On 7/19/2014 6:47 AM, Thomas D. wrote:
> Hi Tom,
>
> thank you for your reply. What I still don't understand:
>
> shorewall6 reports
>
>> Compiling /etc/shorewall6/blrules...
>> ERROR: ipset names in Shorewall configuration files require Ipset Match
>> in your kernel and iptables /etc/shorewall6/blrules (line 12)
>
> when running kernel 3.14.13.
>
> But the output of "shorewall6 show -f capabilities" from kernel 3.10.49
> and 3.14.13 is identical (only the KERNELVERSION value is different).
>
> Now you are writing
>
>> Sorry -- I missed your point about 'show -f capabilities'. That means
>> that the compiler is not detecting ipset capabilities. The code that
>> does that is in the Config.pm Perl module in , also in the function
>> determine_capabilities().
>
> The compiler uses different logic than 'show -f capabilities' to
> detect ipset support?
>
> As said, 'show -f capabilities' shows IPSET support:
>
> # shorewall6 show -f capabilities | grep -i ipse
> IPSET_MATCH=Yes
> IPSET_V5=Yes
> OLD_IPSET_MATCH=
>
> So
>
>> shorewall6 show -f capabilities > /etc/shorewall6/capabilities
>
> will make shorewall6 compile again. But I don't understand why I
> would need the capabilities file on that box. No other box I am using
> requires this. And running with 3.10.49 works without the file.
>
> I tried to run
>
>> shorewall6 compile -d
>
> and set
>
>> b Shorewall::Config::IPSet_Match
>
> everything looks fine for me (i.e. the same 'show -f capabilities' seems
> to do). But in the end, it will stop with
>
>> Compiling /etc/shorewall6/blrules...
>> ERROR: ipset names in Shorewall configuration files require Ipset Match
>> in your kernel and iptables /etc/shorewall6/blrules (line 12)
>> at /usr/share/shorewall/Shorewall/Config.pm line 1322.
>> Shorewall::Config::fatal_error('ipset names in Shorewall
>> configuration files require Ipset Ma...') called at
>> /usr/share/shorewall/Shorewall/Config.pm line 4475
>> Shorewall::Config::require_capability('IPSET_MATCH', 'ipset names in
>> Shorewall configuration files', '') called at
>> /usr/share/shorewall/Shorewall/Chains.pm line 5405
>> Shorewall::Chains::get_set_flags('blacklist', 'src') called at
>> /usr/share/shorewall/Shorewall/Chains.pm line 5564
>> Shorewall::Chains::match_source_net('+blacklist', 4,
>> 'SCALAR(0x392fdc0)') called at /usr/share/shorewall/Shorewall/Chains.pm line
>> 7408
>> Shorewall::Chains::expand_rule('HASH(0x463f1f8)', 4, '', '',
>> '+blacklist', '::/0', '', 'DROP', '', ...) called at
>> /usr/share/shorewall/Shorewall/Rules.pm line 2770
>> Shorewall::Rules::process_rule(undef, '', 'DROP', '',
>> 'net:+blacklist', 'fw', '-', '-', '-', ...) called at
>> /usr/share/shorewall/Shorewall/Rules.pm line 3165
>> Shorewall::Rules::process_raw_rule() called at
>> /usr/share/shorewall/Shorewall/Rules.pm line 3320
>> Shorewall::Rules::process_rules(0) called at
>> /usr/share/shorewall/Shorewall/Compiler.pm line 831
>> Shorewall::Compiler::compiler('script',
>> '/var/lib/shorewall6/firewall', 'directory', '', 'verbosity', 1,
>> 'timestamp', 0, 'debug', ...) called at /usr/share/shorewall/compiler.pl
>> line 145
>
> Can you help me debug this? What's the best breakpoint?
>
>> Have you tried ipv6 ipset commands running 3.14.13.
>
> # ipset create testv6 hash:net family inet6
> # ipset add testv6 2a03:2880::/32
> # ipset list testv6
> Name: testv6
> Type: hash:net
> Revision: 4
> Header: family inet6 hashsize 1024 maxelem 65536
> Size in memory: 17608
> References: 0
> Members:
> 2a03:2880::/32
>
> So looks like ipv6 ipset support is working, not?
>
> PS: When I set the breakpoint in "Shorewall::Config::IPSet_Match" I see
> the ipset $sillyname created by the test script... also I see the test
> ip6tables rule using that set...
>
> I really don't understand why it is failing when 'show -f
> capabilities' shows that everything should work.
Please see if the attached patch corrects the problem.

-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index b257100..56e9a7f 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -4109,7 +4109,7 @@ sub Old_IPSet_Match() { sub IPSet_Match() { my $ipset = $config{IPSET} || 'ipset'; my $result = 0; - my $fam = $family == F_IPV4 ? 'inet' : 'inet6'; + my $have_ipset; $ipset = which $ipset unless $ipset =~ '/'; 
@@ -4118,18 +4118,36 @@ sub IPSet_Match() { if ( $ipset && -x $ipset ) { qt( "$ipset -X $sillyname" ); - if ( qt( "$ipset -N $sillyname iphash" ) || qt( "$ipset -N $sillyname hash:ip family $fam") ) { + if ( $family == F_IPV4 ) { + if ( qt("$ipset -N $sillyname hash:ip family inet") ) { + $capabilities{IPSET_V5} = 1; + $have_ipset = 1; + } elsif ( qt( "ipset -N $sillyname iphash" ) ) { + $have_ipset = 1; + } + + if ( $have_ipset ) { + if ( qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src -j ACCEPT" ) ) { + $capabilities{IPSET_MATCH_NOMATCH} = qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src --return-nomatch -j ACCEPT" ); + $capabilities{IPSET_MATCH_COUNTERS} = qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src --packets-lt 100 -j ACCEPT" ); + qt1( "$iptables $iptablesw -F $sillyname" ); + $result = ! ( $capabilities{OLD_IPSET_MATCH} = 0 ); + } elsif ( qt1( "iptables $iptablesw -A $sillyname -m set --set $sillyname src -j ACCEPT" ) ) { + qt1( "$iptables $iptablesw -F $sillyname" ); + $result = $capabilities{OLD_IPSET_MATCH} = 1; + } + + qt( "$ipset -X $sillyname" ); + } + } elsif ( qt( "$ipset -N $sillyname hash:ip family inet6" ) ) { + $capabilities{IPSET_V5} = 1; if ( qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src -j ACCEPT" ) ) { - $capabilities{IPSET_MATCH_NOMATCH} = qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src --return-nomatch -j ACCEPT" ); - $capabilities{IPSET_MATCH_COUNTERS} = qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src --packets-lt 100 -j ACCEPT" ); qt1( "$iptables $iptablesw -F $sillyname" ); - $result = ! ( $capabilities{OLD_IPSET_MATCH} = 0 ); - } else { - $result = have_capability 'OLD_IPSET_MATCH'; + $result = $capabilities{OLD_IPSET_MATCH} = 1; } - - qt( "$ipset -X $sillyname" ); } + + qt( "$ipset -X $sillyname" ); } $result;
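Review bot: in the new IPv4 branch of the second hunk, both legacy-syntax fallbacks invoke bare command names instead of the resolved variables: `qt( "ipset -N $sillyname iphash" )` should use `$ipset` (which the function resolves via `which`, or takes verbatim from `$config{IPSET}` when it contains a `/`), and `qt1( "iptables $iptablesw -A $sillyname -m set --set $sillyname src -j ACCEPT" )` should use `$iptables`; as written, the old-syntax probes can fail on a host whose ipset or iptables binary lives outside PATH, while the new-syntax probes beside them succeed. Two further points on the same hunk: the IPv6 branch records `$result = $capabilities{OLD_IPSET_MATCH} = 1;` after the `--match-set` (new-syntax) probe succeeds, whereas the IPv4 branch sets `OLD_IPSET_MATCH` to 0 for the identical probe, and the IPv6 branch no longer probes `IPSET_MATCH_NOMATCH` or `IPSET_MATCH_COUNTERS`; if both are intentional they deserve a comment, because a reader comparing the two branches will take the 1 for a typo. Lastly, in the IPv4 branch `qt( "$ipset -X $sillyname" )` runs inside `if ( $have_ipset )` and then again unconditionally after the whole `if`/`elsif`, so the test set is destroyed twice; dropping the inner call keeps the cleanup in one place.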
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users