Hi Tom,

thank you for your reply. What I still don't understand:

shorewall6 reports

> Compiling /etc/shorewall6/blrules...
>    ERROR: ipset names in Shorewall configuration files require Ipset Match in 
> your kernel and iptables /etc/shorewall6/blrules (line 12)

when running kernel 3.14.13.

But the output of "shorewall6 show -f capabilities" from kernel 3.10.49
and 3.14.13 is identical (only the KERNELVERSION value is different).

Now you are writing

> Sorry -- I missed your point about 'show -f capabilities'. That means
> that the compiler is not detecting ipset capabilities. The code that
> does that is in the Config.pm Perl module in , also in the function
> determine_capabilities().

The compiler uses a different logic than 'show -f capabilities' to
detect ipset support?

As said, 'show -f capabilities' shows IPSET support:

# shorewall6 show -f capabilities | grep -i ipse
IPSET_MATCH=Yes
IPSET_V5=Yes
OLD_IPSET_MATCH=

So

> shorewall6 show -f capabilities > /etc/shorewall6/capabilities

will make shorewall6 compile again. But I don't understand why I
would need the capabilities file on that box. No other box I am using
requires this. And running with 3.10.49 works without the file.


I tried to run

> shorewall6 compile -d

and set

> b Shorewall::Config::IPSet_Match

everything looks fine to me (i.e. the same as 'show -f capabilities' seems
to do). But in the end, it will stop with

> Compiling /etc/shorewall6/blrules...
>    ERROR: ipset names in Shorewall configuration files require Ipset Match in 
> your kernel and iptables /etc/shorewall6/blrules (line 12)
>  at /usr/share/shorewall/Shorewall/Config.pm line 1322.
>         Shorewall::Config::fatal_error('ipset names in Shorewall 
> configuration files require Ipset Ma...') called at 
> /usr/share/shorewall/Shorewall/Config.pm line 4475
>         Shorewall::Config::require_capability('IPSET_MATCH', 'ipset names in 
> Shorewall configuration files', '') called at 
> /usr/share/shorewall/Shorewall/Chains.pm line 5405
>         Shorewall::Chains::get_set_flags('blacklist', 'src') called at 
> /usr/share/shorewall/Shorewall/Chains.pm line 5564
>         Shorewall::Chains::match_source_net('+blacklist', 4, 
> 'SCALAR(0x392fdc0)') called at /usr/share/shorewall/Shorewall/Chains.pm line 
> 7408
>         Shorewall::Chains::expand_rule('HASH(0x463f1f8)', 4, '', '', 
> '+blacklist', '::/0', '', 'DROP', '', ...) called at 
> /usr/share/shorewall/Shorewall/Rules.pm line 2770
>         Shorewall::Rules::process_rule(undef, '', 'DROP', '', 
> 'net:+blacklist', 'fw', '-', '-', '-', ...) called at 
> /usr/share/shorewall/Shorewall/Rules.pm line 3165
>         Shorewall::Rules::process_raw_rule() called at 
> /usr/share/shorewall/Shorewall/Rules.pm line 3320
>         Shorewall::Rules::process_rules(0) called at 
> /usr/share/shorewall/Shorewall/Compiler.pm line 831
>         Shorewall::Compiler::compiler('script', 
> '/var/lib/shorewall6/firewall', 'directory', '', 'verbosity', 1, 'timestamp', 
> 0, 'debug', ...) called at /usr/share/shorewall/compiler.pl line 145

Can you help me debug this? What's the best breakpoint?


> Have you tried ipv6 ipset commands running 3.14.13.

# ipset create testv6 hash:net family inet6
# ipset add testv6 2a03:2880::/32
# ipset list testv6
Name: testv6
Type: hash:net
Revision: 4
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 17608
References: 0
Members:
2a03:2880::/32

So it looks like ipv6 ipset support is working, no?

PS: When I set the breakpoint in "Shorewall::Config::IPSet_Match" I see
the ipset $sillyname created by the test script... also I see the test
ip6tables rule using that set...


I really don't understand why it is failing when 'show -f
capabilities' shows that everything should work.



-Thomas

