On Sat, Aug 18, 2012 at 9:26 AM, Aaron St. Pierre <[email protected]> wrote:
> On Fri, Aug 17, 2012 at 11:21 AM, Tom Eastep <[email protected]>wrote:
>
>> On 08/16/2012 02:35 PM, Aaron St. Pierre wrote:
>> > On Thu, Aug 16, 2012 at 5:24 PM, Tom Eastep <[email protected]
>> > <mailto:[email protected]>> wrote:
>> >
>> > On 8/16/12 2:02 PM, Aaron St. Pierre wrote:
>> >
>> > > Just Awesome! I created my list and added the rule and
>> everything is
>> > > working great! Yes I did turn on SAVE_IPSETS in the configuration
>> > file.
>> > >
>> > > One thing I noticed is that there are some 'fooTMPID' hanging
>> around
>> > > with no members. I'm assuming that shorewall created them but not
>> > sure:
>> > >
>> > > Name: fooX25739
>> > > Type: hash:ip
>> > > Header: family inet hashsize 1024 maxelem 65536
>> > > Size in memory: 8252
>> > > References: 0
>> > > Members:
>> > >
>> > > Are they needed for anything?
>> >
>> > No -- Which shorewall version are you using?
>> >
>> >
>> > 4.5.4 on centos 6.3
>>
>> I'm not seeing this problem on any of my systems. Can you determine what
>> command is causing these sets to be left behind?
>>
>> BTW: They are created when Shorewall is determining the capabilities of
>> your system.
>>
>> -Tom
>> --
>> Tom Eastep \ When I die, I want to go like my Grandfather who
>> Shoreline, \ died peacefully in his sleep. Not screaming like
>> Washington, USA \ all of the passengers in his car
>> http://shorewall.net \________________________________________________
>>
>>
>>
>>
>> ------------------------------------------------------------------------------
>> Live Security Virtual Conference
>> Exclusive live event will cover all the ways today's security and
>> threat landscape has changed and how IT managers can respond. Discussions
>> will include endpoint security, mobile security and the latest in malware
>> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>> _______________________________________________
>> Shorewall-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>>
>
>
> Tom, I'll make some time to take a look at this today.
> --
>
> Aaron
>
Tom,
It appears that even though the rule is being deleted ipset believes there
is still a reference to the set. I added some line numbers so I may be off
a bit:
lib.cli
2162 if [ -n "$have_ipset" ]; then
2163     if qt $g_tool -A $chain -m set --match-set $chain src -j ACCEPT; then
2164         qt $g_tool -D $chain -m set --match-set $chain src -j ACCEPT
2165         IPSET_MATCH=Yes
2166     elif qt $g_tool -A $chain -m set --set $chain src -j ACCEPT; then
2167         qt $g_tool -D $chain -m set --set $chain src -j ACCEPT
2168         IPSET_MATCH=Yes
2169         OLD_IPSET_MATCH=Yes
2170     fi
2171     echo "--------------------- $chain"
2172     ipset list
2173     iptables -L -n
2174     ipset -X $chain
2175 fi
When the ipset in line 2174 is invoked on my system I get the standard
ipset error:
ipset v6.11: Set cannot be destroyed: it is in use by a kernel component
If I move the ipset -X command to the end of the capabilities function
~line 2244:
ipset -X $chain
The fooXdddd ipset is then removed.
I've gotta run now but I'll do a bit more testing later tonight!
--
Aaron
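The ordering problem Aaron describes, worked through as an added example (this is not Shorewall's lib.cli code): a set whose `References:` count is non-zero cannot be destroyed, so the probe rule has to be deleted first and the count re-checked before `ipset -X`. The helper reads the `References:` line from `ipset list` output; the `fake_ipset`/`fake_ipt` functions and the sample listing are constructed stand-ins so the script runs without root, and the set name fooX25739 is taken from the header quoted earlier in the thread.

```sh
#!/bin/sh
# Added example, not code from Shorewall. Destroy a capability-probe ipset
# only after the iptables rule referencing it is gone and the kernel reports
# "References: 0"; otherwise `ipset -X` fails with
# "Set cannot be destroyed: it is in use by a kernel component".
#
# IPSET/IPT default to the real tools; point them at the fakes below to run
# without privileges (IPSET=fake_ipset IPT=fake_ipt).
IPSET=${IPSET:-ipset}
IPT=${IPT:-iptables}

# Constructed `ipset list` output, modelled on the header quoted in the thread,
# for a set that is still referenced by one rule.
SAMPLE_BUSY='Name: fooX25739
Type: hash:ip
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 8252
References: 1
Members:'

# ipset_refcount: read `ipset list <set>` output on stdin and print the number
# on its "References:" line. Prints nothing if the line is absent.
ipset_refcount() {
    sed -n 's/^References:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# destroy_probe_set CHAIN: delete the probe rule, then destroy the set only
# once the kernel shows zero references.
# Returns 0 when destroyed, 1 when still referenced, 2 when the set is absent.
destroy_probe_set() {
    chain=$1
    # Delete the rule first; ignore failure, the rule may already be gone.
    "$IPT" -D "$chain" -m set --match-set "$chain" src -j ACCEPT 2>/dev/null || true
    refs=$("$IPSET" list "$chain" 2>/dev/null | ipset_refcount)
    if [ -z "$refs" ]; then
        return 2
    elif [ "$refs" -gt 0 ]; then
        echo "not destroying $chain: References: $refs" >&2
        return 1
    fi
    "$IPSET" -X "$chain"
}

# Constructed stand-ins for ipset/iptables (no root needed). They model a
# single set, fooX25739, referenced by FAKE_REFS rules.
FAKE_REFS=${FAKE_REFS:-1}
FAKE_EXISTS=${FAKE_EXISTS:-1}
FAKE_DESTROYED=0
fake_ipset() {
    case $1 in
        list)
            if [ "$FAKE_EXISTS" -ne 1 ]; then
                echo "fake ipset: set $2 does not exist" >&2
                return 1
            fi
            printf 'Name: %s\nType: hash:ip\nHeader: family inet hashsize 1024 maxelem 65536\nSize in memory: 8252\nReferences: %s\nMembers:\n' "$2" "$FAKE_REFS" ;;
        -X)
            if [ "$FAKE_REFS" -gt 0 ]; then
                echo "ipset v6.11: Set cannot be destroyed: it is in use by a kernel component" >&2
                return 1
            fi
            FAKE_EXISTS=0
            FAKE_DESTROYED=1 ;;
    esac
}
fake_ipt() {
    # Only the `-D` form used above is modelled: deleting the rule releases one reference.
    if [ "$1" = -D ] && [ "$FAKE_REFS" -gt 0 ]; then
        FAKE_REFS=$((FAKE_REFS - 1))
    fi
    return 0
}
```

Against the real tools, `destroy_probe_set fooX25739` with a still-referenced set exits 1 and leaves the set in place instead of silently leaking it, which is the behaviour the `ipset -X` at the end of the capabilities function achieves by running after every probe rule has been removed.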