Can you run the command "ipset" or not? If you can, then Shorewall can use
it.
If not, on Ubuntu 16.04 just run "apt-get install ipset" to install ipset.
You don't have to recompile it to bring it into use.
On Wed, 29 Mar 2017 at 06:40 Matt Darfeuille <matd...@gmail.com> wrote:
> On 3/29/2017 1:04 PM, Norman Henderson wrote:
> > Interesting. Now, having installed xtables-addons-common and
> > xtables-addons-dkms (and failed with the red herring of ...-source); and
> > having installed the ipset utility:
> > # shorewall show capabilities |grep ipset
> > ipset V5 (IPSET_V5): Available
>
> See bottom of this e-mail.
>
> > # shorewall check
> > Checking using Shorewall 5.0.12...
> > Processing /etc/shorewall/params ...
> > Processing /etc/shorewall/shorewall.conf...
> > Loading Modules...
> > Checking /etc/shorewall/zones...
> > Checking /etc/shorewall/interfaces...
> > Checking /etc/shorewall/hosts...
> > Determining Hosts in Zones...
> > Locating Action Files...
> > Checking /etc/shorewall/policy...
> > Adding rules for DHCP
> > Checking TCP Flags filtering...
> > Checking Kernel Route Filtering...
> > Checking Martian Logging...
> > Checking /etc/shorewall/providers...
> > Checking /etc/shorewall/route_rules...
> > Checking /etc/shorewall/routes...
> > Checking /etc/shorewall/mangle...
> > ERROR: ipset names in Shorewall configuration files require Ipset Match in your kernel and iptables /etc/shorewall/mangle (line 58)
> >
> > ??
> >
> > On Wed, Mar 29, 2017 at 11:45 AM, Matt Darfeuille <matd...@gmail.com> wrote:
> >
> >> On 3/29/2017 12:07 PM, Norman Henderson wrote:
> >>> Thanks Matt. I had looked at both articles; the netfilter.org one would
> >>> seem to require me to build a kernel - and doesn't give a lot of detail.
> >>> The shorewall one doesn't say "how" to set up xtables-addons.
> >>>
> >>> There is no package xtables-addons in Ubuntu Xenial however I did install
> >>> the packages:
> >>> xtables-addons-common xtables-addons-dkms xtables-addons-source
> >>>
> >>
> >> from:
> >> https://launchpad.net/ubuntu/xenial/+package/xtables-addons-dkms
> >>
> >> "The dkms package will automatically compile the driver for your current
> >> kernel version."
> >>
> >> Before installing the 'ipset' utility
> >>
> >> $ shorewall show capabilities | grep ipset
> >> ipset V5 (IPSET_V5): Not available
> >>
> >> and after installing the 'ipset' utility
> >>
> >> $ shorewall show capabilities | grep ipset
> >> ipset V5 (IPSET_V5): Available
> >>
> >> At least on Debian, Shorewall has now the ipset capability!
> >>
> >>> On Wed, Mar 29, 2017 at 10:41 AM, Matt Darfeuille <matd...@gmail.com> wrote:
> >>>
> >>>> On 3/29/2017 8:30 AM, Norman Henderson wrote:
> >>>>> Hi, I am running 5.0.12 on Ubuntu 16.04.2 LTS with kernel 4.4.0-66 and
> >>>>> would like to use an ipset to control routing to a list of netblocks
> >>>>> (actually an entire country). I came up with the idea to set a Mark (based
> >>>>> on the ipset) in shorewall/mangle, and then route based on the Mark in
> >>>>> route_rules. What I get is:
> >>>>> ERROR: ipset names in Shorewall configuration files require Ipset Match in your kernel and iptables.
> >>>>>
> >>>>> What isn't obvious after some searching, is how to enable IPset Match
> >>>>> support. In the kernel config file, there is a line:
> >>>>> CONFIG_NET_EMATCH_IPSET=m
> >>>>> So, I should be able to just load that should I not?
> >>>>> I attempted: modprobe em_ipset
> >>>>> which succeeded, but I still get the shorewall error.
> >>>>>
> >>>>> Help please and thank you!
> >>>>>
> >>>>
> >>>> Take a look at:
> >>>> http://shorewall.org/ipsets.html
> >>>>
> >>>> http://ipset.netfilter.org/
> >>>>
> >
>
> The xtables-addons-common isn't required with the dkms package (everything
> will be done automatically (including required packages)).
>
> It doesn't look like it's Shorewall related.
>
> try/rules
> ACCEPT net:+try $FW tcp 22
>
> $ shorewall -v0 check try
> Checking using Shorewall 5.1.4-Beta1...
> WARNING: Ipset try does not exist /root/try/rules (line 18)
> Shorewall configuration verified
>
> -Matt
> --
> Matt Darfeuille
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
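Added example (not part of the original thread, and not Shorewall's own code): a layer-by-layer check of what the "Ipset Match" capability named in the error depends on. A case-sensitive `grep ipset` shows only the `ipset V5` line, so the script matches capability names case-insensitively. The function names and the `Ipset Match` sample line are assumptions; `xt_set` is the netfilter set match module, while `em_ipset` is the traffic-control ematch.

```shell
#!/bin/sh
# Added example: diagnose each layer that Shorewall's ipset support depends on.

# Constructed sample in the line format shown in the thread. The "Ipset Match"
# line is an assumption modelled on the capability named in the error message.
SAMPLE_CAPS='Shorewall has detected the following iptables/netfilter capabilities:
   Ipset Match (IPSET_MATCH): Not available
   ipset V5 (IPSET_V5): Available'

# cap_state NAME: read capability text on stdin and print the state of the
# capability called NAME, matched case-insensitively on the full name.
cap_state() {
    awk -v want="$1" -F': *' '
        { name = $1; sub(/^[ \t]+/, "", name); sub(/ *\(.*$/, "", name) }
        tolower(name) == tolower(want) { print $2; found = 1 }
        END { if (!found) print "not reported" }'
}

# probe LABEL CMD...: run CMD quietly and print "LABEL: ok" or "LABEL: FAILED".
probe() {
    label=$1; shift
    if "$@" >/dev/null 2>&1; then echo "$label: ok"; else echo "$label: FAILED"; fi
}

# layer_report: check userspace tool, iptables extension, kernel module, then
# what Shorewall itself detected. Run as root on the firewall host.
layer_report() {
    probe "ipset utility in PATH" command -v ipset
    probe "iptables 'set' match extension" iptables -m set -h
    # xt_set is the netfilter set match; em_ipset is the tc ematch instead.
    probe "kernel module xt_set present" modinfo xt_set
    for cap in "Ipset Match" "ipset V5"; do
        echo "shorewall $cap: $(shorewall show capabilities 2>/dev/null | cap_state "$cap")"
    done
}

# Only touch the live system when asked to: sh this-script.sh --live
if [ "${1:-}" = "--live" ]; then
    layer_report
else
    for cap in "Ipset Match" "ipset V5"; do
        echo "sample $cap: $(printf '%s\n' "$SAMPLE_CAPS" | cap_state "$cap")"
    done
fi
```

A FAILED line for the module or the iptables extension points at the kernel or iptables packages rather than at the Shorewall configuration.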