Re: fwbuilder iptables script, kernel 2.6.8-11-amd64-k8 and sarge
On Mon, Aug 08, 2005 at 10:28:19PM +0200, Matthias Wenthe wrote:
> Dear List,
>
> I hope this is not too off-topic since it is a question regarding sarge
> with kernel-image 2.6.8-11-amd64-k8 which to my understanding originates
> from the amd-64 port.
>
> I am running a Debian sarge installation on an Athlon 3200+ with an
> fwbuilder generated iptables packet filter script which runs fine with
> kernel-image 2.6.8-2-686.
>
> When I boot the kernel from sarge's kernel-image 2.6.8-11-amd64-k8
> I get lots of messages like this one during execution of my iptables script:
>
> iptables v1.2.11: can't initialize iptables table `filter': Module is wrong version
> Perhaps iptables or your kernel needs to be upgraded.
>
> lsmod shows the following modules loaded:
>
> ipt_REJECT 7616 8
> ipt_multiport 2432 6
> ipt_LOG 7040 8
> ipt_state 2496 52
> ip_conntrack_tftp 4464 0
> ip_conntrack_irc 72368 0
> ip_conntrack_ftp 73200 0
> ip_conntrack_amanda 70368 0
> ip_conntrack 37412 5 ipt_state,ip_conntrack_tftp,ip_conntrack_irc,ip_conntrack_ftp,ip_conntrack_amanda
> iptable_filter 3392 1
> ip_tables 18432 5 ipt_REJECT,ipt_multiport,ipt_LOG,ipt_state,iptable_filter
>
> On another partition I have an installation of the amd-64 port at hand
> and when my server has booted I can mount this partition, do a chroot
> and of course can execute my iptables fwbuilder script. Since this is a
> production mail server and I am eager to profit from the benefits of the
> better memory management of the amd64 kernel this is my workaround after
> any reboot for the time being.
>
> Obviously the 32 bit iptables binary from sarge does not like the 64 bit
> kernel. So what would you suggest? Install the iptables package from the
> amd-64 port? But that would obviously cause a mess within the
> dependencies. Install just the binary in /usr/sbin/local together with a
> handful of libraries? Or stick with the 32 bit 686 kernel?
>
> Changing completely to the amd-64 port is currently unfortunately not an
> option for several reasons (no other amd64 servers available as backup
> hardware, no amd64 test machines available for compiling stuff before
> putting it on the production server, no 64bit CD (like knoppix) available
> for "exporting the offline booted server" via ssh to the admin for
> maintenance purposes since direct access to the console is limited to
> rare visits in the data processing center).
>
> Since it is a production system and I have no other amd64 system around
> my willingness for testing adventures is relatively small. But of course
> I would appreciate any experiences or suggestions from other users with a
> similar configuration. Maybe somebody has already found an elegant way to
> solve this dilemma.
Are you running an amd64 kernel with a 32bit i386 sarge install? If so
that is your problem. iptables has to be 64bit to talk to a 64bit
kernel due to an alignment issue in the kernel structures for iptables
or something like that. So you do need at least the 64bit iptables
binary and associated libs. A 64bit chroot is one option for installing it
easily, after which you can call it from the 32bit install just fine.
A pure 64bit install would of course just work.
Len Sorensen
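
The mismatch discussed in this thread can be caught before the firewall script runs, so a reboot into the amd64 kernel does not leave the host without its packet filter. The following is an added example, not part of the original messages: the function names are hypothetical, and the `/sbin/iptables` path in the usage comment is an assumption about where the binary lives.

```shell
#!/bin/sh
# Added example: compare the ELF class of the iptables binary with the
# kernel's word size, as needed for the kernel discussed in this thread.

# Print 32 or 64 for an ELF file; return 1 if the file is not ELF.
elf_bits() {
    # Bytes 0-3 are the magic 7f 45 4c 46; byte 4 (EI_CLASS) is
    # 01 for a 32-bit object and 02 for a 64-bit object.
    hdr=$(od -An -tx1 -N5 "$1" 2>/dev/null | tr -d ' \n')
    case "$hdr" in
        7f454c4601) echo 32 ;;
        7f454c4602) echo 64 ;;
        *) return 1 ;;
    esac
}

# Map a `uname -m` value to the kernel word size (x86 family only).
kernel_bits() {
    case "$1" in
        x86_64|amd64) echo 64 ;;
        i?86)         echo 32 ;;
        *) return 1 ;;
    esac
}

# Return 0 on match, 1 on mismatch, 2 if either side cannot be determined.
# $1 = path to iptables binary, $2 = machine string (default: uname -m).
check_iptables_abi() {
    bin=$1
    machine=${2:-$(uname -m)}
    ub=$(elf_bits "$bin") || { echo "cannot read ELF class of $bin" >&2; return 2; }
    kb=$(kernel_bits "$machine") || { echo "unknown machine $machine" >&2; return 2; }
    if [ "$ub" != "$kb" ]; then
        echo "MISMATCH: $bin is ${ub}-bit, kernel ($machine) is ${kb}-bit" >&2
        return 1
    fi
    return 0
}

# Usage at the top of the firewall script (path is an assumption):
#   check_iptables_abi /sbin/iptables || exit 1
```

Failing closed on a non-zero return lets the boot sequence log one clear message instead of a run of "Module is wrong version" errors with no rules loaded.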