All, I've just patched my kernel with netfilter's Ipset. I've created sets using the following commands:

    ipset -N Blacklist iphash
    ipset -N Blacklistnets nethash

and then used ipset -A to add addresses and nets to both. I set "SAVE_IPSETS=Yes" in shorewall.conf, cleared my blacklist file and added +Blacklist and +Blacklistnets to the first column of that file, and issued a "shorewall save". /var/lib/shorewall/restore-ipsets was created.

The problem I have is that when I issue "shorewall restart" I get the following error:

    ERROR: Your kernel and/or iptables does not include ipset match: +Blacklistnets

I'm running SuSE 10, with a vanilla kernel from kernels.org. I've attached the result of "shorewall trace start 2>trace".

Any ideas what I'm missing?

-- 
David Burrow
Mobile: (801)755-3375
Office: (801)587-2930

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys -- and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
On Sat, Jul 29, 2006 at 3:18pm David Burrow <dnburrow@gmail.com> wrote:

> I've attached the result of "shorewall trace start 2>trace"
> Any ideas what I'm missing?

I don't know what you did to the trace file. I untarred the attachment using "tar -zxf" after which I had a file named 'trace' which 'file' claimed was gzipped. I renamed it trace.gz and typed "gunzip trace.gz". That left me with an undecipherable file named 'trace' which 'file' couldn't identify other than as "data".

At any rate:

a) What does "shorewall show capabilities" say about "Ipset match"?

b) You must also patch iptables for ipset support. If "iptables -m set -h" fails because libipt_set.so cannot be loaded then that is the problem.

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@avvanta.com
Tom, et al.

> I don't know what you did to the trace file. I untarred the
> attachment using "tar -zxf" after which I had a file named
> 'trace' which 'file' claimed was gzipped. I renamed it trace.gz
> and typed "gunzip trace.gz". That left me with an
> undecipherable file named 'trace' which 'file' couldn't
> identify other than as "data".

My apologies. I don't know what happened either; when I tar -zxvf the file I get "trace". When I "vim trace" I can read it.

Thanks for the following response:

> At any rate:
>
> a) What does "shorewall show capabilities" say about "Ipset match"?
> b) You must also patch iptables for ipset support.
>    If "iptables -m set -h" fails because libipt_set.so cannot be
>    loaded then that is the problem.

I did patch iptables, but was getting the error listed in (b) above. After some examination, it seems SuSE installed iptables to a different bin directory than iptables defaults to, so I was running an old, unpatched version. After copying the patched version over the top of the old, it all seems to be working just fine.

Sorry for taking up your time, and I appreciate the help!

David
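The check Tom describes, and the PATH mix-up David ran into, written out as an added shell script. This is not code from the thread or from Shorewall; the function names are mine. It lists every iptables binary on PATH in lookup order, because the first one is what a bare "iptables" command, and therefore Shorewall, actually runs, and probes each with "iptables -m set -h" to see whether the set match loads. The stale-binary situation is reproduced with constructed fake iptables scripts rather than a real patched build.

```sh
#!/bin/sh
# Added example (not from the thread): find every iptables on PATH and test
# each one for ipset match support. Function names are assumptions, not
# Shorewall or iptables interfaces.

# Print every executable named "$1" found on PATH, one per line, in the order
# the shell would search. The first line is the one a bare command runs.
find_all_in_path() {
    name=$1
    old_ifs=$IFS
    IFS=:
    for dir in $PATH; do
        [ -n "$dir" ] || dir=.
        if [ -x "$dir/$name" ] && [ ! -d "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
        fi
    done
    IFS=$old_ifs
}

# Return 0 if the given iptables binary can load the "set" match, 1 otherwise.
# Mirrors "iptables -m set -h": an unpatched build fails to load libipt_set.so
# and reports "Couldn't load match `set'" with a non-zero exit status.
has_ipset_match() {
    bin=$1
    out=$("$bin" -m set -h 2>&1)
    status=$?
    if [ "$status" -eq 0 ] && ! printf '%s' "$out" | grep -qi "couldn't load match"; then
        return 0
    fi
    return 1
}

# Report each iptables on PATH with its ipset status, marking the one that a
# bare "iptables" (and hence Shorewall) will use.
report_iptables() {
    first=1
    find_all_in_path iptables | while IFS= read -r bin; do
        if has_ipset_match "$bin"; then
            state="ipset match OK"
        else
            state="NO ipset match"
        fi
        if [ "$first" -eq 1 ]; then
            marker="<- used by shorewall"
            first=0
        else
            marker=""
        fi
        printf '%s: %s %s\n' "$bin" "$state" "$marker"
    done
}

# Run the report when invoked as "sh check_ipset.sh --run".
[ "${1:-}" = "--run" ] && report_iptables
```

If the first line of the report says "NO ipset match" while a later one says "ipset match OK", the patched iptables was installed somewhere behind the distribution's copy on PATH, which is exactly the situation David describes; either fix PATH or, as he did, replace the older binary.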