Thank you Ian. Matt, I've done some more tests and this really looks like a
shorewall bug.
The ipset utility as well as all of the iptables extensions are installed:
# lsmod |grep x_tables
x_tables 36864 62
xt_physdev,xt_pkttype,ip6table_filter,xt_statistic,xt_DSCP,xt_dccp,xt_dscp,xt_iprange,xt_mark,xt_sctp,xt_time,xt_CT,xt_helper,ip6table_mangle,xt_length,xt_comment,xt_policy,xt_CHECKSUM,xt_recent,ip_tables,xt_socket,xt_tcpmss,xt_tcpudp,ipt_MASQUERADE,xt_LOGMARK,ipt_ah,xt_condition,xt_AUDIT,xt_NFQUEUE,xt_NFLOG,xt_TRACE,xt_iface,xt_ipp2p,xt_limit,xt_owner,xt_realm,xt_state,xt_ACCOUNT,ipt_rpfilter,xt_connlimit,xt_conntrack,xt_IPMARK,xt_LOG,xt_mac,xt_nat,xt_set,ipt_CLUSTERIP,xt_hashlimit,xt_multiport,iptable_filter,ip6table_raw,xt_CLASSIFY,xt_TARPIT,xt_TCPMSS,xt_TPROXY,xt_connmark,ipt_REJECT,iptable_mangle,ipt_ECN,ip6_tables,xt_addrtype,iptable_raw
(note xt_set is present)
# ipset -v
ipset v6.29, protocol version: 6
I can do:
# ipset create test hash:net
followed by a series of #ipset add test ... commands
and then:
# iptables -v -t mangle -A PREROUTING -p tcp -s 10.1.0.0/23 -m multiport
--dports http,https -m set --match-set test dst -j MARK --set-mark 0xc7
...which responds:
MARK tcp opt -- in * out * 10.1.0.0/23 -> 0.0.0.0/0 multiport dports
80,443 match-set test dst MARK set 0xc7
A trace shows that the packets are indeed being marked. My
shorewall/route_rule entry based on mark 199 (0xc7) works as intended.
However, when I add to shorewall/mangle, the line:
MARK(199):P 10.1.0.0/23 +test
Then shorewall check (restart) responds:
...
Checking (Compiling) /etc/shorewall/mangle...
ERROR: ipset names in Shorewall configuration files require Ipset Match
in your kernel and iptables /etc/shorewall/mangle (line 58)
The above behavior is unchanged in the current stable release 5.1.3.2.
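The manual test above (create a set, then add a mangle MARK rule with -m set --match-set) can be scripted as an independent check of the kernel/iptables ipset-match capability, separate from Shorewall's own detection. This is an added example, not code from the thread or from Shorewall; the set and chain names are made up, and the probe cleans up after itself.

```shell
#!/bin/sh
# Added example: probe whether "-m set --match-set" is usable in the mangle
# table, the way the thread does by hand. Set/chain names are hypothetical.
SET_NAME="shwl_probe_set"      # temporary ipset, removed afterwards
CHAIN_NAME="shwl_probe_chain"  # temporary mangle chain, removed afterwards

# Returns 0 if the match works, 1 if iptables rejects the rule, and 2 if
# the probe cannot run here (no ipset/iptables binaries, or not root).
check_ipset_match() {
    command -v ipset >/dev/null 2>&1 || return 2
    command -v iptables >/dev/null 2>&1 || return 2
    [ "$(id -u)" -eq 0 ] || return 2

    # Same set type the thread uses; -exist makes a rerun harmless.
    ipset create "$SET_NAME" hash:net -exist || return 1
    iptables -t mangle -N "$CHAIN_NAME" 2>/dev/null || true
    iptables -t mangle -F "$CHAIN_NAME" || return 1

    # The rule from the thread, in a private chain so nothing is affected:
    # mark TCP traffic whose destination is a member of the set.
    rc=1
    if iptables -t mangle -A "$CHAIN_NAME" -p tcp \
        -m set --match-set "$SET_NAME" dst -j MARK --set-mark 0xc7; then
        rc=0
    fi

    # Leave no trace: flush and delete the chain before destroying the set.
    iptables -t mangle -F "$CHAIN_NAME" || true
    iptables -t mangle -X "$CHAIN_NAME" || true
    ipset destroy "$SET_NAME" || true
    return "$rc"
}

report_ipset_match() {
    rc=0
    check_ipset_match || rc=$?
    case "$rc" in
        0) echo "ipset match: available (xt_set usable from the mangle table)" ;;
        1) echo "ipset match: NOT available (rule rejected by iptables)" ;;
        *) echo "ipset match: probe skipped (needs root, ipset and iptables)" ;;
    esac
    return "$rc"
}

report_ipset_match
```

If this prints "available" while shorewall check still reports the Ipset Match error, the kernel and iptables side is fine and the problem lies in Shorewall's capability detection, which is what the thread concludes.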
On Thu, Mar 30, 2017 at 2:44 AM, Ian Koenig <[email protected]> wrote:
> Can you run the command "ipset" or not? If you can then shorewall can
> use it.
>
> If not on ubuntu 16.04 to install ipset just run "apt-get install ipset"
>
> You don't have to recompile it to bring it into use.
>
> On Wed, 29 Mar 2017 at 06:40 Matt Darfeuille <[email protected]> wrote:
>
>> On 3/29/2017 1:04 PM, Norman Henderson wrote:
>> > Interesting. Now, having installed xtables-addon-common and
>> > xtables-addon-dkms (and failed with the red herring of ...-source); and
>> > having installed the ipset utility:
>> > # shorewall show capabilities |grep ipset
>> > ipset V5 (IPSET_V5): Available
>>
>> See bottom of this e-mail.
>>
>> > # shorewall check
>> > Checking using Shorewall 5.0.12...
>> > Processing /etc/shorewall/params ...
>> > Processing /etc/shorewall/shorewall.conf...
>> > Loading Modules...
>> > Checking /etc/shorewall/zones...
>> > Checking /etc/shorewall/interfaces...
>> > Checking /etc/shorewall/hosts...
>> > Determining Hosts in Zones...
>> > Locating Action Files...
>> > Checking /etc/shorewall/policy...
>> > Adding rules for DHCP
>> > Checking TCP Flags filtering...
>> > Checking Kernel Route Filtering...
>> > Checking Martian Logging...
>> > Checking /etc/shorewall/providers...
>> > Checking /etc/shorewall/route_rules...
>> > Checking /etc/shorewall/routes...
>> > Checking /etc/shorewall/mangle...
>> > ERROR: ipset names in Shorewall configuration files require Ipset
>> Match
>> > in your kernel and iptables /etc/shorewall/mangle (line 58)
>> >
>> > ??
>> >
>> > On Wed, Mar 29, 2017 at 11:45 AM, Matt Darfeuille <[email protected]>
>> wrote:
>> >
>> >> On 3/29/2017 12:07 PM, Norman Henderson wrote:
>> >>> Thanks Matt. I had looked at both articles; the netfilter.org one
>> would
>> >>> seem to require me to build a kernel - and doesn't give a lot of
>> detail.
>> >>> The shorewall one doesn't say "how" to set up xtables-addons.
>> >>>
>> >>> There is no package xtables-addons in Ubuntu Xenial however I did
>> install
>> >>> the packages:
>> >>> xtables-addons-common xtables-addons-dkms xtables-addons-source
>> >>>
>> >>
>> >> from:
>> >> https://launchpad.net/ubuntu/xenial/+package/xtables-addons-dkms
>> >>
>> >> "The dkms package will automatically compile the driver for your
>> current
>> >> kernel version."
>> >>
>> >> Before installing the 'ipset' utility
>> >>
>> >> $ shorewall show capabilities | grep ipset
>> >> ipset V5 (IPSET_V5): Not available
>> >>
>> >> and after installing the 'ipset' utility
>> >>
>> >> $ shorewall show capabilities | grep ipset
>> >> ipset V5 (IPSET_V5): Available
>> >>
>> >> At least on Debian, Shorewall now has the ipset capability!
>> >>
>> >>> On Wed, Mar 29, 2017 at 10:41 AM, Matt Darfeuille <[email protected]>
>> >> wrote:
>> >>>
>> >>>> On 3/29/2017 8:30 AM, Norman Henderson wrote:
>> >>>>> Hi, I am running 5.0.12 on Ubuntu 16.04.2 LTS with kernel 4.4.0-66
>> and
>> >>>>> would like to use an ipset to control routing to a list of netblocks
>> >>>>> (actually an entire country). I came up with the idea to set a Mark
>> >>>> (based
>> >>>>> on the ipset) in shorewall/mangle, and then route based on the Mark
>> in
>> >>>>> route_rules. What I get is:
>> >>>>> ERROR: ipset names in Shorewall configuration files require Ipset
>> Match
>> >>>> in
>> >>>>> your kernel and iptables.
>> >>>>>
>> >>>>> What isn't obvious after some searching, is how to enable IPset
>> Match
>> >>>>> support. In the kernel config file, there is a line:
>> >>>>> CONFIG_NET_EMATCH_IPSET=m
>> >>>>> So, I should be able to just load that should I not?
>> >>>>> I attempted: modprobe em_ipset
>> >>>>> which succeeded, but I still get the shorewall error.
>> >>>>>
>> >>>>> Help please and thank you!
>> >>>>>
>> >>>>
>> >>>> Take a look at:
>> >>>> http://shorewall.org/ipsets.html
>> >>>>
>> >>>> http://ipset.netfilter.org/
>> >>>>
>> >
>>
>> The xtables-addon-common isn't required with the dkms package (everything
>> will be done automatically (including required packages)).
>>
>> It doesn't look like it's Shorewall related.
>>
>> try/rules
>> ACCEPT net:+try $FW tcp 22
>>
>> $ shorewall -v0 check try
>> Checking using Shorewall 5.1.4-Beta1...
>> WARNING: Ipset try does not exist /root/try/rules (line 18)
>> Shorewall configuration verified
>>
>> -Matt
>> --
>> Matt Darfeuille
>>
>> ------------------------------------------------------------
>> ------------------
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>> _______________________________________________
>> Shorewall-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>>