Gentoo Wiki

This article is part of the HOWTO series.

Software versions used in this document:

This document will try to explain how to get the Shorewall Firewall system working with the 2.6 Gentoo kernel and IPsec. For IPsec, OpenSwan and ipsec-tools/Racoon were used.

At the moment, Gentoo's kernel and iptables are not patched with Policy Match support. This must be done manually.

Note: If you try to use your Shorewall box in bridge mode, the 2.6.12 kernel won't work. You should try 2.6.11 instead or grab Gentoo's 2.6.9-r9.

Update: As of kernel 2.6.16, policy match support is built-in. No patching needed (tested with gentoo-sources-2.6.16-r1, iptables-1.3.5 + extensions USE flag, ipsec-tools-0.6.2-r1 on ~x86). Just follow this guide until the first emerge instruction in "Get the software" section (if necessary, add sys-kernel/gentoo-sources to /etc/portage/package.keywords), then jump to "Recompile your kernel" and finally jump down to "Test Shorewall".

Preconfigure Portage

Create (if necessary) or edit /etc/portage/package.keywords and change the following:

File: /etc/portage/package.keywords

This will grab the latest test versions. As far as these packages are concerned, this is usually a good idea.

Get the software

# emerge gentoo-sources iptables openswan shorewall ipsec-tools bind-tools genkernel gentoolkit

You might also want to

# emerge -a links

If it's already installed, just answer no to the question.

Next, download the following files into a temporary directory such as /tmp:

# cd /tmp
# links2

Select the latest .tar.bz2 and press D to download and Q to quit links2. Unpack patch-o-matic-ng:

# tar -jxvf patch-o-matic-ng-<version>.tar.bz2
# links2

Move into your kernel version dir (2.6.12) and download the 5 patches. Then move them to your Linux kernel source dir and patch:

# mv /tmp/*.diff /usr/src/linux
# cd /usr/src/linux
# cat *.diff | patch -p1

Determine the path of the iptables ebuild and remember it (it should be /usr/portage/net-firewall/iptables/iptables-<version>.ebuild, but we will refer to it as /path/to/iptables.ebuild):

# equery which iptables

Let's make sure the source is available:

# ebuild /path/to/iptables.ebuild clean
# ebuild /path/to/iptables.ebuild unpack

Determine the iptables source directory, which should be /var/tmp/portage/iptables-<version>/work/iptables-<version>. We will refer to it as /path/to/iptables.source/. Apply the policy match patch:

# export KERNEL_DIR=/usr/src/linux
# export IPTABLES_DIR=/path/to/iptables.source/
# cd /tmp/patch-o-matic-ng-<version>/
# ./runme extra

Press ENTER to skip every patch except policy match. When you reach policy match, press y and ENTER, then type q and ENTER to quit. Make sure you see the following files in place:

If not, copy them over from:

Finally, you need to add policy to the PF_EXT_SLIB variable in /path/to/iptables.source/extensions/Makefile.

Recompile the kernel with ipsec and policy match

# genkernel --menuconfig all

In the kernel configuration menu, you should find options similar to these:

Device Drivers --->
    Networking Support --->
         Networking Options --->
               <*> PF_KEY sockets
               <*> IP: AH transformations
               <*> IP: ESP transformations
               <*> IP: IPComp transformations
               <*> IP: tunnel transformations
               <*> IPsec user configuration interface
               Network Packet Filtering --->
                   IP: Netfilter Configuration --->
                       <*> IPsec policy match support

Kernel modules

You could also specify pf_key, ah?, esp?, ipcomp and xfrm_user as modules (M) but then you would have to load them at boot time by including them in /etc/modules.autoload.d/kernel-<version>.

Make sure genkernel exits without errors. The new kernel image should be ready to load (usually in /boot/). Reboot the system.
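As an added example (not part of the wiki page), a small POSIX shell check that reads a kernel .config and reports which of the options listed above are missing, so you can catch a forgotten option before rebooting or recompiling iptables. The CONFIG_* symbol names it looks for are assumptions based on 2.6.x kernels, and the sample config it runs against is constructed.

```shell
#!/bin/sh
# Added example, not from the wiki page: check a kernel .config for the
# IPsec and policy-match options this guide enables. The CONFIG_* symbol
# names are assumptions for 2.6.x kernels: policy match is
# CONFIG_IP_NF_MATCH_POLICY (2.6.12 with the pom-ng patch, 2.6.16) and
# CONFIG_NETFILTER_XT_MATCH_POLICY in later 2.6 kernels.

# Succeed if option $2 is built in (=y) or a module (=m) in config file $1.
kconfig_enabled() {
    grep -q "^$2=[ym]\$" "$1"
}

# Print one "missing: ..." line per absent option; succeed only when
# every option the guide turns on is present.
check_ipsec_config() {
    cfg=$1
    missing=0
    for opt in CONFIG_NET_KEY CONFIG_INET_AH CONFIG_INET_ESP \
               CONFIG_INET_IPCOMP CONFIG_INET_TUNNEL CONFIG_XFRM_USER; do
        if ! kconfig_enabled "$cfg" "$opt"; then
            echo "missing: $opt"
            missing=1
        fi
    done
    # Either name of the policy match symbol satisfies the check.
    if ! kconfig_enabled "$cfg" CONFIG_IP_NF_MATCH_POLICY &&
       ! kconfig_enabled "$cfg" CONFIG_NETFILTER_XT_MATCH_POLICY; then
        echo "missing: policy match (CONFIG_IP_NF_MATCH_POLICY or CONFIG_NETFILTER_XT_MATCH_POLICY)"
        missing=1
    fi
    return $missing
}

# Constructed sample .config fragment so the script runs stand-alone:
# ESP is disabled and policy match is absent, so two lines are reported.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
CONFIG_NET_KEY=y
CONFIG_INET_AH=m
# CONFIG_INET_ESP is not set
CONFIG_INET_IPCOMP=y
CONFIG_INET_TUNNEL=y
CONFIG_XFRM_USER=m
EOF

check_ipsec_config "$SAMPLE_CFG" || echo "config not ready for Shorewall IPsec"
# On the real system run: check_ipsec_config /usr/src/linux/.config
```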

Recompile iptables with policy match

Netfilter's iptables also needs to be recompiled with policy match support. Let's do that and install the software as well.

# ebuild /path/to/iptables.ebuild compile
# ebuild /path/to/iptables.ebuild install
# ebuild /path/to/iptables.ebuild qmerge

Test Shorewall

Finally, the system should be ready and Shorewall should not complain about policy match when you define IPsec tunnels. Run the following test:

# shorewall show capabilities

You should see:

Code: shorewall show capabilities
  Policy Match: Available

Shorewall IPsec

You can now define IPsec tunnels within Shorewall's configuration files in /etc/shorewall/. For OpenSwan and Racoon configurations, you can visit the website.

Related Links

Last modified: Tue, 09 May 2006 20:24:00 +0000