On 3/29/2017 1:04 PM, Norman Henderson wrote:
> Interesting. Now, having installed xtables-addon-common and
> xtables-addon-dkms (and failed with the red herring of ...-source); and
> having installed the ipset utility:
> # shorewall show capabilities |grep ipset
> ipset V5 (IPSET_V5): Available

See bottom of this e-mail.

> # shorewall check
> Checking using Shorewall 5.0.12...
> Processing /etc/shorewall/params ...
> Processing /etc/shorewall/shorewall.conf...
> Loading Modules...
> Checking /etc/shorewall/zones...
> Checking /etc/shorewall/interfaces...
> Checking /etc/shorewall/hosts...
> Determining Hosts in Zones...
> Locating Action Files...
> Checking /etc/shorewall/policy...
> Adding rules for DHCP
> Checking TCP Flags filtering...
> Checking Kernel Route Filtering...
> Checking Martian Logging...
> Checking /etc/shorewall/providers...
> Checking /etc/shorewall/route_rules...
> Checking /etc/shorewall/routes...
> Checking /etc/shorewall/mangle...
> ERROR: ipset names in Shorewall configuration files require Ipset Match
> in your kernel and iptables /etc/shorewall/mangle (line 58)
>
> ??
>
> On Wed, Mar 29, 2017 at 11:45 AM, Matt Darfeuille <[email protected]> wrote:
>
>> On 3/29/2017 12:07 PM, Norman Henderson wrote:
>>> Thanks Matt. I had looked at both articles; the netfilter.org one would
>>> seem to require me to build a kernel - and doesn't give a lot of detail.
>>> The shorewall one doesn't say "how" to set up xtables-addons.
>>>
>>> There is no package xtables-addons in Ubuntu Xenial however I did install
>>> the packages:
>>> xtables-addons-common xtables-addons-dkms xtables-addons-source
>>>
>>
>> from:
>> https://launchpad.net/ubuntu/xenial/+package/xtables-addons-dkms
>>
>> "The dkms package will automatically compile the driver for your current
>> kernel version."
>>
>> Before installing the 'ipset' utility
>>
>> $ shorewall show capabilities | grep ipset
>> ipset V5 (IPSET_V5): Not available
>>
>> and after installing the 'ipset' utility
>>
>> $ shorewall show capabilities | grep ipset
>> ipset V5 (IPSET_V5): Available
>>
>> At least on Debian, Shorewall has now the ipset capability!
>>
>>> On Wed, Mar 29, 2017 at 10:41 AM, Matt Darfeuille <[email protected]> wrote:
>>>
>>>> On 3/29/2017 8:30 AM, Norman Henderson wrote:
>>>>> Hi, I am running 5.0.12 on Ubuntu 16.04.2 LTS with kernel 4.4.0-66 and
>>>>> would like to use an ipset to control routing to a list of netblocks
>>>>> (actually an entire country). I came up with the idea to set a Mark
>>>>> (based on the ipset) in shorewall/mangle, and then route based on the
>>>>> Mark in route_rules. What I get is:
>>>>> ERROR: ipset names in Shorewall configuration files require Ipset Match
>>>>> in your kernel and iptables.
>>>>>
>>>>> What isn't obvious after some searching, is how to enable IPset Match
>>>>> support. In the kernel config file, there is a line:
>>>>> CONFIG_NET_EMATCH_IPSET=m
>>>>> So, I should be able to just load that should I not?
>>>>> I attempted: modprobe em_ipset
>>>>> which succeeded, but I still get the shorewall error.
>>>>>
>>>>> Help please and thank you!
>>>>>
>>>>
>>>> Take a look at:
>>>> http://shorewall.org/ipsets.html
>>>>
>>>> http://ipset.netfilter.org/
>>>>
>

The xtables-addon-common isn't required with the dkms package (everything
will be done automatically (including required packages)).

It doesn't look like it's Shorewall related.

try/rules
ACCEPT net:+try $FW tcp 22

$ shorewall -v0 check try
Checking using Shorewall 5.1.4-Beta1...
   WARNING: Ipset try does not exist /root/try/rules (line 18)
Shorewall configuration verified

-Matt
--
Matt Darfeuille
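
An added example, not part of the original thread and not Shorewall's own code: the kernel option quoted in the first message, CONFIG_NET_EMATCH_IPSET (module em_ipset), is the tc ematch, while the `set` match that iptables uses is CONFIG_NETFILTER_XT_SET (module xt_set) on top of CONFIG_IP_SET (module ip_set). The function name, the status words and the two sample configs below are constructed for illustration; the /boot/config-<release> path is an assumption about where the distribution ships its kernel config.

```shell
#!/bin/sh
# Classify the ipset-related options in a kernel config read from stdin.
# Prints exactly one word:
#   iptables-match  CONFIG_IP_SET and CONFIG_NETFILTER_XT_SET are y or m
#   tc-ematch-only  only the tc ematch (CONFIG_NET_EMATCH_IPSET) is enabled
#   none            no ipset match support of either kind
ipset_kernel_support() {
    awk -F= '
        # "# CONFIG_X is not set" lines contain no "=", so they never match.
        $1 == "CONFIG_IP_SET"           && $2 ~ /^[ym]$/ { core = 1 }
        $1 == "CONFIG_NETFILTER_XT_SET" && $2 ~ /^[ym]$/ { xt = 1 }
        $1 == "CONFIG_NET_EMATCH_IPSET" && $2 ~ /^[ym]$/ { em = 1 }
        END {
            if (core && xt) print "iptables-match"
            else if (em)    print "tc-ematch-only"
            else            print "none"
        }'
}

# Constructed sample: ipset core and tc ematch built, iptables match missing.
SAMPLE_EMATCH_ONLY='CONFIG_IP_SET=m
# CONFIG_NETFILTER_XT_SET is not set
CONFIG_NET_EMATCH_IPSET=m'

# Constructed sample: everything built as modules.
SAMPLE_FULL='CONFIG_IP_SET=m
CONFIG_NETFILTER_XT_SET=m
CONFIG_NET_EMATCH_IPSET=m'

printf 'sample (ematch only): %s\n' \
    "$(printf '%s\n' "$SAMPLE_EMATCH_ONLY" | ipset_kernel_support)"
printf 'sample (full):        %s\n' \
    "$(printf '%s\n' "$SAMPLE_FULL" | ipset_kernel_support)"

# Running kernel, if its config is readable at the assumed location.
cfg="/boot/config-$(uname -r)"
if [ -r "$cfg" ]; then
    printf 'running kernel:       %s\n' "$(ipset_kernel_support < "$cfg")"
fi
```

A result of `iptables-match` only says the kernel side is present; the iptables userspace `set` extension and the `ipset` utility still have to be installed for Shorewall's capability detection to succeed.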
