Hi,

I've been going around in circles for several days without finding a
solution, although I have read the docs in every direction and done
multiple searches.

I am unable to use dynamic zones with Shorewall.
I'm using Gentoo, and my kernel is compiled manually.

I can't figure out if my kernel is missing something, or if it's
somewhere else.

The error is simple:
# shorewall check /etc/shorewall.test/
Checking using Shorewall 5.2.8...
Processing /etc/shorewall.test/params ...
Processing /etc/shorewall.test/shorewall.conf...
Loading Modules...
Compiling /etc/shorewall.test/zones...
Compiling /etc/shorewall.test/interfaces...
    Interface "net eth0" Validated
Compiling /etc/shorewall.test/hosts...
    ERROR: Dynamic nets require Ipset Match in your kernel and iptables
/etc/shorewall.test/hosts (line 11)

# cat /etc/shorewall.test/hosts
sshok eth0:dynamic

# grep -E "IP_SET|NETFILTER_XT_SET" /usr/src/linux/.config 
CONFIG_NETFILTER_XT_SET=y
CONFIG_IP_SET=y
CONFIG_IP_SET_MAX=256
# CONFIG_IP_SET_BITMAP_IP is not set
# CONFIG_IP_SET_BITMAP_IPMAC is not set
# CONFIG_IP_SET_BITMAP_PORT is not set
# CONFIG_IP_SET_HASH_IP is not set
# CONFIG_IP_SET_HASH_IPMARK is not set
# CONFIG_IP_SET_HASH_IPPORT is not set
# CONFIG_IP_SET_HASH_IPPORTIP is not set
# CONFIG_IP_SET_HASH_IPPORTNET is not set
# CONFIG_IP_SET_HASH_IPMAC is not set
# CONFIG_IP_SET_HASH_MAC is not set
# CONFIG_IP_SET_HASH_NETPORTNET is not set
# CONFIG_IP_SET_HASH_NET is not set
# CONFIG_IP_SET_HASH_NETNET is not set
# CONFIG_IP_SET_HASH_NETPORT is not set
# CONFIG_IP_SET_HASH_NETIFACE is not set
# CONFIG_IP_SET_LIST_SET is not set

Should I have net-firewall/ipset-7.17-r1 installed or not?
Should I have net-firewall/xtables-addons-3.24 installed or not? And if
so, with which modules? Currently, I have it with geoip and iface.
Can I be certain that my problem is with my kernel compilation options
or can I be certain otherwise? 

Thank you in advance to anyone who will try to provide me with valuable
help.

-- 
Christophe
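
Added example, not part of the original message: a shell check that reads a kernel .config and reports whether the ipset core, the xt_set match and any set type are enabled. The function names and the sample file are constructed for illustration, and the check assumes that a set can only be created when at least one set type is built in or built as a module.

```shell
#!/bin/sh
# Added example (not from the original post): summarise ipset support in a
# kernel .config. Assumption: besides CONFIG_IP_SET and CONFIG_NETFILTER_XT_SET,
# at least one set type (HASH_*, BITMAP_*, LIST_SET) is needed to create a set.

# Print "y", "m" or "n" for one CONFIG_ symbol. $1 = config file, $2 = symbol.
kconfig_state() {
    val=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" | head -n 1)
    printf '%s\n' "${val:-n}"
}

# Print every enabled set type as "SYMBOL=state", one per line (may be empty).
ipset_types() {
    grep -E '^CONFIG_IP_SET_(HASH|BITMAP|LIST)_[A-Z]+=[ym]$' "$1" || true
}

# Print a summary; return 0 only if core, match and one set type are present.
ipset_kernel_report() {
    cfg=$1
    core=$(kconfig_state "$cfg" CONFIG_IP_SET)
    match=$(kconfig_state "$cfg" CONFIG_NETFILTER_XT_SET)
    types=$(ipset_types "$cfg")
    echo "CONFIG_IP_SET=$core CONFIG_NETFILTER_XT_SET=$match"
    if [ -n "$types" ]; then
        echo "set types enabled:"
        echo "$types"
    else
        echo "set types enabled: none"
    fi
    [ "$core" != n ] && [ "$match" != n ] && [ -n "$types" ]
}

# Constructed sample mirroring the grep output in the post (abbreviated).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
CONFIG_NETFILTER_XT_SET=y
CONFIG_IP_SET=y
CONFIG_IP_SET_MAX=256
# CONFIG_IP_SET_HASH_IP is not set
# CONFIG_IP_SET_HASH_NET is not set
# CONFIG_IP_SET_LIST_SET is not set
EOF
ipset_kernel_report "$sample" || echo "result: ipset support incomplete"
```

On a real system, pass the path of the running kernel's configuration, such as the /usr/src/linux/.config used in the message, to ipset_kernel_report.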


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
