Hi,

Tom Eastep wrote:
>> Thought that only one box was affected but now I noticed that shorewall6
>> on all the other boxes running kernel >=3.14 won't compile anymore with
>> the same error.
>>
>> I didn't notice that before, because shorewall was "current" on these
>> systems so there was no need to call the compiler and shorewall6 was
>> running :)
> 
> Interesting -- I have two boxes running 3.14 kernels (Debian Jessie and
> Fedora 18), and I don't see the issue on either of those. Which
> distribution are you running? And what is the rule that is triggering
> the error?

That's really interesting.

My primary boxes are Gentoo Linux systems (we are still at
shorewall-4.5.21.10).

But I was able to reproduce the same problem with Debian Jessie and
shorewall 4.6.1.2-1.

Steps to reproduce:

# ipset create ipv4_blacklist hash:net
# ipset create ipv6_blacklist hash:net
# ipset create blacklist list:set
# ipset add blacklist ipv4_blacklist
# ipset add blacklist ipv6_blacklist
# cd /etc/shorewall6
# cp /usr/share/shorewall6/configfiles/blrules .

Add

> DROP            net:+blacklist  $FW

to blrules.

And now it will fail:

# shorewall6 safe-restart
Compiling...
Processing /etc/shorewall6/params ...
Processing /etc/shorewall6/shorewall6.conf...
Loading Modules...
Compiling /etc/shorewall6/zones...
Compiling /etc/shorewall6/interfaces...
Determining Hosts in Zones...
Locating Action Files...
Compiling /etc/shorewall6/policy...
Compiling TCP Flags filtering...
Compiling MAC Filtration -- Phase 1...
Compiling /etc/shorewall6/blrules...
   ERROR: ipset names in Shorewall configuration files require Ipset
Match in your kernel and iptables /etc/shorewall6/blrules (line 12)


Notice: I am not running the stock Debian kernel. But this Debian Jessie
is on 3.14.13.

If you are still unable to reproduce, I will try to reproduce it with a
stock Debian Jessie kernel.


-Thomas



_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
