On Sat, Aug 18, 2012 at 9:48 PM, Tom Eastep <[email protected]> wrote:
> On 8/18/12 6:20 PM, Aaron St. Pierre wrote:
>
> > Hi Tom,
> >
> > Here is some more info:
> >
> > # shorewall show capabilities
> > /sbin/iptables -A fooX29429 -m set --match-set fooX29429 src -j ACCEPT
> > 1 *********here@@@@@@@@@@@@@@@@
> > /sbin/iptables -D fooX29429 -m set --match-set fooX29429 src -j ACCEPT
> > iptables: Bad rule (does a matching rule exist in that chain?).
> > ipset v6.11: Set cannot be destroyed: it is in use by a kernel component
> > after IPset section
> > Chain fooX29429 (0 references)
> > ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 match-set fooX29429 src
> > Chain fooX294291 (0 references)
> >
> > So the problem appears to be with
> >
> > $g_tool -D $chain -m set --match-set $chain src -j ACCEPT
> >
> > Since that fails so does the
> >
> > ipset -X $chain
> >
> > Changing the iptables command to flush the chain does in fact get rid of
> > the rules and then I'm able to remove the ipset as expected.
> >
> > Again this is happening on a vanilla system so I mustn't have my system
> > configured properly. Is there anything I need to do on my end to be able
> > to have iptables delete these rules? I'm running the same everything on
> > both boxes but one is a completely fresh install and the other is a host
> > I've been using for a while.
>
> While you were doing this, I was installing Foobar Linux 6.3; like
> CentOS, Foobar is a RHEL derivative. Foobar 6.3 shows the same result. I
> think that the best patch is to substitute:
>
> $g_tool -F
>
> for the existing '$g_tool -D' commands.
>
> Patch against the current 4.5.7 branch attached (should apply with
> offset to your configuration).
>
> This iptables/Netfilter bug is fixed in Fedora 17, so the fix should
> make it into RHEL and CentOS/Foobar eventually.
>
> -Tom
> --
> Tom Eastep \ When I die, I want to go like my Grandfather who
> Shoreline, \ died peacefully in his sleep. Not screaming like
> Washington, USA \ all of the passengers in his car
> http://shorewall.net \________________________________________________
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Shorewall-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
>
Awesome! Thanks Tom!
--
Aaron
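
The cleanup order discussed in this thread, as an added example that is not part of either message and is not Shorewall's code: a capability probe that creates a scratch chain and set, adds the match rule, and then releases the set reference either with `-D` or with `-F` before destroying the set. The function name `probe_ipset_match`, the `IPT`/`IPSET` variables and the return codes are assumptions made for this sketch.

```shell
#!/bin/sh
# Added sketch, not Shorewall's code. IPT and IPSET are hypothetical variables
# naming the tools to run; probe_ipset_match and its return codes are made up here.
: "${IPT:=iptables}" "${IPSET:=ipset}"

# Probe for the ipset match with a scratch chain and set sharing one name.
#   $1 scratch name   $2 cleanup mode: "flush" (-F, the fix) or "delete" (-D)
# Returns 0 = match works and scratch objects are gone, 1 = no ipset match,
#         2 = could not create scratch objects, 3 = match works but set leaked.
probe_ipset_match() {
    name=$1 mode=${2:-flush} result=1
    $IPSET create "$name" hash:ip || return 2
    if ! $IPT -N "$name"; then
        $IPSET destroy "$name"
        return 2
    fi
    if $IPT -A "$name" -m set --match-set "$name" src -j ACCEPT; then
        result=0
        if [ "$mode" = delete ]; then
            # On affected builds this cannot find the rule it just added.
            $IPT -D "$name" -m set --match-set "$name" src -j ACCEPT ||
                echo "warning: -D failed, rule still references $name" >&2
        else
            # Flushing needs no rule comparison, so the reference is dropped.
            $IPT -F "$name"
        fi
    fi
    $IPT -X "$name" || echo "warning: chain $name not removed" >&2
    # destroy (ipset -X) is refused while any rule still references the set.
    $IPSET destroy "$name" || return 3
    return $result
}
```

Return code 3 is the case reported above: the match itself works, but the scratch set and chain are left behind after the probe.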