On 7/19/2014 10:01 AM, Tom Eastep wrote:
> On 7/19/2014 9:41 AM, Thomas D. wrote:
>> On 2014-07-19 18:28, Thomas D. wrote:
>>> If you are still unable to reproduce, I will try to reproduce it with a
>>> stock Debian Jessie kernel.
>>
>> I was able to reproduce it on a stock Debian Jessie with
>>
>>> # uname -a
>>> Linux vm-jessie-x64 3.14-1-amd64 #1 SMP Debian 3.14.12-1 (2014-07-11) 
>>> x86_64 GNU/Linux
>>
>> So I think you should be able, too.
> 
> Yes -- I have reproduced it.

And I have come up with a *much* simpler patch.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index b257100..8dc387e 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -4118,7 +4118,7 @@ sub IPSet_Match() {
     if ( $ipset && -x $ipset ) {
 	qt( "$ipset -X $sillyname" );
 
-	if ( qt( "$ipset -N $sillyname iphash" ) || qt( "$ipset -N $sillyname hash:ip family $fam") ) {
+	if ( qt( "$ipset -N $sillyname hash:ip family $fam") || qt( "$ipset -N $sillyname iphash" ) ) {
 	    if ( qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src -j ACCEPT" ) ) {
 		$capabilities{IPSET_MATCH_NOMATCH}  = qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src --return-nomatch -j ACCEPT" );
 		$capabilities{IPSET_MATCH_COUNTERS} = qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src --packets-lt 100 -j ACCEPT" );
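
Review bot: The swapped `if` condition in IPSet_Match() carries no comment explaining why `hash:ip family $fam` has to be tried before `iphash`, so a later tidy-up could reverse the order again. With the old order, the `family $fam` form was only attempted when `iphash` failed, so the probe set could be created without the requested family before the `--match-set` tests ran. Suggest a one-line comment above the `if` saying that the family-qualified form is preferred and `iphash` is only the fallback.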

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
