Re: [Shorewall-users] "ERROR: ipset names in Shorewall configuration files require Ipset Match in your kernel and iptables" with 3.14.13 kernel

[Tom Eastep]

On 7/19/2014 6:47 AM, Thomas D. wrote:
> Hi Tom,
> 
> thank you for your reply. What I still don't understand:
> 
> shorewall6 reports
> 
>> Compiling /etc/shorewall6/blrules...
>>    ERROR: ipset names in Shorewall configuration files require Ipset Match 
>> in your kernel and iptables /etc/shorewall6/blrules (line 12)
> 
> when running kernel 3.14.13.
> 
> But the output of "shorewall6 show -f capabilities" from kernel 3.10.49
> and 3.14.13 is identical (only the KERNELVERSION value is different).
> 
> Now you are writing
> 
>> Sorry -- I missed your point about 'show -f capabilities'. That means
>> that the compiler is not detecting ipset capabilities. The code that
>> does that is in the Config.pm Perl module in , also in the function
>> determine_capabilities().
> 
> The compiler uses as different logic than 'show -f capabilities' to
> detect ipset support?
> 
> As said, 'show -f capabilities' shows IPSET support:
> 
> # shorewall6 show -f capabilities | grep -i ipse
> IPSET_MATCH=Yes
> IPSET_V5=Yes
> OLD_IPSET_MATCH=
> 
> So
> 
>> shorewall6 show -f capabilities > /etc/shorewall6/capabilities
> 
> will make shorewall6 to compile again. But I don't understand why I
> would need the capabilities files on that box. No other box I am using
> requires this. And running with 3.10.49 works without the file.
> 
> 
> I tried to run
> 
>> shorewall6 compile -d
> 
> and set
> 
>> b Shorewall::Config::IPSet_Match
> 
> everything looks fine for me (i.e. the same 'show -f capabilities' seems
> to do). But in the end, it will stop with
> 
>> Compiling /etc/shorewall6/blrules...
>>    ERROR: ipset names in Shorewall configuration files require Ipset Match 
>> in your kernel and iptables /etc/shorewall6/blrules (line 12)
>>  at /usr/share/shorewall/Shorewall/Config.pm line 1322.
>>         Shorewall::Config::fatal_error('ipset names in Shorewall 
>> configuration files require Ipset Ma...') called at 
>> /usr/share/shorewall/Shorewall/Config.pm line 4475
>>         Shorewall::Config::require_capability('IPSET_MATCH', 'ipset names in 
>> Shorewall configuration files', '') called at 
>> /usr/share/shorewall/Shorewall/Chains.pm line 5405
>>         Shorewall::Chains::get_set_flags('blacklist', 'src') called at 
>> /usr/share/shorewall/Shorewall/Chains.pm line 5564
>>         Shorewall::Chains::match_source_net('+blacklist', 4, 
>> 'SCALAR(0x392fdc0)') called at /usr/share/shorewall/Shorewall/Chains.pm line 
>> 7408
>>         Shorewall::Chains::expand_rule('HASH(0x463f1f8)', 4, '', '', 
>> '+blacklist', '::/0', '', 'DROP', '', ...) called at 
>> /usr/share/shorewall/Shorewall/Rules.pm line 2770
>>         Shorewall::Rules::process_rule(undef, '', 'DROP', '', 
>> 'net:+blacklist', 'fw', '-', '-', '-', ...) called at 
>> /usr/share/shorewall/Shorewall/Rules.pm line 3165
>>         Shorewall::Rules::process_raw_rule() called at 
>> /usr/share/shorewall/Shorewall/Rules.pm line 3320
>>         Shorewall::Rules::process_rules(0) called at 
>> /usr/share/shorewall/Shorewall/Compiler.pm line 831
>>         Shorewall::Compiler::compiler('script', 
>> '/var/lib/shorewall6/firewall', 'directory', '', 'verbosity', 1, 
>> 'timestamp', 0, 'debug', ...) called at /usr/share/shorewall/compiler.pl 
>> line 145
> 
> Can you help me debugging into this? What's the best breakpoint?
> 
> 
>> Have you tried ipv6 ipset commands running 3.14.13.
> 
> # ipset create testv6 hash:net family inet6
> # ipset add testv6 2a03:2880::/32
> # ipset list testv6
> Name: testv6
> Type: hash:net
> Revision: 4
> Header: family inet6 hashsize 1024 maxelem 65536
> Size in memory: 17608
> References: 0
> Members:
> 2a03:2880::/32
> 
> So looks like ipv6 ipset support is working, not?
> 
> PS: When I set the breakpoint in "Shorewall::Config::IPSet_Match" I see
> the ipset $sillyname created by the test script... also I see the test
> ip6tables rule using that set...
> 
> 
> I really don't understand why it is failing when 'show -f
> capatibilities' shows that everything should work.

Please see if the attached patch corrects the problem.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index b257100..56e9a7f 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -4109,7 +4109,7 @@ sub Old_IPSet_Match() {
 sub IPSet_Match() {
     my $ipset  = $config{IPSET} || 'ipset';
     my $result = 0;
-    my $fam    = $family == F_IPV4 ? 'inet' : 'inet6';
+    my $have_ipset;
 
     $ipset = which $ipset unless $ipset =~ '/';
 
@@ -4118,18 +4118,36 @@ sub IPSet_Match() {
     if ( $ipset && -x $ipset ) {
 	qt( "$ipset -X $sillyname" );
 
-	if ( qt( "$ipset -N $sillyname iphash" ) || qt( "$ipset -N $sillyname hash:ip family $fam") ) {
+	if ( $family == F_IPV4 ) {
+	    if ( qt("$ipset -N $sillyname hash:ip family inet") ) {
+		$capabilities{IPSET_V5} = 1;
+		$have_ipset = 1;
+	    } elsif ( qt( "ipset -N $sillyname iphash" ) ) {
+		$have_ipset = 1;
+	    }
+
+	    if ( $have_ipset ) {
+		if ( qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src -j ACCEPT" ) ) {
+		    $capabilities{IPSET_MATCH_NOMATCH}  = qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src --return-nomatch -j ACCEPT" );
+		    $capabilities{IPSET_MATCH_COUNTERS} = qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src --packets-lt 100 -j ACCEPT" );
+		    qt1( "$iptables $iptablesw -F $sillyname" );
+		    $result = ! ( $capabilities{OLD_IPSET_MATCH} = 0 );
+		} elsif ( qt1( "iptables $iptablesw -A $sillyname -m set --set $sillyname src -j ACCEPT" ) ) {
+		    qt1( "$iptables $iptablesw -F $sillyname" );
+		    $result = $capabilities{OLD_IPSET_MATCH} = 1;
+		}
+
+		qt( "$ipset -X $sillyname" );
+	    }
+	} elsif ( qt( "$ipset -N $sillyname hash:ip family inet6" ) ) {
+	    $capabilities{IPSET_V5} = 1;
 	    if ( qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src -j ACCEPT" ) ) {
-		$capabilities{IPSET_MATCH_NOMATCH}  = qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src --return-nomatch -j ACCEPT" );
-		$capabilities{IPSET_MATCH_COUNTERS} = qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src --packets-lt 100 -j ACCEPT" );
 		qt1( "$iptables $iptablesw -F $sillyname" );
-		$result = ! ( $capabilities{OLD_IPSET_MATCH} = 0 );
-	    } else {
-		$result = have_capability 'OLD_IPSET_MATCH';
+		$result = $capabilities{OLD_IPSET_MATCH} = 1;
 	    }
-
-	    qt( "$ipset -X $sillyname" );
 	}
+
+	qt( "$ipset -X $sillyname" );
     }
 
     $result;

signature.asc
Description: OpenPGP digital signature

------------------------------------------------------------------------------
Want fast and easy access to all the code in your enterprise? Index and
search up to 200,000 lines of code with a free copy of Black Duck
Code Sight - the same software that powers the world's largest code
search on Ohloh, the Black Duck Open Hub! Try it now.
http://p.sf.net/sfu/bds
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users