On Tue, Sep 17, 2019 at 08:38:20AM -0400, Eric Garver wrote:
On Mon, Sep 16, 2019 at 07:17:01PM +0000, jose.nunez-zuleta@barclays.com wrote:
Hello Eric,
I'm using a custom kernel. Do you know what modules should be available? I see the following with lsmod:
You'll want all the iptables modules. From the errors you gave below, at least the one for the "security" table is missing, CONFIG_IP_NF_SECURITY. Don't forget about the ip6tables equivalent, CONFIG_IP6_NF_SECURITY.
There were fixes in v0.6.4 and v0.7.0 that avoid using iptables tables that aren't available. Not all of them are strictly necessary. Maybe you can try upgrading firewalld.
To expand on this, see the below commit:
https://github.com/firewalld/firewalld/commit/c46b0892e1e4a540c959b4c1f6ea87...
commit c46b0892e1e4a540c959b4c1f6ea87de50d1bcf8
Author: Eric Garver <eric@garver.life>
Date:   Wed Apr 17 15:57:22 2019 -0400
fix: ipXtables: don't use tables that aren't available
At least for the default ruleset we can avoid failure if some of these tables are missing. But features that use those missing tables will still fail if the user attempts to use those features.
Here is a probably incomplete mapping of tables -> features:
raw: helpers, IPv6_rpfilter
mangle: rich rule mark action
nat: masquerade, forward ports
security: none
Of course, direct rules apply to all tables. It is fatal if the "filter" table is not available.
Fixes: #411
Fixes: #484
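As an added illustration of the table-to-feature mapping in the commit message and the CONFIG_IP_NF_SECURITY / CONFIG_IP6_NF_SECURITY advice above (example script written for this thread, not code from firewalld or from Eric), the following POSIX shell checks which iptables tables a kernel exposes and reports which firewalld features would fail. The function names and the sample table list are constructed; the CONFIG_* names follow the kernel's CONFIG_IP_NF_<TABLE> / CONFIG_IP6_NF_<TABLE> naming that the thread cites for the "security" table.

```shell
#!/bin/sh
# Constructed example: map missing iptables tables to the firewalld
# features (from the commit message in this thread) that depend on them.

# Print the firewalld features that depend on a given iptables table.
features_for_table() {
    case "$1" in
        filter)   echo "everything (firewalld cannot run without it)" ;;
        raw)      echo "helpers, IPv6_rpfilter" ;;
        mangle)   echo "rich rule mark action" ;;
        nat)      echo "masquerade, forward ports" ;;
        security) echo "none (only direct rules targeting it)" ;;
        *)        echo "unknown table" ;;
    esac
}

# Kernel option that builds support for a table; family is "ip" or "ip6".
# Yields e.g. CONFIG_IP_NF_SECURITY or CONFIG_IP6_NF_SECURITY.
config_for_table() {
    printf 'CONFIG_%s_NF_%s\n' \
        "$(echo "$1" | tr a-z A-Z)" "$(echo "$2" | tr a-z A-Z)"
}

# Arguments: family (ip|ip6) and a space-separated list of available tables,
# as read from /proc/net/${family}_tables_names.  Prints one line per
# missing table; returns 1 if "filter" is missing (fatal), 0 otherwise.
check_tables() {
    family=$1; available=$2; status=0
    for t in filter raw mangle nat security; do
        case " $available " in
            *" $t "*) continue ;;     # table present, nothing to report
        esac
        printf '%s: table %s missing (enable %s); affected: %s\n' \
            "$family" "$t" "$(config_for_table "$family" "$t")" \
            "$(features_for_table "$t")"
        [ "$t" = filter ] && status=1
    done
    return $status
}

# Constructed sample matching the thread: a custom kernel built without the
# security table, so only CONFIG_IP_NF_SECURITY is reported as missing.
SAMPLE_IP4="filter
nat
mangle
raw"

check_tables ip "$(echo "$SAMPLE_IP4" | tr '\n' ' ')"

# On a real host (uncomment):
# check_tables ip  "$(tr '\n' ' ' < /proc/net/ip_tables_names)"
# check_tables ip6 "$(tr '\n' ' ' < /proc/net/ip6_tables_names)"
```

Note that /proc/net/ip_tables_names lists only tables currently registered with the kernel; on a modular kernel a table module is loaded on first use, so run `iptables -t <table> -L -n` (and the ip6tables equivalent) for each table first, or check the CONFIG_* options directly in /proc/config.gz or /boot/config-$(uname -r), before trusting the result.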