Description of problem:
I have had virtually the same configuration for shorewall & shorewall6 always since Mandriva times, for *6 since soon after it became available, and they always worked fine. But with kernels 6.6.57 and 6.6.58 shorewall6 fails on two Cauldron machines, but shorewall (ipv4) works like before. I am not familiar with troubleshooting on iptables level etc. so I cannot determine the cause, nor do I recognise anything in kernel changelog to say that that might be the culprit. I still have kernel-desktop-6.6.54-1.mga10 installed and using same makes shorewall6 start without any problem at all!
Version-Release number of selected component (if applicable):
I will attach some parts of journal to reflect the problem.
Created attachment 14720 [details] Output of journalctl -xeu shorewall6.service
Created attachment 14721 [details] Output of "journalctl -g tables"
Confirming the issue, the issue has been present since:
okt 21 16:19:38 cauldronSL510 systemd[1]: Starting shorewall6.service...
okt 21 16:19:38 cauldronSL510 systemd[1]: shorewall6.service: Main process exited, code=exited, status=143/n/a
okt 21 16:19:38 cauldronSL510 systemd[1]: shorewall6.service: Failed with result 'exit-code'.
okt 21 16:19:38 cauldronSL510 systemd[1]: Failed to start shorewall6.service.
That was the first time I booted this system since installing kernel-desktop-6.6.57-1.mga10 almost two days earlier. I'll reboot into the Linus kernel to see whether the issue is present there, too.
CC: (none) => marja11
Same issue with kernel-linus-6.6.58-1.mga10.
Assigning to the kernel and drivers maintainers.
Assignee: bugsquad => kernel
Summary: Shorewall6 fails from kernel-desktop-6.6.57 onwards => Shorewall6 fails from kernel-desktop-6.6.57 onwards (Warning: Extension MARK revision 0 not supported, missing kernel module?)
Summary: Shorewall6 fails from kernel-desktop-6.6.57 onwards (Warning: Extension MARK revision 0 not supported, missing kernel module?) => Shorewall6 fails since kernel-6.6.57 (Warning: Extension MARK revision 0 not supported, missing kernel module?)
systemctl status shorewall6.service
× shorewall6.service - Shorewall IPv6 firewall
     Loaded: loaded (/usr/lib/systemd/system/shorewall6.service; enabled; preset: enabled)
     Active: failed (Result: exit-code) since Fri 2024-10-25 10:13:49 CST; 8min ago
    Process: 2171 ExecStart=/sbin/shorewall -6 $OPTIONS start $STARTOPTIONS (code=exited, status=143)
   Main PID: 2171 (code=exited, status=143)
        CPU: 234ms
oct 25 10:13:49 jgrey.phoenix shorewall[2258]: ip6tables v1.8.9 (legacy): Couldn't load target `Ifw':No such file or directory
oct 25 10:13:49 jgrey.phoenix shorewall[2258]: Try `ip6tables -h' or 'ip6tables --help' for more information.
oct 25 10:13:49 jgrey.phoenix shorewall[2260]: iptables: Too many links.
oct 25 10:13:49 jgrey.phoenix shorewall[2202]: Preparing ip6tables-restore input...
oct 25 10:13:49 jgrey.phoenix shorewall[2202]: Running /sbin/ip6tables-restore --wait 60...
oct 25 10:13:49 jgrey.phoenix shorewall[2202]: Processing /etc/shorewall6/stopped ...
oct 25 10:13:49 jgrey.phoenix shorewall[2171]: Terminado
oct 25 10:13:49 jgrey.phoenix systemd[1]: shorewall6.service: Main process exited, code=exited, status=143/n/a
oct 25 10:13:49 jgrey.phoenix systemd[1]: shorewall6.service: Failed with result 'exit-code'.
oct 25 10:13:49 jgrey.phoenix systemd[1]: Failed to start shorewall6.service.
[root@jgrey ~]# systemctl restart shorewall6.service
Job for shorewall6.service failed because the control process exited with error code.
See "systemctl status shorewall6.service" and "journalctl -xeu shorewall6.service" for details.
journalctl -xeu shorewall6.service
oct 25 10:24:00 jgrey.phoenix shorewall[6088]: ERROR: ip6tables-restore Failed. Input is in /var/lib/shorewall6/.ip6tables-restor>
oct 25 10:24:00 jgrey.phoenix shorewall[6088]: Processing /etc/shorewall6/stop ...
oct 25 10:24:00 jgrey.phoenix shorewall[6141]: ip6tables v1.8.9 (legacy): Couldn't load target `Ifw':No such file or directory
oct 25 10:24:00 jgrey.phoenix shorewall[6141]: Try `ip6tables -h' or 'ip6tables --help' for more information.
oct 25 10:24:00 jgrey.phoenix shorewall[6143]: iptables: Too many links.
oct 25 10:24:00 jgrey.phoenix shorewall[6144]: ipset v7.21: The set with the given name does not exist
oct 25 10:24:00 jgrey.phoenix shorewall[6145]: ipset v7.21: The set with the given name does not exist
oct 25 10:24:00 jgrey.phoenix shorewall[6088]: Preparing ip6tables-restore input...
oct 25 10:24:00 jgrey.phoenix shorewall[6088]: Running /sbin/ip6tables-restore --wait 60...
oct 25 10:24:00 jgrey.phoenix shorewall[6088]: Processing /etc/shorewall6/stopped ...
oct 25 10:24:00 jgrey.phoenix shorewall[6059]: Terminado
oct 25 10:24:00 jgrey.phoenix systemd[1]: shorewall6.service: Main process exited, code=exited, status=143/n/a
  Subject: Unit process exited
  Defined-By: systemd
  Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
  An ExecStart= process belonging to unit shorewall6.service has exited.
  The process' exit code is 'exited' and its exit status is 143.
oct 25 10:24:00 jgrey.phoenix systemd[1]: shorewall6.service: Failed with result 'exit-code'.
  Subject: Unit failed
  Defined-By: systemd
  Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
  The unit shorewall6.service has entered the 'failed' state with result 'exit-code'.
oct 25 10:24:00 jgrey.phoenix systemd[1]: Failed to start shorewall6.service.
  Subject: A start job for unit shorewall6.service has failed
  Defined-By: systemd
  Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
  A start job for unit shorewall6.service has finished with a failure.
  The job identifier is 1685 and the job result is failed.
Whiteboard: (none) => MGA9TOO
Blocks: (none) => 33667
My system has more or less the same issue:
Warning: Extension MARK revision 0 not supported, missing kernel module?
ip6tables-restore v1.8.9 (legacy): MARK: bad value for option "--set-mark", or out of range (0-4294967295).
/var/lib/shorewall6/.ip6tables-restore-input:34: -A FORWARD -j MARK --set-mark 0/0xff
# LANG=C shorewall6 -v start
Starting Shorewall6....
Initializing...
Processing /etc/shorewall6/init ...
Setting up Proxy NDP...
Preparing ip6tables-restore input...
Running /sbin/ip6tables-restore --wait 60...
Warning: Extension MARK revision 0 not supported, missing kernel module?
ip6tables-restore v1.8.9 (legacy): MARK: bad value for option "--set-mark", or out of range (0-4294967295).
Error occurred at line: 34
Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.
ERROR: ip6tables-restore Failed. Input is in /var/lib/shorewall6/.ip6tables-restore-input
Processing /etc/shorewall6/stop ...
Preparing ip6tables-restore input...
Running /sbin/ip6tables-restore --wait 60...
Processing /etc/shorewall6/stopped ...
Terminated
CC: (none) => boulshet
Are you able to produce a minimal working example using a plain iptables command?
AFAIK there weren't changes in the network config of mga kernel between 6.6.55 and 6.6.58 kernels to justify the missing of some required module.
Upstream kernel 6.6.55 and 6.6.57 had some patches to the netfilter code to fix some bug.
Maybe shorewall should be aligned with that? shorewall has been frozen for a long time but recently there was some activity, see:
https://gitlab.com/shorewall/code/-/commits/master?ref_type=heads
CC: (none) => ghibomgx
I am afraid I can't. I just tried something:
# iptables -A FORWARD -j MARK --set-mark 0/0xff
# echo $?
0
where the arguments are the same as in my last comment. Yet I don't know if it helps.
Sorry, iptables is too complicated for my small brain ...
(In reply to Giuseppe Ghibò from comment #7)
> Are you able to produce a minimal working example using plain
> iptables command?
>
> AFAIK there weren't changes in the network config of mga kernel between
> 6.6.55 and 6.6.58 kernels to justify the missing of some required module.
>
> Upstream kernel 6.6.55 and 6.6.57 had some patches to the netfilter code to
> fix some bug.
>
> Maybe shorewall should be aligned with that? shorewall has been frozen from
> long time but recently there was some activity, see:
>
> https://gitlab.com/shorewall/code/-/commits/master?ref_type=heads
In uname -r 6.6.52-server-1.mga9 it works:
systemctl status shorewall6.service
● shorewall6.service - Shorewall IPv6 firewall
     Loaded: loaded (/usr/lib/systemd/system/shorewall6.service; enabled; preset: enabled)
     Active: active (exited) since Fri 2024-10-25 14:32:04 CST; 1min 25s ago
    Process: 2077 ExecStart=/sbin/shorewall -6 $OPTIONS start $STARTOPTIONS (code=exited, status=0/SUCCESS)
   Main PID: 2077 (code=exited, status=0/SUCCESS)
        CPU: 203ms
oct 25 14:32:04 jgrey.phoenix shorewall[2115]: Processing /etc/shorewall6/start ...
oct 25 14:32:04 jgrey.phoenix shorewall[2247]: iptables: Chain already exists.
oct 25 14:32:04 jgrey.phoenix shorewall[2248]: ipset v7.21: Set cannot be created: set with the same name already exists
oct 25 14:32:04 jgrey.phoenix shorewall[2250]: ipset v7.21: Set cannot be created: set with the same name already exists
oct 25 14:32:04 jgrey.phoenix shorewall[2260]: ip6tables v1.8.9 (legacy): Couldn't load target `Ifw':No such file or directory
oct 25 14:32:04 jgrey.phoenix shorewall[2260]: Try `ip6tables -h' or 'ip6tables --help' for more information.
oct 25 14:32:04 jgrey.phoenix shorewall[2115]: Processing /etc/shorewall6/started ...
oct 25 14:32:04 jgrey.phoenix root[2269]: Shorewall6 started
oct 25 14:32:04 jgrey.phoenix shorewall[2115]: done.
oct 25 14:32:04 jgrey.phoenix systemd[1]: Finished shorewall6.service.
Perhaps iptables needs an update?
From comment #5:
oct 25 10:13:49 jgrey.phoenix shorewall[2258]: ip6tables v1.8.9 (legacy): Couldn't load target `Ifw':No such file or directory
I think I get something. Stracing the whole thing:
[pid 358293] newfstatat(AT_FDCWD, "/lib64/iptables/libip6t_MARK.so", 0x7ffe37538c40, 0) = -1 ENOENT (Aucun fichier ou dossier de ce nom)
where "(Aucun fichier ou dossier de ce nom)" is the French for "no file or directory with this name"
# LANG=C ll /lib64/iptables/lib*MARK*
-rwxr-xr-x 1 root root 24256 Apr 5 2024 /lib64/iptables/libxt_CONNMARK.so*
-rwxr-xr-x 1 root root 15520 Apr 5 2024 /lib64/iptables/libxt_CONNSECMARK.so*
-rwxr-xr-x 1 root root 19920 Apr 5 2024 /lib64/iptables/libxt_HMARK.so*
-rwxr-xr-x 1 root root 16376 Apr 5 2024 /lib64/iptables/libxt_MARK.so*
-rwxr-xr-x 1 root root 15760 Apr 5 2024 /lib64/iptables/libxt_SECMARK.so*
# rpm -q -f /lib64/iptables/*|sort|uniq -c
124 iptables-1.8.9-9.mga10
I thought the iptables build 'silently' failed but
# rpm -q --changelog iptables
* ven. avril 05 2024 wally <wally> 1.8.9-9.mga10
+ Revision: 2054627
- basesystem rebuild for i686
so, it's not that recent that it would be consistent with this issue. Maybe an iptables rebuild would be worth a try, wouldn't it?
iptables last version is 1.8.10
https://git.netfilter.org/iptables/ tagged more than one year ago
https://www.netfilter.org/projects/iptables/files/changes-iptables-1.8.10.txt
I think we hit this bug:
https://bugzilla.kernel.org/show_bug.cgi?id=219409
https://lore.kernel.org/all/20241021094536.81487-1-pablo@netfilter.org/
There is also the minimal working example:
root:~# ip6tables -N TEST_1
root:~# ip6tables -A TEST_1 -j NFLOG --nflog-prefix "Some prefix: "
which returns in case of problems:
Warning: Extension NFLOG revision 0 not supported, missing kernel module?
ip6tables: No chain/target/match by that name.
or an empty string when things work correctly.
(In reply to GG HH from comment #12)
> iptables last version is 1.8.10
> https://git.netfilter.org/iptables/ tagged more than one year ago
> https://www.netfilter.org/projects/iptables/files/changes-iptables-1.8.10.txt
Thanks for spotting. That's also a reminder to pay attention (beyond the scope of this bug) to upgrading to the current iptables and shorewall.
I'm seeing the same issue/regression in shorewall6.service with the kernel 6.6.58-desktop-1.mga9.
#### BEFORE NO ERROR ####
# uname -a
Linux jupiter 6.6.52-desktop-1.mga9 #1 SMP PREEMPT_DYNAMIC Thu Sep 19 20:27:15 UTC 2024 x86_64 GNU/Linux
# journalctl -b0 -u shorewall6
out 26 08:34:16 jupiter systemd[1]: Starting shorewall6.service...
out 26 08:34:16 jupiter shorewall[1106]: Starting Shorewall6....
out 26 08:34:16 jupiter shorewall[1106]: Initializing...
out 26 08:34:16 jupiter shorewall[1106]: Processing /etc/shorewall6/init ...
out 26 08:34:16 jupiter shorewall[1106]: Setting up Proxy NDP...
out 26 08:34:16 jupiter shorewall[1106]: Preparing ip6tables-restore input...
out 26 08:34:16 jupiter shorewall[1106]: Running /sbin/ip6tables-restore --wait 60...
out 26 08:34:16 jupiter shorewall[1106]: Processing /etc/shorewall6/start ...
out 26 08:34:16 jupiter shorewall[1181]: iptables: Chain already exists.
out 26 08:34:16 jupiter shorewall[1182]: ipset v7.21: Set cannot be created: set with the same name already exists
out 26 08:34:16 jupiter shorewall[1184]: ipset v7.21: Set cannot be created: set with the same name already exists
out 26 08:34:16 jupiter shorewall[1188]: ip6tables v1.8.9 (legacy): Couldn't load target `Ifw':No such file or directory
out 26 08:34:16 jupiter shorewall[1188]: Try `ip6tables -h' or 'ip6tables --help' for more information.
out 26 08:34:16 jupiter shorewall[1106]: Processing /etc/shorewall6/started ...
out 26 08:34:16 jupiter shorewall[1106]: done.
out 26 08:34:16 jupiter systemd[1]: Finished shorewall6.service.
#### ERROR WITH NEW KERNEL ####
# uname -a
Linux jupiter 6.6.58-desktop-1.mga9 #1 SMP PREEMPT_DYNAMIC Wed Oct 23 09:56:46 UTC 2024 x86_64 GNU/Linux
# journalctl -b0 -u shorewall6
out 26 08:32:41 jupiter systemd[1]: Starting shorewall6.service...
out 26 08:32:41 jupiter shorewall[1147]: Starting Shorewall6....
out 26 08:32:41 jupiter shorewall[1147]: Initializing...
out 26 08:32:42 jupiter shorewall[1147]: Processing /etc/shorewall6/init ...
out 26 08:32:42 jupiter shorewall[1147]: Setting up Proxy NDP...
out 26 08:32:42 jupiter shorewall[1147]: Preparing ip6tables-restore input...
out 26 08:32:42 jupiter shorewall[1147]: Running /sbin/ip6tables-restore --wait 60...
out 26 08:32:42 jupiter shorewall[1190]: Warning: Extension MARK revision 0 not supported, missing kernel module?
out 26 08:32:42 jupiter shorewall[1190]: ip6tables-restore v1.8.9 (legacy): MARK: bad value for option "--set-mark", or out of range (0-4294967295).
out 26 08:32:42 jupiter shorewall[1190]: Error occurred at line: 34
out 26 08:32:42 jupiter shorewall[1190]: Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.
out 26 08:32:42 jupiter shorewall[1147]: ERROR: ip6tables-restore Failed. Input is in /var/lib/shorewall6/.ip6tables-restore-input
out 26 08:32:42 jupiter shorewall[1147]: Processing /etc/shorewall6/stop ...
out 26 08:32:42 jupiter shorewall[1201]: ip6tables v1.8.9 (legacy): Couldn't load target `Ifw':No such file or directory
out 26 08:32:42 jupiter shorewall[1201]: Try `ip6tables -h' or 'ip6tables --help' for more information.
out 26 08:32:42 jupiter shorewall[1203]: iptables: Too many links.
out 26 08:32:42 jupiter shorewall[1147]: Preparing ip6tables-restore input...
out 26 08:32:42 jupiter shorewall[1147]: Running /sbin/ip6tables-restore --wait 60...
out 26 08:32:42 jupiter shorewall[1147]: Processing /etc/shorewall6/stopped ...
out 26 08:32:42 jupiter shorewall[1116]: Terminado
out 26 08:32:42 jupiter systemd[1]: shorewall6.service: Main process exited, code=exited, status=143/n/a
out 26 08:32:42 jupiter systemd[1]: shorewall6.service: Failed with result 'exit-code'.
out 26 08:32:42 jupiter systemd[1]: Failed to start shorewall6.service.
CC: (none) => mageia
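Added example, not part of the original thread or of shorewall: a shell triage function that reads shorewall6 journal text and reports whether it carries the "Extension ... revision N not supported" warning seen on the failing kernels, ignoring the `Ifw' target message that the logs above show on working boots too. The function names are hypothetical; the sample lines are copied from the jupiter logs in this thread.

```shell
#!/bin/sh
# Added example (not from the thread): triage shorewall6 journal text on stdin.
# Prints one verdict line:
#   regression: <EXT>...  ip6tables warned that an extension revision is unsupported
#   failed-other          ip6tables-restore failed without that warning
#   ok                    neither signature present
classify_shorewall6_log() {
    awk '
        /Extension [A-Za-z_]+ revision [0-9]+ not supported/ {
            ext = $0
            sub(/.*Extension /, "", ext)
            sub(/ revision.*/, "", ext)
            if (!(ext in seen)) { seen[ext] = 1; list = list " " ext }
        }
        /ERROR: ip6tables-restore Failed/ { failed = 1 }
        # The Ifw target message is deliberately not matched: it is also
        # logged on the working 6.6.52 boots, so it does not discriminate.
        END {
            if (list != "")  print "regression:" list
            else if (failed) print "failed-other"
            else             print "ok"
        }'
}

# Sample lines copied from the 6.6.58 boot log in this thread.
failing_sample() {
cat <<'EOF'
out 26 08:32:42 jupiter shorewall[1190]: Warning: Extension MARK revision 0 not supported, missing kernel module?
out 26 08:32:42 jupiter shorewall[1190]: ip6tables-restore v1.8.9 (legacy): MARK: bad value for option "--set-mark", or out of range (0-4294967295).
out 26 08:32:42 jupiter shorewall[1147]: ERROR: ip6tables-restore Failed. Input is in /var/lib/shorewall6/.ip6tables-restore-input
out 26 08:32:42 jupiter shorewall[1201]: ip6tables v1.8.9 (legacy): Couldn't load target `Ifw':No such file or directory
EOF
}

# Sample lines copied from the 6.6.52 boot log in this thread.
working_sample() {
cat <<'EOF'
out 26 08:34:16 jupiter shorewall[1106]: Running /sbin/ip6tables-restore --wait 60...
out 26 08:34:16 jupiter shorewall[1188]: ip6tables v1.8.9 (legacy): Couldn't load target `Ifw':No such file or directory
out 26 08:34:16 jupiter shorewall[1106]: done.
EOF
}

# On a live host: journalctl -b0 -u shorewall6 | classify_shorewall6_log
echo "6.6.58 boot: $(failing_sample | classify_shorewall6_log)"
echo "6.6.52 boot: $(working_sample | classify_shorewall6_log)"
```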
Fixed with kernel 6.6.58-2. Thanks for same
Status: NEW => RESOLVED
Resolution: (none) => FIXED