implicit declaration of function ânf_conntrack_putâ
include/net/netfilter/nf_conntrack.h: In function ânf_ct_is_untrackedâ:
include/net/netfilter/nf_conntrack.h:249: error: âconst struct sk_buffâ has no member named ânfctâ
make[1]: *** [net/netfilter/xt_state.o] Error 1
make: *** [_module_net/netfilter] Error 2
I'm using iptables-1.3.8 with the grsec-iptables patch (slightly modified to fix the Makefile headers). It doesn't work with the stock-rpm iptables either.
iptables works with the regular EL5 kernel, but not with the latest kernel with the grsecurity patch. Probably not caused by the grsecurity patch, but nonetheless I'm stuck with a grsecurity kernel with no firewall.
Ideas anyone?