On Tue, Sep 17, 2019 at 08:38:20AM -0400, Eric Garver wrote:
On Mon, Sep 16, 2019 at 07:17:01PM +0000,
jose.nunez-zuleta(a)barclays.com wrote:
> Hello Eric,
>
> I'm using a custom kernel. Do you know what modules should be available? I see
> the following with lsmod:
You'll want all the iptables modules. From the errors you gave below at
least the one for the "security" table is missing,
CONFIG_IP_NF_SECURITY. Don't forget about the ip6tables equivalent,
CONFIG_IP6_NF_SECURITY.
There were fixes in v0.6.4 and v0.7.0 that avoid using iptables tables
that aren't available. Not all of them are strictly necessary. Maybe you
can try upgrading firewalld.
To expand on this, see the below commit:
https://github.com/firewalld/firewalld/commit/c46b0892e1e4a540c959b4c1f6e...
commit c46b0892e1e4a540c959b4c1f6ea87de50d1bcf8
Author: Eric Garver <eric(a)garver.life>
Date: Wed Apr 17 15:57:22 2019 -0400
fix: ipXtables: don't use tables that aren't available
At least for the default ruleset we can avoid failure if some of these
tables are missing. But features that use those missing tables will
still fail if the user attempts to use those features.
Here is a probably incomplete mapping of tables -> features:
raw: helpers, IPv6_rpfilter
mangle: rich rule mark action
nat: masquerade, forward ports
security: none
Of course, direct rules apply to all tables. It is fatal if the "filter"
table is not available.
Fixes: #411
Fixes: #484
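An added example, not part of the thread or of firewalld's own code, that turns the table -> feature mapping from the commit message above into a small check script: given the set of iptables tables a host provides, it reports which firewalld features will break, and it can probe the live host for those tables and for the kernel options named above. Assumptions: the mapping is the (self-described incomplete) one from the commit message, the `iptables -w -t TABLE -L` probe needs root and an iptables binary that supports `-w`, and the kernel config is readable from /proc/config.gz or /boot/config-$(uname -r). Function names are the author's, not firewalld's.

```shell
#!/bin/sh
# Added example (not firewalld's code): map missing iptables tables to the
# firewalld features that depend on them, per the commit message above.

# features_for_table TABLE: the firewalld features that need TABLE
# (mapping copied from the commit message; "filter" is fatal if absent).
features_for_table() {
    case "$1" in
        filter)   echo "every ruleset (fatal)" ;;
        raw)      echo "helpers IPv6_rpfilter" ;;
        mangle)   echo "rich-rule-mark-action" ;;
        nat)      echo "masquerade forward-ports" ;;
        security) echo "" ;;   # nothing in the default ruleset uses it
        *)        echo "" ;;
    esac
}

# missing_tables AVAILABLE: AVAILABLE is a space-separated list of table
# names present on the host; prints the firewalld tables that are absent.
missing_tables() {
    avail=" $1 "
    missing=""
    for t in filter raw mangle nat security; do
        case "$avail" in
            *" $t "*) ;;
            *) missing="$missing $t" ;;
        esac
    done
    echo "${missing# }"
}

# report AVAILABLE: one line per missing table with the affected features.
# A missing "security" table breaks no feature, but firewalld releases before
# the fix above still error out when they try to flush it.
report() {
    for t in $(missing_tables "$1"); do
        f=$(features_for_table "$t")
        if [ -z "$f" ]; then
            echo "$t: missing (no feature depends on it)"
        else
            echo "$t: missing (breaks: $f)"
        fi
    done
}

# probe_tables [IPTABLES_BINARY]: detect tables on the running host by trying
# to list each one. Needs root; pass ip6tables to check the IPv6 side.
# (Not exercised offline; assumes the binary supports -w.)
probe_tables() {
    bin="${1:-iptables}"
    out=""
    for t in filter raw mangle nat security; do
        if "$bin" -w -t "$t" -L -n >/dev/null 2>&1; then
            out="$out $t"
        fi
    done
    echo "${out# }"
}

# kernel_has_option CONFIG_NAME: true if the running kernel's config sets it
# to y or m, e.g. kernel_has_option CONFIG_IP_NF_SECURITY. Assumes one of
# /proc/config.gz or /boot/config-$(uname -r) is readable.
kernel_has_option() {
    if [ -r /proc/config.gz ]; then
        gzip -dc /proc/config.gz
    else
        cat "/boot/config-$(uname -r)"
    fi 2>/dev/null | grep -Eq "^$1=(y|m)\$"
}

# Constructed sample input: a custom kernel built without the security table,
# as in the original poster's lsmod output.
sample_tables="filter raw mangle nat"
report "$sample_tables"
```

On a real host, replace the constructed `sample_tables` with `$(probe_tables)` and `$(probe_tables ip6tables)`, and check `kernel_has_option CONFIG_IP_NF_SECURITY` and `CONFIG_IP6_NF_SECURITY` to confirm whether the missing table is a kernel build issue rather than an unloaded module.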