On 7/19/2014 8:15 AM, Thomas D. wrote:
> Hi Tom,
>
> you wrote:
>> Please see if the attached patch corrects the problem.
>
> Yup! This patch fixes the problem.
>
> I had to manually apply the patch. I think that's because you created
> the patch against v4.6 and I am using v4.5.21.10.
>
> But as said, it fixes the problem. Shorewall6 will start again.
>
> On start I am getting the following 4 deprecated messages BTW:
>
>> --set option deprecated, please use --match-set
>> --set option deprecated, please use --match-set
>> --set option deprecated, please use --match-set
>> --set option deprecated, please use --match-set
>
>
> And now it seems like that's not a specific box issue, right?
>
No, it is a bug in the patch. Corrected patch attached.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index b257100..6b9494f 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -4109,7 +4109,7 @@ sub Old_IPSet_Match() { sub IPSet_Match() { my $ipset = $config{IPSET} || 'ipset'; my $result = 0; - my $fam = $family == F_IPV4 ? 'inet' : 'inet6'; + my $have_ipset; $ipset = which $ipset unless $ipset =~ '/'; 
@@ -4118,18 +4118,36 @@ sub IPSet_Match() { if ( $ipset && -x $ipset ) { qt( "$ipset -X $sillyname" ); - if ( qt( "$ipset -N $sillyname iphash" ) || qt( "$ipset -N $sillyname hash:ip family $fam") ) { + if ( $family == F_IPV4 ) { + if ( qt("$ipset -N $sillyname hash:ip family inet") ) { + $capabilities{IPSET_V5} = 1; + $have_ipset = 1; + } elsif ( qt( "ipset -N $sillyname iphash" ) ) { + $have_ipset = 1; + } + + if ( $have_ipset ) { + if ( qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src -j ACCEPT" ) ) { + $capabilities{IPSET_MATCH_NOMATCH} = qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src --return-nomatch -j ACCEPT" ); + $capabilities{IPSET_MATCH_COUNTERS} = qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src --packets-lt 100 -j ACCEPT" ); + qt1( "$iptables $iptablesw -F $sillyname" ); + $result = ! ( $capabilities{OLD_IPSET_MATCH} = 0 ); + } elsif ( qt1( "iptables $iptablesw -A $sillyname -m set --set $sillyname src -j ACCEPT" ) ) { + qt1( "$iptables $iptablesw -F $sillyname" ); + $result = ! ( $capabilities{OLD_IPSET_MATCH} = 0 ); + } + + qt( "$ipset -X $sillyname" ); + } + } elsif ( qt( "$ipset -N $sillyname hash:ip family inet6" ) ) { + $capabilities{IPSET_V5} = 1; if ( qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src -j ACCEPT" ) ) { - $capabilities{IPSET_MATCH_NOMATCH} = qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src --return-nomatch -j ACCEPT" ); - $capabilities{IPSET_MATCH_COUNTERS} = qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src --packets-lt 100 -j ACCEPT" ); qt1( "$iptables $iptablesw -F $sillyname" ); $result = ! ( $capabilities{OLD_IPSET_MATCH} = 0 ); - } else { - $result = have_capability 'OLD_IPSET_MATCH'; } - - qt( "$ipset -X $sillyname" ); } + + qt( "$ipset -X $sillyname" ); } $result;
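Review bot: the two fallback probes in the new IPv4 branch run the bare `ipset` and `iptables` commands instead of the resolved `$ipset` and `$iptables` variables used everywhere else in this function: `} elsif ( qt( "ipset -N $sillyname iphash" ) ) {` and `} elsif ( qt1( "iptables $iptablesw -A $sillyname -m set --set $sillyname src -j ACCEPT" ) ) {`. Since `$ipset` comes from `$config{IPSET}` and is resolved with `which`, and the surrounding calls use `$iptables $iptablesw`, these should read `$ipset -N $sillyname iphash` and `$iptables $iptablesw -A $sillyname -m set --set ...`; as written, the legacy-syntax probe depends on whatever binary is first in PATH, so capability detection can disagree with the binaries the generated script actually runs. Second, that legacy `--set` branch ends with `$result = ! ( $capabilities{OLD_IPSET_MATCH} = 0 );`, identical to the `--match-set` branch, so OLD_IPSET_MATCH is cleared even when only the old `--set` syntax succeeded, whereas the removed `else` consulted `have_capability 'OLD_IPSET_MATCH'`; please confirm that 0 is intended there. Finally, the inet6 branch no longer probes IPSET_MATCH_NOMATCH and IPSET_MATCH_COUNTERS (those two lines are removed without replacement), which deserves a mention in the commit message if it is deliberate.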
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users