On 7/18/2014 5:44 PM, Tom Eastep wrote:
> On 7/18/2014 3:50 PM, Thomas D. wrote:
>> Hi,
>>
>> strange problem:
>>
>> All I did was upgrade a box from linux-3.10.49 to linux-3.14.13 kernel.
>>
>> But with 3.14.13, shorewall6 doesn't start:
>>
>>> # shorewall6 safe-restart
>>> Compiling...
>>> Processing /etc/shorewall6/params ...
>>> Processing /etc/shorewall6/shorewall6.conf...
>>> Loading Modules...
>>> Compiling /etc/shorewall6/zones...
>>> Compiling /etc/shorewall6/interfaces...
>>> Determining Hosts in Zones...
>>> Locating Action Files...
>>> Compiling /etc/shorewall6/policy...
>>> Compiling TCP Flags filtering...
>>> Compiling MAC Filtration -- Phase 1...
>>> Compiling /etc/shorewall6/blrules...
>>> ERROR: ipset names in Shorewall configuration files require Ipset Match
>>> in your kernel and iptables /etc/shorewall6/blrules (line 12)
>>
>> That's funny because shorewall (the ipv4 version) on the same system
>> works! And the blrules file is 100% identical:
>>
>> BLACKLIST net:+blacklist $FW
>>
>>> # ipset list blacklist
>>> Name: blacklist
>>> Type: list:set
>>> Revision: 2
>>> Header: size 8
>>> Size in memory: 112
>>> References: 1
>>> Members:
>>> blacklist4
>>> blacklist6
>>
>>
>> If I reboot into 3.10.49 shorewall6 works again.
>>
>> shorewall6 show -f capabilities between 3.10.49 and 3.14.13 doesn't show
>> a difference:
>>
>>> --- /root/capas-3.10.49.txt 2014-07-19 00:26:36.176612168 +0200
>>> +++ /root/capas-3.14.13.txt 2014-07-19 00:34:30.775595947 +0200
>>> @@ -1,5 +1,5 @@
>>> #
>>> -# Shorewall6 4.5.21.10 detected the following iptables/netfilter
>>> capabilities - Sat Jul 19 00:26:36 CEST 2014
>>> +# Shorewall6 4.5.21.10 detected the following iptables/netfilter
>>> capabilities - Sat Jul 19 00:34:30 CEST 2014
>>> #
>>> ACCOUNT_TARGET=
>>> ADDRTYPE=
>>> @@ -41,7 +41,7 @@
>>> IPTABLES_S=Yes
>>> IRC0_HELPER=
>>> IRC_HELPER=
>>> -KERNELVERSION=31049
>>> +KERNELVERSION=31413
>>> KLUDGEFREE=Yes
>>> LENGTH_MATCH=Yes
>>> LOGMARK_TARGET=
>>
>>
>>> # grep -i ipset ~/capas-3.14.13.txt
>>> IPSET_MATCH=Yes
>>> IPSET_V5=Yes
>>> OLD_IPSET_MATCH=
>>
>>
>> Versions:
>>
>> - Shorewall6 4.5.21.10
>> - ipset v6.21.1
>> - iptables v1.4.21
>>
>>
>> 3.14.13 kernel cfg: http://bpaste.net/show/476344/
>>
>> As said, it is the same config as I am using with 3.10.49... only with
>> "make oldconfig"...
>>
>> I really don't understand what's going on because I have other boxes
>> where I did the same without any problems.
>>
>> Any hints/ideas?
>
> Have you tried ipv6 ipset commands running 3.14.13? Shorewall executes
> ipset commands to learn if ipset support is present or not. If
> 'shorewall6 show -f capabilities | fgrep IPSET' shows no 'Yes' values,
> take a look at /usr/share/shorewall/lib.cli function
> determine_capabilities(); you can see the sequence of commands that the
> code uses to determine if ipset support is present or not.

Sorry -- I missed your point about 'show -f capabilities'. That means
that the compiler is not detecting ipset capabilities. The code that
does that is in the Config.pm Perl module in , also in the function
determine_capabilities().

You can, of course, work around the problem by:

- shorewall6 show -f capabilities > /etc/shorewall6/capabilities
- Edit /etc/shorewall6/capabilities, and set both IPSET_MATCH and
  IPSET_V5 to 'Yes'.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
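
Added example, not part of the original thread and not Shorewall code: the workaround above saves a capabilities file and edits it by hand, so the saved file keeps describing the kernel it was generated on. This sketch applies the edit to a KEY=value file and reports where a saved file differs from a fresh 'shorewall6 show -f capabilities' dump. The helper names force_caps and caps_drift are hypothetical, and the sample files are constructed.

```shell
#!/bin/sh
# Added example (not Shorewall code). Operates on KEY=value files in the
# format printed by 'shorewall6 show -f capabilities'.
# force_caps and caps_drift are hypothetical helper names.

# force_caps FILE KEY...: set each KEY to Yes in FILE, appending it if
# absent. Prints the keys whose value actually changed.
force_caps() {
    file=$1; shift
    for key in "$@"; do
        if grep -q "^${key}=Yes\$" "$file"; then continue; fi
        if grep -q "^${key}=" "$file"; then
            sed "s/^${key}=.*/${key}=Yes/" "$file" > "$file.tmp" &&
                mv "$file.tmp" "$file"
        else
            printf '%s=Yes\n' "$key" >> "$file"
        fi
        echo "$key"
    done
}

# caps_drift PINNED LIVE: print "KEY: pinned -> live" for every capability
# whose value differs; comment lines (the timestamp header) are ignored.
caps_drift() {
    awk -F= '
        function v(x) { return (x == "" ? "(unset)" : x) }
        /^#/ || !/=/ { next }
        NR == FNR { pinned[$1] = $2; next }
        { seen[$1] = 1
          if (!($1 in pinned)) { print $1 ": (absent) -> " v($2) }
          else if (pinned[$1] != $2) { print $1 ": " v(pinned[$1]) " -> " v($2) }
        }
        END { for (k in pinned) if (!(k in seen)) print k ": " v(pinned[k]) " -> (absent)" }
    ' "$1" "$2" | LC_ALL=C sort
}

# Demo on constructed sample data (values modelled on the thread's output).
demo_dir=$(mktemp -d)
printf '%s\n' '# constructed' 'IPSET_MATCH=' 'IPSET_V5=' \
    'KERNELVERSION=31049' > "$demo_dir/pinned"
printf '%s\n' '# constructed' 'IPSET_MATCH=Yes' 'IPSET_V5=Yes' \
    'KERNELVERSION=31413' > "$demo_dir/live"
caps_drift "$demo_dir/pinned" "$demo_dir/live"   # three differing keys
force_caps "$demo_dir/pinned" IPSET_MATCH IPSET_V5
caps_drift "$demo_dir/pinned" "$demo_dir/live"   # only KERNELVERSION left
rm -rf "$demo_dir"
```

Running caps_drift after each kernel or iptables upgrade shows whether a saved capabilities file still matches what the running system reports.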