Filippo Carletti
2016-10-19 22:45:36 UTC
Hi,
I have updated a CentOS 6 system from shorewall 4.6.4 to 5.0.12 and
now shorewall does not start with the following error:
WARNING: ipset lvpn does not exist; creating it as an hash:net set
ipset v6.11: Unknown argument: `counters'
Try `ipset help' for more information.
lvpn is a dynamic zone.
It seems that CentOS doesn't support counters in ipset, but the
capability is not detected.
Here's what I did:
[***@gateway ~]# ipset -N lvpn hash:net family inet timeout 0 counters
ipset v6.11: Unknown argument: `counters'
Try `ipset help' for more information.
[***@gateway ~]# ipset -N lvpn hash:net family inet timeout 0
[***@gateway ~]# shorewall restart
...
done.
[***@gateway ~]# shorewall show capabilities | grep Ipset
Ipset Match (IPSET_MATCH): Available
For reference, here's the output on CentOS 7:
[***@nethsecurity7 ~]# shorewall show capabilities | grep Ipset
Ipset Match Counters (IPSET_MATCH_COUNTERS): Available
Ipset Match (IPSET_MATCH): Available
Ipset Match Nomatch (IPSET_MATCH_NOMATCH): Available
Other info:
[***@gateway ~]# modinfo ip_set_hash_net
filename: /lib/modules/2.6.32-642.6.1.el6.x86_64/kernel/net/netfilter/ipset/ip_set_hash_net.ko
alias: ip_set_hash:net
description: hash:net type of IP sets
author: Jozsef Kadlecsik <***@blackhole.kfki.hu>
license: GPL
srcversion: A466855CF5D693A4E053AF4
depends: ip_set
vermagic: 2.6.32-642.6.1.el6.x86_64 SMP mod_unload modversions
counters were unconditionally added in 6c00f72f448b36e85b9b5d68acd7018e7f44ecff
if have_capability IPSET_V5, which is true.
Do you have any suggestion on a fix?
Thank you.
--
Ciao,
Filippo
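
The failure reported above comes from passing `counters` to an ipset that does not accept it. The following is an added example, not part of the original post and not Shorewall's own code: one way to probe for the option before creating a dynamic-zone set. The function names, the IPSET variable and the probe set name are assumptions made for this sketch, and the probe needs root because it really creates and destroys a scratch set.

```shell
#!/bin/sh
# Added example: probe whether this ipset accepts a create-time option
# (here `counters`) instead of inferring it from another capability.
# IPSET, ipset_supports, dynamic_zone_opts and ensure_set are hypothetical names.
IPSET=${IPSET:-ipset}

# Return 0 if a scratch hash:net set can be created with option $1.
# This exercises both the userspace tool and the kernel module.
ipset_supports() {
    opt=$1
    probe="sw_probe_$$"          # scratch name, well under the 31-char limit
    if $IPSET create "$probe" hash:net family inet timeout 0 $opt \
            >/dev/null 2>&1; then
        $IPSET destroy "$probe" >/dev/null 2>&1
        return 0
    fi
    return 1                      # e.g. "Unknown argument: `counters'"
}

# Print the create options for a dynamic zone set, adding `counters`
# only when the probe shows it is accepted.
dynamic_zone_opts() {
    opts="hash:net family inet timeout 0"
    if ipset_supports counters; then
        opts="$opts counters"
    fi
    printf '%s\n' "$opts"
}

# Create set $1 if it does not exist yet, with the safest supported options.
ensure_set() {
    name=$1
    $IPSET list "$name" >/dev/null 2>&1 && return 0
    # Word splitting of the option string is intentional here.
    $IPSET create "$name" $(dynamic_zone_opts)
}
```

On a host like the CentOS 6 one described, `ensure_set lvpn` would fall back to creating the set without `counters` rather than aborting.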