[Shorewall-users] How-to enable Ipset support?
Norman Henderson
2017-03-29 06:30:23 UTC
Hi, I am running 5.0.12 on Ubuntu 16.04.2 LTS with kernel 4.4.0-66 and
would like to use an ipset to control routing to a list of netblocks
(actually an entire country). I came up with the idea to set a Mark (based
on the ipset) in shorewall/mangle, and then route based on the Mark in
route_rules. What I get is:
ERROR: ipset names in Shorewall configuration files require Ipset Match in
your kernel and iptables.

What isn't obvious after some searching is how to enable IPset Match
support. In the kernel config file, there is a line:
CONFIG_NET_EMATCH_IPSET=m
So, I should be able to just load that should I not?
I attempted: modprobe em_ipset
which succeeded, but I still get the shorewall error.

Help please and thank you!
Matt Darfeuille
2017-03-29 09:41:05 UTC
Take a look at:
http://shorewall.org/ipsets.html

http://ipset.netfilter.org/

-Matt
--
Matt Darfeuille
Norman Henderson
2017-03-29 10:07:22 UTC
Thanks Matt. I had looked at both articles; the netfilter.org one would
seem to require me to build a kernel - and doesn't give a lot of detail.
The shorewall one doesn't say "how" to set up xtables-addons.

There is no package xtables-addons in Ubuntu Xenial however I did install
the packages:
xtables-addons-common xtables-addons-dkms xtables-addons-source

Then I found another site suggesting I needed to run:
module-assistant auto-install xtables-addons-source
But when I did that, I got "Build of the package xtables-addon-source
failed" and on viewing the log file, it ends with information that is way
outside my knowledge area to resolve:

│ make[3]: Leaving directory '/usr/src/linux-headers-4.4.0-66-generic'
│ make[2]: Leaving directory '/usr/src/modules/xtables-addons'
│ dh_auto_test -a
│ make -j1 test
│ make[2]: Entering directory '/usr/src/modules/xtables-addons'
│ CDPATH="${ZSH_VERSION+.}:" && cd . && /bin/bash /build/xtables-addons-ccJEnl/xtables-addons-2.10/build-aux/missing autoconf
│ /bin/bash: /build/xtables-addons-ccJEnl/xtables-addons-2.10/build-aux/missing: No such file or directory
│ Makefile:413: recipe for target 'configure' failed
│ make[2]: *** [configure] Error 127
│ make[2]: Leaving directory '/usr/src/modules/xtables-addons'
│ dh_auto_test: make -j1 test returned exit code 2
│ debian/rules:48: recipe for target 'binary-modules' failed
│ make[1]: *** [binary-modules] Error 2
│ make[1]: Leaving directory '/usr/src/modules/xtables-addons'
│ /usr/share/modass/include/common-rules.make:56: recipe for target 'kdist_build' failed
│ make: *** [kdist_build] Error 2

I have a feeling I am totally barking up the wrong tree, suggestions?
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Matt Darfeuille
2017-03-29 10:45:47 UTC
Post by Norman Henderson
There is no package xtables-addons in Ubuntu Xenial however I did install
xtables-addons-common xtables-addons-dkms xtables-addons-source
from:
https://launchpad.net/ubuntu/xenial/+package/xtables-addons-dkms

"The dkms package will automatically compile the driver for your current
kernel version."

Before installing the 'ipset' utility

$ shorewall show capabilities | grep ipset
ipset V5 (IPSET_V5): Not available

and after installing the 'ipset' utility

$ shorewall show capabilities | grep ipset
ipset V5 (IPSET_V5): Available

At least on Debian, Shorewall now has the ipset capability!
-Matt
--
Matt Darfeuille
Norman Henderson
2017-03-29 11:04:12 UTC
Interesting. Now, having installed xtables-addons-common and
xtables-addons-dkms (and failed with the red herring of ...-source); and
having installed the ipset utility:
# shorewall show capabilities |grep ipset
ipset V5 (IPSET_V5): Available
# shorewall check
Checking using Shorewall 5.0.12...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Checking /etc/shorewall/zones...
Checking /etc/shorewall/interfaces...
Checking /etc/shorewall/hosts...
Determining Hosts in Zones...
Locating Action Files...
Checking /etc/shorewall/policy...
Adding rules for DHCP
Checking TCP Flags filtering...
Checking Kernel Route Filtering...
Checking Martian Logging...
Checking /etc/shorewall/providers...
Checking /etc/shorewall/route_rules...
Checking /etc/shorewall/routes...
Checking /etc/shorewall/mangle...
ERROR: ipset names in Shorewall configuration files require Ipset Match
in your kernel and iptables /etc/shorewall/mangle (line 58)

??
Matt Darfeuille
2017-03-29 11:40:50 UTC
Post by Norman Henderson
Interesting. Now, having installed xtables-addons-common and
xtables-addons-dkms (and failed with the red herring of ...-source); and
# shorewall show capabilities |grep ipset
ipset V5 (IPSET_V5): Available
See bottom of this e-mail.
Post by Norman Henderson
ERROR: ipset names in Shorewall configuration files require Ipset Match
in your kernel and iptables /etc/shorewall/mangle (line 58)
??
The xtables-addons-common isn't required with the dkms package (everything
will be done automatically (including required packages)).

It doesn't look like it's Shorewall related.

try/rules
ACCEPT net:+try $FW tcp 22

$ shorewall -v0 check try
Checking using Shorewall 5.1.4-Beta1...
WARNING: Ipset try does not exist /root/try/rules (line 18)
Shorewall configuration verified

-Matt
--
Matt Darfeuille
Ian Koenig
2017-03-30 01:44:52 UTC
Can you run the command "ipset" or not? If you can then shorewall can use
it.

If not, on Ubuntu 16.04 to install ipset just run "apt-get install ipset".

You don't have to recompile it to bring it into use.
Norman Henderson
2017-03-30 06:34:01 UTC
Thank you Ian. Matt, I've done some more tests and this really looks like a
shorewall bug.

The ipset utility as well as all of the iptables extensions are installed:
# lsmod |grep x_tables
x_tables 36864 62
xt_physdev,xt_pkttype,ip6table_filter,xt_statistic,xt_DSCP,xt_dccp,xt_dscp,xt_iprange,xt_mark,xt_sctp,xt_time,xt_CT,xt_helper,ip6table_mangle,xt_length,xt_comment,xt_policy,xt_CHECKSUM,xt_recent,ip_tables,xt_socket,xt_tcpmss,xt_tcpudp,ipt_MASQUERADE,xt_LOGMARK,ipt_ah,xt_condition,xt_AUDIT,xt_NFQUEUE,xt_NFLOG,xt_TRACE,xt_iface,xt_ipp2p,xt_limit,xt_owner,xt_realm,xt_state,xt_ACCOUNT,ipt_rpfilter,xt_connlimit,xt_conntrack,xt_IPMARK,xt_LOG,xt_mac,xt_nat,xt_set,ipt_CLUSTERIP,xt_hashlimit,xt_multiport,iptable_filter,ip6table_raw,xt_CLASSIFY,xt_TARPIT,xt_TCPMSS,xt_TPROXY,xt_connmark,ipt_REJECT,iptable_mangle,ipt_ECN,ip6_tables,xt_addrtype,iptable_raw

(note xt_set is present)

# ipset -v
ipset v6.29, protocol version: 6

I can do:
#ipset create test hash:net
followed by a series of #ipset add test ... commands

and then:
# iptables -v -t mangle -A PREROUTING -p tcp -s 10.1.0.0/23 -m multiport
--dports http,https -m set --match-set test dst -j MARK --set-mark 0xc7

...which responds:
MARK tcp opt -- in * out * 10.1.0.0/23 -> 0.0.0.0/0 multiport dports
80,443 match-set test dst MARK set 0xc7

A trace shows that the packets are indeed being marked. My
shorewall/route_rule entry based on mark 199 (0xc7) works as intended.

However, when I add to shorewall/mangle, the line:
MARK(199):P 10.1.0.0/23 +test

Then shorewall check (restart) responds:
...
Checking (Compiling) /etc/shorewall/mangle...
ERROR: ipset names in Shorewall configuration files require Ipset Match
in your kernel and iptables /etc/shorewall/mangle (line 58)

The above behavior is unchanged in the current stable release 5.1.3.2.
Matt Darfeuille
2017-03-30 16:34:55 UTC
Post by Norman Henderson
Thank you Ian. Matt, I've done some more tests and this really looks like a
shorewall bug.
I don't get that error with your config:

$ ipset list
Name: test
Type: hash:net
Revision: 5
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16792
References: 1
Members:
10.45.1.0/24

$ grep test try/mangle
MARK(199):P 10.1.0.0/23 +test

$ shorewall restart try
Compiling using Shorewall 5.1.3.2...
Compiling try/mangle...
Shorewall configuration compiled to /var/lib/shorewall/.restart
Stopping Shorewall....
done.
Starting Shorewall....
done.

-Matt
--
Matt Darfeuille
PGNet Dev
2017-03-30 16:49:56 UTC
Post by Norman Henderson
Thank you Ian. Matt, I've done some more tests and this really looks like a
shorewall bug.
Did you update your capabilities?

What's the output of

shorewall-lite show capabilities | grep -i ipset

Here, e.g.,

Ipset Match Counters (IPSET_MATCH_COUNTERS): Available
Ipset Match (IPSET_MATCH): Available
Ipset Match Nomatch (IPSET_MATCH_NOMATCH): Available
ipset V5 (IPSET_V5): Available
Norman Henderson
2017-03-30 18:04:57 UTC
Thanks, both of you. The possibly significant difference in ipset list is
that I have Revision: 6 versus 5. (ipset -v gives v6.29, protocol version:
6)

The output from shorewall show capabilities |grep -i ipset is the same as
the other poster cited:
Ipset Match Counters (IPSET_MATCH_COUNTERS): Available
Ipset Match (IPSET_MATCH): Available
Ipset Match Nomatch (IPSET_MATCH_NOMATCH): Available
ipset V5 (IPSET_V5): Available

Is there something going on here related to the ipset revision number? If
so, how to fix it? ipset has been at v.6.x for years...
PGNet Dev
2017-03-30 18:14:10 UTC
Post by Norman Henderson
Thanks, both of you. The possibly significant difference in ipset list
is that I have Revision: 6 versus 5. (ipset -v gives v6.29, protocol
version: 6)
here, it's

ipset -v
ipset v6.32, protocol version: 6

as well
Post by Norman Henderson
The output from shorewall show capabilities |grep -i ipset is the same
Ipset Match Counters (IPSET_MATCH_COUNTERS): Available
Ipset Match (IPSET_MATCH): Available
Ipset Match Nomatch (IPSET_MATCH_NOMATCH): Available
ipset V5 (IPSET_V5): Available
Is there something going on here related to the ipset revision number?
If so, how to fix it? ipset has been at v.6.x for years...
And what's in your `capabilities` file for the FW you're compiling?

Here,

grep -i ipset ./capabilities
IPSET_MATCH_COUNTERS=Yes
IPSET_MATCH_NOMATCH=Yes
IPSET_MATCH=Yes
IPSET_V5=Yes
OLD_IPSET_MATCH=
Matt Darfeuille
2017-03-30 18:43:30 UTC
Post by PGNet Dev
Post by Norman Henderson
Thanks, both of you. The possibly significant difference in ipset list
is that I have Revision: 6 versus 5. (ipset -v gives v6.29, protocol
version: 6)
here, it's
ipset -v
ipset v6.32, protocol version: 6
as well
For me it's

$ ipset version
ipset v6.23, protocol version: 6

-Matt
--
Matt Darfeuille
n***@gmail.com
2017-03-31 09:47:53 UTC
That was it! I had never looked into the capabilities file and didn't realize it is a static version of what is reported by show capabilities. I wonder if that is such a good idea...

Anyway it's solved and thank you!

Sent from my iPhone
Matt Darfeuille
2017-03-31 10:33:13 UTC
Post by n***@gmail.com
That was it! I had never looked into the capabilities file and didn't realize it is a static version of what is reported by show capabilities. I wonder if that is such a good idea...
Anyway it's solved and thank you!
http://shorewall.org/configuration_file_basics.htm#capabilities

-Matt
--
Matt Darfeuille
PGNet Dev
2017-03-31 13:09:59 UTC
Post by n***@gmail.com
I wonder if that is such a good idea...
Actually quite handy when centrally managing/compiling multiple
firewalls for differently configured remotes. Each remote's data dir
gets its own capabilities file ...
Matt Darfeuille
2017-03-31 13:47:10 UTC
Post by PGNet Dev
Post by n***@gmail.com
I wonder if that is such a good idea...
Actually quite handy when centrally managing/compiling multiple
firewalls for differently configured remotes. Each remote's data dir
gets its own capabilities file ...
I agree, it's very useful.

http://shorewall.org/Shorewall-Lite.html

-Matt
--
Matt Darfeuille
PGNet Dev
2017-03-30 19:14:50 UTC
Post by PGNet Dev
And what's in your `capabilities` file for the FW you're compiling?
Just in case, consider also regenerating your capabilities file, to match your actual/current capabilities, specifically including ipset after having installed/upgraded it.

cref:

http://shorewall.org/CompiledPrograms.html#Shorecap
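The root cause in this thread was a capabilities file generated before ipset and xt_set were installed, so the compiler kept reading IPSET_MATCH= while `shorewall show capabilities` reported the match Available. As an added example (not code from the thread or from the Shorewall project), this POSIX shell script diffs a saved capabilities file against live `show capabilities` output and lists every key that has drifted; the file contents and the OLD_IPSET_MATCH live line are constructed, the other live lines are the ones quoted above.

```shell
#!/bin/sh
# Added example (not from the thread or the Shorewall project): detect a stale
# Shorewall capabilities file by comparing it with live "show capabilities"
# output. A stale file is what produced the "require Ipset Match in your
# kernel and iptables" error in this thread even though xt_set was loaded.

# live_to_kv: convert "Label (KEY): Available|Not available" lines, as printed
# by "shorewall show capabilities", into the KEY=Yes / KEY= form used by the
# capabilities file.
live_to_kv() {
    sed -n 's/^.*(\([A-Z0-9_]*\)):[[:space:]]*\(.*\)$/\1 \2/p' |
    while IFS=' ' read -r key state; do
        if [ "$state" = "Available" ]; then
            printf '%s=Yes\n' "$key"
        else
            printf '%s=\n' "$key"
        fi
    done
}

# stale_caps SAVED_FILE LIVE_FILE
# Prints one line per capability whose saved value differs from what the
# running kernel/iptables report (or that is missing from the saved file).
# Prints nothing when the two agree.
stale_caps() {
    saved=$1
    live=$2
    live_to_kv < "$live" | while IFS='=' read -r key livev; do
        if ! grep -q "^$key=" "$saved"; then
            printf '%s: missing from saved file, live=%s\n' "$key" "${livev:-No}"
            continue
        fi
        savedv=$(sed -n "s/^$key=//p" "$saved" | head -n 1)
        if [ "$savedv" != "$livev" ]; then
            printf '%s: saved=%s live=%s\n' "$key" "${savedv:-No}" "${livev:-No}"
        fi
    done
}

# make_sample_files DIR: write constructed sample inputs into DIR.
# The saved file mimics one generated before ipset/xt_set were installed.
# The first four live lines are the ones quoted in this thread; the
# OLD_IPSET_MATCH line is constructed.
make_sample_files() {
    cat > "$1/capabilities" <<'EOF'
IPSET_MATCH_COUNTERS=
IPSET_MATCH_NOMATCH=
IPSET_MATCH=
IPSET_V5=Yes
OLD_IPSET_MATCH=
EOF
    cat > "$1/live.txt" <<'EOF'
Ipset Match Counters (IPSET_MATCH_COUNTERS): Available
Ipset Match (IPSET_MATCH): Available
Ipset Match Nomatch (IPSET_MATCH_NOMATCH): Available
ipset V5 (IPSET_V5): Available
Old Ipset Match (OLD_IPSET_MATCH): Not available
EOF
}

# Stand-alone demo. On a real firewall, replace live.txt with the output of
# "shorewall show capabilities" (or "shorewall-lite show capabilities") and
# the saved file with the capabilities file in the directory you compile from.
demo_dir=$(mktemp -d)
make_sample_files "$demo_dir"
stale_caps "$demo_dir/capabilities" "$demo_dir/live.txt"
rm -rf "$demo_dir"
```

With the sample data the script reports IPSET_MATCH_COUNTERS, IPSET_MATCH and IPSET_MATCH_NOMATCH as saved=No but live=Yes, which is exactly the state that makes the compiler reject `+test` in mangle while `iptables -m set` works by hand.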