problems applying ipset patch

problems applying ipset patch

[Andrea]

hi, this is my first post here.  [don't know if I have to use the 
developer mailing list, sorry if i'm wrong].

I've tried to apply the ipset patch in my CentOS 4.4 distribution, 
without success.

I've followed instructions here 
http://www.howtoforge.com/kernel_compilation_centos_p2?s=aabdb730a09fa747d00f2b9a3ff431cc& 
   (CentOS Kernel Compile) and here 
http://ipset.netfilter.org/install.html (ipset patch apply).

The patch is applied successfully, but when I try to recompile, I obtain 
these errors (after a long list of compiled files):

...
   LD      .tmp_vmlinux1
net/built-in.o(.init.text+0x16f1): In function `ipt_ipset_init':
net/ipv4/netfilter/ipt_set.c:133: undefined reference to `xt_register_match'
net/built-in.o(.init.text+0x1700): In function `ipt_SET_init':
net/ipv4/netfilter/ipt_SET.c:151: undefined reference to 
`xt_register_target'
net/built-in.o(.exit.text+0x41): In function `ipt_ipset_fini':
net/ipv4/netfilter/ipt_set.c:138: undefined reference to 
`xt_unregister_match'
net/built-in.o(.exit.text+0x50): In function `ipt_SET_fini':
net/ipv4/netfilter/ipt_SET.c:156: undefined reference to 
`xt_unregister_target'
make: *** [.tmp_vmlinux1] Error 1

I've tried twice, using two combinations of kernel (downloaded from 
www.kernel.org) and patch-o-matic (downloaded first time from 
http://ipset.netfilter.org/, second from patch-o-matic snaptshots).

I've applied only the ipset patch (launching only the  ./runme set 
command, just as explained in the ipset site).

Maybe do I need to apply other patches from patch-o-matic?

Thanks for the help

problems applying ipset patch

[Andrea]

I've tried to apply the ipset patch in my CentOS 4.4 distribution, 
without success.

I've followed instructions here 
http://www.howtoforge.com/kernel_compilation_centos_p2?s=aabdb730a09fa747d00f2b9a3ff431cc& 
   (CentOS Kernel Compile) and here 
http://ipset.netfilter.org/install.html (ipset patch apply).

The patch is applied successfully, but when I try to recompile, I obtain 
these errors (after a long list of compiled files):

...
   LD      .tmp_vmlinux1
net/built-in.o(.init.text+0x16f1): In function `ipt_ipset_init':
net/ipv4/netfilter/ipt_set.c:133: undefined reference to `xt_register_match'
net/built-in.o(.init.text+0x1700): In function `ipt_SET_init':
net/ipv4/netfilter/ipt_SET.c:151: undefined reference to 
`xt_register_target'
net/built-in.o(.exit.text+0x41): In function `ipt_ipset_fini':
net/ipv4/netfilter/ipt_set.c:138: undefined reference to 
`xt_unregister_match'
net/built-in.o(.exit.text+0x50): In function `ipt_SET_fini':
net/ipv4/netfilter/ipt_SET.c:156: undefined reference to 
`xt_unregister_target'
make: *** [.tmp_vmlinux1] Error 1

I've tried twice, using two combinations of kernel (downloaded from 
www.kernel.org) and patch-o-matic (downloaded first time from 
http://ipset.netfilter.org/, second from patch-o-matic snaptshots).

I've applied only the ipset patch (launching only the  ./runme set 
command, just as explained in the ipset site).

Maybe do I need to apply other patches from patch-o-matic?

Thanks for the help

Re: problems applying ipset patch

[Henrik Nordstrom]

[-- Attachment #1: Type: text/plain, Size: 562 bytes --]

ons 2007-05-23 klockan 09:47 +0200 skrev Andrea:
> I've tried to apply the ipset patch in my CentOS 4.4 distribution, 
> without success.
> 
> I've followed instructions here 
> http://www.howtoforge.com/kernel_compilation_cent§os_p2?s=aabdb730a09fa747d00f2b9a3ff431cc& 
>    (CentOS Kernel Compile) and here 
> http://ipset.netfilter.org/install.html (ipset patch apply).
> 
> The patch is applied successfully, but when I try to recompile, I obtain 
> these errors (after a long list of compiled files):

Which kernel version?

Regards
Henrik

[-- Attachment #2: Detta är en digitalt signerad meddelandedel --]
[-- Type: application/pgp-signature, Size: 307 bytes --]

Re: problems applying ipset patch

[Andrea]

Henrik Nordstrom ha scritto:

> 
> Which kernel version?


In the second try used linux-2.6.16.51.tar from www.kernel.org and 
patch-o-matic-ng-20070521

Re: problems applying ipset patch

[Henrik Nordstrom]

[-- Attachment #1: Type: text/plain, Size: 435 bytes --]

ons 2007-05-23 klockan 10:50 +0200 skrev Andrea:
> Henrik Nordstrom ha scritto:
> 
> > 
> > Which kernel version?
> 
> 
> In the second try used linux-2.6.16.51.tar from www.kernel.org and 
> patch-o-matic-ng-20070521

Try with a newer kernel. There is more than a year difference between
your kernel and your pom-ng release.

Also make sure CONFIG_NETFILTER_XTABLES is enabled in your kernel
config.

Regards
Henrik

[-- Attachment #2: Detta är en digitalt signerad meddelandedel --]
[-- Type: application/pgp-signature, Size: 307 bytes --]

Re: problems applying ipset patch

[Andrea]

Henrik Nordstrom ha scritto:
> ons 2007-05-23 klockan 10:50 +0200 skrev Andrea:
>> Henrik Nordstrom ha scritto:
>>
>>> Which kernel version?
>>
>> In the second try used linux-2.6.16.51.tar from www.kernel.org and 
>> patch-o-matic-ng-20070521
> 
> Try with a newer kernel. There is more than a year difference between
> your kernel and your pom-ng release.

????

2.6.16.51 has been released in 09 May 2007, as stated in 
http://www.kernel.org/pub/linux/kernel/v2.6/?C=M;O=A

> 
> Also make sure CONFIG_NETFILTER_XTABLES is enabled in your kernel
> config.

it seems it's not set. Maybe the problem is here. I'll try again.

Thanks

Re: problems applying ipset patch

[Henrik Nordstrom]

[-- Attachment #1: Type: text/plain, Size: 247 bytes --]

ons 2007-05-23 klockan 11:10 +0200 skrev Andrea:

> 2.6.16.51 has been released in 09 May 2007, as stated in 
> http://www.kernel.org/pub/linux/kernel/v2.6/?C=M;O=A

Well, it's mostly 2.6.16 which is more than a year old.

Regards
Henrik

[-- Attachment #2: Detta är en digitalt signerad meddelandedel --]
[-- Type: application/pgp-signature, Size: 307 bytes --]

Re: problems applying ipset patch

[Andrea]

Henrik Nordstrom ha scritto:
> ons 2007-05-23 klockan 11:10 +0200 skrev Andrea:
> 
>> 2.6.16.51 has been released in 09 May 2007, as stated in 
>> http://www.kernel.org/pub/linux/kernel/v2.6/?C=M;O=A
> 
> Well, it's mostly 2.6.16 which is more than a year old.

ok, you are right, I've choose wrong version (I had ordered the page 
according to modified date, latest file was 2.6.16.51) :-)

Re: problems applying ipset patch

[Andrea]

Andrea ha scritto:
> Henrik Nordstrom ha scritto:
>> ons 2007-05-23 klockan 11:10 +0200 skrev Andrea:
>>
>>> 2.6.16.51 has been released in 09 May 2007, as stated in 
>>> http://www.kernel.org/pub/linux/kernel/v2.6/?C=M;O=A
>>
>> Well, it's mostly 2.6.16 which is more than a year old.
> 

Tried again with   linux-2.6.21.1 kernel. It seems that kernet has been 
compiled, but I've these warnings and errors:

make all


....
Root device is (253, 0)
Boot sector 512 bytes.
Setup is 7354 bytes.
System is 1559 kB
Kernel: arch/i386/boot/bzImage is ready  (#1)
   Building modules, stage 2.
   MODPOST 758 modules
WARNING: drivers/atm/lanai.o - Section mismatch: reference to 
.init.text: from . 
                        text between 'sram_test_pass' (at offset 0x171) 
and 'sram_test_and_clear'
WARNING: drivers/net/sis900.o - Section mismatch: reference to 
.init.text:sis900 
                       _mii_probe from .text between 'sis900_probe' (at 
offset 0x4ce) and 'sis900_defau 
                                     lt_phy'
WARNING: drivers/net/sunhme.o - Section mismatch: reference to 
.init.text: from 
                       .text between 'happy_meal_pci_probe' (at offset 
0x289c) and 'happy_meal_pci_remo 
                                      ve'
WARNING: drivers/net/tokenring/3c359.o - Section mismatch: reference to 
.init.te 
              xt:xl_init from .text between 'xl_probe' (at offset 0x203) 
and 'xl_hw_reset'
WARNING: "ipt_unregister_match" [net/ipv4/netfilter/ipt_set.ko] undefined!
WARNING: "ipt_register_match" [net/ipv4/netfilter/ipt_set.ko] undefined!
WARNING: "ipt_unregister_target" [net/ipv4/netfilter/ipt_SET.ko] undefined!
WARNING: "ipt_register_target" [net/ipv4/netfilter/ipt_SET.ko] undefined!
make[1]: *** [__modpost] Error 1
make: *** [modules] Error 2


Maybe because I've iptables just installed, before kernel recompilation?
are these warnings important?

Re: problems applying ipset patch

[Henrik Nordstrom]

[-- Attachment #1: Type: text/plain, Size: 772 bytes --]

tor 2007-05-24 klockan 11:39 +0200 skrev Andrea:

> WARNING: "ipt_unregister_match" [net/ipv4/netfilter/ipt_set.ko]
> undefined!
> WARNING: "ipt_register_match" [net/ipv4/netfilter/ipt_set.ko]
> undefined!
> WARNING: "ipt_unregister_target" [net/ipv4/netfilter/ipt_SET.ko]
> undefined!
> WARNING: "ipt_register_target" [net/ipv4/netfilter/ipt_SET.ko]
> undefined!
> make[1]: *** [__modpost] Error 1
> make: *** [modules] Error 2
> 
> 
> Maybe because I've iptables just installed, before kernel
> recompilation?
> are these warnings important?

The driver warnings is something to send to the kernel janitor to take
care of.. not related to ipset.

But the above warnings is important. The module won't work with these
warnings..

Regards
Henrik

[-- Attachment #2: Detta är en digitalt signerad meddelandedel --]
[-- Type: application/pgp-signature, Size: 307 bytes --]

Re: problems applying ipset patch

[Jozsef Kadlecsik]

On Thu, 24 May 2007, Andrea wrote:

> Tried again with   linux-2.6.21.1 kernel. It seems that kernet has been 
> compiled, but I've these warnings and errors:
>
> WARNING: "ipt_unregister_match" [net/ipv4/netfilter/ipt_set.ko] undefined!
> WARNING: "ipt_register_match" [net/ipv4/netfilter/ipt_set.ko] undefined!
> WARNING: "ipt_unregister_target" [net/ipv4/netfilter/ipt_SET.ko] undefined!
> WARNING: "ipt_register_target" [net/ipv4/netfilter/ipt_SET.ko] undefined!

Please check out patch-o-matic-ng from the svn repository: I committed 
the required changes yesterday to support kernel versions 2.6.21 and 
above.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
           H-1525 Budapest 114, POB. 49, Hungary

Re: problems applying ipset patch

[Andrea]

> Please check out patch-o-matic-ng from the svn repository: I committed 
> the required changes yesterday to support kernel versions 2.6.21 and above.

is this snapshot compatible with 2.6.21?

http://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/patch-o-matic-ng-20070523.tar.bz2

Re: problems applying ipset patch

[Jozsef Kadlecsik]

On Thu, 24 May 2007, Andrea wrote:

>> Please check out patch-o-matic-ng from the svn repository: I committed the 
>> required changes yesterday to support kernel versions 2.6.21 and above.
>
> is this snapshot compatible with 2.6.21?
>
> http://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/patch-o-matic-ng-20070523.tar.bz2

I believe the snapshot is created early in the morning, so it's not.
Download http://ipset.netfilter.org/patch-o-matic-ng-20070524.tar.bz2 
instead.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
           H-1525 Budapest 114, POB. 49, Hungary

Re: problems applying ipset patch

[Henrik Nordstrom]

[-- Attachment #1: Type: text/plain, Size: 249 bytes --]

tor 2007-05-24 klockan 12:25 +0200 skrev Jozsef Kadlecsik:

> I believe the snapshot is created early in the morning, so it's not.

From what I can tell the snapshots is generated late in the evening
23:55 CEST (21:55 GMT).

Regards
Henrik

[-- Attachment #2: Detta är en digitalt signerad meddelandedel --]
[-- Type: application/pgp-signature, Size: 307 bytes --]

Re: problems applying ipset patch

[Henrik Nordstrom]

[-- Attachment #1: Type: text/plain, Size: 663 bytes --]

tor 2007-05-24 klockan 12:18 +0200 skrev Andrea:
> > Please check out patch-o-matic-ng from the svn repository: I committed 
> > the required changes yesterday to support kernel versions 2.6.21 and above.
> 
> is this snapshot compatible with 2.6.21?
> 
> http://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/patch-o-matic-ng-20070523.tar.bz2

Should be fine. That snapshot is 10.5 hours old, and Jozsef's changed
ipset 25 hours ago.

If in doubt verify that
patchlets/set/linux-2.6/net/ipv4/netfilter/ipt_SET.c is modified
yesterday after unpacking the snapshot.

  ls -l patchlets/set/linux-2.6/net/ipv4/netfilter/ipt_SET.c

Regards
Henrik

[-- Attachment #2: Detta är en digitalt signerad meddelandedel --]
[-- Type: application/pgp-signature, Size: 307 bytes --]

Re: problems applying ipset patch

[Andrea]

Henrik Nordstrom ha scritto:
> tor 2007-05-24 klockan 12:18 +0200 skrev Andrea:
>>> Please check out patch-o-matic-ng from the svn repository: I committed 
>>> the required changes yesterday to support kernel versions 2.6.21 and above.
>> is this snapshot compatible with 2.6.21?
>>
>> http://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/patch-o-matic-ng-20070523.tar.bz2
> 
> Should be fine. That snapshot is 10.5 hours old, and Jozsef's changed
> ipset 25 hours ago.
> 
> If in doubt verify that
> patchlets/set/linux-2.6/net/ipv4/netfilter/ipt_SET.c is modified
> yesterday after unpacking the snapshot.
> 
>   ls -l patchlets/set/linux-2.6/net/ipv4/netfilter/ipt_SET.c

I've just patched with patch-o-matic-ng-20070524.tar.bz2. So my config is:

-linux-2.6.21.1.tar.bz2
-patch-o-matic-ng-20070524.tar.bz2
-iptables-1.3.7.tar.bz2
-ipset-2.2.9a-20061009.tar.bz2  (maybe too old?)

Waiting compile-phase done, some questions:

- in make oldconfig I've set ipsets entries as modules (m): am I right?
- do I need to uninstall iptables before patch-compile-reinstall new 
version of iptables?

Thanks for the patience

Re: problems applying ipset patch

[Jozsef Kadlecsik]

On Thu, 24 May 2007, Andrea wrote:

> Henrik Nordstrom ha scritto:
>>> 
>>> http://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/patch-o-matic-ng-20070523.tar.bz2
>> 
>> Should be fine. That snapshot is 10.5 hours old, and Jozsef's changed
>> ipset 25 hours ago.
>> 
>> If in doubt verify that
>> patchlets/set/linux-2.6/net/ipv4/netfilter/ipt_SET.c is modified
>> yesterday after unpacking the snapshot.
>>
>>   ls -l patchlets/set/linux-2.6/net/ipv4/netfilter/ipt_SET.c
>
> I've just patched with patch-o-matic-ng-20070524.tar.bz2. So my config is:
>
> -linux-2.6.21.1.tar.bz2
> -patch-o-matic-ng-20070524.tar.bz2
> -iptables-1.3.7.tar.bz2
> -ipset-2.2.9a-20061009.tar.bz2  (maybe too old?)

That's good. (There was no need to fix the userspace tool since then.)

> Waiting compile-phase done, some questions:
>
> - in make oldconfig I've set ipsets entries as modules (m): am I right?

Fine.

> - do I need to uninstall iptables before patch-compile-reinstall new version 
> of iptables?

No, 'make install' will overwrite existing shared libraries and binaries. 
Just make sure you use the correct iptables binary if you have got one 
installed in another directory, too, from your distribution.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
           H-1525 Budapest 114, POB. 49, Hungary

Re: problems applying ipset patch

[Andrea]

> 
> No, 'make install' will overwrite existing shared libraries and 
> binaries. Just make sure you use the correct iptables binary if you have 
> got one installed in another directory, too, from your distribution.
> 

Kernel now works fine!

I've rebooted the system with the new kernel, compiled and installed 
iptables and ipset, rebooted again.

At the startup, however, iptables failed to start, (and so the shorewall 
script), with the message "iptables-restore: line 10 failed"

Re: problems applying ipset patch

[Jozsef Kadlecsik]

On Thu, 24 May 2007, Andrea wrote:

>> No, 'make install' will overwrite existing shared libraries and binaries. 
>> Just make sure you use the correct iptables binary if you have got one 
>> installed in another directory, too, from your distribution.
>
> Kernel now works fine!
>
> I've rebooted the system with the new kernel, compiled and installed iptables 
> and ipset, rebooted again.
>
> At the startup, however, iptables failed to start, (and so the shorewall 
> script), with the message "iptables-restore: line 10 failed"

What's in line 10??

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
           H-1525 Budapest 114, POB. 49, Hungary

Re: problems applying ipset patch

[Andrea]

Jozsef Kadlecsik ha scritto:
> On Thu, 24 May 2007, Andrea wrote:
> 
>>> No, 'make install' will overwrite existing shared libraries and 
>>> binaries. Just make sure you use the correct iptables binary if you 
>>> have got one installed in another directory, too, from your 
>>> distribution.
>>
>> Kernel now works fine!
>>
>> I've rebooted the system with the new kernel, compiled and installed 
>> iptables and ipset, rebooted again.
>>
>> At the startup, however, iptables failed to start, (and so the 
>> shorewall script), with the message "iptables-restore: line 10 failed"
> 
> What's in line 10??

In what file do I have to find? /etc/sysconfig/iptables, maybe?

Here it is:

# Generated by iptables-save v1.2.11 on Mon May 14 10:59:07 2007
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth2 -j ACCEPT
-A FORWARD -o eth2 -j ACCEPT
-A OUTPUT -j ACCEPT
COMMIT
# Completed on Mon May 14 10:59:07 2007
# Generated by iptables-save v1.2.11 on Mon May 14 10:59:07 2007
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Mon May 14 10:59:07 2007
# Generated by iptables-save v1.2.11 on Mon May 14 10:59:07 2007
*mangle
:PREROUTING ACCEPT [10461:714412]
:INPUT ACCEPT [5007:406609]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3176:400160]
:POSTROUTING ACCEPT [3176:400160]
COMMIT
# Completed on Mon May 14 10:59:07 2007

Re: problems applying ipset patch

[Andrea]

when I reboot with the old kernel, iptables works even if this it's 
patched and updated to the version 1.3.7.

I suspect that I've forgotten some module or some kernel setting

Re: problems applying ipset patch

[Andrea]

Another issue: trying to modify iptables rules file, I obtain something 
like:

"iptables-restore v1.2.11: no command specified"

Maybe is there a mess between old and new version of iptables?

Re: problems applying ipset patch

[Jozsef Kadlecsik]

On Thu, 24 May 2007, Andrea wrote:

> Another issue: trying to modify iptables rules file, I obtain something like:
>
> "iptables-restore v1.2.11: no command specified"
>
> Maybe is there a mess between old and new version of iptables?

Yes, it seem so. You wrote that you upgraded to the version 1.3.7.
So there must be at least two sets of iptables(-save|restore) commands on 
your machine.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
           H-1525 Budapest 114, POB. 49, Hungary

Re: problems applying ipset patch

[Andrea]

Jozsef Kadlecsik ha scritto:

> Yes, it seem so. You wrote that you upgraded to the version 1.3.7.
> So there must be at least two sets of iptables(-save|restore) commands 
> on your machine.

is there a method to resolve this mess? I could try to remove old 
version of iptables with "yum remove iptables", but this command also 
removes dependency of Shorewall, wich I would preserve.

Re: problems applying ipset patch

[Henrik Nordstrom]

[-- Attachment #1: Type: text/plain, Size: 428 bytes --]

fre 2007-05-25 klockan 18:53 +0200 skrev Andrea:

> is there a method to resolve this mess? I could try to remove old 
> version of iptables with "yum remove iptables", but this command also 
> removes dependency of Shorewall, wich I would preserve.

Specify the full path to the correct binary. You most likely have the
yum installed one in /sbin, and the manually installed one
in /usr/local/sbin/

Regards
Henrik

[-- Attachment #2: Detta är en digitalt signerad meddelandedel --]
[-- Type: application/pgp-signature, Size: 307 bytes --]

Re: problems applying ipset patch

[Andrea]

Henrik Nordstrom ha scritto:
> fre 2007-05-25 klockan 18:53 +0200 skrev Andrea:
> 
>> is there a method to resolve this mess? I could try to remove old 
>> version of iptables with "yum remove iptables", but this command also 
>> removes dependency of Shorewall, wich I would preserve.
> 
> Specify the full path to the correct binary. You most likely have the
> yum installed one in /sbin, and the manually installed one
> in /usr/local/sbin/

I've unistalled the original iptables, then I've tried to manually pass 
  rules:

- iptables -A FORWARD -i eth1 -j ACCEPT      ---- ok
- iptables -A FORWARD -o eth1 -j ACCEPT      ---- ok

but

- iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE ===>

iptables v1.3.7: can't initialize iptables table `nat': Table does not 
exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

At this point I think the problem is in some missing settings in the 
kernel conf

Re: problems applying ipset patch

[Maximilian Wilhelm]

Am Monday, den 28 May hub Andrea folgendes in die Tasten:

[...]
> - iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE ===>

> iptables v1.3.7: can't initialize iptables table `nat': Table does not 
> exist (do you need to insmod?)
> Perhaps iptables or your kernel needs to be upgraded.

> At this point I think the problem is in some missing settings in the 
> kernel conf

I guess, that you do not have the 'CONFIG_NF_NAT' option activated?
So your kernel will also lack the 'CONFIG_IP_NF_TARGET_MASQUERADE'
option.

If you use the "old" layer 3 depended conntrack, you need
'CONFIG_IP_NF_NAT' instead of 'CONFIG_NF_NAT'.

You can check this looking in "menuconfig" at:
 Networking
  -> Networking options
   -> Network packet filtering framework (Netfilter)
    -> Core Netfilter Configuration
     -> Netfilter connection tracking support

HTH
Ciao
Max
-- 
	Follow the white penguin.

Re: problems applying ipset patch

[Andrea]

Maximilian Wilhelm ha scritto:
> Am Monday, den 28 May hub Andrea folgendes in die Tasten:
> 
> [...]
>> - iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE ===>
> 
>> iptables v1.3.7: can't initialize iptables table `nat': Table does not 
>> exist (do you need to insmod?)
>> Perhaps iptables or your kernel needs to be upgraded.
> 
>> At this point I think the problem is in some missing settings in the 
>> kernel conf
> 
> I guess, that you do not have the 'CONFIG_NF_NAT' option activated?
> So your kernel will also lack the 'CONFIG_IP_NF_TARGET_MASQUERADE'
> option.
> 
> If you use the "old" layer 3 depended conntrack, you need
> 'CONFIG_IP_NF_NAT' instead of 'CONFIG_NF_NAT'.

In the old .config there's CONFIG_IP_NF_NAT=m, instead in the new 
.config there aren't neither CONFIG_IP_NF_NAT nor CONFIG_NF_NAT. I 
thought that the "make oldconfig" had imported the full old kernel 
configuration.

So, I have do add this option and recompile again (argh!); and how can I 
be sure that the oldconfig has not missed other entries again?

Re: problems applying ipset patch

[Maximilian Wilhelm]

Am Monday, den 28 May hub Andrea folgendes in die Tasten:

Hi!

> In the old .config there's CONFIG_IP_NF_NAT=m, instead in the new 
> .config there aren't neither CONFIG_IP_NF_NAT nor CONFIG_NF_NAT. I 
> thought that the "make oldconfig" had imported the full old kernel 
> configuration.

> So, I have do add this option and recompile again (argh!); and how can I 
> be sure that the oldconfig has not missed other entries again?

'make oldconfig' should ask you about new items.
In the past there were some Kconfig items added and renamed, so you
should be carefull if 'make oldconfig' asks you about things.

Ciao
Max
-- 
	Follow the white penguin.

Re: problems applying ipset patch

[Andrea]

> 'make oldconfig' should ask you about new items.
> In the past there were some Kconfig items added and renamed, so you
> should be carefull if 'make oldconfig' asks you about things.

This is my old .config netfilter setting section (kernel 2.6.9.42.10)

#
# IP: Netfilter Configuration
#
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_CT_ACCT=y
CONFIG_IP_NF_CT_PROTO_SCTP=m
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_IRC=m
CONFIG_IP_NF_TFTP=m
CONFIG_IP_NF_AMANDA=m
CONFIG_IP_NF_QUEUE=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_LIMIT=m
CONFIG_IP_NF_MATCH_IPRANGE=m
CONFIG_IP_NF_MATCH_MAC=m
CONFIG_IP_NF_MATCH_PKTTYPE=m
CONFIG_IP_NF_MATCH_MARK=m
CONFIG_IP_NF_MATCH_MULTIPORT=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_RECENT=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_DSCP=m
CONFIG_IP_NF_MATCH_AH_ESP=m
CONFIG_IP_NF_MATCH_LENGTH=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_TCPMSS=m
CONFIG_IP_NF_MATCH_HELPER=m
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_MATCH_CONNTRACK=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_MATCH_PHYSDEV=m
CONFIG_IP_NF_MATCH_ADDRTYPE=m
CONFIG_IP_NF_MATCH_REALM=m
CONFIG_IP_NF_MATCH_SCTP=m
CONFIG_IP_NF_MATCH_COMMENT=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_IP_NF_TARGET_TCPMSS=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_TARGET_NETMAP=m
CONFIG_IP_NF_TARGET_SAME=m
CONFIG_IP_NF_NAT_LOCAL=y
CONFIG_IP_NF_NAT_SNMP_BASIC=m
CONFIG_IP_NF_NAT_IRC=m
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_NAT_TFTP=m
CONFIG_IP_NF_NAT_AMANDA=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_DSCP=m
CONFIG_IP_NF_TARGET_MARK=m
CONFIG_IP_NF_TARGET_CLASSIFY=m
CONFIG_IP_NF_RAW=m
CONFIG_IP_NF_TARGET_NOTRACK=m
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
CONFIG_IP_NF_ARP_MANGLE=m
# CONFIG_IP_NF_COMPAT_IPCHAINS is not set
# CONFIG_IP_NF_COMPAT_IPFWADM is not set

----------------------

this is my new .config section:

#
# IP: Netfilter Configuration
#
CONFIG_NF_CONNTRACK_IPV4=m
CONFIG_IP_NF_QUEUE=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_IPRANGE=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_RECENT=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_AH=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_MATCH_ADDRTYPE=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_TTL=m
CONFIG_IP_NF_RAW=m
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
CONFIG_IP_NF_ARP_MANGLE=m
CONFIG_IP_NF_SET=m
CONFIG_IP_NF_SET_MAX=256
CONFIG_IP_NF_SET_HASHSIZE=1024
CONFIG_IP_NF_SET_IPMAP=m
CONFIG_IP_NF_SET_MACIPMAP=m
CONFIG_IP_NF_SET_PORTMAP=m
CONFIG_IP_NF_SET_IPHASH=m
CONFIG_IP_NF_SET_NETHASH=m
CONFIG_IP_NF_SET_IPPORTHASH=m
CONFIG_IP_NF_SET_IPTREE=m
CONFIG_IP_NF_MATCH_SET=m
CONFIG_IP_NF_TARGET_SET=m

------------

How can I decide what values I have to manual reinsert in the new config 
  file?