On 7/18/2014 5:44 PM, Tom Eastep wrote:
> On 7/18/2014 3:50 PM, Thomas D. wrote:
>> Hi,
>>
>> strange problem:
>>
>> All I did was upgrade a box from the linux-3.10.49 to the linux-3.14.13 kernel.
>>
>> But with 3.14.13, shorewall6 doesn't start:
>>
>>> # shorewall6 safe-restart
>>> Compiling...
>>> Processing /etc/shorewall6/params ...
>>> Processing /etc/shorewall6/shorewall6.conf...
>>> Loading Modules...
>>> Compiling /etc/shorewall6/zones...
>>> Compiling /etc/shorewall6/interfaces...
>>> Determining Hosts in Zones...
>>> Locating Action Files...
>>> Compiling /etc/shorewall6/policy...
>>> Compiling TCP Flags filtering...
>>> Compiling MAC Filtration -- Phase 1...
>>> Compiling /etc/shorewall6/blrules...
>>>    ERROR: ipset names in Shorewall configuration files require Ipset Match 
>>> in your kernel and iptables /etc/shorewall6/blrules (line 12)
>>
>> That's funny because shorewall (the ipv4 version) on the same system
>> works! And the blrules file is 100% identical:
>>
>> BLACKLIST    net:+blacklist          $FW
>>
>>> # ipset list blacklist
>>> Name: blacklist
>>> Type: list:set
>>> Revision: 2
>>> Header: size 8
>>> Size in memory: 112
>>> References: 1
>>> Members:
>>> blacklist4
>>> blacklist6
>>
>>
>> If I reboot into 3.10.49 shorewall6 works again.
>>
>> shorewall6 show -f capabilities between 3.10.49 and 3.14.13 doesn't show
>> a difference:
>>
>>> --- /root/capas-3.10.49.txt 2014-07-19 00:26:36.176612168 +0200
>>> +++ /root/capas-3.14.13.txt 2014-07-19 00:34:30.775595947 +0200
>>> @@ -1,5 +1,5 @@
>>>  #
>>> -# Shorewall6 4.5.21.10 detected the following iptables/netfilter 
>>> capabilities - Sat Jul 19 00:26:36 CEST 2014
>>> +# Shorewall6 4.5.21.10 detected the following iptables/netfilter 
>>> capabilities - Sat Jul 19 00:34:30 CEST 2014
>>>  #
>>>  ACCOUNT_TARGET=
>>>  ADDRTYPE=
>>> @@ -41,7 +41,7 @@
>>>  IPTABLES_S=Yes
>>>  IRC0_HELPER=
>>>  IRC_HELPER=
>>> -KERNELVERSION=31049
>>> +KERNELVERSION=31413
>>>  KLUDGEFREE=Yes
>>>  LENGTH_MATCH=Yes
>>>  LOGMARK_TARGET=
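Review bot: apart from the timestamps in the first hunk, the only line that differs here is KERNELVERSION (31049 vs 31413); no hunk touches IPSET_MATCH or IPSET_V5, so the CLI's capability detection reports the same ipset support under both kernels and this diff cannot explain the compile-time error. That error is raised by the Perl compiler, which (per the reply below) runs its own determine_capabilities() in Config.pm rather than the shell lib's, so the comparison that matters is what the compiler detects on 3.14.13, or, as suggested above, the result of running the ip6 ipset probe commands from determine_capabilities() by hand on that kernel.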
>>
>>
>>> # grep -i ipset ~/capas-3.14.13.txt 
>>> IPSET_MATCH=Yes
>>> IPSET_V5=Yes
>>> OLD_IPSET_MATCH=
>>
>>
>> Versions:
>>
>> - Shorewall6 4.5.21.10
>> - ipset v6.21.1
>> - iptables v1.4.21
>>
>>
>> 3.14.13 kernel cfg: http://bpaste.net/show/476344/
>>
>> As said, it is the same config as I am using with 3.10.49... only with
>> "make oldconfig"...
>>
>> I really don't understand what's going on because I have other boxes
>> where I did the same without any problems.
>>
>> Any hints/ideas?
> 
> Have you tried ipv6 ipset commands running 3.14.13? Shorewall executes
> ipset commands to learn if ipset support is present or not. If
> 'shorewall6 show -f capabilities | fgrep IPSET' shows no 'Yes' values,
> take a look at /usr/share/shorewall/lib.cli function
> determine_capabilities(); you can see the sequence of commands that the
> code uses to determine if ipset support is present or not.

Sorry -- I missed your point about 'show -f capabilities'. That means
that the compiler is not detecting ipset capabilities. The code that
does that is in the Config.pm Perl module, also in the function
determine_capabilities().

You can, of course, work around the problem by:

- shorewall6 show -f capabilities > /etc/shorewall6/capabilities
- Edit /etc/shorewall6/capabilities, and set both IPSET_MATCH
  and IPSET_V5 to 'Yes'.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
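Tom's two-step workaround, as an added shell example that is not part of the original thread or of Shorewall itself. It assumes only the KEY=Value line format that `shorewall6 show -f capabilities` prints (visible in the capabilities diff above), and it operates on a constructed sample file rather than a live system; the function names set_cap, get_cap, pin_ipset_caps and ipset_caps_pinned are hypothetical.

```shell
#!/bin/sh
# Added example, not Shorewall project code: pin IPSET_MATCH and IPSET_V5
# to "Yes" in a saved capabilities file, as the workaround in the thread
# describes. Assumes the KEY=Value line format of
# "shorewall6 show -f capabilities".

# set_cap FILE KEY VALUE: rewrite KEY's line as KEY=VALUE, appending it
# if the file has no such line. Uses a temp copy instead of sed -i so
# it works with both GNU and BSD sed.
set_cap() {
    file=$1; key=$2; value=$3
    if grep -q "^${key}=" "$file"; then
        sed "s/^${key}=.*/${key}=${value}/" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_cap FILE KEY: print the value after '=' (empty if unset or absent).
# The anchored pattern keeps IPSET_MATCH from matching OLD_IPSET_MATCH.
get_cap() {
    sed -n "s/^$2=//p" "$1"
}

# pin_ipset_caps FILE: the two keys named in the workaround.
pin_ipset_caps() {
    set_cap "$1" IPSET_MATCH Yes
    set_cap "$1" IPSET_V5 Yes
}

# ipset_caps_pinned FILE: succeed only if both keys now read Yes.
ipset_caps_pinned() {
    [ "$(get_cap "$1" IPSET_MATCH)" = Yes ] \
        && [ "$(get_cap "$1" IPSET_V5)" = Yes ]
}

# Demo on a CONSTRUCTED sample (not real output) shaped like the thread's
# capas-*.txt: ipset keys empty, as a non-detecting run would record them,
# and IPSET_V5 missing entirely to exercise the append path.
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
#
# Shorewall6 4.5.21.10 detected the following iptables/netfilter capabilities
#
ACCOUNT_TARGET=
ADDRTYPE=
IPSET_MATCH=
KERNELVERSION=31413
OLD_IPSET_MATCH=
EOF

pin_ipset_caps "$demo_file"
cat "$demo_file"
```

On the real box the same steps are `shorewall6 show -f capabilities > /etc/shorewall6/capabilities`, then `pin_ipset_caps /etc/shorewall6/capabilities` (or the equivalent edit by hand), then `shorewall6 safe-restart`. Note what this does and does not do: it only changes what the compiler believes about the kernel, it does not add the capability, so if ip6tables on 3.14.13 really cannot load the set match, the generated rules will fail when they are loaded rather than at compile time.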


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
