On Tuesday 05 July 2011 00:18:02 Tom Eastep wrote:
> Steven,
>
> I think you should report this to the netfilter team. With
> LOAD_HELPERS_ONLY=Yes, neither Shorewall nor Shorewall6 loads xt_set
> explicitly. I've added a modules.ipset file to Shorewall6 and I've added
> xt_set to both such files. That change will be included in RC3.
>
> -Tom
> -
Tom
Whilst getting information to report the issue, I have been looking at
lib.cli.
shorewall/lib.cli contains:

    if [ -n "$have_ipset" ]; then
        if qt $IPTABLES -A $chain -m set --match-set $chain src -j ACCEPT; then
            qt $IPTABLES -D $chain -m set --match-set $chain src -j ACCEPT
            IPSET_MATCH=Yes
        elif qt $IPTABLES -A $chain -m set --set $chain src -j ACCEPT; then
            qt $IPTABLES -D $chain -m set --set $chain src -j ACCEPT
            IPSET_MATCH=Yes
            OLD_IPSET_MATCH=Yes
        fi
        qt ipset -X $chain
    fi

shorewall6/lib.cli contains:

    if qt ipset -N $chain hash:ip family inet6; then
        IPSET_V5=Yes
        if qt $IP6TABLES -A $chain -m set --set $chain src -j ACCEPT; then
            qt $IP6TABLES -D $chain -m set --set $chain src -j ACCEPT
            IPSET_MATCH=Yes
        elif qt $IP6TABLES -A $chain -m set --set $chain src -j ACCEPT; then
            qt $IP6TABLES -D $chain -m set --set $chain src -j ACCEPT
            IPSET_MATCH=Yes
            OLD_IPSET_MATCH=Yes
        fi
        qt ipset -X $chain
    fi

shorewall/lib.cli tries "-m set --match-set" then "-m set --set" but
shorewall6/lib.cli tries "-m set --set" twice.
Is this correct?
Steven.
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
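
The two probe orders quoted in the message above, run against constructed stand-in tools; this is an added example, not part of the original message and not Shorewall code. `probe_set_match` and the `fake_*` functions are hypothetical names, and `qt` is re-created here on the assumption that it runs a command quietly and keeps its exit status.

```shell
#!/bin/sh
# Added example, not Shorewall code. The fake_* functions stand in for
# $IPTABLES / $IP6TABLES so the probe order can be exercised without root
# or netfilter. All names below are hypothetical.

qt() { "$@" >/dev/null 2>&1; }   # assumed behaviour: quiet, exit status kept

# Same if/elif shape as the lib.cli fragments, with the two match options
# passed in so both orders from the message can be compared.
# Prints "<IPSET_MATCH>/<OLD_IPSET_MATCH>", with No for an unset flag.
probe_set_match() {
    tool=$1 chain=$2 first=$3 second=$4
    IPSET_MATCH= OLD_IPSET_MATCH=
    if qt $tool -A $chain -m set $first $chain src -j ACCEPT; then
        qt $tool -D $chain -m set $first $chain src -j ACCEPT
        IPSET_MATCH=Yes
    elif qt $tool -A $chain -m set $second $chain src -j ACCEPT; then
        qt $tool -D $chain -m set $second $chain src -j ACCEPT
        IPSET_MATCH=Yes
        OLD_IPSET_MATCH=Yes
    fi
    echo "${IPSET_MATCH:-No}/${OLD_IPSET_MATCH:-No}"
}

# Constructed stand-ins: succeed only if the wanted option is an argument.
accepts() {
    want=$1; shift
    for a in "$@"; do [ "$a" = "$want" ] && return 0; done
    return 1
}
fake_new() { accepts --match-set "$@"; }   # understands only --match-set
fake_old() { accepts --set "$@"; }         # understands only --set

# Order quoted from shorewall/lib.cli: --match-set, then --set.
probe_set_match fake_new fooX1234 --match-set --set   # Yes/No
probe_set_match fake_old fooX1234 --match-set --set   # Yes/Yes
# Order quoted from shorewall6/lib.cli: --set in both branches.
probe_set_match fake_new fooX1234 --set --set         # No/No
probe_set_match fake_old fooX1234 --set --set         # Yes/No
```

With `--set` in both branches, the `elif` branch can never succeed after the first probe has failed, so a tool that accepts only `--match-set` is reported as having no set match, and `OLD_IPSET_MATCH` is never set.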