On 3/30/2017 8:34 AM, Norman Henderson wrote:
> Thank you Ian. Matt, I've done some more tests and this really looks like a
> shorewall bug.
>
> The ipset utility as well as all of the iptables extensions are installed:
> # lsmod |grep x_tables
> x_tables 36864 62 xt_physdev,xt_pkttype,ip6table_filter,xt_statistic,xt_DSCP,xt_dccp,xt_dscp,xt_iprange,xt_mark,xt_sctp,xt_time,xt_CT,xt_helper,ip6table_mangle,xt_length,xt_comment,xt_policy,xt_CHECKSUM,xt_recent,ip_tables,xt_socket,xt_tcpmss,xt_tcpudp,ipt_MASQUERADE,xt_LOGMARK,ipt_ah,xt_condition,xt_AUDIT,xt_NFQUEUE,xt_NFLOG,xt_TRACE,xt_iface,xt_ipp2p,xt_limit,xt_owner,xt_realm,xt_state,xt_ACCOUNT,ipt_rpfilter,xt_connlimit,xt_conntrack,xt_IPMARK,xt_LOG,xt_mac,xt_nat,xt_set,ipt_CLUSTERIP,xt_hashlimit,xt_multiport,iptable_filter,ip6table_raw,xt_CLASSIFY,xt_TARPIT,xt_TCPMSS,xt_TPROXY,xt_connmark,ipt_REJECT,iptable_mangle,ipt_ECN,ip6_tables,xt_addrtype,iptable_raw
>
> (note xt_set is present)
>
> # ipset -v
> ipset v6.29, protocol version: 6
>
> I can do:
> #ipset create test hash:net
> followed by a series of #ipset add test ... commands
>
> and then:
> # iptables -v -t mangle -A PREROUTING -p tcp -s 10.1.0.0/23 -m multiport --dports http,https -m set --match-set test dst -j MARK --set-mark 0xc7
>
> ...which responds:
> MARK tcp opt -- in * out * 10.1.0.0/23 -> 0.0.0.0/0 multiport dports 80,443 match-set test dst MARK set 0xc7
>
> A trace shows that the packets are indeed being marked. My
> shorewall/route_rule entry based on mark 199 (0xc7) works as intended.
>
> However, when I add to shorewall/mangle, the line:
> MARK(199):P 10.1.0.0/23 +test
>
> Then shorewall check (restart) responds:
> ...
> Checking (Compiling) /etc/shorewall/mangle...
> ERROR: ipset names in Shorewall configuration files require Ipset Match in your kernel and iptables /etc/shorewall/mangle (line 58)
>
> The above behavior is unchanged in the current stable release 5.1.3.2.
I don't get that error with your config:

$ ipset list
Name: test
Type: hash:net
Revision: 5
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16792
References: 1
Members:
10.45.1.0/24

$ grep test try/mangle
MARK(199):P 10.1.0.0/23 +test

$ shorewall restart try
Compiling using Shorewall 5.1.3.2...
Compiling try/mangle...
Shorewall configuration compiled to /var/lib/shorewall/.restart
Stopping Shorewall.... done.
Starting Shorewall.... done.

-Matt

-- 
Matt Darfeuille
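The error in the thread is raised by the Shorewall compiler's capability detection, not by iptables itself, so the useful next step on the reporting host is to look at what the compiler detected rather than at lsmod. The script below is an added example and is not code from the thread or from the Shorewall project; it assumes (unconfirmed by the thread) that `shorewall show capabilities` prints one line per capability in the form `Ipset Match (IPSET_MATCH): Available` or `...: Not available`, and it ships with a constructed sample listing so the parsing can be exercised offline.

```shell
#!/bin/sh
# Added example: decide from a Shorewall capability listing whether "+setname"
# entries in mangle/rules files will compile. The listing format below is an
# assumption about `shorewall show capabilities` output, not taken from the thread.

# Constructed sample listing (not real output from the reporter's host). It
# deliberately lacks IPSET_MATCH, reproducing the situation behind the error.
SAMPLE_CAPS='Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling (MANGLE_ENABLED): Available
   Ipset Match (IPSET_MATCH): Not available
   Ipset Match (IPSET_MATCH_NOMATCH): Not available
   Comments (COMMENTS): Available'

# has_capability NAME LISTING -> exit 0 if "(NAME): Available" occurs in LISTING.
# "Not available" does not match because of the capitalised "Available".
has_capability() {
    printf '%s\n' "$2" | grep -E "\($1\): Available" >/dev/null
}

# check_ipset_support LISTING -> prints a diagnosis; returns 0 only when the
# compiler has IPSET_MATCH, i.e. when a "+test" entry will be accepted.
check_ipset_support() {
    if has_capability IPSET_MATCH "$1"; then
        echo "IPSET_MATCH detected: +setname entries will compile"
        return 0
    fi
    echo "IPSET_MATCH missing: the compiler will reject '+setname' entries" >&2
    return 1
}

# live_check -> run the same test against the real installation. Needs root,
# since Shorewall probes iptables and may load modules while detecting.
live_check() {
    command -v shorewall >/dev/null || { echo "shorewall not installed" >&2; return 2; }
    check_ipset_support "$(shorewall show capabilities 2>/dev/null)"
}

# Offline demonstration on the constructed sample (expected: capability missing).
check_ipset_support "$SAMPLE_CAPS" || true
```

If `live_check` reports the capability missing even though the manual `iptables -m set` rule from the thread loads, the mismatch sits in capability detection (for instance a stale /etc/shorewall/capabilities file overriding autodetection), which narrows the report considerably before calling it a compiler bug.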
