Hi, I am running 5.0.12 on Ubuntu 16.04.2 LTS with kernel 4.4.0-66 and
would like to use an ipset to control routing to a list of netblocks
(actually an entire country). I came up with the idea to set a Mark (based
on the ipset) in shorewall/mangle, and then route based on the Mark in
route_rules.
On 3/29/2017 8:30 AM, Norman Henderson wrote:
> Hi, I am running 5.0.12 on Ubuntu 16.04.2 LTS with kernel 4.4.0-66 and
> would like to use an ipset to control routing to a list of netblocks
> (actually an entire country). I came up with the idea to set a Mark (based
> on the ipset) in shorewall/man
Thanks Matt. I had looked at both articles; the netfilter.org one would
seem to require me to build a kernel - and doesn't give a lot of detail.
The shorewall one doesn't say "how" to set up xtables-addons.
There is no package xtables-addons in Ubuntu Xenial however I did install
the packages:
xta
On 3/29/2017 12:07 PM, Norman Henderson wrote:
> Thanks Matt. I had looked at both articles; the netfilter.org one would
> seem to require me to build a kernel - and doesn't give a lot of detail.
> The shorewall one doesn't say "how" to set up xtables-addons.
>
> There is no package xtables-addons
Interesting. Now, having installed xtables-addon-common and
xtables-addon-dkms (and failed with the red herring of ...-source); and
having installed the ipset utility:
# shorewall show capabilities |grep ipset
ipset V5 (IPSET_V5): Available
# shorewall check
Checking using Shorewall 5.0.12...
Pr
On 3/29/2017 1:04 PM, Norman Henderson wrote:
> Interesting. Now, having installed xtables-addon-common and
> xtables-addon-dkms (and failed with the red herring of ...-source); and
> having installed the ipset utility:
> # shorewall show capabilities |grep ipset
>ipset V5 (IPSET_V5): Available
Can you run the command "ipset" or not? If you can then shorewall can use
it.
If not on ubuntu 16.04 to install ipset just run "apt-get install ipset"
You don't have to recompile it to bring it into use.
On Wed, 29 Mar 2017 at 06:40 Matt Darfeuille wrote:
> On 3/29/2017 1:04 PM, Norman He
Thank you Ian. Matt, I've done some more tests and this really looks like a
shorewall bug.
The ipset utility as well as all of the iptables extensions are installed:
# lsmod |grep x_tables
x_tables 36864 62
xt_physdev,xt_pkttype,ip6table_filter,xt_statistic,xt_DSCP,xt_dccp,xt_dscp,x
On 3/30/2017 8:34 AM, Norman Henderson wrote:
> Thank you Ian. Matt, I've done some more tests and this really looks like a
> shorewall bug.
>
> The ipset utility as well as all of the iptables extensions are installed:
> # lsmod |grep x_tables
> x_tables 36864 62
> xt_physdev,xt_pk
On 03/30/2017 09:34 AM, Matt Darfeuille wrote:
> On 3/30/2017 8:34 AM, Norman Henderson wrote:
>> Thank you Ian. Matt, I've done some more tests and this really looks like a
>> shorewall bug.
Did you update your capabilities?
What's the output of
shorewall-lite show capabilities | grep -
Thanks, both of you. The possibly significant difference in ipset list is
that I have Revision: 6 versus 5. (ipset -v gives v6.29, protocol version:
6)
The output from shorewall show capabilities |grep -i ipset is the same as
the other poster cited:
Ipset Match Counters (IPSET_MATCH_COUNTERS):
On 03/30/2017 11:04 AM, Norman Henderson wrote:
> Thanks, both of you. The possibly significant difference in ipset list
> is that I have Revision: 6 versus 5. (ipset -v gives v6.29, protocol
> version: 6)
here, it's
ipset -v
ipset v6.32, protocol version: 6
as well
On 3/30/2017 8:14 PM, PGNet Dev wrote:
> On 03/30/2017 11:04 AM, Norman Henderson wrote:
>> Thanks, both of you. The possibly significant difference in ipset list
>> is that I have Revision: 6 versus 5. (ipset -v gives v6.29, protocol
>> version: 6)
>
>
> here, it's
>
> ipset -v
>
On 03/30/2017 11:14 AM, PGNet Dev wrote:
> And what's in your `capabilities` file for the FW you're compiling?
Just in case, consider also regenerating your capabilities file, to match your
actual/current capabilities, specifically including ipset after having
installed/upgraded it
cref:
That was it! I had never looked into the capabilities file and didn't realize
it is a static version of what is reported by show capabilities. I wonder if
that is such a good idea...
Anyway it's solved and thank you!
Sent from my iPhone
> On Mar 30, 2017, at 19:43, Matt Darfeuille wrote:
>
>
On 3/31/2017 11:47 AM, norm.aud...@gmail.com wrote:
> That was it! I had never looked into the capabilities file and didn't realize
> it is a static version of what is reported by show capabilities. I wonder if
> that is such a good idea...
>
> Anyway it's solved and thank you!
>
http://shorew
On 03/31/2017 02:47 AM, norm.aud...@gmail.com wrote:
> I wonder if that is such a good idea...
Actually quite handy when centrally managing/compiling multiple
firewalls for differently configured remotes. Each remote's data dir
gets its own capabilities file ...
---
On 3/31/2017 3:09 PM, PGNet Dev wrote:
> On 03/31/2017 02:47 AM, norm.aud...@gmail.com wrote:
>> I wonder if that is such a good idea...
>
> Actually quite handy when centrally managing/compiling multiple
> firewalls for differently configured remotes. Each remote's data dir
> gets its own capa
18 matches
Mail list logo
