Phil Stracchino
2016-10-31 01:19:55 UTC
I have a Ubiquiti EdgeRouter PoE router on which I've been running
Shorewall since 2014. It runs Shorewall 4.4.11 on Linux kernel 3.4.27.
I'm currently in the process of setting up a new Ubiquiti EdgeRouter X,
which is running kernel 3.10.14, and on which I have just installed
Shorewall 4.5.5, the latest available Shorewall package for Debian
wheezy mipsel. My first step after installing was to copy the ruleset
from the Shorewall 4.4.11 installation on the old router to 4.5.5 on the
new one.
Shorewall 4.5.5 APPEARS to process all the rules properly, but spits out
some errors during initialization. It emits no errors after the
initialization phase (i.e., once it starts compiling).
Running 'shorewall trace restart >shorewall.out 2>&1' yielded the
following among the output:
SYS----> /sbin/iptables -A fooX23872 -m recent --update -j ACCEPT
SYS----> /sbin/iptables -A fooX23872 -m owner --uid-owner 0 -j ACCEPT
iptables: No chain/target/match by that name.
SYS----> /sbin/iptables -A fooX23872 -m owner --uid-owner root
SYS----> /sbin/iptables -A fooX23872 -p tcp -m ipp2p --edk -j ACCEPT
SYS----> /sbin/iptables -A fooX23872 -p tcp -m ipp2p --ipp2p -j ACCEPT
iptables v1.4.20: unknown option "--ipp2p"
Try `iptables -h' or 'iptables --help' for more information.
SYS----> /sbin/iptables -t mangle -A fooX23872 -j CLASSIFY --set-class 1:1
SYS----> /sbin/iptables -t mangle -A fooX23872 -j IPMARK --addr src
iptables v1.4.20: unknown option "--addr"
SYS----> /sbin/iptables -t mangle -A fooX23872 -p tcp -j TPROXY --on-port 0 --tproxy-mark 1
iptables: No chain/target/match by that name.
SYS----> /sbin/iptables -t rawpost -L -n
iptables v1.4.20: can't initialize iptables table `rawpost': Table does not exist (do you need to insmod?)
SYS----> /sbin/ipset -X fooX23872
ipset v6.23: The set with the given name does not exist
SYS----> /sbin/ipset -N fooX23872 iphash
SYS----> /sbin/ipset -N fooX23872 hash:ip family inet
ipset v6.23: Set cannot be created: set with the same name already exists
SYS----> /sbin/iptables -A fooX23872 -j LOGMARK
iptables v1.4.20: Couldn't load target `LOGMARK':No such file or directory
SYS----> /sbin/iptables -A fooX23872 -j ACCOUNT --addr 192.168.1.0/29 --tname fooX23872
iptables v1.4.20: unknown option "--addr"
Try `iptables -h' or 'iptables --help' for more information.
SYS----> /sbin/iptables -A fooX23872 -j AUDIT --type drop
iptables: No chain/target/match by that name.
SYS----> /sbin/ipset -X fooX23872
ipset v6.23: The set with the given name does not exist
SYS----> /sbin/ipset -N fooX23872 hash:ip family inet
SYS----> /sbin/iptables -A fooX23872 -m condition --condition foo
iptables: No chain/target/match by that name.
SYS----> /sbin/iptables -A fooX23872 -m geoip --src-cc US
iptables v1.4.20: Couldn't load match `geoip':No such file or directory
SYS----> /sbin/iptables -t nat -F fooX23872
iptables: No chain/target/match by that name.
SYS----> /sbin/iptables -t nat -X fooX23872
iptables: No chain/target/match by that name.
Now, not being even remotely close to an iptables expert ... how
serious are these? Need I be concerned? If so, is there anything I can
likely do about them, remembering that I am running an embedded device
and have no control over the kernel configuration? Is it likely I have
misconfigured anything? I have intentionally not touched anything
whatsoever in shorewall.conf.
(I assume the geoip-related error is because I haven't installed a geoip
tool, because I don't know yet what to install to support it.)
--
Phil Stracchino
Babylon Communications
***@caerllewys.net
***@co.ordinate.org
Landline: 603.293.8485