Bug 11127

Summary: shorewall start fails - kernel/iptables do not include state match support
Product: Mageia Reporter: Dave Hodgins <davidwhodgins>
Component: RPM PackagesAssignee: Thomas Backlund <tmb>
Status: RESOLVED FIXED QA Contact:
Severity: major    
Priority: Normal CC: alien, doktor5000, dvgevers, eeeemail, ennael1, mageia, nic, oe, stormi-mageia
Version: Cauldron   
Target Milestone: ---   
Hardware: i586   
OS: Linux   
Whiteboard: 4alpha2
Source RPM: iptables-1.4.20-1.mga4.src.rpm CVE:
Status comment:
Attachments: Compressed contents of /etc/shorewall
Debugging output
Compressed output of journalctl -a
Compressed output of journalctl -b from 2nd boot after install

Description Dave Hodgins 2013-09-01 18:33:57 CEST 
From systemctl -a status shorewall.service
Sep 01 12:16:52 localhost shorewall[1371]: ERROR: Your kernel/iptables do not include state match support. No version of Shorewall will run on this system
Sep 01 12:16:52 localhost systemd[1]: shorewall.service: main process exited, code=exited, status=3/NOTIMPLEMENTED

Using 4alpha2 kde i586 live cd, in live mode.

Message was different in gnome, but as gnome won't start, can't copy/paste the
message. IIRC, it was
ERROR TC_ENABLED=Internel requires Packet Mangling in your kernel and iptables.



Reproducible: 

Steps to Reproduce:
Comment 1 Dave Hodgins 2013-09-01 18:35:28 CEST 
I think this bug is a blocker for alpha2

CC: (none) => eeeemail, ennael1
Whiteboard: (none) => 4alpha2

Comment 2 David Walser 2013-09-01 20:45:43 CEST 
CC'ing Oden who updated the iptables package.

CC: (none) => oe

Comment 3 David Walser 2013-09-02 02:41:53 CEST 
blino just fixed something in iptables.  I'm not sure if it was meant to address this issue.

CC: (none) => mageia

Comment 4 Oden Eriksson 2013-09-02 11:57:03 CEST 
Do you still get this error?

If so please attach your shorewall config to this bugreport.
Comment 5 Dave Hodgins 2013-09-02 23:17:43 CEST 
Created attachment 4313 [details]
Compressed contents of /etc/shorewall

Note that this is a live cd, running in live mode, so any config changes
were done by /usr/sbin/finish-install.
Comment 6 Dave Hodgins 2013-09-02 23:49:18 CEST 
Note that this only occurs in live mode. Once installed on
the vb hard drive, and the network configured, shorewall
does start ok.
Comment 7 Dave Hodgins 2013-09-03 00:02:14 CEST 
This is really strange. I just booted the live cd again,
and this time shorewall started ok.

As it only seems to affect live mode, and it's inconsistent,
I'm lowering the priority.

Severity: critical => minor

Comment 8 Dave Hodgins 2013-09-03 22:12:07 CEST 
Created attachment 4319 [details]
Debugging output

It's a timing problem. Happened on first boot after installing from the gnome live cd (2nd build). Starting shorewall works after system is running.

Attached is the output of journalctl -a -b |grep -e finish -e eth0 -e enp0s3 -e shorewall -e iptables
Comment 9 Dave Hodgins 2013-09-03 22:24:21 CEST 
Created attachment 4320 [details]
Compressed output of journalctl -a
Comment 10 Dave Hodgins 2013-09-03 23:19:34 CEST 
Created attachment 4321 [details]
Compressed output of journalctl -b from 2nd boot after install

Doesn't just affect live mode and 1st boot after install.

Here's the output of journalctl -b from the 2nd (or 3rd) boot, after
install.
Comment 11 Dave Hodgins 2013-09-03 23:20:41 CEST 
Raising the severity again, as it isn't as limited as it appeared before.

Severity: minor => major

Comment 12 claire robinson 2013-09-06 11:22:14 CEST 
Confirmed here. shorewall fails to start 4alpha2 DVD 64
Comment 13 AL13N 2014-01-19 22:07:05 CET 
is this really a timing issue? can this be fixed by systemd "after=" stuff?

perhaps systemd-analyze plot in those cases where it happens and where it doesn't happen could be used...


what is the chance that NetworkManager is re-reloading the kernel modules to be used in iptables/ip6tables?

CC: (none) => alien

Comment 14 Dick Gevers 2014-02-01 14:12:59 CET 
@davidwhodgins

IMHO this bug is old. If you could close it: it is also listed in the errata ?

Thanks !

CC: (none) => dvgevers

Comment 15 Florian Hubold 2014-02-03 22:12:34 CET 
Can somebody please provide a more precise description for the Errata, or remove it from Errata when it doesn't happen anymore with final?

Otherwise we get questions like https://forums.mageia.org/en/viewtopic.php?f=7&t=6857

CC: (none) => doktor5000

Comment 16 Samuel Verschelde 2014-02-04 14:31:31 CET 
AFAIK it's fixed. Removing from Erratas, please add back with explanations if still valid.

CC: (none) => stormi

Comment 17 Nic Baxter 2016-01-24 12:23:26 CET 
Appears to be fixed so closed

Status: NEW => RESOLVED
CC: (none) => nic
Resolution: (none) => FIXED