Hello,

In learning about handling large lists of IPs in ShoreWall, I discovered its ipsets support.

According to the ShoreWall docs,

"Using ipsets requires that you patch your kernel and iptables and that you build and install the ipset utility from http://ipset.netfilter.org/."

After a bit of Googling, I think I've correctly installed the utility

> ipset --version
ipset v2.4.3 Protocol version 2.

and the kernel module,

> lsmod | grep -i ip_set
ip_set_iphash 13456 0
ip_set 26156 2 ip_set_iphash

> modinfo ip_set
filename: /lib/modules/2.6.25.18-0.2-default/updates/ip_set.ko
description: module implementing core IP set support
author: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
license: GPL
srcversion: 258C1BA85EA4FF1F35720B0
depends:
vermagic: 2.6.25.18-0.2-default SMP mod_unload 586
parm: max_sets:maximal number of sets (int)
parm: hash_size:hash size for bindings (int)

Is this all sufficiently "installed" for ShoreWall?

I'm not sure how to test if iptables is properly patched.

This makes me wonder if it is,

> shorewall show capabilities | grep -i ipset
Ipset Match: Not available

--JC

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
JC Janos wrote:
> Hello,
>
> In learning about handling large lists of IPs in ShoreWall, I
> discovered its ipsets support.
>
> According to the ShoreWall docs,
>
> "Using ipsets requires that you patch your kernel and iptables and
> that you build and install the ipset utility from
> http://ipset.netfilter.org/."
>
> After a bit of Googling, I think I've correctly installed the utility
>
>> ipset --version
> ipset v2.4.3 Protocol version 2.
>
> and the kernel module,
>
>> lsmod | grep -i ip_set
> ip_set_iphash 13456 0
> ip_set 26156 2 ip_set_iphash
>
>> modinfo ip_set
> filename: /lib/modules/2.6.25.18-0.2-default/updates/ip_set.ko
> description: module implementing core IP set support
> author: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
> license: GPL
> srcversion: 258C1BA85EA4FF1F35720B0
> depends:
> vermagic: 2.6.25.18-0.2-default SMP mod_unload 586
> parm: max_sets:maximal number of sets (int)
> parm: hash_size:hash size for bindings (int)
>
> Is this all sufficiently "installed" for ShoreWall?
>
> I'm not sure how to test if iptables is properly patched.
>
> This makes me wonder if it is,
>
>> shorewall show capabilities | grep -i ipset
> Ipset Match: Not available

Then something isn't right. You can read the code in /usr/share/shorewall/lib.base, function determine_capabilities() to see the commands that Shorewall executes to determine if ipset support is available.

-Tom

--
Tom Eastep        \ The ultimate result of shielding men from the effects of
Shoreline,         \ folly is to fill the world with fools.
Washington, USA    \ -- Herbert Spencer
------------------------------------------------------------------------
http://www.shorewall.net
Tom Eastep wrote:
> JC Janos wrote:
>> Hello,
>>
>> In learning about handling large lists of IPs in ShoreWall, I
>> discovered its ipsets support.
>>
>> According to the ShoreWall docs,
>>
>> "Using ipsets requires that you patch your kernel and iptables and
>> that you build and install the ipset utility from
>> http://ipset.netfilter.org/."
>>
>> After a bit of Googling, I think I've correctly installed the utility
>>
>>> ipset --version
>> ipset v2.4.3 Protocol version 2.
>>
>> and the kernel module,
>>
>>> lsmod | grep -i ip_set
>> ip_set_iphash 13456 0
>> ip_set 26156 2 ip_set_iphash
>>
>>> modinfo ip_set
>> filename: /lib/modules/2.6.25.18-0.2-default/updates/ip_set.ko
>> description: module implementing core IP set support
>> author: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
>> license: GPL
>> srcversion: 258C1BA85EA4FF1F35720B0
>> depends:
>> vermagic: 2.6.25.18-0.2-default SMP mod_unload 586
>> parm: max_sets:maximal number of sets (int)
>> parm: hash_size:hash size for bindings (int)
>>
>> Is this all sufficiently "installed" for ShoreWall?
>>
>> I'm not sure how to test if iptables is properly patched.
>>
>> This makes me wonder if it is,
>>
>>> shorewall show capabilities | grep -i ipset
>> Ipset Match: Not available
>
> Then something isn't right. You can read the code in
> /usr/share/shorewall/lib.base, function determine_capabilities() to see
> the commands that Shorewall executes to determine if ipset support is
> available.

Or you can 'shorewall trace show capabilities 2> /tmp/trace' and look at the /tmp/trace file.

-tom

--
Tom Eastep        \ The ultimate result of shielding men from the effects of
Shoreline,         \ folly is to fill the world with fools.
Washington, USA    \ -- Herbert Spencer
------------------------------------------------------------------------
http://www.shorewall.net
Tom Eastep wrote:
> JC Janos wrote:
>> Hello,
>>
>> In learning about handling large lists of IPs in ShoreWall, I
>> discovered its ipsets support.
>>
>> According to the ShoreWall docs,
>>
>> "Using ipsets requires that you patch your kernel and iptables and
>> that you build and install the ipset utility from
>> http://ipset.netfilter.org/."
>>
>> After a bit of Googling, I think I've correctly installed the utility
>>
>>> ipset --version
>> ipset v2.4.3 Protocol version 2.
>>
>> and the kernel module,
>>
>>> lsmod | grep -i ip_set
>> ip_set_iphash 13456 0
>> ip_set 26156 2 ip_set_iphash
>>
>>> modinfo ip_set
>> filename: /lib/modules/2.6.25.18-0.2-default/updates/ip_set.ko
>> description: module implementing core IP set support
>> author: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
>> license: GPL
>> srcversion: 258C1BA85EA4FF1F35720B0
>> depends:
>> vermagic: 2.6.25.18-0.2-default SMP mod_unload 586
>> parm: max_sets:maximal number of sets (int)
>> parm: hash_size:hash size for bindings (int)
>>
>> Is this all sufficiently "installed" for ShoreWall?
>>
>> I'm not sure how to test if iptables is properly patched.
>>
>> This makes me wonder if it is,
>>
>>> shorewall show capabilities | grep -i ipset
>> Ipset Match: Not available
>
> Then something isn't right. You can read the code in
> /usr/share/shorewall/lib.base, function determine_capabilities() to see
> the commands that Shorewall executes to determine if ipset support is
> available.

Also note that if you patch iptables yourself and 'make install', the new iptables is installed in /usr/local/sbin/. So be sure to 'which iptables' to be sure that your iptables, and not your distribution's version, is being run. Note that you can use the IPTABLES setting in /etc/shorewall/shorewall.conf to specify your version.

-Tom

--
Tom Eastep        \ The ultimate result of shielding men from the effects of
Shoreline,         \ folly is to fill the world with fools.
Washington, USA    \ -- Herbert Spencer
------------------------------------------------------------------------
http://www.shorewall.net
Tom,
Looking at /usr/share/shorewall/lib.base I couldn't understand much of
what might be wrong, so I just added a few echo statements to see
what's going on, e.g.

...
if qt mywhich ipset; then
    qt ipset -X $chain # Just in case something went wrong the last time
    if qt ipset -N $chain iphash ; then
        echo "TEST1"
        if qt $IPTABLES -A $chain -m set --set $chain src -j ACCEPT; then
            echo "TEST2"
            qt $IPTABLES -D $chain -m set --set $chain src -j ACCEPT
            IPSET_MATCH=Yes
        fi
        echo "TEST3"
        qt ipset -X $chain
    fi
fi
echo "TEST4"
exit
...

Then,

> shorewall show capabilities
TEST1
TEST3
TEST4

So "TEST2" is never reached, which I think points to a problem in

if qt $IPTABLES -A $chain -m set --set $chain src -j ACCEPT; then

And then IPSET_MATCH=Yes never gets defined and results in

shorewall show capabilities | grep -i ipset
Ipset Match: Not available

If I'm right, why that happens I have no idea yet.
--JC
Tom,

> Or you can 'shorewall trace show capabilities 2> /tmp/trace' and look at the /tmp/trace file.

From /tmp/trace, I think this is the relevant area,

+ MANGLE_FORWARD=Yes
+ qt /usr/sbin/iptables -t raw -L -n
+ /usr/sbin/iptables -t raw -L -n
+ RAW_TABLE=Yes
+ qt mywhich ipset
+ mywhich ipset
+ qt ipset -X fooX3566
+ ipset -X fooX3566
+ qt ipset -N fooX3566 iphash
+ ipset -N fooX3566 iphash
+ qt /usr/sbin/iptables -A fooX3566 -m set --set fooX3566 src -j ACCEPT
+ /usr/sbin/iptables -A fooX3566 -m set --set fooX3566 src -j ACCEPT
+ qt ipset -X fooX3566
+ ipset -X fooX3566
+ qt /usr/sbin/iptables -A fooX3566 -m pkttype --pkt-type broadcast -j ACCEPT
+ /usr/sbin/iptables -A fooX3566 -m pkttype --pkt-type broadcast -j ACCEPT
+ USEPKTTYPE=Yes

> Also note that if you patch iptables yourself and 'make install', the new iptables is
> installed in /usr/local/sbin/. So be sure to 'which iptables' to be sure that your iptables,
> and not your distribution's version, is being run. Note that you can use the IPTABLES setting
> in /etc/shorewall/shorewall.conf to specify your version.

which iptables
/usr/sbin/iptables

ls -al /usr/local/sbin/iptables
/bin/ls: cannot access /usr/local/sbin/iptables: No such file or directory

Well, that sure sounds like there's a step I missed, patching iptables.

Reading both the pages at http://ipset.netfilter.org/install.html & http://www.netfilter.org/projects/ipset/index.html, I don't see anything to *do* about that.

So I guess I have to 'patch' iptables to use it with ipset & ShoreWall?

If that's right, are there any how-to Docs that you know of?

--JC
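As an added example (not code from this thread or from Shorewall itself), here is a small POSIX shell script that reads a 'shorewall trace show capabilities' trace like the one above and names the probe step at which determine_capabilities() gave up, the same diagnosis JC reached with the echo statements. The 'set -x' line format, the fooX<pid> chain name and the embedded sample trace are taken from this thread; the verdict wording and the assumption that each missing line means its predecessor returned non-zero are my own.

```shell
#!/bin/sh
# Added example, not Shorewall's own code: given the output of
#   shorewall trace show capabilities 2> /tmp/trace
# report which step of the ipset probe in determine_capabilities() stopped.
# Assumptions: 'set -x' style trace ('+ cmd' lines) and a probe chain named
# fooX<pid>, both as seen in the trace posted in this thread.

# Constructed sample, condensed from the posted trace: the 'iptables -A ... -m set'
# line is never followed by the matching '-D', so IPSET_MATCH was never set.
SAMPLE_TRACE='+ qt mywhich ipset
+ mywhich ipset
+ qt ipset -X fooX3566
+ ipset -X fooX3566
+ qt ipset -N fooX3566 iphash
+ ipset -N fooX3566 iphash
+ qt /usr/sbin/iptables -A fooX3566 -m set --set fooX3566 src -j ACCEPT
+ /usr/sbin/iptables -A fooX3566 -m set --set fooX3566 src -j ACCEPT
+ qt ipset -X fooX3566
+ ipset -X fooX3566
+ USEPKTTYPE=Yes'

# Reads a trace on stdin and prints a one-line verdict.
# Exit status: 0 = set match usable, 1 = a probe step failed, 2 = no probe found.
ipset_probe_verdict() {
    trace=$(cat)
    # 'set -x' prints only commands that actually ran, so the first expected
    # line that is absent marks the step whose predecessor returned non-zero.
    if ! printf '%s\n' "$trace" | grep -q 'ipset -N fooX[0-9]* iphash'; then
        echo "no ipset probe in trace: 'mywhich ipset' failed, so ipset is not in PATH"
        return 2
    fi
    if ! printf '%s\n' "$trace" | grep -q -- '-A fooX[0-9]* -m set --set'; then
        echo "'ipset -N ... iphash' failed: kernel ip_set support does not match the ipset tool"
        return 1
    fi
    # Which iptables binary the probe executed (the 'which iptables' question).
    bin=$(printf '%s\n' "$trace" | sed -n 's/^+ \([^ ]*iptables\) -A fooX[0-9]* -m set.*/\1/p' | head -n 1)
    if ! printf '%s\n' "$trace" | grep -q -- '-D fooX[0-9]* -m set --set'; then
        echo "'$bin -m set' failed: that iptables has no set match (unpatched, or not the patched binary)"
        return 1
    fi
    echo "Ipset Match: Available (via $bin)"
    return 0
}

# Stand-alone run: pass a trace file as the argument, otherwise use the sample.
{ [ -n "$1" ] && cat "$1" || printf '%s\n' "$SAMPLE_TRACE"; } | ipset_probe_verdict || echo "probe exit status: $?"
```

On the trace posted above it reports that /usr/sbin/iptables has no set match, which is the same conclusion as "TEST2 is never reached".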
JC Janos wrote:
>
> If that's right, are there any how-to Docs that you know of?
>

No.

-Tom

--
Tom Eastep        \ The ultimate result of shielding men from the effects of
Shoreline,         \ folly is to fill the world with fools.
Washington, USA    \ -- Herbert Spencer
------------------------------------------------------------------------
http://www.shorewall.net