On 8/18/12 6:20 PM, Aaron St. Pierre wrote:
> Hi Tom,
>
> Here is some more info:
>
> # shorewall show capabilities
> /sbin/iptables -A fooX29429 -m set --match-set fooX29429 src -j ACCEPT
> 1 *********here@@@@@@@@@@@@@@@@
> /sbin/iptables -D fooX29429 -m set --match-set fooX29429 src -j ACCEPT
> iptables: Bad rule (does a matching rule exist in that chain?).
> ipset v6.11: Set cannot be destroyed: it is in use by a kernel component
> after IPset section
> Chain fooX29429 (0 references)
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 match-set fooX29429 src
> Chain fooX294291 (0 references)
>
> So the problem appears to be with
>
> $g_tool -D $chain -m set --match-set $chain src -j ACCEPT
>
> Since that fails so does the
>
> ipset -X $chain
>
> Changing the iptables command to flush the chain does in fact get rid of
> the rules and then I'm able to remove the ipset as expected.
>
> Again this is happening on a vanilla system so I mustn't have my system
> configured properly. Is there anything I need to do on my end to be able
> to have iptables delete these rules? I'm running the same everything on
> both boxes but one is a completely fresh install and the other is a host
> I've been using for a while.
While you were doing this, I was installing Foobar Linux 6.3; like
Centos, Foobar is a RHEL derivative. Foobar 6.3 shows the same result. I
think that the best patch is to substitute:
$g_tool -F
for the existing '$g_tool -D' commands.
Patch against the current 4.5.7 branch attached (should apply with
offset to your configuration).
This iptables/Netfilter bug is fixed in Fedora 17, so the fix should
make it into RHEL and CentOS/Foobar eventually.
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli
index 5412ba5..bf9b1cc 100644
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -2235,10 +2235,10 @@ determine_capabilities() {
if [ -n "$have_ipset" ]; then
if qt $g_tool -A $chain -m set --match-set $chain src -j
ACCEPT; then
- qt $g_tool -D $chain -m set --match-set $chain src -j ACCEPT
+ qt $g_tool -F
IPSET_MATCH=Yes
elif qt $g_tool -A $chain -m set --set $chain src -j ACCEPT;
then
- qt $g_tool -D $chain -m set --set $chain src -j ACCEPT
+ qt $g_tool -F
IPSET_MATCH=Yes
OLD_IPSET_MATCH=Yes
fi
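Review bot: the replacement `qt $g_tool -F` in both branches of this hunk passes no chain name, and `iptables -F` without a chain argument flushes every chain in the table, not only the probe chain `$chain`; run from `shorewall show capabilities` on a host with a loaded ruleset, that would empty the live chains and leave traffic subject only to the chain policies. Keep the flush scoped to the probe chain, i.e. `qt $g_tool -F $chain`. The quoted output shows the probe chain (`fooX29429`) holding a single rule with 0 references, so flushing that chain alone is enough to let the subsequent `ipset -X $chain` succeed.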
@@ -2247,10 +2247,10 @@ determine_capabilities() {
elif qt ipset -N $chain hash:ip family inet6; then
IPSET_V5=Yes
if qt $g_tool -A $chain -m set --match-set $chain src -j ACCEPT;
then
- qt $g_tool -D $chain -m set --match-set $chain src -j ACCEPT
+ qt $g_tool -F
IPSET_MATCH=Yes
elif qt $g_tool -A $chain -m set --set $chain src -j ACCEPT; then
- qt $g_tool -D $chain -m set --set $chain src -j ACCEPT
+ qt $g_tool -F
IPSET_MATCH=Yes
OLD_IPSET_MATCH=Yes
fi
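Review bot: the same missing chain argument appears in the ipset-v5 branch of this hunk; `qt $g_tool -F` should be `qt $g_tool -F $chain` in both places, otherwise every chain of the table `$g_tool` operates on is flushed instead of the probe chain. A one-line comment at the first flush explaining that `-F` replaces `-D` only because deleting a `-m set` rule fails on the affected iptables builds (the report quotes "Bad rule (does a matching rule exist in that chain?)") would keep a later reader from reverting it to `-D`.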
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
