On 02/06/2018 12:56 PM, Tom Eastep wrote:
> On 02/06/2018 11:38 AM, Nicola Ferrari (#554252) wrote:
>> On 06/02/2018 17:38, Nicola Ferrari (#554252) wrote:
>>> Hi list!
>>>
>>
>> I'm sorry guys.. In the previous message I forgot to mention that
>> "shorewall show capabilities" gives me the following output:
>>
>> Shorewall has detected the following iptables/netfilter capabilities:
>> ACCOUNT Target (ACCOUNT_TARGET): Available
>> Address Type Match (ADDRTYPE): Available
>> Amanda Helper: Available
>> Arptables JF: Not available
>> AUDIT Target (AUDIT_TARGET): Available
>> Basic Ematch (BASIC_EMATCH): Available
>> Basic Filter (BASIC_FILTER): Available
>> Capabilities Version (CAPVERSION): 40600
>> Checksum Target: Available
>> CLASSIFY Target (CLASSIFY_TARGET): Available
>> Comments (COMMENTS): Available
>> Condition Match (CONDITION_MATCH): Available
>> Connection Tracking Match (CONNTRACK_MATCH): Available
>> Connlimit Match (CONNLIMIT_MATCH): Available
>> Connmark Match (CONNMARK_MATCH): Available
>> CONNMARK Target (CONNMARK): Available
>> CT Target (CT_TARGET): Available
>> DSCP Match (DSCP_MATCH): Available
>> DSCP Target (DSCP_TARGET): Available
>> Enhanced Multi-port Match (EMULIPORT): Available
>> Extended Connection Tracking Match Support (NEW_CONNTRACK_MATCH): Available
>> Extended Connmark Match (XCONNMARK_MATCH): Available
>> Extended CONNMARK Target (XCONNMARK): Available
>> Extended MARK Target 2 (EXMARK): Available
>> Extended MARK Target (XMARK): Available
>> Extended Multi-port Match (XMULIPORT): Available
>> Extended REJECT (ENHANCED_REJECT): Available
>> FLOW Classifier (FLOW_FILTER): Available
>> FTP-0 Helper: Not available
>> FTP Helper: Available
>> fwmark route mask (FWMARK_RT_MASK): Available
>> Geo IP match: Not available
>> Goto Support (GOTO_TARGET): Available
>> H323 Helper: Available
>> Hashlimit Match (HASHLIMIT_MATCH): Available
>> Header Match (HEADER_MATCH): Not available
>> Helper Match (HELPER_MATCH): Available
>> IMQ Target (IMQ_TARGET): Not available
>> IPMARK Target (IPMARK_TARGET): Available
>> IPP2P Match (IPP2P_MATCH): Available
>> IP range Match(IPRANGE_MATCH): Available
>> ipset V5 (IPSET_V5): Available
>> iptables -S (IPTABLES_S): Available
>> IRC-0 Helper: Not available
>> IRC Helper: Available
>> Kernel Version (KERNELVERSION): 31600
>> LOGMARK Target (LOGMARK_TARGET): Available
>> LOG Target (LOG_TARGET): Available
>> Mangle FORWARD Chain (MANGLE_FORWARD): Available
>> Mark in the filter table (MARK_ANYWHERE): Available
>> MARK Target (MARK): Available
>> MASQUERADE Target: Available
>> Multi-port Match (MULTIPORT): Available
>> NAT (NAT_ENABLED): Available
>> Netbios_ns Helper: Available
>> New tos Match: Available
>> NFAcct match: Not available
>> NFLOG Target (NFLOG_TARGET): Available
>> NFQUEUE Target (NFQUEUE_TARGET): Available
>> Owner Match (OWNER_MATCH): Available
>> Owner Name Match (OWNER_NAME_MATCH): Available
>> Packet length Match (LENGTH_MATCH): Available
>> Packet Mangling (MANGLE_ENABLED): Available
>> Packet Type Match (USEPKTTYPE): Available
>> Persistent SNAT (PERSISTENT_SNAT): Available
>> Physdev-is-bridged Support (PHYSDEV_BRIDGE): Available
>> Physdev Match (PHYSDEV_MATCH): Available
>> Policy Match (POLICY_MATCH): Available
>> PPTP Helper: Available
>> Rawpost Table (RAWPOST_TABLE): Not available
>> Raw Table (RAW_TABLE): Available
>> Realm Match (REALM_MATCH): Available
>> Recent Match "--reap" option (REAP_OPTION): Available
>> Recent Match (RECENT_MATCH): Available
>> Repeat match (KLUDGEFREE): Available
>> RPFilter match: Available
>> SANE-0 Helper: Not available
>> SANE Helper: Available
>> SIP-0 Helper: Not available
>> SIP Helper: Available
>> SNMP Helper: Available
>> Statistic Match (STATISTIC_MATCH): Available
>> TCPMSS Match (TCPMSS_MATCH): Available
>> TFTP-0 Helper: Not available
>> TFTP Helper: Available
>> Time Match (TIME_MATCH): Available
>> TPROXY Target (TPROXY_TARGET): Available
>> UDPLITE Port Redirection: Not available
>> ULOG Target (ULOG_TARGET): Available
>
> Do you possibly have a stale /etc/shorewall/capabilities file?
>
Actually, it appears as if your iptables/kernel do not have the ipset match
capability (IPSET_MATCH). You can see that by:

shorewall show -f capabilities | fgrep IPSET

Here is what I see on Debian 9.3:

root@gateway:~# shorewall show -f capabilities | fgrep IPSET
IPSET_MATCH_COUNTERS=Yes
IPSET_MATCH_NOMATCH=Yes
IPSET_MATCH=Yes
IPSET_V5=Yes
OLD_IPSET_MATCH=
root@gateway:~#

-Tom
-- 
Tom Eastep        \ Q: What do you get when you cross a mobster with
Shoreline,         \    an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \    understand
                      \_______________________________________________
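A small pre-flight check built around the command Tom gives, added here as an example for this thread (it is not Shorewall's own code and was not posted by Tom or Nicola). It parses the KEY=Value lines that `shorewall show -f capabilities` prints, reports which ipset capabilities are unset, and compares a live dump against a saved one so that a stale /etc/shorewall/capabilities file shows up as a list of differing keys. It assumes an unset capability appears either as an empty `KEY=` (as `OLD_IPSET_MATCH=` does in Tom's output) or not at all. Both sample dumps are constructed: `SAMPLE_OK` mirrors Tom's Debian 9.3 lines, and `SAMPLE_MISSING` is how a host like Nicola's would look with `ipset V5` present but `IPSET_MATCH` absent.

```shell
#!/bin/sh
# Added example for this thread, not Shorewall's code: sanity-check the
# ipset capabilities in "shorewall show -f capabilities" (KEY=Value) output.
#
# Live use:
#   shorewall show -f capabilities > /tmp/live.caps
#   check_ipset_caps "$(cat /tmp/live.caps)"
#   ipset_caps_differ "$(cat /tmp/live.caps)" "$(cat /etc/shorewall/capabilities)"

# Constructed sample: the IPSET lines Tom shows on Debian 9.3.
SAMPLE_OK='IPSET_MATCH_COUNTERS=Yes
IPSET_MATCH_NOMATCH=Yes
IPSET_MATCH=Yes
IPSET_V5=Yes
OLD_IPSET_MATCH='

# Constructed sample: a host like Nicola's, where "ipset V5" is available
# but the ipset match itself is not (IPSET_MATCH absent from the dump).
SAMPLE_MISSING='CAPVERSION=40600
IPSET_V5=Yes
OLD_IPSET_MATCH=
KERNELVERSION=31600'

# cap_value CAPS KEY: print KEY's value from a KEY=Value dump; empty when the
# key is unset (KEY=) or absent. Anchoring on "KEY=" keeps IPSET_MATCH from
# also matching IPSET_MATCH_COUNTERS.
cap_value() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p" | head -n 1
}

# check_ipset_caps CAPS: require the capabilities that ipset-based rules
# need. Prints "missing: KEY ..." and returns 1 if any is unset, else 0.
check_ipset_caps() {
    missing=""
    for key in IPSET_MATCH IPSET_V5; do
        [ -n "$(cap_value "$1" "$key")" ] || missing="$missing $key"
    done
    if [ -n "$missing" ]; then
        echo "missing:$missing"
        return 1
    fi
    echo "ipset capabilities present"
}

# ipset_caps_differ LIVE SAVED: compare the ipset keys of a live dump with a
# saved /etc/shorewall/capabilities file. A stale file shows up as one line
# per differing key; returns 1 if anything differs, 0 if the file is current.
ipset_caps_differ() {
    differ=0
    for key in IPSET_MATCH IPSET_MATCH_COUNTERS IPSET_MATCH_NOMATCH IPSET_V5 OLD_IPSET_MATCH; do
        live=$(cap_value "$1" "$key")
        saved=$(cap_value "$2" "$key")
        if [ "$live" != "$saved" ]; then
            echo "$key: live='$live' saved='$saved'"
            differ=1
        fi
    done
    return $differ
}

# Stand-alone demo on the constructed samples.
check_ipset_caps "$SAMPLE_OK" || true
check_ipset_caps "$SAMPLE_MISSING" || true
ipset_caps_differ "$SAMPLE_OK" "$SAMPLE_MISSING" || true
```

Run against the live output and the saved file, a difference on any IPSET key means the saved capabilities no longer describe the running kernel and iptables, which is the case Tom's first question was probing for; no difference and an empty IPSET_MATCH means the kernel or iptables really lacks the match.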
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users