Detect the lack of state match

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7001 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall-common/changelog.txt

@@ -23,6 +23,8 @@ Changes in 4.0.1
 
 11) Allow '/min' in RATE/BURST column.
 
+12) Check for state match
+
 Changes in 4.0.0 Final
 
 1)  Fix lite install.sh manpage problem.

Shorewall-common/releasenotes.txt

@@ -114,6 +114,13 @@ Other changes in Shorewall 4.0.1.
 	 all	 all	  REJECT    info
 	 loc	 net	  ACCEPT
 
+4)  Recent kernels are apparently hard to configure and we have been
+    seeing a lot of problem reports where the root cause is the lack of
+    state match support in the kernel. This problem is difficult to
+    diagnose when using Shorewall-perl so the generated shell program
+    now checks specifically for this problem and terminates with an
+    error if the capability doesn't exist.
+
 Migration Considerations:
 
 1)  Beginning with Shorewall 4.0.0, there is no single 'shorewall'

Shorewall-perl/Shorewall/Compiler.pm

@@ -166,6 +166,18 @@ sub generate_script_1() {
 	   '[ -d ${VARDIR} ] || mkdir -p ${VARDIR}'
 	   );
 
+    emit ( '',
+	   '#',
+	   '# Recent kernels are difficult to configure -- we see state match omitted a lot so we check for it here',
+	   '#',
+	   '$IPTABLES -N foox1234',
+	   '$IPTABLES -A foox1234 -m state --state ESTABLISHED,RELATED -j ACCEPT',
+	   'result=$?',
+	   '$IPTABLES -F foox1234',
+	   '$IPTABLES -X foox1234',
+	   '[ $result = 0 ] || startup_error "Your kernel/iptables do not include state match support. No version of Shorewall will run on this system"',
+	   '' );
+
     pop_indent;
 
     emit "}\n"; # End of initialize()