On Mon, September 20, 2004 11:28 am, Samuel Jean said:
> On Mon, September 20, 2004 4:20 am, d l said:
>> Hi,
>> I am using vanilla Fedora Core 2, without configuring
>> firewall in anaconda during initial install.
>>
>
> Custom compiled kernel ?
>
>
>> Simple rules seem to work with built-in modules, e.g.
>> iptables -A INPUT -p ICMP -j DROP
>>
>> However, when I tried to use extension modules like
>> <connlimit> and <owner>, iptables always gives me an error.
>>
>> For <owner>:
>> iptables -m owner --help
>> .......
>> OWNER match v1.2.9 options:
>> [!] --uid-owner userid       Match local uid
>> [!] --gid-owner groupid      Match local gid
>> [!] --pid-owner processid    Match local pid
>> [!] --sid-owner sessionid    Match local sid
>> [!] --cmd-owner name         Match local command name
>>
>
> When you get the help displayed, the dynamic library is properly
> installed.
>
>> # iptables -A INPUT -m owner --cmd-owner mlnet -j test
>> iptables: Invalid argument
>
> That means the dynamic library is using a structure different from the one
> used by the module.
>
> If no module was present, you would get the
> "No match/chain/target by that name" error.
>
> So your module is there, but at the time of loading the rule, it compares
> the size of the structure it uses against the one your dynamic library uses.
>
> When there's something wrong in the checkentry function, iptables simply
> says "iptables: Invalid arguments".
>
> Most of the time, you have a newer library than your module.
> The patches applied with pom-ng should take care of fixing your problem
> if you recompile the iptables userspace as well as the kernel
> netfilter module.
>

In addition, most of the netfilter modules log via syslog whenever there's something wrong while doing their 'checkentry'. Take a look at /var/log/syslog just in case.

Personally, I've never used/tried that match. So, could it be that you are loading it in the wrong chain (not supported by the module)?

Good luck,

Samuel Jean
CookingLinux.org
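As an added example (not part of the thread above, and not a netfilter project tool), the following POSIX shell script triages an iptables rule failure along the lines Samuel describes: it distinguishes the "Invalid argument" (userspace extension and kernel module disagree on the match structure) case from the "No chain/target/match by that name" (module absent) case, and on a mismatch collects the userspace version, kernel version, loaded module and recent kernel log lines to compare. It assumes `iptables`, `lsmod`, `modinfo`, `dmesg` and `uname` are on the PATH and that `diagnose_rule` is run as root; the module name and rule arguments are whatever the caller passes.

```shell
#!/bin/sh
# Added example: triage an iptables match failure as described in the reply.
# classify_iptables_error is a pure function over the stderr text, so it can
# be checked offline; diagnose_rule actually runs the rule (needs root).

classify_iptables_error() {
    # $1: stderr text of an iptables invocation; prints a one-word verdict.
    case "$1" in
        *"Invalid argument"*)
            # Module is loaded, but its checkentry rejected the rule: the
            # userspace extension and kernel module use different structures.
            echo struct-mismatch ;;
        *"No chain/target/match by that name"*)
            # Extension library is present, but the kernel module (or the
            # named chain/target) is not.
            echo module-missing ;;
        "")
            echo ok ;;
        *)
            echo other ;;
    esac
}

diagnose_rule() {
    # Usage: diagnose_rule <match-name> <iptables args...>
    # e.g.   diagnose_rule owner -A OUTPUT -m owner --uid-owner 1000 -j ACCEPT
    mod="$1"; shift
    err=$(iptables "$@" 2>&1 >/dev/null)     # keep stderr only
    verdict=$(classify_iptables_error "$err")
    echo "verdict: $verdict"
    case "$verdict" in
        struct-mismatch)
            echo "userspace: $(iptables -V)"
            echo "kernel:    $(uname -r)"
            # Older kernels name the module ipt_<match>, newer ones xt_<match>.
            lsmod | grep -E "^(ipt|xt)_$mod" || echo "no $mod module loaded"
            # checkentry failures are logged by the kernel; show the tail.
            dmesg | grep -i "$mod" | tail -n 5 ;;
        module-missing)
            modinfo "xt_$mod" 2>/dev/null || modinfo "ipt_$mod" 2>/dev/null \
                || echo "no kernel module for match '$mod' on this system" ;;
    esac
}
```

Run `diagnose_rule owner -A OUTPUT -m owner --uid-owner 1000 -j ACCEPT` as root to reproduce the triage for the owner match; the rule is actually inserted when it succeeds, so use a throwaway chain or delete it afterwards.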