On Sat, Aug 18, 2012 at 7:03 PM, Aaron St. Pierre <[email protected]> wrote:
> On Sat, Aug 18, 2012 at 5:42 PM, Tom Eastep <[email protected]> wrote:
>
>> On 8/18/12 12:02 PM, Aaron St. Pierre wrote:
>>
>> >
>> > Tom,
>> >
>> > It appears that even though the rule is being deleted ipset believes
>> > there is still a reference to the set. I added some line numbers so I
>> > may be off a bit:
>> >
>> > lib.cli
>> >
>> > 2162 if [ -n "$have_ipset" ]; then
>> > 2163 if qt $g_tool -A $chain -m set --match-set $chain
>> > src -j ACCEPT; then
>> > 2164 qt $g_tool -D $chain -m set --match-set $chain
>> > src -j ACCEPT
>> > 2165 IPSET_MATCH=Yes
>> > 2166 elif qt $g_tool -A $chain -m set --set $chain src
>> > -j ACCEPT; then
>> > 2167 qt $g_tool -D $chain -m set --set $chain src -j
>> > ACCEPT
>> > 2168 IPSET_MATCH=Yes
>> > 2169 OLD_IPSET_MATCH=Yes
>> > 2170 fi
>> > 2171 echo "--------------------- $chain"
>> > 2172 ipset list
>> > 2173 iptables -L -n
>> > 2174 ipset -X $chain
>> > 2175 fi
>> >
>> > When the ipset in line 2174 is invoked on my system I get the standard
>> > ipset error:
>> >
>> > ipset v6.11: Set cannot be destroyed: it is in use by a kernel component
>> >
>> > If I move the ipset -X command to the end of the capabilities function
>> > ~line 2244:
>> >
>> > ipset -X $chain
>> >
>> > The fooXdddd ipset is then removed.
>>
>> Something must be broken with your kit -- that code works as expected on
>> my systems.
>>
>> -Tom
>> --
>> Tom Eastep \ When I die, I want to go like my Grandfather who
>> Shoreline, \ died peacefully in his sleep. Not screaming like
>> Washington, USA \ all of the passengers in his car
>> http://shorewall.net \________________________________________________
>>
>>
>>
>> ------------------------------------------------------------------------------
>> Live Security Virtual Conference
>> Exclusive live event will cover all the ways today's security and
>> threat landscape has changed and how IT managers can respond. Discussions
>> will include endpoint security, mobile security and the latest in malware
>> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>> _______________________________________________
>> Shorewall-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>>
>>
> Tom,
>
> I may have accepted that but I just setup a completely fresh install of
> centos 6.3 final, installed shorewall and the *same* things is happening.
>
> One thing that may be worthy of noting is that these are VPS(es) running
> over at linode so the kernels are linode kernels. This one happens to be
> running 3.0.18-linode43.
>
> I suppose it's not the end of the world as I do have a work around, but I
> certainly don't think I'm the only person that is going to face this
> problem.
>
> Another nasty side effect of the problem would be the lists being
> preserved if you have ipset save turned on.
>
> Moving the ipset -X $chain to the bottom of the function seemed to take
> care of the problem. I'll do some more testing and report back.
>
> --
>
> Aaron
>
Hi Tom,
Here is some more info:
# shorewall show capabilities
/sbin/iptables -A fooX29429 -m set --match-set fooX29429 src -j ACCEPT
1 *********here@@@@@@@@@@@@@@@@
/sbin/iptables -D fooX29429 -m set --match-set fooX29429 src -j ACCEPT
iptables: Bad rule (does a matching rule exist in that chain?).
ipset v6.11: Set cannot be destroyed: it is in use by a kernel component
after IPset section
Chain fooX29429 (0 references)
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 match-set
fooX29429 src
Chain fooX294291 (0 references)
So the problem appears to be with
$g_tool -D $chain -m set --match-set $chain src -j ACCEPT
Since that fails so does the
ipset -X $chain
Changing the iptables command to flush the chain does in fact get rid of
the rules and then I'm able to remove the ipset as expected.
Again this is happening on a vanilla system so I mustn't have my system
configured properly. Is there anything I need to do on my end to be able to
have iptables delete these rules? I'm running the same everything on both
boxes but one is a completely fresh install and the other is a host I've
been using for awhile.
Thanks again Tom your help is greatly appreciated!
--
Aaron
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
