> -----Original message-----
> From: [email protected] [mailto:[email protected]]
> Issue #2, Another problem I encounter is that I have to manually pre-create
> the wuhosts set, otherwise I get another error:
>
> Setting up Traffic Control...
> ipset: unknown set name 'wuhosts'
> ... ipset(wuhosts >>dst)<< ...
> ... ipset(>>wuhosts<< dst)...
> Usage: ipset(SETNAME FLAGS)
> where: SETNAME:= string
> FLAGS := { FLAG[,FLAGS] }
> FLAG := { src | dst }
>
> Example: 'ipset(bulk src,dst)'
> Illegal "ematch"
> ERROR: Command "tc filter add dev ifb0 protocol ip parent 2:0 prio 1 basic
> match ipset(wuhosts dst) flowid 2:140" Failed
>
>
> I am sure there is support in shorewall to automatically create ipsets when
> needed, because for example I use dynamic zones which are implemented
> with ipsets (and in fact it calls add_ipset($ipset); ).
> Inspired by that I tried to simply do something like this:
>
> --- Tc.pm.orig 2016-10-23 07:41:55.000000000 +0200
> +++ Tc.pm 2016-10-23 08:55:24.529013933 +0200
> @@ -1517,8 +1517,9 @@
> if ( $source ne '-' ) {
> $rule .= ' and' if $have_rule;
>
> - if ( $source =~ /^\+/ ) {
> + if ( $source =~ /^\+(\S+)/ ) {
> $rule .= join( '', "\\\n ", handle_ematch( $source, 'src' )
);
> + add_ipset($1);
> } else {
> my @parts = decompose_net_u32( $source );
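Review bot: add_ipset($1) is called here without first declaring an ipset capability, and the trace quoted below shows where that leads: Shorewall::Chains::ensure_ipsets('wuhosts') calls have_capability('IPSET_MATCH_COUNTERS'), which ends in detect_capability(undef) and the "Internal error in Shorewall::Config::detect_capability" abort, and the reporter notes it only happens when no other ipsets are defined. Call require_capability( 'IPSET_MATCH', ... ) before add_ipset, mirroring the other add_ipset call sites, so the capability is established before the set is registered.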
>
> but it gave me this weird error. Apparently I have to know something more
> about ipset handling in Shorewall. Could this be addressed?
>
> Optimizing Ruleset...
> Creating iptables-restore input...
> Use of uninitialized value $capability in hash element at
> /usr/share/perl5/vendor_perl/Shorewall/Config.pm line 4937.
> Use of uninitialized value $capability in hash element at
> /usr/share/perl5/vendor_perl/Shorewall/Config.pm line 4924.
> ERROR: Internal error in Shorewall::Config::detect_capability at
> /usr/share/perl5/vendor_perl/Shorewall/Config.pm line 4926 at
> /usr/share/perl5/vendor_perl/Shorewall/Config.pm line 1466.
> Shorewall::Config::fatal_error('Internal error in
> Shorewall::Config::detect_capability at /us...') called at
> /usr/share/perl5/vendor_perl/Shorewall/Config.pm line 1506
> Shorewall::Config::assert('') called at
> /usr/share/perl5/vendor_perl/Shorewall/Config.pm line 4926
> Shorewall::Config::detect_capability(undef) called at
> /usr/share/perl5/vendor_perl/Shorewall/Config.pm line 4939
> Shorewall::Config::have_capability(undef) called at
> /usr/share/perl5/vendor_perl/Shorewall/Config.pm line 4551
> Shorewall::Config::IPSet_Match_Counters() called at
> /usr/share/perl5/vendor_perl/Shorewall/Config.pm line 4927
> Shorewall::Config::detect_capability('IPSET_MATCH_COUNTERS') called
> at /usr/share/perl5/vendor_perl/Shorewall/Config.pm line 4939
> Shorewall::Config::have_capability('IPSET_MATCH_COUNTERS') called at
> /usr/share/perl5/vendor_perl/Shorewall/Chains.pm line 8268
> Shorewall::Chains::ensure_ipsets('wuhosts') called at
> /usr/share/perl5/vendor_perl/Shorewall/Chains.pm line 8348
> Shorewall::Chains::create_save_ipsets() called at
> /usr/share/perl5/vendor_perl/Shorewall/Compiler.pm line 370
> Shorewall::Compiler::generate_script_3(':none:') called at
> /usr/share/perl5/vendor_perl/Shorewall/Compiler.pm line 923
> Shorewall::Compiler::compiler('script',
> '/var/lib/shorewall/.reload', 'directory', '/etc/shorewallConWinUpdSets',
> 'verbosity', 1, 'timestamp', 0, 'debug', ...) called at
> /usr/libexec/shorewall/compiler.pl line 142
>
>
Hello, I would like to post what seems to be a solution to my issue #2 above. I
noticed that the error is raised only when there are no other ipsets defined
elsewhere in the shorewall config. This led me to think that I had to require
some shorewall function/module/capability. So I looked at other add_ipset
occurrences, particularly in Zones.pm, and the rest was easy.
Again, I would kindly ask if it can be reviewed and, if so, go into
mainstream. Thank you.
The patch:
--- Tc.pm.orig 2016-10-23 07:41:55.000000000 +0200
+++ Tc.pm 2016-10-23 15:03:18.855719688 +0200
@@ -1517,8 +1517,10 @@
if ( $source ne '-' ) {
$rule .= ' and' if $have_rule;
- if ( $source =~ /^\+/ ) {
+ if ( $source =~ /^\+(\S+)/ ) {
$rule .= join( '', "\\\n ", handle_ematch( $source, 'src' ) );
+ require_capability( 'IPSET_MATCH', 'Dynamic nets', '');
+ add_ipset($1);
} else {
my @parts = decompose_net_u32( $source );
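Review bot: $1 is consumed two statements after the match, with handle_ematch( $source, 'src' ) called in between; Perl restores the capture variables when that sub returns, so it works, but it is fragile and hard to read. Capture the name into a lexical at the match (`if ( $source =~ /^\+(\S+)/ ) { my $set = $1;`) and pass $set to add_ipset. Also, \S+ accepts any run of non-whitespace as the set name, so anything appended to the name in the SOURCE column is handed to add_ipset unchanged; consider restricting the capture to the characters a set name may contain, or reusing whatever parsing handle_ematch applies to $source so the two agree on the name.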
@@ -1541,8 +1543,10 @@
if ( $dest ne '-' ) {
$rule .= ' and' if $have_rule;
- if ( $dest =~ /^\+/ ) {
+ if ( $dest =~ /^\+(\S*)/ ) {
$rule .= join( '', "\\\n ", handle_ematch( $dest, 'dst' ) );
+ require_capability( 'IPSET_MATCH', 'Dynamic nets', '');
+ add_ipset($1);
} else {
my @parts = decompose_net_u32( $dest );
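Review bot: the dest branch uses /^\+(\S*)/ while the source branch in the previous hunk uses /^\+(\S+)/; with \S*, a DEST of a bare '+' still matches and add_ipset('') is called with an empty set name. Use \S+ in both branches so an empty name falls through to the existing error handling instead of registering a nameless set.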
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users