diff --git a/docs/FAQ.xml b/docs/FAQ.xml index ac4db1ec0..311673781 100644 --- a/docs/FAQ.xml +++ b/docs/FAQ.xml @@ -1631,6 +1631,28 @@ iptables: Invalid argument /etc/shorewall/modules and modify the copy to include only the modules that you need. + +
+ (FAQ 61) I just installed the latest Debian kernel and now + "shorewall start" fails with the message "ipt_policy: matchsize 116 != + 308". What's wrong? + + Answer: Your iptables is incompatible with your kernel. Either + + + + + rebuild iptables using the kernel headers that match your new + kernel; or + + + + if you don't need policy match support (you are not using the + IPSEC implementation built into the 2.6 kernel) then you can rename + /lib/iptables/libipt_policy.so. + + +
diff --git a/docs/PacketMarking.xml b/docs/PacketMarking.xml index 5d6bbe4fa..90d11fdf0 100644 --- a/docs/PacketMarking.xml +++ b/docs/PacketMarking.xml @@ -339,7 +339,7 @@ SAVE 0.0.0.0/0 0.0.0.0/0 all - - - !0 #R Remember that even though 'ping' packets were marked in one of - the first two rules, they are still passed on to rule 3 (note that + the first two rules, they are still passed on to rule 5 (note that packets marked by rules 3 and 4 are not processed by this rule since it is in a different program). That rule moves the connection mark to the packet mark, if the packet mark is still zero
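Review bot: In docs/FAQ.xml (FAQ 61), the second option, "you can rename /lib/iptables/libipt_policy.so", names no target and does not say that it is a workaround that leaves policy match unavailable until iptables is rebuilt against the new kernel headers. The condition that makes it safe, "you are not using the IPSEC implementation built into the 2.6 kernel", is tucked into a parenthesis. I would state that condition first as its own sentence, then give the rename with an explicit new name, so that a reader who does rely on IPSEC policy rules does not apply it by mistake. A short sentence explaining that "matchsize 116 != 308" is a size mismatch between what iptables and the kernel expect would also help readers recognise the same failure with other numbers.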
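Review bot: In docs/PacketMarking.xml, the corrected reference "passed on to rule 5" still depends on counting rules in a listing that this hunk does not show, and the same sentence keeps two more ordinal references ("the first two rules", "rules 3 and 4") that will go stale in the same way the next time a rule is inserted. Please confirm against the listing that rule 5 is the one described by the following sentence ("moves the connection mark to the packet mark, if the packet mark is still zero"), and consider identifying the rule by its action as well as its number so the text survives reordering.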