On 8/18/12 12:02 PM, Aaron St. Pierre wrote: > > Tom, > > It appears that even though the rule is being deleted ipset believes > there is still a reference to the set. I added some line numbers so I > may be off a bit: > > lib.cli > > 2162 if [ -n "$have_ipset" ]; then > 2163 if qt $g_tool -A $chain -m set --match-set $chain > src -j ACCEPT; then > 2164 qt $g_tool -D $chain -m set --match-set $chain > src -j ACCEPT > 2165 IPSET_MATCH=Yes > 2166 elif qt $g_tool -A $chain -m set --set $chain src > -j ACCEPT; then > 2167 qt $g_tool -D $chain -m set --set $chain src -j > ACCEPT > 2168 IPSET_MATCH=Yes > 2169 OLD_IPSET_MATCH=Yes > 2170 fi > 2171 echo "--------------------- $chain" > 2172 ipset list > 2173 iptables -L -n > 2174 ipset -X $chain > 2175 fi > > When the ipset in line 2174 is invoked on my system I get the standard > ipset error: > > ipset v6.11: Set cannot be destroyed: it is in use by a kernel component > > If I move the ipset -X command to the end of the capabilities function > ~line 2244: > > ipset -X $chain > > The fooXdddd ipset is then removed.
Something must be broken with your kit -- that code works as expected on my systems. -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________
signature.asc
Description: OpenPGP digital signature
------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
