On 7/18/2014 3:50 PM, Thomas D. wrote:
> Hi,
>
> strange problem:
>
> All I did was upgrade a box from linux-3.10.49 to linux-3.14.13 kernel.
>
> But with 3.14.13, shorewall6 doesn't start:
>
>> # shorewall6 safe-restart
>> Compiling...
>> Processing /etc/shorewall6/params ...
>> Processing /etc/shorewall6/shorewall6.conf...
>> Loading Modules...
>> Compiling /etc/shorewall6/zones...
>> Compiling /etc/shorewall6/interfaces...
>> Determining Hosts in Zones...
>> Locating Action Files...
>> Compiling /etc/shorewall6/policy...
>> Compiling TCP Flags filtering...
>> Compiling MAC Filtration -- Phase 1...
>> Compiling /etc/shorewall6/blrules...
>> ERROR: ipset names in Shorewall configuration files require Ipset Match
>> in your kernel and iptables /etc/shorewall6/blrules (line 12)
>
> That's funny because shorewall (the ipv4 version) on the same system
> works! And the blrules file is 100% identical:
>
> BLACKLIST net:+blacklist $FW
>
>> # ipset list blacklist
>> Name: blacklist
>> Type: list:set
>> Revision: 2
>> Header: size 8
>> Size in memory: 112
>> References: 1
>> Members:
>> blacklist4
>> blacklist6
>
>
> If I reboot into 3.10.49 shorewall6 works again.
>
> shorewall6 show -f capabilities between 3.10.49 and 3.14.13 doesn't show
> a difference:
>
>> --- /root/capas-3.10.49.txt 2014-07-19 00:26:36.176612168 +0200
>> +++ /root/capas-3.14.13.txt 2014-07-19 00:34:30.775595947 +0200
>> @@ -1,5 +1,5 @@
>> #
>> -# Shorewall6 4.5.21.10 detected the following iptables/netfilter
>> capabilities - Sat Jul 19 00:26:36 CEST 2014
>> +# Shorewall6 4.5.21.10 detected the following iptables/netfilter
>> capabilities - Sat Jul 19 00:34:30 CEST 2014
>> #
>> ACCOUNT_TARGET=
>> ADDRTYPE=
>> @@ -41,7 +41,7 @@
>> IPTABLES_S=Yes
>> IRC0_HELPER=
>> IRC_HELPER=
>> -KERNELVERSION=31049
>> +KERNELVERSION=31413
>> KLUDGEFREE=Yes
>> LENGTH_MATCH=Yes
>> LOGMARK_TARGET=
>
>
>> # grep -i ipset ~/capas-3.14.13.txt
>> IPSET_MATCH=Yes
>> IPSET_V5=Yes
>> OLD_IPSET_MATCH=
>
>
> Versions:
>
> - Shorewall6 4.5.21.10
> - ipset v6.21.1
> - iptables v1.4.21
>
>
> 3.14.13 kernel cfg: http://bpaste.net/show/476344/
>
> As said, it is the same config as I am using with 3.10.49... only with
> "make oldconfig"...
>
> I really don't understand what's going on because I have other boxes
> where I did the same without any problems.
>
> Any hints/ideas?

Have you tried ipv6 ipset commands running 3.14.13? Shorewall executes
ipset commands to learn if ipset support is present or not. If
'shorewall6 show -f capabilities | fgrep IPSET' shows no 'Yes' values,
take a look at /usr/share/shorewall/lib.cli function
determine_capabilities(); you can see the sequence of commands that the
code uses to determine if ipset support is present or not.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
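
A stand-alone probe of the kind the reply describes, run against the IPv6 tools and reporting which step fails. This is an added example, not Shorewall's determine_capabilities() code; the probe* function names and the IPSET/IP6TABLES override variables are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Shorewall's code. Needs root on the kernel under test.
# All probe* names and the IPSET/IP6TABLES variables are made up here.
IPSET=${IPSET:-ipset}
IP6TABLES=${IP6TABLES:-ip6tables}
PROBE_NAME="probe6_$$"   # throwaway set and chain name

# Returns: 0 set match works from ip6tables
#          1 a tool is missing
#          2 inet6 set could not be created
#          3 scratch chain could not be created
#          4 set exists but ip6tables rejected "-m set"
probe_ipset6_match() {
    command -v "$IPSET" >/dev/null 2>&1 || return 1
    command -v "$IP6TABLES" >/dev/null 2>&1 || return 1

    # Step 1: the ipset side, with an IPv6 address family.
    "$IPSET" create "$PROBE_NAME" hash:ip family inet6 >/dev/null 2>&1 || return 2

    probe_rc=0
    if "$IP6TABLES" -N "$PROBE_NAME" >/dev/null 2>&1; then
        # Step 2: the netfilter side, the set match as ip6tables sees it.
        "$IP6TABLES" -A "$PROBE_NAME" -m set --match-set "$PROBE_NAME" src \
            -j ACCEPT >/dev/null 2>&1 || probe_rc=4
        # Remove the rule before the set, or the set stays referenced.
        "$IP6TABLES" -F "$PROBE_NAME" >/dev/null 2>&1 || :
        "$IP6TABLES" -X "$PROBE_NAME" >/dev/null 2>&1 || :
    else
        probe_rc=3
    fi
    "$IPSET" destroy "$PROBE_NAME" >/dev/null 2>&1 || :
    return "$probe_rc"
}

explain_probe() {
    case "$1" in
        0) echo "ok: ip6tables accepts -m set against an inet6 set" ;;
        1) echo "missing tool: $IPSET or $IP6TABLES not found" ;;
        2) echo "ipset side: cannot create a 'family inet6' set" ;;
        3) echo "ip6tables side: cannot create a scratch chain" ;;
        4) echo "match side: ip6tables rejected -m set --match-set" ;;
        *) echo "unexpected code: $1" ;;
    esac
}

# Run only when invoked as: sh probe.sh run
if [ "${1:-}" = "run" ]; then
    probe_ipset6_match && rc=0 || rc=$?
    explain_probe "$rc"
fi
```

Running it once under each kernel and comparing the return codes separates a failure to create the inet6 set from a failure of the set match in ip6tables.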