diff --git a/Shorewall-docs2/Documentation_Index.xml b/Shorewall-docs2/Documentation_Index.xml
index 752a24d15..915368f2d 100644
--- a/Shorewall-docs2/Documentation_Index.xml
+++ b/Shorewall-docs2/Documentation_Index.xml
@@ -15,7 +15,7 @@
- 2004-09-23
+ 2004-10-05
2001-2004
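Review bot: the index date is bumped to 2004-10-05 here, but the new ErrorMessages.xml added in this same commit carries a pubdate of 2004-10-06; the two should agree, so either update this line to 2004-10-06 or align the new file's pubdate with the index.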
@@ -296,6 +296,10 @@
Errata
+
+ Error Messages
+
+
Extension
Scripts (How to extend Shorewall without modifying Shorewall
diff --git a/Shorewall-docs2/ErrorMessages.xml b/Shorewall-docs2/ErrorMessages.xml
new file mode 100644
index 000000000..2d2fc558b
--- /dev/null
+++ b/Shorewall-docs2/ErrorMessages.xml
@@ -0,0 +1,505 @@
+
+
+
+
+
+
+ Shorewall Error Messages
+
+
+
+ Tom
+
+ Eastep
+
+
+
+ 2004-10-06
+
+
+ 2004
+
+ Thomas M. Eastep
+
+
+
+ Permission is granted to copy, distribute and/or modify this
+ document under the terms of the GNU Free Documentation License, Version
+ 1.2 or any later version published by the Free Software Foundation; with
+ no Invariant Sections, with no Front-Cover, and with no Back-Cover
+ Texts. A copy of the license is included in the section entitled
+ GNU Free Documentation
+ License
.
+
+
+
+
+ Introduction
+
+ Shorewall can produce a wide variety of error messages when a
+ problem is detected with your configuration. This article attempts to
+ explain the cause of and cures for some of these messages.
+
+
+
+ Messages Produced by /sbin/shorewall
+
+ Some error messages are produced by the /sbin/shorewall utility.
+ These messages are detailed in this section.
+
+
+
+ ERROR: <label> must specify a simple file name:
+ <name>
+
+
+ This means that you have specified a restore file name with a
+ "/". Restore files must be simple file names with no slashes.
+
+
+
+
+ ERROR: Shorewall is not properly installed
+
+
+ The files /usr/share/shorewall/firewall
+ and/or /usr/share/shorewall/version do not
+ exist.
+
+
+
+
+ ERROR: <file name> exists and is not a saved
+ Shorewall configuration
+
+
+ The named file in /var/lib/shorewall
+ exists but is not executable.
+
+
+
+
+ ERROR: Reserved file name: <file name>
+
+
+ You have specified either save or
+ restore-base as the name of a restore file --
+ those names are reserved for use by Shorewall.
+
+
+
+
+ ERROR: Currently-running Configuration Not
+ Saved
+
+
+ During processing of a shorewall save
+ command, the iptables-save command failed.
+
+
+
+
+ ERROR: /var/lib/shorewall/restore-base does not
+ exist
+
+
+ The shorewall start and shorewall
+ restart commands create a file called
+ /var/lib/shorewall/restore-base which forms the
+ basis for creating a restore file using shorewall
+ save. This error message is issued when shorewall
+ save is not able to find that file.
+
+
+
+
+
+
+ Messages Produced by /usr/share/shorewall/firewall
+
+ The program /usr/share/shorewall/firewall is
+ responsible for parsing the Shorewall configuration files and for creating
+ and changing the Netfilter configuration. Some of the error messages
+ generated by this program are listed below.
+
+
+
+ ERROR: Invalid zone definition for zone
+ <zone>
+
+
+ The zone named in the message is defined to be associated with
+ an interface in /etc/shorewall/interfaces yet
+ it also has an entry for that same interface in
+ /etc/shorewall/hosts.
+
+
+
+
+ ERROR: Invalid zone (<zone>) in record
+ "<record>"
+
+
+ The zone named in the ZONE column of the listed record from
+ /etc/shorewall/interfaces or
+ /etc/shorewall/hosts is not defined in
+ /etc/shorewall/zones.
+
+
+
+
+ ERROR: Duplicate Interface <interface>
+
+
+ The named interface has two entries in
+ /etc/shorewall/interfaces.
+
+
+
+
+ ERROR: Invalid Interface Name:
+ <interface>
+
+
+ The interface name contains a colon (":") or is "+". If the
+ name includes a ":", you probably need to read this
+ article.
+
+
+
+
+ ERROR: Unknown interface (<interface>) in record
+ "<record>"
+
+
+ The <interface> name listed in the
+ <record> from
+ /etc/shorewall/hosts was not defined in
+ /etc/shorewall/interfaces.
+
+
+
+
+ ERROR: Bridged interfaces may not be defined in
+ /etc/shorewall/interfaces:
+ <interface>[:<address>]
+
+
+ The named interface appears in /etc/shorewall/hosts and
+ appears as a bridge port (after a colon) but is also defined in
+ /etc/shorewall/interfaces.
+
+
+
+
+ ERROR: Your kernel and/or iptables does not support policy
+ match: ipsec
+
+
+ You have specified the ipsec
+ option in an /etc/shorewall/hosts record but
+ your kernel and/or iptables is missing policy match support. That
+ support in turn requires a set of ipsec-netfilter patches in order
+ to work correctly.
+
+
+
+
+ ERROR: Undefined zone <zone>
+
+
+ The named zone appears in the /etc/shorewall/policy file but
+ not in the /etc/shorewall/zones file.
+
+
+
+
+ ERROR: Can't determine the IP address of
+ <interface>
+
+
+ You have specified DETECT_DNAT_ADDRS=Yes in
+ /etc/shorewall/shorewall.conf and Shorewall is unablee to determine
+ the IP address of the named <interface>.
+ Be sure that the interface is started before starting Shorewall or
+ set DETECT_DNAT_ADDRS=No.
+
+
+
+
+ ERROR: Invalid gateway zone (<zone>) -- Tunnel
+ "<record>
+
+
+ The listed <zone> name appears in
+ the GATEWAY ZONE column of the listed
+ <record> from
+ /etc/shorewall/tunnels but is not defined in
+ /etc/shorewall/zones.
+
+
+
+
+ ERROR: Your kernel and/or iptables does not support policy
+ match
+
+
+ Your /etc/shorewall/ipsec file is non-empty but your kernel
+ and/or iptables do not include policy match support. That support in
+ turn requires a set of ipsec-netfilter patches in order to work
+ correctly.
+
+
+
+
+ ERROR: No hosts on <interface> have the maclist
+ option specified
+
+
+ The named <interface> appears in a
+ record in /etc/shorewall/maclist yet that
+ interface's record in /etc/shorewall/interfaces
+ does not specify the maclist option
+ and no record in /etc/shorewall/hosts that
+ names that interface includes the maclist option.
+
+
+
+
+ ERROR: Interface <interface> must be up before
+ Shorewall can start
+
+
+ You have specified the maclist option for this interface but the
+ command ip list show <interface>
+ fails.
+
+
+
+
+ ERROR: Unknown interface <interface>
+
+
+ The interface appears in a configuration file but is not
+ defined in /etc/shorewall/interfaces.
+
+
+
+
+ ERROR: BRIDGING=Yes requires Physdev Match support in your
+ Kernel and iptables
+
+
+ You have set BRIDGING=Yes in
+ /etc/shorewall/shorewall.conf but it appears
+ that your kernel and/or iptables do not have physdev match
+ support.
+
+
+
+
+ ERROR: Unknown interface <interface> in rule:
+ "<rule>"
+
+
+ You have BRIDGING=No in
+ /etc/shorewall/shorewall.conf and the
+ <interface> given in a rule does not
+ match an entry in
+ /etc/shorewall/interfaces.
+
+
+
+
+ ERROR: SNAT may no longer be specified in a DNAT rule; use
+ /etc/shorewall/masq instead
+
+
+ In earlier Shorewall versions, the ORIGINAL DEST column
+ allowed following the original destination IP address with ":" and
+ an address to use as the source of the forwarded connection request.
+ Now that /etc/shorewall/masq supports qualification of SNAT rules by
+ protocol and port, this feature is no longer required and has been
+ deimplemented.
+
+
+
+
+ ERROR: "Invalid Source in rule "<rule>"
+
+
+ The SOURCE column has the firewall zone name immediately
+ followed by "!". This syntax is use to exclude a subzone and
+ Shorewall currently doesn't support subzones of the firewall
+ zone.
+
+
+
+
+ ERROR: Rule "<rule>" - Destination may not be
+ specified by MAC Address
+
+
+ Netfilter (and hence Shorewall) does not allow qualification
+ of a rule by destination source IP address.
+
+
+
+
+ ERROR: Destination interface not allowed with
+ <action>
+
+
+ The named <action> will be ACCEPT+
+ or NONAT. These actions are inforced in part in the PREROUTING nat
+ chain where the destination interface is not yet known (because the
+ packet has not yet been routed). As a result, the DESTINATION column
+ may not contain an interface name.
+
+
+
+
+ ERROR: Only DNAT and REDIRECT rules may specify destination
+ mapping; rule "<rule>"
+
+
+ The <rule> specifies a server
+ address that is different from the ORIGINAL DEST address and/or it
+ specifies a server port that is different from the destination port
+ but the ACTION is neither DNAT[-] nor REJECT[-].
+
+
+
+
+ ERROR: Empty source zone or qualifier: rule
+ "<rule>"
+
+
+ The SOURCE column is of one of the forms
+ <zone>:,
+ :<qualifier> or :.
+
+
+
+
+ ERROR: Exclude list only allowed with DNAT or
+ REDIRECT
+
+
+ In DNAT[-] and REDIRECT[-] rules, you can have a SOURCE of the
+ form
+ <zone>:<net1>!<net2>.
+ This means <net1> in the
+ <zone> zone except
+ for <net2>. This syntax is not
+ available with other ACTIONs.
+
+
+
+
+ ERROR: Invalid use of a user-qualification: rule
+ "<rule>"
+
+
+ The USER/GROUP column may only have and entry if the SOURCE is
+ the firewall zone.
+
+
+
+
+ ERROR: Empty destination zone or qualifier: rule
+ "<rule>"
+
+
+ The DEST column is of one of the forms
+ <zone>:,
+ :<qualifier> or :.
+
+
+
+
+ ERROR: Undefined Client Zone in rule
+ "<rule>"
+
+
+ The zone given in the SOURCE column was not defined in
+ /etc/shorewall/zones.
+
+
+
+
+ ERROR: Undefined Server Zone in rule
+ "<rule>"
+
+
+ The zone given in the DEST column was not defined in
+ /etc/shorewall/zones.
+
+
+
+
+ ERROR: Rules may not override a NONE policy: rule
+ "<rule>"
+
+
+ If the policy from zone z1 to zone z2 is NONE that means that
+ Shorewall sets up no infrastructure to handle traffic from z1 to z2.
+ Consequently, you cannot have any rules that control traffic from z1
+ to z2.
+
+
+
+
+ ERROR: Invalid Action in rule "<rule>"
+
+
+ The ACTION column contains an action that is not one of the
+ built-in actions and it is not defined in
+ /etc/shorewall/actions or in
+ /usr/share/shorewall/actions.std.
+
+
+
+
+ ERROR: Unable to determine the routes through interface
+ <interface>
+
+
+ You have specified <interface> in
+ the SUBNET column of /etc/shorewall/masq which
+ means that Shorewall is supposed to determine the network(s) routed
+ through that interface. To do that, Shorewall issues the command
+ ip addr ls dev <interface> and that command
+ failed. This usually means that you are trying to start Shorewall
+ before the <interface> is brought
+ up.
+
+
+
+
+
+
+ Warnings
+
+ This sections describes some of the more warnings generated by
+ Shorewall.
+
+
+
+ Warning: default route ignored on interface
+ <interface>
+
+
+ This means that the interface named in the SUBNET column of
+ /etc/shorewall/masq has the default route. This
+ almost always means that you have the contents of the INTERFACE and
+ SUBNET columns reversed.
+
+
+
+
+
\ No newline at end of file
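Review bot: three explanations in the new file contradict the message they document and should be fixed before this ships. The entry for `ERROR: Rule "<rule>" - Destination may not be specified by MAC Address` explains it as Netfilter not allowing qualification "by destination source IP address"; the message is about MAC addresses, so this should read "by destination MAC address". The entry for `ERROR: Only DNAT and REDIRECT rules may specify destination mapping` says the ACTION "is neither DNAT[-] nor REJECT[-]"; per the message itself the second action should be REDIRECT[-]. The maclist "must be up" entry quotes the command as `ip list show <interface>`; the iproute2 subcommand is `ip link show`. Smaller points in the same hunk: the gateway-zone tunnel message is missing its closing quote after <record>, the Invalid Source message has a stray leading quote before "Invalid", the Warnings introduction ("some of the more warnings generated by Shorewall") is missing a word, and there are typos in "unablee", "inforced", "is use to exclude" and "may only have and entry".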