Hi Tom, thank you for your reply. What I still don't understand:
shorewall6 reports

> Compiling /etc/shorewall6/blrules...
> ERROR: ipset names in Shorewall configuration files require Ipset Match in
> your kernel and iptables /etc/shorewall6/blrules (line 12)

when running kernel 3.14.13. But the output of "shorewall6 show -f capabilities" from kernel 3.10.49 and 3.14.13 is identical (only the KERNELVERSION value is different).

Now you are writing

> Sorry -- I missed your point about 'show -f capabilities'. That means
> that the compiler is not detecting ipset capabilities. The code that
> does that is in the Config.pm Perl module in , also in the function
> determine_capabilities().

The compiler uses a different logic than 'show -f capabilities' to detect ipset support? As said, 'show -f capabilities' shows IPSET support:

# shorewall6 show -f capabilities | grep -i ipse
IPSET_MATCH=Yes
IPSET_V5=Yes
OLD_IPSET_MATCH=

So

> shorewall6 show -f capabilities > /etc/shorewall6/capabilities

will make shorewall6 compile again. But I don't understand why I would need the capabilities file on that box. No other box I am using requires this. And running with 3.10.49 works without the file.

I tried to run

> shorewall6 compile -d

and set

> b Shorewall::Config::IPSet_Match

everything looks fine for me (i.e. the same 'show -f capabilities' seems to do). But in the end, it will stop with

> Compiling /etc/shorewall6/blrules...
> ERROR: ipset names in Shorewall configuration files require Ipset Match in
> your kernel and iptables /etc/shorewall6/blrules (line 12)
> at /usr/share/shorewall/Shorewall/Config.pm line 1322.
> Shorewall::Config::fatal_error('ipset names in Shorewall
> configuration files require Ipset Ma...') called at
> /usr/share/shorewall/Shorewall/Config.pm line 4475
> Shorewall::Config::require_capability('IPSET_MATCH', 'ipset names in
> Shorewall configuration files', '') called at
> /usr/share/shorewall/Shorewall/Chains.pm line 5405
> Shorewall::Chains::get_set_flags('blacklist', 'src') called at
> /usr/share/shorewall/Shorewall/Chains.pm line 5564
> Shorewall::Chains::match_source_net('+blacklist', 4,
> 'SCALAR(0x392fdc0)') called at /usr/share/shorewall/Shorewall/Chains.pm line
> 7408
> Shorewall::Chains::expand_rule('HASH(0x463f1f8)', 4, '', '',
> '+blacklist', '::/0', '', 'DROP', '', ...) called at
> /usr/share/shorewall/Shorewall/Rules.pm line 2770
> Shorewall::Rules::process_rule(undef, '', 'DROP', '',
> 'net:+blacklist', 'fw', '-', '-', '-', ...) called at
> /usr/share/shorewall/Shorewall/Rules.pm line 3165
> Shorewall::Rules::process_raw_rule() called at
> /usr/share/shorewall/Shorewall/Rules.pm line 3320
> Shorewall::Rules::process_rules(0) called at
> /usr/share/shorewall/Shorewall/Compiler.pm line 831
> Shorewall::Compiler::compiler('script',
> '/var/lib/shorewall6/firewall', 'directory', '', 'verbosity', 1, 'timestamp',
> 0, 'debug', ...) called at /usr/share/shorewall/compiler.pl line 145

Can you help me debug this? What's the best breakpoint?

> Have you tried ipv6 ipset commands running 3.14.13.

# ipset create testv6 hash:net family inet6
# ipset add testv6 2a03:2880::/32
# ipset list testv6
Name: testv6
Type: hash:net
Revision: 4
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 17608
References: 0
Members:
2a03:2880::/32

So looks like ipv6 ipset support is working, not?

PS: When I set the breakpoint in "Shorewall::Config::IPSet_Match" I see the ipset $sillyname created by the test script... also I see the test ip6tables rule using that set...
I really don't understand why it is failing when 'show -f capabilities' shows that everything should work.

-Thomas