On Saturday, 18 April 2020 15:20:43 BST Wolf wrote:
> On 2020-04-18 15:03, Peter Humphrey wrote:
> > # grep NETFILTER_XT_MATCH_STATE /usr/src/linux/.config
> > CONFIG_NETFILTER_XT_MATCH_STATE=m
> >
> > So yes, it is.
> >
> > I'm confused by having two apparently different sets of IP filtering
> > options. Do I need the NF set or the older one?
>
> This depends on whether shorewall uses the older iptables stack, or the
> newer nftables one. I don't know much about shorewall, but according to
> a quick search online it seems to still rely on iptables.
>
> In that case, CONFIG_NETFILTER_XT_MATCH_STATE should be the correct
> option to use.
>
> I'm using nftables myself, and I don't think there is a separate option
> for match support, as it's contained in CONFIG_NFT_CT.
>
> There used to be CONFIG_IP_NF_MATCH_STATE, but that is for very old
> kernels only (2.6.15 is the last one with that option). I'm assuming
> that this option was at some point changed to XT_MATCH_STATE.
>
> In any case, you do seem to have the correct option set. Since you're
> using it as a module, have you checked lsmod to see whether the
> 'xt_state' module is loaded? Maybe there's some more information in
> dmesg as well.
Thanks for the help. In the end I just enabled more-or-less everything to do
with iptables and nftables. I reasoned that I was not opening any holes, just
setting the ground for the firewall to operate on.

-- 
Regards,
Peter.
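Added example, not code from the thread: a small POSIX shell script that performs the check Wolf suggests, first classifying how an option is set in the kernel .config (built in, module, disabled, or not present in this kernel at all) and then looking for the matching module in lsmod output. The .config and lsmod text embedded below are constructed samples so the script runs offline; the option and module pairs for the nftables and pre-2.6 cases (CONFIG_NFT_CT/nft_ct, CONFIG_IP_NF_MATCH_STATE/ipt_state) are assumed counterparts, not something the thread states.

```shell
#!/bin/sh
# Added example, not from the thread: check how a netfilter option is
# configured in a kernel .config and whether its module shows up in lsmod.
# SAMPLE_CONFIG and SAMPLE_LSMOD are constructed; on a real box read
# /usr/src/linux/.config (or `zcat /proc/config.gz`) and run `lsmod`.

SAMPLE_CONFIG='CONFIG_NF_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
# CONFIG_NFT_CT is not set
CONFIG_IP_NF_IPTABLES=m'

SAMPLE_LSMOD='Module                  Size  Used by
xt_state               16384  2
nf_conntrack          172032  3 xt_state,xt_conntrack,nf_nat'

# config_state OPTION CONFIG_TEXT
# Prints builtin (=y), module (=m), unset ("is not set") or absent (no line
# at all, e.g. an option that no longer exists in this kernel version).
config_state() {
    opt=$1
    cfg=$2
    # Require "=" or " " right after the name so CONFIG_NF_CONNTRACK does
    # not also match CONFIG_NF_CONNTRACK_MARK.
    line=$(printf '%s\n' "$cfg" | grep -E "^(# )?$opt[= ]" | head -n 1)
    case "$line" in
        "$opt=y")             echo builtin ;;
        "$opt=m")             echo module ;;
        "# $opt is not set")  echo unset ;;
        "")                   echo absent ;;
        *)                    echo other ;;   # string/int options, not relevant here
    esac
}

# module_loaded MODULE LSMOD_TEXT -> exit 0 if MODULE is in column 1 of lsmod.
# Column 1 only: a name in the "Used by" column is a dependent, not the module.
module_loaded() {
    printf '%s\n' "$2" | awk -v m="$1" 'NR > 1 && $1 == m { found = 1 } END { exit !found }'
}

# check_option OPTION MODULE CONFIG_TEXT LSMOD_TEXT
# Prints a one-line verdict. A =m option only has an effect once the module
# is loaded, which iptables normally triggers when a rule using it is added.
check_option() {
    opt=$1 mod=$2 cfg=$3 lsm=$4
    state=$(config_state "$opt" "$cfg")
    case "$state" in
        builtin) echo "$opt: built in" ;;
        module)
            if module_loaded "$mod" "$lsm"; then
                echo "$opt: module $mod loaded"
            else
                echo "$opt: built as module but $mod not loaded (try: modprobe $mod; then check dmesg)"
            fi ;;
        unset)   echo "$opt: disabled in this kernel" ;;
        absent)  echo "$opt: not an option in this kernel version" ;;
        *)       echo "$opt: $state" ;;
    esac
}

check_option CONFIG_NETFILTER_XT_MATCH_STATE xt_state  "$SAMPLE_CONFIG" "$SAMPLE_LSMOD"
check_option CONFIG_NFT_CT                   nft_ct    "$SAMPLE_CONFIG" "$SAMPLE_LSMOD"
check_option CONFIG_IP_NF_MATCH_STATE        ipt_state "$SAMPLE_CONFIG" "$SAMPLE_LSMOD"
```

Because the state match is built as a module, an empty lsmod before the firewall has started is not by itself a problem: the kernel autoloads xt_state the first time a rule with `-m state` is inserted. The useful moment to run the check is after `shorewall start`, when the module should be present and dmesg should show no load failure.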