15.5.6. Script fails to load module nf_conntrack

Generated script fails to load module nf_conntrack when it is executed on the firewall

This problem is specific to iptables. The answer below was written in September 2006; the situation and the relevant recommendations will most likely change as the nf_conntrack module matures and gets wider deployment.

Here is an example of an error message:

FATAL: Error inserting nf_conntrack_ipv4
(/lib/modules/2.6.13-15.11-default/kernel/net/ipv4/netfilter/nf_conntrack_ipv4.ko):
Device or resource busy

Here is the link to the nf_conntrack page in the patch-o-matic catalog. Here is the link to the discussion on the netfilter-devel mailing list.

It appears you can load either ip_conntrack or nf_conntrack, but not both at the same time, since nf_conntrack is a replacement for ip_conntrack. As of this writing, nf_conntrack does not support NAT yet and is marked with status "TESTING" on the patch-o-matic catalog page.

This actually represents a problem for fwbuilder. I would like to avoid having to write an extensive GUI to let the user choose which modules they want to load. One of the reasons is that the GUI may be running on one machine while the generated firewall script will be executed on another. In this situation the GUI cannot determine which modules are available on the firewall. Currently the generated script simply tries to load all modules, but it aborts if it detects an error in the command that does it (modprobe).

Until a better solution is found, you would probably need to remove the module that conflicts with the others, or disable the feature that makes the generated script load modules and write your own commands to load the modules you need. You can, for example, add commands that load modules explicitly to the "prolog" section of the generated script.
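The following prolog fragment is an added example of that workaround; it is not fwbuilder's own code or part of its generated scripts. It assumes a Linux firewall with /proc/modules and modprobe, and that only one of ip_conntrack or the nf_conntrack family may be resident at a time, so it inspects what is already loaded before calling modprobe and never aborts on a failed load.

```sh
#!/bin/sh
# Added example, not fwbuilder's own code: explicit conntrack module loading
# for the "prolog" section of a generated script.  It assumes nf_conntrack
# replaces ip_conntrack and that the two must never be loaded together.

# Succeed if module $1 appears in the /proc/modules text given as $2
# (or in the live /proc/modules when $2 is omitted).
module_loaded() {
    _src="${2-}"
    if [ -z "$_src" ] && [ -r /proc/modules ]; then _src=$(cat /proc/modules); fi
    printf '%s\n' "$_src" | awk -v m="$1" '$1 == m { found = 1 } END { exit !found }'
}

# Print the conntrack modules this host should load, given /proc/modules
# text ($1).  If the legacy ip_conntrack is already resident, keep using it
# and load nothing from the nf_ family, so modprobe never reports
# "Device or resource busy" for nf_conntrack_ipv4.
conntrack_modules() {
    if module_loaded ip_conntrack "$1"; then
        echo ""
    else
        echo "nf_conntrack nf_conntrack_ipv4"
    fi
}

# Load one module; a failure is logged but does not abort the firewall
# script (the generated script stops at the first modprobe error).
load_module() {
    if module_loaded "$1"; then return 0; fi
    modprobe "$1" 2>/dev/null || echo "prolog: could not load $1, continuing" >&2
}

# Prolog entry point: decide once, then load whatever is still missing.
load_conntrack() {
    for m in $(conntrack_modules "$(cat /proc/modules 2>/dev/null)"); do
        load_module "$m"
    done
}
```

Call load_conntrack from the prolog section; the remaining helpers can be reused for any other module whose presence depends on the firewall host.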


Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.