-----Original Message-----
From: Steve Grubb [mailto:sgrubb@redhat.com]
Sent: 22 October 2009 21:39
To: Kedar Sovani; fedora-arm(a)redhat.com
Subject: Re: [fedora-arm] Fedora-11 Status
On Tuesday 06 October 2009 04:45:33 am you wrote:
> > I was wondering if in the next kernel build if netfilter/iptables can be
> > enabled?
>
> We do not disable it.
>
> The kernel build just picks the default fedora kernel configuration and
> merges the arch-specific ("config-arm" in our case) exception file. This
> file hasn't disabled iptables:
>
> http://cvs.fedoraproject.org/viewvc/rpms/kernel/devel/config-arm?revision=1.5
> > OK, I assumed it was not working because:
> >
> > iptables-restore /etc/sysconfig/iptables
> > FATAL: Could not load /lib/modules/2.6.30-00000-v2.6.30/modules.dep: No such file or directory
> > iptables-restore v1.4.3.1: iptables-restore: unable to initialize table 'filter'
> > Error occurred at line: 3
> > Try `iptables-restore -h' or 'iptables-restore --help' for more information.
>
> Have you installed all the kernel modules for your kernel at
> install_root/lib/modules/<kernel_version> ?
> Maybe it does not find the kernel modules to load?
>
> Kedar.
I traced through the initscript and decided to just try iptables-restore by
itself. The initscripts really want a loadable module. Anyways, based on your
comment, I tried setting --modprobe=/bin/true to trick it. No luck. It
doesn't complain about not being able to load the module anymore, but still
fails at line 3. The firewall rules are simple:
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Running strace, it dies like this:
socket(PF_INET, SOCK_RAW, IPPROTO_RAW) = 4
getsockopt(4, SOL_IP, 0x40 /* IP_??? */, 0xbeda7ee8, 0xbeda7ee0) = -1 ENOPROTOOPT (Protocol not available)
close(4) = 0
-Steve
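For anyone hitting the same "unable to initialize table" error, here is a small C program, added to this archived thread and not part of Steve's or Kedar's mails, that repeats the getsockopt probe from the strace and names what each errno means; the diagnosis strings and the choice of the "filter" table are my own.

```c
/* Added example, not from the thread: repeat the getsockopt(SOL_IP, 0x40) probe
 * seen in the strace above and turn its errno into a diagnosis. The constant
 * and struct mirror linux/netfilter_ipv4/ip_tables.h so no kernel header is needed. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define IPT_SO_GET_INFO 64            /* the 0x40 in the strace */
struct ipt_getinfo {                  /* layout from the kernel UAPI header */
    char name[32];
    unsigned int valid_hooks, hook_entry[5], underflow[5], num_entries, size;
};

/* Map the probe's errno to what it means for the iptables-restore failure. */
const char *ipt_diagnose(int err)
{
    switch (err) {
    case 0:           return "table available";
    case ENOPROTOOPT: return "no ip_tables sockopt handler: ip_tables not loaded or not built in";
    case ENOENT:      return "ip_tables present but this table (e.g. iptable_filter) is missing";
    case EPERM: case EACCES: return "raw socket refused (need CAP_NET_RAW): inconclusive";
    default:          return "unexpected error";
    }
}

/* Returns 0 if the kernel answered for `table`, else the errno of the failing call. */
int ipt_probe_table(const char *table)
{
    struct ipt_getinfo info;
    socklen_t len = sizeof info;
    int fd = socket(PF_INET, SOCK_RAW, IPPROTO_RAW);   /* same socket as the strace */
    if (fd < 0)
        return errno;
    memset(&info, 0, sizeof info);
    strncpy(info.name, table, sizeof info.name - 1);
    int err = getsockopt(fd, IPPROTO_IP, IPT_SO_GET_INFO, &info, &len) < 0 ? errno : 0; /* IPPROTO_IP == SOL_IP */
    close(fd);
    return err;
}

int main(void)
{
    int err = ipt_probe_table("filter");
    printf("filter: %s (errno %d)\n", ipt_diagnose(err), err);
    return err != 0;
}
```

Run it as root (or with CAP_NET_RAW) on the ARM box: ENOPROTOOPT there points at ip_tables itself being absent from the running kernel, not at a problem in the rules file.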