> -----Original message-----
> From: Tom Eastep [mailto:[email protected]]
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> On 10/23/2016 09:56 PM, [email protected] wrote:
> >> From: [email protected] [mailto:[email protected]]
> >> Sent: Monday, 24 October 2016 06:38
> >> To: 'Shorewall Users' <[email protected]>
> >> Subject: [Shorewall-users] Re: tcfilter problems with ipset
> >>
> >>> From: Tom Eastep [mailto:[email protected]]
> >>>
> >>> -----BEGIN PGP SIGNED MESSAGE-----
> >>> Hash: SHA256
> >>>
> >>> On 10/23/2016 12:09 AM, [email protected] wrote:
> >>>> Hi all
> >>>>
> >>>> Issue #2, Another problem I encounter is that I have to manually
> >>>> pre-create the wuhosts set, otherwise I get another error:
> >>>>
> >>>> Setting up Traffic Control...
> >>>> ipset: unknown set name 'wuhosts'
> >>>> ... ipset(wuhosts >>dst)<< ...
> >>>> ... ipset(>>wuhosts<< dst)...
> >>>> Usage: ipset(SETNAME FLAGS)
> >>>> where: SETNAME:= string
> >>>>        FLAGS := { FLAG[,FLAGS] }
> >>>>        FLAG := { src | dst }
> >>>>
> >>>> Example: 'ipset(bulk src,dst)'
> >>>> Illegal "ematch"
> >>>> ERROR: Command "tc filter add dev ifb0 protocol ip parent 2:0 prio 1 basic match ipset(wuhosts dst) flowid 2:140" Failed
> >>>>
> >>>> I am sure there is support in shorewall to automatically create
> >>>> ipsets when needed, because for example I use dynamic zones which
> >>>> are implemented with ipsets (and in fact it calls add_ipset($ipset); ).
> >>>> Inspired by that I tried to simply do something like this:
> >>>>
> >>>> --- Tc.pm.orig 2016-10-23 07:41:55.000000000 +0200 +++ Tc.pm > >>>> 2016-10-23 08:55:24.529013933 +0200 
@@ -1517,8 +1517,9 @@ if ( > >>>> $source ne '-' ) { $rule .= ' and' if $have_rule; > >>>> > >>>> - if ( $source =~ /^\+/ ) { + if ( $source =~ > >>>> /^\+(\S+)/ ) { $rule .= join( '', "\\\n ", handle_ematch( > >>>> $source, 'src' ) ); + add_ipset($1); } else { my > >>>> @parts = decompose_net_u32( $source );
> >>>>
> >>>> but it gave me this weird error. Apparently I have to know
> >>>> something more about ipset handling in Shorewall. Could this be
> >>>> addressed?
> >>>
> >>> Please see if the attached patch addresses your issue.
> >>
> >> Yes it did. Thank you again.
> >>
> >
> > Ehm, I apologize, but I did not do the test the right way. I had the
> > ipset defined elsewhere, and this made it get created right. If the
> > ipset is used only in tcfilter, the patch seems not to be enough.
> > I still get the attached error. But if I simply add the following line
> > over the line you added with your patch, the issue is solved.
> > The line to add over add_ipset is:
> > require_capability( 'IPSET_MATCH', 'Dynamic nets', '');
> >
> > Sorry for the mess. Luigi
> >
>
> I just created the simple configuration in the attached tarball.
>
> Then, without any additional patch:
>
> root@debianvm:/home/teastep/shorewall/regressionLibrary/5.0.13# shorewall reload TC
> Compiling using Shorewall 5.0.13.3...
> Processing /home/teastep/shorewall/regressionLibrary/5.0.13/TC/shorewall.conf...
> Loading Modules...
> Compiling /home/teastep/shorewall/regressionLibrary/5.0.13/TC/zones...
> ...
> Shorewall configuration compiled to /var/lib/shorewall/.reload
> Reloading Shorewall....
> Initializing...
> WARNING: ipset tcset does not exist; creating it as an hash:net set
> Processing /home/teastep/shorewall/regressionLibrary/5.0.13/TC/tcclear ...
> Setting up Route Filtering...
> ...
> IPv4 Forwarding Enabled
> done.
> root@debianvm:/home/teastep/shorewall/regressionLibrary/5.0.13#
>
> I also tested with the 'start' command.
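
Review bot: `add_ipset($1)` is added only in the `$source` branch (the `handle_ematch( $source, 'src' )` path), while the failing command in the report matches `ipset(wuhosts dst)`, so a set referenced only as a destination would still be missing; the destination branch needs the same call. It would also be clearer to copy the capture into a named variable right after the match instead of reading `$1` after the call to `handle_ematch`, and to check that `\S+` cannot pick up anything beyond the set name, since everything after the `+` is passed to `add_ipset`. The follow-up in this thread reports that `require_capability( 'IPSET_MATCH', 'Dynamic nets', '');` had to precede `add_ipset` in the attached patch, which is worth checking for this call as well.
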
Tried now with 5.0.13.4. No more errors. Honestly, I missed 5.0.13.3. It's possible it was fixed there. Thank you again. Luigi

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
