> From: [email protected] [mailto:[email protected]]
> Sent: Monday 24 October 2016 06:38
> To: 'Shorewall Users' <[email protected]>
> Subject: [Shorewall-users] RE: tcfilter problems with ipset
> 
> > From: Tom Eastep [mailto:[email protected]]
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA256
> >
> > On 10/23/2016 12:09 AM, [email protected] wrote:
> > > Hi all
> > >
> > > Issue #2, Another problem I encounter is that I have to manually
> > > pre-create the wuhosts set, otherwise I get another error:
> > >
> > > Setting up Traffic Control... ipset: unknown set name 'wuhosts' ...
> > > ipset(wuhosts >>dst)<< ... ... ipset(>>wuhosts<< dst)... Usage:
> > > ipset(SETNAME FLAGS) where: SETNAME:= string FLAGS  := {
> > > FLAG[,FLAGS] } FLAG   := { src | dst }
> > >
> > > Example: 'ipset(bulk src,dst)' Illegal "ematch" ERROR: Command "tc
> > > filter add dev ifb0 protocol ip parent 2:0 prio 1 basic match
> > > ipset(wuhosts dst) flowid 2:140" Failed
> > >
> > > I am sure there is support in shorewall to automatically create
> > > ipsets when needed, because for example I use dynamic zones which
> > > are implemented with ipsets (and in fact it calls add_ipset($ipset);).
> > > Inspired by that I tried to simply do something like this:
> > >
> > > --- Tc.pm.orig  2016-10-23 07:41:55.000000000 +0200 +++ Tc.pm
> > > 2016-10-23 08:55:24.529013933 +0200 @@ -1517,8 +1517,9 @@ if (
> > > $source ne '-' ) { $rule .= ' and' if $have_rule;
> > >
> > > -       if ( $source =~ /^\+/ ) { +       if ( $source =~
> > > /^\+(\S+)/ ) { $rule .= join( '', "\\\n   ", handle_ematch(
> > > $source, 'src' ) ); +           add_ipset($1); } else { my @parts =
> > > decompose_net_u32( $source );
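Review bot: the added `add_ipset($1);` covers only the `$source` branch under `if ( $source ne '-' )`, while the filter that fails in the error quoted above is `basic match ipset(wuhosts dst)`; if the destination side is handled by a parallel branch, it needs the same `/^\+(\S+)/` capture and `add_ipset($1)` call. Also, `add_ipset` is reached on this path without the IPSET_MATCH capability having been required, which matches the compile trace in this mail where `ensure_ipsets('wuhosts')` ends in `have_capability(undef)` and an internal error; a `require_capability( 'IPSET_MATCH', 'Dynamic nets', '' )` placed before the `add_ipset($1)` line, as the reply below reports, avoids that.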
> > >
> > > but it gave me this weird error. Apparently I have to know something
> > > more about ipset handling in Shorewall. Could this be addressed?
> >
> > Please see if the attached patch addresses your issue.
> 
> Yes it did. Thank you again.
> 

Ehm, I apologize, but I did not do the test the right way. I had the ipset
defined elsewhere, and this made it get created right. If the ipset is used
only in tcfilter, the patch seems not to be enough. I still get the attached
error.
But if I simply add the following line above the line you added with your
patch, the issue is solved. The line to add above add_ipset is:
require_capability( 'IPSET_MATCH', 'Dynamic nets', '');

Sorry for the mess.
Luigi


Compiling using Shorewall 5.0.13.1...
Processing /etc/shorewallConWinUpdEIPDiv/params ...
Processing /etc/shorewallConWinUpdEIPDiv/shorewall.conf...
Loading Modules...
Compiling /etc/shorewallConWinUpdEIPDiv/zones...
Compiling /etc/shorewallConWinUpdEIPDiv/interfaces...
Compiling /etc/shorewallConWinUpdEIPDiv/hosts...
Determining Hosts in Zones...
Locating Action Files...
Compiling /etc/shorewallConWinUpdEIPDiv/policy...
Running /etc/shorewallConWinUpdEIPDiv/initdone...
Adding Anti-smurf Rules
Compiling TCP Flags filtering...
Compiling Kernel Route Filtering...
Compiling Martian Logging...
Compiling Accept Source Routing...
Compiling /etc/shorewallConWinUpdEIPDiv/tcdevices...
Compiling /etc/shorewallConWinUpdEIPDiv/tcclasses...
Use of uninitialized value in numeric eq (==) at 
/usr/share/perl5/vendor_perl/Shorewall/Tc.pm line 830, <$currentfile> line 11.
   Priority of the eth1 packet mark 240 filter is 532
   Priority of the eth1 packet mark 250 filter is 1300
Compiling /etc/shorewallConWinUpdEIPDiv/tcfilters...
Compiling /etc/shorewallConWinUpdEIPDiv/mangle...
Compiling /etc/shorewallConWinUpdEIPDiv/masq...
Compiling MAC Filtration -- Phase 1...
Compiling /etc/shorewallConWinUpdEIPDiv/rules...
Compiling /etc/shorewallConWinUpdEIPDiv/conntrack...
Compiling /etc/shorewallConWinUpdEIPDiv/tunnels...
Compiling MAC Filtration -- Phase 2...
Applying Policies...
Compiling /usr/share/shorewall/action.Reject for chain Reject...
Compiling /usr/share/shorewall/action.Broadcast for chain Broadcast...
Compiling /usr/share/shorewall/action.Drop for chain Drop...
Generating Rule Matrix...
Optimizing Ruleset...
Creating iptables-restore input...
Use of uninitialized value $capability in hash element at 
/usr/share/perl5/vendor_perl/Shorewall/Config.pm line 4937.
Use of uninitialized value $capability in hash element at 
/usr/share/perl5/vendor_perl/Shorewall/Config.pm line 4924.
   ERROR: Internal error in Shorewall::Config::detect_capability at 
/usr/share/perl5/vendor_perl/Shorewall/Config.pm line 4926 at 
/usr/share/perl5/vendor_perl/Shorewall/Config.pm line 1466.
        Shorewall::Config::fatal_error('Internal error in 
Shorewall::Config::detect_capability at /us...') called at 
/usr/share/perl5/vendor_perl/Shorewall/Config.pm line 1506
        Shorewall::Config::assert('') called at 
/usr/share/perl5/vendor_perl/Shorewall/Config.pm line 4926
        Shorewall::Config::detect_capability(undef) called at 
/usr/share/perl5/vendor_perl/Shorewall/Config.pm line 4939
        Shorewall::Config::have_capability(undef) called at 
/usr/share/perl5/vendor_perl/Shorewall/Config.pm line 4551
        Shorewall::Config::IPSet_Match_Counters() called at 
/usr/share/perl5/vendor_perl/Shorewall/Config.pm line 4927
        Shorewall::Config::detect_capability('IPSET_MATCH_COUNTERS') called at 
/usr/share/perl5/vendor_perl/Shorewall/Config.pm line 4939
        Shorewall::Config::have_capability('IPSET_MATCH_COUNTERS') called at 
/usr/share/perl5/vendor_perl/Shorewall/Chains.pm line 8268
        Shorewall::Chains::ensure_ipsets('wuhosts') called at 
/usr/share/perl5/vendor_perl/Shorewall/Chains.pm line 8348
        Shorewall::Chains::create_save_ipsets() called at 
/usr/share/perl5/vendor_perl/Shorewall/Compiler.pm line 370
        Shorewall::Compiler::generate_script_3(':none:') called at 
/usr/share/perl5/vendor_perl/Shorewall/Compiler.pm line 923
        Shorewall::Compiler::compiler('script', '/var/lib/shorewall/.reload', 
'directory', '/etc/shorewallConWinUpdEIPDiv', 'verbosity', 1, 'timestamp', 0, 
'debug', ...) called at /usr/libexec/shorewall/compiler.pl line 142