Interesting. Now, having installed xtables-addons-common and
xtables-addons-dkms (and failed with the red herring of ...-source); and
having installed the ipset utility:

# shorewall show capabilities |grep ipset
ipset V5 (IPSET_V5): Available
# shorewall check
Checking using Shorewall 5.0.12...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Checking /etc/shorewall/zones...
Checking /etc/shorewall/interfaces...
Checking /etc/shorewall/hosts...
Determining Hosts in Zones...
Locating Action Files...
Checking /etc/shorewall/policy...
Adding rules for DHCP
Checking TCP Flags filtering...
Checking Kernel Route Filtering...
Checking Martian Logging...
Checking /etc/shorewall/providers...
Checking /etc/shorewall/route_rules...
Checking /etc/shorewall/routes...
Checking /etc/shorewall/mangle...
ERROR: ipset names in Shorewall configuration files require Ipset Match
in your kernel and iptables /etc/shorewall/mangle (line 58)
??
On Wed, Mar 29, 2017 at 11:45 AM, Matt Darfeuille <[email protected]> wrote:
> On 3/29/2017 12:07 PM, Norman Henderson wrote:
> > Thanks Matt. I had looked at both articles; the netfilter.org one would
> > seem to require me to build a kernel - and doesn't give a lot of detail.
> > The shorewall one doesn't say "how" to set up xtables-addons.
> >
> > There is no package xtables-addons in Ubuntu Xenial however I did install
> > the packages:
> > xtables-addons-common xtables-addons-dkms xtables-addons-source
> >
>
> from:
> https://launchpad.net/ubuntu/xenial/+package/xtables-addons-dkms
>
> "The dkms package will automatically compile the driver for your current
> kernel version."
>
> Before installing the 'ipset' utility
>
> $ shorewall show capabilities | grep ipset
> ipset V5 (IPSET_V5): Not available
>
> and after installing the 'ipset' utility
>
> $ shorewall show capabilities | grep ipset
> ipset V5 (IPSET_V5): Available
>
> At least on Debian, Shorewall now has the ipset capability!
>
> > On Wed, Mar 29, 2017 at 10:41 AM, Matt Darfeuille <[email protected]> wrote:
> >
> >> On 3/29/2017 8:30 AM, Norman Henderson wrote:
> >>> Hi, I am running 5.0.12 on Ubuntu 16.04.2 LTS with kernel 4.4.0-66 and
> >>> would like to use an ipset to control routing to a list of netblocks
> >>> (actually an entire country). I came up with the idea to set a Mark (based
> >>> on the ipset) in shorewall/mangle, and then route based on the Mark in
> >>> route_rules. What I get is:
> >>> ERROR: ipset names in Shorewall configuration files require Ipset Match in
> >>> your kernel and iptables.
> >>>
> >>> What isn't obvious after some searching, is how to enable IPset Match
> >>> support. In the kernel config file, there is a line:
> >>> CONFIG_NET_EMATCH_IPSET=m
> >>> So, I should be able to just load that should I not?
> >>> I attempted: modprobe em_ipset
> >>> which succeeded, but I still get the shorewall error.
> >>>
> >>> Help please and thank you!
> >>>
> >>
> >> Take a look at:
> >> http://shorewall.org/ipsets.html
> >>
> >> http://ipset.netfilter.org/
> >>
> >> -Matt
> >> --
> >> Matt Darfeuille
> >>
> >> ------------------------------------------------------------
> >> ------------------
> >> Check out the vibrant tech community on one of the world's most
> >> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> >> _______________________________________________
> >> Shorewall-users mailing list
> >> [email protected]
> >> https://lists.sourceforge.net/lists/listinfo/shorewall-users
> >>
>
> -Matt
> --
> Matt Darfeuille