
Re: fwbuilder iptables script, kernel 2.6.8-11-amd64-k8 and sarge



On Mon, Aug 08, 2005 at 10:28:19PM +0200, Matthias Wenthe wrote:
> Dear List,
> 
> I hope this is not too off-topic since it is a question regarding sarge with
> kernel-image 2.6.8-11-amd64-k8 which to my understanding originates
> from the amd-64 port.
> 
> I am running a Debian sarge installation on an Athlon 3200+ with an
> fwbuilder generated iptables packet filter script which runs fine with
> kernel-image 2.6.8-2-686.
> 
> When I boot the kernel from sarge's kernel-image 2.6.8-11-amd64-k8
> I get lots of messages like this one during execution of my iptables script:
> 
> iptables v1.2.11: can't initialize iptables table `filter': Module is wrong version
> Perhaps iptables or your kernel needs to be upgraded.
> 
> lsmod shows the following modules loaded:
> 
> ipt_REJECT              7616  8
> ipt_multiport           2432  6
> ipt_LOG                 7040  8
> ipt_state               2496  52
> ip_conntrack_tftp       4464  0
> ip_conntrack_irc       72368  0
> ip_conntrack_ftp       73200  0
> ip_conntrack_amanda    70368  0
> ip_conntrack           37412  5 ipt_state,ip_conntrack_tftp,ip_conntrack_irc,ip_conntrack_ftp,ip_conntrack_amanda
> iptable_filter          3392  1
> ip_tables              18432  5 ipt_REJECT,ipt_multiport,ipt_LOG,ipt_state,iptable_filter
> 
> On another partition I have an installation of the amd-64 port at hand
> and when my server has booted I can mount this partition, do a chroot and
> of course can execute my iptables fwbuilder script. Since this is a
> production mail server and I am eager to profit from the benefits of the
> better memory management of the amd64 kernel this is my workaround after
> any reboot for the time being.
> 
> Obviously the 32 bit iptables binary from sarge does not like the 64 bit
> kernel. So what would you suggest? Install the iptables package from the
> amd-64 port? But that would obviously cause a mess within the
> dependencies. Install just the binary in /usr/sbin/local together with a
> handful of libraries? Or stick with the 32 bit 686 kernel?
> 
> Changing completely to the amd-64 port is currently unfortunately not an
> option for several reasons (no other amd64 servers available as backup
> hardware, no amd64 test machines available for compiling stuff before
> putting it on the production server, no 64bit CD (like knoppix) available
> for "exporting the offline booted server" via ssh to the admin for
> maintenance purposes since direct access to the console is limited to
> rare visits in the data processing center).
> 
> Since it is a production system and I have no other amd64 system around
> my willingness for testing adventures is relatively small. But of course
> I would appreciate any experiences or suggestions from other users with a
> similar configuration. Maybe somebody has already found an elegant way to
> solve this dilemma.

Are you running an amd64 kernel with a 32bit i386 sarge install?  If so
that is your problem.  iptables has to be 64bit to talk to a 64bit
kernel due to an alignment issue in the kernel structures for iptables
or something like that.  So you do need at least the 64bit iptables
binary and associated libs.  A 64bit chroot is one option for installing
it easily, after which you can call it from the 32bit install just fine.

A pure 64bit install would of course just work.

Len Sorensen
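
The mismatch discussed in this thread can be caught before the firewall script runs, so a reboot into the other kernel does not silently leave the host without its ruleset. The following is an added example, not part of either poster's message: a shell check that compares the ELF class of the iptables binary with the kernel's machine type. The function names are hypothetical, and it assumes `uname -m` reports the running kernel's architecture.

```shell
#!/bin/sh
# Added example (not from the thread): detect a 32-bit iptables binary
# on a 64-bit kernel before trying to load rules.

# Print 32 or 64 from the ELF header's EI_CLASS byte (offset 4).
# Returns non-zero if the file is not a readable ELF object.
elf_class() {
    magic=$(dd if="$1" bs=1 count=4 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || return 1
    class=$(dd if="$1" bs=1 skip=4 count=1 2>/dev/null | od -An -tu1 | tr -d ' \n')
    case "$class" in
        1) echo 32 ;;
        2) echo 64 ;;
        *) return 1 ;;
    esac
}

# Map a `uname -m` value to the kernel word size (x86 family only).
kernel_bits() {
    case "$1" in
        x86_64|amd64) echo 64 ;;
        i?86)         echo 32 ;;
        *)            return 1 ;;
    esac
}

# Exit status: 0 = binary matches kernel, 1 = mismatch, 2 = cannot tell.
check_iptables_abi() {
    bin=$1
    machine=$2
    ub=$(elf_class "$bin") || { echo "cannot read ELF class of $bin" >&2; return 2; }
    kb=$(kernel_bits "$machine") || { echo "unknown machine type $machine" >&2; return 2; }
    if [ "$ub" != "$kb" ]; then
        echo "$bin is ${ub}-bit but the kernel is ${kb}-bit" >&2
        return 1
    fi
    return 0
}
```

Calling `check_iptables_abi /sbin/iptables "$(uname -m)"` at the top of the generated firewall script, and alerting on a non-zero status, turns the "Module is wrong version" failure into an explicit pre-flight error.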


