Red Hat Bugzilla – Bug 40429
ipchains says "Incompatible with this kernel" if no /etc/sysconfig/ipchains exists
Last modified: 2007-04-18 12:33:12 EDT
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)
Description of problem:
Issuing "/sbin/ipchains -L" or other ipchains commands will cause it to
say "Incompatible with this kernel" if /etc/sysconfig/ipchains has not at
least once been present when ipchains was run since reboot.
Steps to Reproduce:
1. Remove /etc/sysconfig/ipchains (if present)
3. Issue "/sbin/ipchains -L" or "/sbin/ipchains -F" etc.
Actual Results: ipchains: Incompatible with this kernel
Expected Results: It should have said something like: "Config
file /etc/sysconfig/ipchains not found"
Additional info: If you create /etc/sysconfig/ipchains and
run /sbin/ipchains just once with the file present, every subsequent time
it will work, even if you remove the config file.
This is not a bug. The 2.4.x kernel has a totally brand new firewall interface
called "netfilter". When used in its native mode, netfilter is configured using
the "iptables" command. netfilter also has backward compatibility modules
however so that you can use an ipchains or ipfwadm based firewall script
with the new netfilter without worrying about having to completely rewrite all
of your existing firewall code. In order to maintain backward compatibility
with our previous releases, we decided to continue using ipchains as the
supported firewall interface. All of our distribution supplied tools use
the netfilter ipchains interface. Our startup scripts for ipchains firewalling
load the iptables "ipchains" personality module when the firewall is enabled.
If you disable our supplied firewall script, then the module does not get
If you want to use an alternative ipchains based firewall script, you will
have to manually load the ipchains personality module yourself from your own
scripts, or even better - avoid ipchains, and use iptables natively.
Hope this helps.
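
Added example, not part of the original bug thread and not Red Hat's startup script: a preflight that a custom ipchains-based firewall script could run first, so that a missing compatibility module produces a clear message instead of "Incompatible with this kernel". The function names, the `MODPROBE` override and the sample module listings are constructed for illustration; it assumes ipchains support is built as a module named `ipchains` and that it cannot be loaded alongside native `ip_tables`.

```shell
#!/bin/sh
# Preflight for a custom ipchains script on a 2.4 (netfilter) kernel.
# MODPROBE is overridable so the logic can be exercised without root.
MODPROBE=${MODPROBE:-/sbin/modprobe}

# Constructed /proc/modules samples (name size usecount ...), not real captures.
SAMPLE_COMPAT='ipchains 38976 0 (unused)
ext3 60352 2'
SAMPLE_NATIVE='iptable_filter 2304 0 (autoclean)
ip_tables 11072 1 [iptable_filter]'
SAMPLE_NONE='ext3 60352 2'

# Read /proc/modules-format text on stdin; print loaded, conflict or missing.
classify_modules() {
    awk '
        $1 == "ipchains"  { chains = 1 }
        $1 == "ip_tables" { tables = 1 }
        END {
            if (chains)      print "loaded"
            else if (tables) print "conflict"
            else             print "missing"
        }'
}

# Make sure the ipchains interface is available before any rule is issued.
# Returns 0 when ipchains can be used, 1 otherwise.
ensure_ipchains() {
    modules_file=${1:-/proc/modules}
    state=$(classify_modules < "$modules_file")
    case $state in
        loaded)
            return 0 ;;
        conflict)
            # The compatibility module and native ip_tables exclude each other.
            echo "ip_tables is loaded; unload it or use iptables natively" >&2
            return 1 ;;
        missing)
            if "$MODPROBE" ipchains; then return 0; fi
            echo "could not load the ipchains module" >&2
            return 1 ;;
    esac
}
```

Calling `ensure_ipchains || exit 1` at the top of the firewall script stops it before any rule is issued, so a host is not left believing a rule set was applied when the interface was never available.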