Hi Tom,
thank you for your reply. What I still don't understand:
shorewall6 reports
> Compiling /etc/shorewall6/blrules...
> ERROR: ipset names in Shorewall configuration files require Ipset Match in
> your kernel and iptables /etc/shorewall6/blrules (line 12)
when running kernel 3.14.13.
But the output of "shorewall6 show -f capabilities" from kernel 3.10.49
and 3.14.13 is identical (only the KERNELVERSION value is different).
Now you are writing
> Sorry -- I missed your point about 'show -f capabilities'. That means
> that the compiler is not detecting ipset capabilities. The code that
> does that is in the Config.pm Perl module in , also in the function
> determine_capabilities().
The compiler uses as different logic than 'show -f capabilities' to
detect ipset support?
As said, 'show -f capabilities' shows IPSET support:
# shorewall6 show -f capabilities | grep -i ipse
IPSET_MATCH=Yes
IPSET_V5=Yes
OLD_IPSET_MATCH=
So
> shorewall6 show -f capabilities > /etc/shorewall6/capabilities
will make shorewall6 to compile again. But I don't understand why I
would need the capabilities files on that box. No other box I am using
requires this. And running with 3.10.49 works without the file.
I tried to run
> shorewall6 compile -d
and set
> b Shorewall::Config::IPSet_Match
everything looks fine for me (i.e. the same 'show -f capabilities' seems
to do). But in the end, it will stop with
> Compiling /etc/shorewall6/blrules...
> ERROR: ipset names in Shorewall configuration files require Ipset Match in
> your kernel and iptables /etc/shorewall6/blrules (line 12)
> at /usr/share/shorewall/Shorewall/Config.pm line 1322.
> Shorewall::Config::fatal_error('ipset names in Shorewall
> configuration files require Ipset Ma...') called at
> /usr/share/shorewall/Shorewall/Config.pm line 4475
> Shorewall::Config::require_capability('IPSET_MATCH', 'ipset names in
> Shorewall configuration files', '') called at
> /usr/share/shorewall/Shorewall/Chains.pm line 5405
> Shorewall::Chains::get_set_flags('blacklist', 'src') called at
> /usr/share/shorewall/Shorewall/Chains.pm line 5564
> Shorewall::Chains::match_source_net('+blacklist', 4,
> 'SCALAR(0x392fdc0)') called at /usr/share/shorewall/Shorewall/Chains.pm line
> 7408
> Shorewall::Chains::expand_rule('HASH(0x463f1f8)', 4, '', '',
> '+blacklist', '::/0', '', 'DROP', '', ...) called at
> /usr/share/shorewall/Shorewall/Rules.pm line 2770
> Shorewall::Rules::process_rule(undef, '', 'DROP', '',
> 'net:+blacklist', 'fw', '-', '-', '-', ...) called at
> /usr/share/shorewall/Shorewall/Rules.pm line 3165
> Shorewall::Rules::process_raw_rule() called at
> /usr/share/shorewall/Shorewall/Rules.pm line 3320
> Shorewall::Rules::process_rules(0) called at
> /usr/share/shorewall/Shorewall/Compiler.pm line 831
> Shorewall::Compiler::compiler('script',
> '/var/lib/shorewall6/firewall', 'directory', '', 'verbosity', 1, 'timestamp',
> 0, 'debug', ...) called at /usr/share/shorewall/compiler.pl line 145
Can you help me debugging into this? What's the best breakpoint?
> Have you tried ipv6 ipset commands running 3.14.13.
# ipset create testv6 hash:net family inet6
# ipset add testv6 2a03:2880::/32
# ipset list testv6
Name: testv6
Type: hash:net
Revision: 4
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 17608
References: 0
Members:
2a03:2880::/32
So looks like ipv6 ipset support is working, not?
PS: When I set the breakpoint in "Shorewall::Config::IPSet_Match" I see
the ipset $sillyname created by the test script... also I see the test
ip6tables rule using that set...
I really don't understand why it is failing when 'show -f
capatibilities' shows that everything should work.
-Thomas
------------------------------------------------------------------------------
Want fast and easy access to all the code in your enterprise? Index and
search up to 200,000 lines of code with a free copy of Black Duck
Code Sight - the same software that powers the world's largest code
search on Ohloh, the Black Duck Open Hub! Try it now.
http://p.sf.net/sfu/bds
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
