From 8a933ff98ab0419dee04d3e28a05929ecec86628 Mon Sep 17 00:00:00 2001 From: teastep Date: Thu, 28 Jun 2007 22:34:10 +0000 Subject: [PATCH] Remove error messages doc git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6700 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- docs/ErrorMessages.xml | 867 ----------------------------------------- 1 file changed, 867 deletions(-) delete mode 100644 docs/ErrorMessages.xml diff --git a/docs/ErrorMessages.xml b/docs/ErrorMessages.xml deleted file mode 100644 index bf7dffb36..000000000 --- a/docs/ErrorMessages.xml +++ /dev/null @@ -1,867 +0,0 @@ - - -
- - - - Shorewall Error Messages - - - - Tom - - Eastep - - - - - - - 2004 - - 2005 - - Thomas M. Eastep - - - - Permission is granted to copy, distribute and/or modify this - document under the terms of the GNU Free Documentation License, Version - 1.2 or any later version published by the Free Software Foundation; with - no Invariant Sections, with no Front-Cover, and with no Back-Cover - Texts. A copy of the license is included in the section entitled - GNU Free Documentation - License. - - - -
- Introduction - - Shorewall can produce a wide variety of error messages when a - problem is detected with your configuration. This article attempts to - explain the cause of and cures for some of these messages. -
- -
- Messages Produced by /sbin/shorewall - - Some error messages are produced by the /sbin/shorewall utility. - These messages are detailed in this section. - - - - ERROR: <label> must specify a simple file name: - <name> - - - This means that you have specified a restore file name with a - "/". Restore files must be simple file names with no slashes. - - - - - ERROR: Shorewall is not properly installed - - - The files /usr/share/shorewall/firewall - and/or /usr/share/shorewall/version do not - exist. - - - - - ERROR: <file name> exists and is not a saved Shorewall - configuration - - - The named file in /var/lib/shorewall - exists but is not executable. - - - - - ERROR: Reserved file name: <file name> - - - You have specified either save or - restore-base as the name of a restore file -- - those names are reserved for use by Shorewall. - - - - - ERROR: Currently-running Configuration Not Saved - - - During processing of a shorewall save - command, the iptables-save command failed. - - - - - ERROR: /var/lib/shorewall/restore-base does not exist - - - The shorewall start and shorewall - restart commands create a file called - /var/lib/shorewall/restore-base which forms the - basis for creating a restore file using shorewall - save. This error message is issued when shorewall - save is not able to find that file. - - - - - ERROR: The program specified in IPTABLES does not exist or is - not executable - - - The IPTABLES option in - /etc/shorewall/shorewall.conf specifies a file - that is not executable. - - - - - ERROR: Can't find iptables executable - - - There is no executable file named "iptables" in any directory - in $PATH. - - - - - ERROR: The program specified in SHOREWALL_SHELL does not exist - or is not executable - - - The SHOREWALL_SHELL option in - /etc/shorewall/shorewall.conf names does not - name an executable file. 
- - - - - ERROR: /var/lib/shorewall/<file> exists and is not a saved - Shorewall configuration - - - The restore file (<file>) specified or implied in a - shorewall save command already exists but is not - executable (and hence cannot be a value restore file). Either - remove/rename the file or specify a different file name. - - - -
- -
- Messages Produced by /usr/share/shorewall/firewall - - The program /usr/share/shorewall/firewall is - responsible for parsing the Shorewall configuration files and for creating - and changing the Netfilter configuration. Some of the error messages - generated by this program are listed below. - - - - ERROR: Invalid nested zone syntax: :<parent-zone> - - - The zone name in the ZONE column of - /etc/shorewall/zones may not start with a colon - (":"). - - - - - ERROR: Sub-zones of the firewall zone are not allowed - - - The firewall zone may not be defined to have zones nested - within it. - - - - - ERROR: Parent zone not defined: <parent-zone> - - - When defining nested zones in - /etc/shorewall/zones, the parent zone must be - defined before any zones nested inside of it. - - - - - ERROR: Zone name longer than 5 characters: <zone> - - - Zone names are restricted to 5 characters or less in - length. - - - - - ERROR: Illegal zone name "<zone>" in zones file - - - The zone name quoted in the error message begins with a digit - -- zone names must begin with an alphabetic character. - - - - - ERROR: Reserved zone name "<zone>" in zones file - - - The names "none" and "all" are reserved and may not be used as - zone names in /etc/shorewall/zones. - - - - - ERROR: Zone <zone> is defined more than once - - - There are two records in - /etc/shorewall/zones that define the named - zone. - - - - - ERROR: Your kernel and/or iptables does not support policy - match - - - You have defined a zone of type ipsec in - /etc/shorewall/zones or have specified the - ipsec option in an /etc/shorewall/hosts record - but your kernel and/or iptables don't include policy match support - -- see this article for - details. - - - - - ERROR: The firewall zone may not be nested - - - You have defined a zone of type firewall to be nested inside another zone. - Shorewall does not support such nesting. 
- - - - - ERROR: OPTIONS not allowed on the firewall zone - - - The zone of type firewall may - not have any options specified in the OPTIONS, IN OPTIONS or OUT - OPTIONS columns of /etc/shorewall/zones. - - - - - ERROR: Only one firewall zone may be defined - - - You may have only one record in - /etc/shorewall/zones that has type firewall. - - - - - ERROR: No ipv4 or ipsec Zones Defined - - - You must define at least one ipv4 or ipsec zone in - /etc/shorewall/zones. - - - - - ERROR: No Firewall Zone Defined - - - You must define one (and only one) zone if type firewall in - /etc/shorewall/zones. - - - - - ERROR: Invalid Mark or Mask value: <number> - - - Shorewall-assigned packet and connection marks are limited to - the range 1-255. - - - - - ERROR: Invalid zone definition for zone <zone> - - - The zone named in the message is defined to be associated with - an interface in /etc/shorewall/interfaces yet - it also has an entry for that same interface in - /etc/shorewall/hosts. - - - - - ERROR: Invalid zone (<zone>) in record - "<record>" - - - The zone named in the ZONE column of the listed record from - /etc/shorewall/interfaces or - /etc/shorewall/hosts is not defined in - /etc/shorewall/zones. - - - - - ERROR: The routeback option may not be specified on a multi-zone - interface - - - The ZONE column of a record in - /etc/shorewall/interfaces was empty ("-"). Such - interfaces may not specify the routeback option. - - - - - ERROR: The "detectnets" option may not be used with a wild-card - interface - - - The interface name in the INTERFACE column is a wild-card - (ends with "+"). Such interfaces may not specify the detectnets option. - - - - - ERROR: Duplicate Interface <interface> - - - The named interface has two entries in - /etc/shorewall/interfaces. - - - - - ERROR: Invalid Interface Name: <interface> - - - The interface name contains a colon (":") or is "+". If the - name includes a ":", you probably need to read this - article. 
- - - - - ERROR: The 'norfc1918' option may not be specified on an - interface with an RFC 1918 address. Interface: - <interface> - - - The <interface> named in the message is configured with - an IP address that is reserved by RFC 1918 -- that address is - incompatible with the norfc1918 - interface option. - - - - - ERROR: Unknown interface (<interface>) in record - "<record>" - - - The <interface> name listed in the - <record> from - /etc/shorewall/hosts was not defined in - /etc/shorewall/interfaces. - - - - - ERROR: Invalid HOST(S) column contents: <hosts> - - - The contests of the HOST(S) column in a record from - /etc/shorewall/hosts does not follow the proper - syntax for that column in that it doesn't contain at least one colon - (":"). See the /etc/shorewall/hosts - documentation. - - - - - ERROR: Bridged interfaces may not be defined in - /etc/shorewall/interfaces: <interface>[:<address>] - - - The named interface appears in /etc/shorewall/hosts and - appears as a bridge port (after a colon) but is also defined in - /etc/shorewall/interfaces. - - - - - ERROR: Undefined zone <zone> - - - The named zone appears in the /etc/shorewall/policy file but - not in the /etc/shorewall/zones file. - - - - - ERROR: <policy record>: NONE policy not allowed to/from - the <firewall-zone-name> zone - - - Shorewall does not support a policy of NONE when the source or - destination zone is the firewall itself. - - - - - ERROR: <policy record>: NONE policy not allowed with - "all" - - - Shorewall does not support a policy of NONE when the source or - destination zone is "all". - - - - - ERROR: Duplicate policy: <source zone> <destination - zone> <policy> - - - There is an earlier record in the file with the same - <source zone> and <destination zone> - - - - - ERROR: Can't determine the IP address of - <interface> - - - You have specified DETECT_DNAT_ADDRS=Yes in - /etc/shorewall/shorewall.conf and Shorewall is unablee to determine - the IP address of the named <interface>. 
- Be sure that the interface is started before starting Shorewall or - set DETECT_DNAT_ADDRS=No. - - - - - ERROR: Invalid gateway zone (<zone>) -- Tunnel - "<record> - - - The listed <zone> name appears in - the GATEWAY ZONE column of the listed - <record> from - /etc/shorewall/tunnels but is not defined in - /etc/shorewall/zones. - - - - - ERROR: No hosts on <interface> have the maclist option - specified - - - The named <interface> appears in a - record in /etc/shorewall/maclist yet that - interface's record in /etc/shorewall/interfaces - does not specify the maclist option - and no record in /etc/shorewall/hosts that - names that interface includes the maclist option. - - - - - ERROR: Interface <interface> must be up before Shorewall - can start - - - You have specified the maclist option for this interface but the - command ip list show <interface> - fails. - - - - - ERROR: Unknown interface <interface> - - - The interface appears in a configuration file but is not - defined in /etc/shorewall/interfaces. - - - - - ERROR: BRIDGING=Yes requires Physdev Match support in your - Kernel and iptables - - - You have set BRIDGING=Yes in - /etc/shorewall/shorewall.conf but it appears - that your kernel and/or iptables do not have physdev match - support. - - - - - ERROR: Invalid Action Name: <action> - - - The <action> contains one of the following characters: - ".", "-", or "%". Those characters are not allowed in an action - name. - - - - - ERROR: Invalid Macro Parameter in rule "<rule>" - - - The value being passed to a parameterized macro is not ACCEPT, - DROP, REJECT, LOG, QUEUE or CONTINUE. - - - - - ERROR: Missing Action File: action.<action name> - - - The specified <action name> has an entry in - /usr/share/shorewall/actions.std or in - /etc/shorewall/actions but the corresponding - action file does not exist on the CONFIG_PATH. 
- - - - - ERROR: Unknown interface <interface> in rule: - "<rule>" - - - You have BRIDGING=No in - /etc/shorewall/shorewall.conf and the - <interface> given in a rule does not - match an entry in - /etc/shorewall/interfaces. - - - - - ERROR: SNAT may no longer be specified in a DNAT rule; use - /etc/shorewall/masq instead - - - In earlier Shorewall versions, the ORIGINAL DEST column - allowed following the original destination IP address with ":" and - an address to use as the source of the forwarded connection request. - Now that /etc/shorewall/masq supports qualification of SNAT rules by - protocol and port, this feature is no longer required and has been - deimplemented. - - - - - ERROR: "Invalid Source in rule "<rule>" - - - The SOURCE column has the firewall zone name immediately - followed by "!". This syntax is use to exclude a subzone and - Shorewall currently doesn't support subzones of the firewall - zone. - - - - - ERROR: Rule "<rule>" - Destination may not be specified by - MAC Address - - - Netfilter (and hence Shorewall) does not allow qualification - of a rule by destination source IP address. - - - - - ERROR: Destination interface not allowed with - <action> - - - The named <action> will be ACCEPT+ - or NONAT. These actions are inforced in part in the PREROUTING nat - chain where the destination interface is not yet known (because the - packet has not yet been routed). As a result, the DESTINATION column - may not contain an interface name. - - - - - ERROR: Only DNAT and REDIRECT rules may specify destination - mapping; rule "<rule>" - - - The <rule> specifies a server - address that is different from the ORIGINAL DEST address and/or it - specifies a server port that is different from the destination port - but the ACTION is neither DNAT[-] nor REJECT[-]. - - - - - ERROR: Empty source zone or qualifier: rule - "<rule>" - - - The SOURCE column is of one of the forms - <zone>:, - :<qualifier> or :. 
- - - - - ERROR: Exclude list only allowed with DNAT or REDIRECT - - - In DNAT[-] and REDIRECT[-] rules, you can have a SOURCE of the - form - <zone>:<net1>!<net2>. - This means <net1> in the - <zone> zone except - for <net2>. This syntax is not - available with other ACTIONs. - - - - - ERROR: Invalid use of a user-qualification: rule - "<rule>" - - - The USER/GROUP column may only have and entry if the SOURCE is - the firewall zone. - - - - - ERROR: Empty destination zone or qualifier: rule - "<rule>" - - - The DEST column is of one of the forms - <zone>:, - :<qualifier> or :. - - - - - ERROR: Undefined Client Zone in rule "<rule>" - - - The zone given in the SOURCE column was not defined in - /etc/shorewall/zones. - - - - - ERROR: Undefined Server Zone in rule "<rule>" - - - The zone given in the DEST column was not defined in - /etc/shorewall/zones. - - - - - ERROR: Rules may not override a NONE policy: rule - "<rule>" - - - If the policy from zone z1 to zone z2 is NONE that means that - Shorewall sets up no infrastructure to handle traffic from z1 to z2. - Consequently, you cannot have any rules that control traffic from z1 - to z2. - - - - - ERROR: Invalid Action in rule "<rule>" - - - The ACTION column contains an action that is not one of the - built-in actions and it is not defined in - /etc/shorewall/actions or in - /usr/share/shorewall/actions.std. - - - - - ERROR: Unable to determine the routes through interface - <interface> - - - You have specified <interface> in - the SUBNET column of /etc/shorewall/masq which - means that Shorewall is supposed to determine the network(s) routed - through that interface. To do that, Shorewall issues the command - ip addr ls dev <interface> and that command - failed. This usually means that you are trying to start Shorewall - before the <interface> is brought - up. 
- - - - - ERROR: No appropriate chain for zone <z1> to zone - <z2> - - - There is no policy defined in - /etc/shorewall/policy for connections from zone - <z1> to zone - <z2>. - - - -
- -
- Warnings - - This sections describes some of the more common warnings generated - by Shorewall. - - - - Warning: default route ignored on interface - <interface> - - - This means that the interface named in the SUBNET column of - /etc/shorewall/masq has the default route. This - almost always means that you have the contents of the INTERFACE and - SUBNET columns reversed. - - - - - Warning: Zone <zone> is empty - - - This warning alerts you to the fact tha <zone> is - defined in /etc/shorewall/zones but has no - corresponding entries in - /etc/shorewall/interfaces or in - /etc/shorewall/hosts. - - - - - WARNING: Shorewall startup is disabled. To enable startup, set - STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf - - - If you need help understanding that warning message then you - probably need to take up another hobby or line of work. - - - -
- -
- Iptables Error Messages - - By far the most asked about iptables error messages are: - - - - iptables: No chain/target/match by that name - - - This almost always means that you are trying to use a - Shorewall feature that your iptables and/or kernel do not support. - Beginning with version 2.2.0, Shorewall follows this message with a - copy of the iptables command that is failing. Most commonly, the - problem is that one of the match types (keyword following "-m" in - the command) isn't supported by your iptables/kernel. The output of - "shorewall show capabilities" shows you what your iptables/kernel - support: - - gateway:~# shorewall show capabilities -Shorewall has detected the following iptables/netfilter capabilities: - NAT: Available - Packet Mangling: Available - Multi-port Match: Available - Extended Multi-port Match: Available - Connection Tracking Match: Available - Packet Type Match: Available - Policy Match: Available - Physdev Match: Available - IP range Match: Available - Recent Match: Available - Owner Match: Available - Ipset Match: Available - ROUTE Target: Not available - Extended MARK Target: Available - CONNMARK Target: Available - Connmark Match: Available - Raw Table: Available -gateway:~# - - - - - iptables: invalid argument - - - Answer: 99.999% of the time, this error is caused by a - mismatch between your iptables and kernel. - - - - Your iptables must be compiled against a kernel source - tree that is Netfilter-compatible with the kernel that you are - running. - - - - If you rebuild iptables using the defaults and install it, - it will be installed in /usr/local/sbin/iptables. As shown - above, you have the IPTABLES variable in shorewall.conf set to - "/sbin/iptables". - - - - - -
-
\ No newline at end of file
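Review bot: The commit message ("Remove error messages doc") gives no reason for deleting docs/ErrorMessages.xml and no pointer to where its content now lives, yet the 867 removed lines include troubleshooting guidance that users of a firewall still need, in particular the "iptables: No chain/target/match by that name" entry with its "shorewall show capabilities" check and the "iptables: invalid argument" entry about an iptables/kernel mismatch. Please state in the message whether this material was merged into another document or is considered obsolete for the current release, and if it was moved, name the destination. Also confirm that no remaining file under docs/ still cross-references this document, since the deleted text itself uses cross-references to other sections of the documentation set.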