On 10/23/2016 09:56 PM, [email protected] wrote:
>> From: [email protected] [mailto:[email protected]]
>> Sent: Monday, 24 October 2016 06:38
>> To: 'Shorewall Users' <[email protected]>
>> Subject: [Shorewall-users] R: tcfilter problems with ipset
>>
>>> From: Tom Eastep [mailto:[email protected]]
>>>
>>> On 10/23/2016 12:09 AM, [email protected] wrote:
>>>> Hi all
>>>>
>>>> Issue #2, Another problem I encounter is that I have to
>>>> manually pre-create the wuhosts set, otherwise I get another
>>>> error:
>>>>
>>>> Setting up Traffic Control... ipset: unknown set name
>>>> 'wuhosts' ... ipset(wuhosts >>dst)<< ... ...
>>>> ipset(>>wuhosts<< dst)... Usage: ipset(SETNAME FLAGS) where:
>>>> SETNAME:= string FLAGS := { FLAG[,FLAGS] } FLAG := { src |
>>>> dst }
>>>>
>>>> Example: 'ipset(bulk src,dst)' Illegal "ematch" ERROR:
>>>> Command "tc filter add dev ifb0 protocol ip parent 2:0 prio 1
>>>> basic match ipset(wuhosts dst) flowid 2:140" Failed
>>>>
>>>>
>>>> I am sure there is support in shorewall to automatically
>>>> create ipsets when needed, because for example I use dynamic
>>>> zones which are implemented with ipsets (and in fact it calls
>>>> add_ipset($ipset); ).
>>>> Inspired by that I tried to simply do something like this:
>>>>
>>>> --- Tc.pm.orig 2016-10-23 07:41:55.000000000 +0200 +++
>>>> Tc.pm 2016-10-23 08:55:24.529013933 +0200 @@ -1517,8 +1517,9
>>>> @@ if ( $source ne '-' ) { $rule .= ' and' if $have_rule;
>>>>
>>>> - if ( $source =~ /^\+/ ) { + if ( $source =~
>>>> /^\+(\S+)/ ) { $rule .= join( '', "\\\n ", handle_ematch(
>>>> $source, 'src' ) ); + add_ipset($1); } else { my
>>>> @parts = decompose_net_u32( $source );
>>>>
>>>> but it gave me this weird error. Apparently I have to know
>>>> something more about ipset handling in Shorewall. Could this
>>>> be addressed?
>>>
>>> Please see if the attached patch addresses your issue.
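
Review bot: The quoted Tc.pm hunk at @@ -1517 adds add_ipset($1) only in the $source branch, the one that passes 'src' to handle_ematch, while the failing command in the report is a destination match (ipset(wuhosts dst)), so a set referenced only as a destination is not covered by this change and the destination branch needs the same call. The new capture /^\+(\S+)/ also treats everything after the '+' as the set name; if anything other than the bare name can follow the '+' in this column, strip it before passing $1 to add_ipset. A later message in this thread reports that require_capability( 'IPSET_MATCH', 'Dynamic nets', ''); was additionally needed ahead of add_ipset when the set is used only in tcfilters.
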
>>
>> Yes it did. Thank you again.
>>
>
> Ehm, I apologize, but I did not do the test the right way. I had
> the ipset defined elsewhere, and this made it get created right. If
> the ipset is used only in tcfilter, the patch seems not to be enough.
> I still get the attached error. But if I simply add the following
> line over the line you added with your patch, the issue is solved.
> The line to add over add_ipset is: require_capability(
> 'IPSET_MATCH', 'Dynamic nets', '');
>
> Sorry for the mess. Luigi
>

I just created the simple configuration in the attached tarball. Then,
without any additional patch:

root@debianvm:/home/teastep/shorewall/regressionLibrary/5.0.13# shorewall reload TC
Compiling using Shorewall 5.0.13.3...
Processing /home/teastep/shorewall/regressionLibrary/5.0.13/TC/shorewall.conf...
Loading Modules...
Compiling /home/teastep/shorewall/regressionLibrary/5.0.13/TC/zones...
...
Shorewall configuration compiled to /var/lib/shorewall/.reload
Reloading Shorewall....
Initializing...
WARNING: ipset tcset does not exist; creating it as an hash:net set
Processing /home/teastep/shorewall/regressionLibrary/5.0.13/TC/tcclear ...
Setting up Route Filtering...
...
IPv4 Forwarding Enabled
done.
root@debianvm:/home/teastep/shorewall/regressionLibrary/5.0.13#

I also tested with the 'start' command.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

TC.tar.bz2
Description: application/bzip
