John Brendler
2010-Jun-17 04:14 UTC
shorewall 4.4.10 failing to start; won't recognize ipset "capability"
I have been using shorewall for years with ipsets. I have encountered a problem after upgrading from 4.2.11 to 4.4.10. When I run 'shorewall-check' or 'shorewall start', it halts with the error:

----------------------------------------------------------------------
ERROR: ipset names in Shorewall configuration files require Ipset Match in your kernel and iptables : /etc/shorewall/rules (line 16)
----------------------------------------------------------------------

(For the purposes of demonstrating this I have removed all references to ipsets in my rules and blacklist files except the one mentioned above.)

Other information:

1. I upgraded shorewall in isolation, making no other changes to my system. Note that the system was running shorewall-perl 4.2.11 with ipsets just fine.

2. Shorewall 4.4.10 reports that the ipset "capability" is present:

---------------------------------------------------------------------
# shorewall show capabilities | grep Ipset
   Ipset Match: Available
# shorewall show -f capabilities | grep IPSET
IPSET_MATCH=Yes
---------------------------------------------------------------------

3. The modules are loaded:

---------------------------------------------------------------------
twister shorewall # lsmod
Module                  Size  Used by
ip_set_setlist          2444  1
ipt_set                  843  0
ipt_SET                 1012  0
ip_set_nethash          7396  4
ip_set_iptreemap        7504  0
ip_set_iptree           4068  0
ip_set_ipporthash       6780  0
ip_set_portmap          2358  0
ip_set_macipmap         2198  0
ip_set_ipmap            2226  0
ip_set_iphash           5756  1
ip_set                  9944  20 ip_set_setlist,ipt_set,ipt_SET,ip_set_nethash,ip_set_iptreemap,ip_set_iptree,ip_set_ipporthash,ip_set_portmap,ip_set_macipmap,ip_set_ipmap,ip_set_iphash
----------------------------------------------------------------------

4. With "SAVE_IPSETS=Yes", Shorewall 4.4.10 even saves and restores my ipsets (while simultaneously claiming the capability to be absent and refusing to start if an ipset is present in the rules or blacklist):

----------------------------------------------------------------------
# ls -l /var/lib/shorewall
total 444
-rw-r-----  1 root root      0 Oct 27  2008 chains
-rwx------  1 root root  78551 Jun 16 23:48 firewall
-rw-------  1 root root 123212 Jun 16 23:46 ipsets.save
-rw-------  1 root root      0 Jun 16 23:48 nat
-rw-------  1 root root    450 Jun 16 23:48 policies
-rw-------  1 root root      0 Jun 16 23:48 proxyarp
-rw-r-----  1 root root     29 Jun 16 23:48 restarted
-rwx--x--x  1 root root  78551 Jun 16 23:41 restore
-rw-r-----  1 root root 123212 Jun 16 23:41 restore-ipsets
-rw-r-----  1 root root  18561 Jun 16 23:41 restore-iptables
-rw-r-----  1 root root     39 Jun 16 23:48 state
-rw-r-----  1 root root     84 Jun 16 23:48 zones
---------------------------------------------------------------------

5. Software versions:

shorewall 4.4.10
iptables 1.4.8
ipset 4.2
perl 5.8.8

I would be appreciative of any insight into what is going on here.

Thank you,
John

------------------------------------------------------------------------------
ThinkGeek and WIRED's GeekDad team up for the Ultimate GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the lucky parental unit. See the prize list and enter to win: http://p.sf.net/sfu/thinkgeek-promo
Tom Eastep
2010-Jun-17 04:55 UTC
Re: shorewall 4.4.10 failing to start; won't recognize ipset "capability"
On 6/16/10 9:14 PM, John Brendler wrote:
>
> I would be appreciative of any insight into what is going on here.
>

First of all, you can most likely work around this problem by executing this command:

shorewall show -f capabilities > /etc/shorewall/capabilities

After that, 'shorewall start' should work.

As to what is going wrong here, nothing you included in your post gives me a clue.

- I personally use ipsets under Shorewall 4.4.10 and it works fine.

- Since 4.2.11, we've added an IPSET option in shorewall.conf; please try setting that to the path to your ipset binary and see if that corrects the problem.

- If that doesn't work then you will need to do a little debugging:

  shorewall check -d

  The Perl debugger will prompt you; at the prompt, enter:

  b Shorewall::Config::IPSet_Match

  then

  c

  When the debugger prompts again, enter 'n' at each prompt until the IPSET_Match subroutine is exited; then enter 'c'.

  Capture the debugging session via copy/paste and send it to me.

Thanks,
-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
John Brendler
2010-Jun-17 05:23 UTC
Re: shorewall 4.4.10 failing to start; won't recognize ipset "capability"
On Wed, 16 Jun 2010 21:55:05 -0700 Tom Eastep <teastep@shorewall.net> wrote:

> First of all, you can most likely work around this problem by
> executing this command:
>
> shorewall show -f capabilities > /etc/shorewall/capabilities

My apologies if I shouldn't have replied to the whole list with this.

Yes, indeed, that eliminates the problem, and it is now working just fine. (Deleted the file for the debugging session listed below.)

> - Since 4.2.11, we've added an IPSET option in shorewall.conf; please
> try setting that to the path to your ipset binary and see if that
> corrects the problem.

I have explicit paths for all the executables, and I already double-checked that.

> - If that doesn't work then you will need to do a little debugging:
>
> shorewall check -d
>
> The Perl debugger will prompt you; at the prompt, enter:
>
> b Shorewall::Config::IPSet_Match
>
> then
>
> c
>
> When the debugger prompts again, enter 'n' at each prompt
> until the IPSET_Match subroutine is exited; then enter 'c'.

-----------------------------------------------------------------------
twister shorewall # shorewall check -d
Checking...

Loading DB routines from perl5db.pl version 1.28
Editor support available.

Enter h or `h h' for help, or `man perldebug' for more help.

Shorewall::Config::CODE(0x125dfff8)(/usr/share/shorewall/Shorewall/Config.pm:697):
697:     for ( qw/root system command files destination/ ) {
  DB<1> b Shorewall::Config::IPSet_Match
  DB<2> c
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Shorewall::Config::IPSet_Match(/usr/share/shorewall/Shorewall/Config.pm:2351):
2351:     my $ipset = $config{IPSET} || 'ipset';
  DB<2> n
Shorewall::Config::IPSet_Match(/usr/share/shorewall/Shorewall/Config.pm:2352):
2352:     my $result = 0;
  DB<2> n
Shorewall::Config::IPSet_Match(/usr/share/shorewall/Shorewall/Config.pm:2354):
2354:     $ipset = which $ipset unless $ipset =~ '//';
  DB<2> n
Shorewall::Config::IPSet_Match(/usr/share/shorewall/Shorewall/Config.pm:2356):
2356:     if ( $ipset && -x $ipset ) {
  DB<2> n
Shorewall::Config::IPSet_Match(/usr/share/shorewall/Shorewall/Config.pm:2369):
2369:     $result;
  DB<2> n
Shorewall::Config::determine_capabilities(/usr/share/shorewall/Shorewall/Config.pm:2576):
2576:     $capabilities{USEPKTTYPE} = detect_capability( 'USEPKTTYPE' );
  DB<2> c
Checking /etc/shorewall/zones...
Checking /etc/shorewall/interfaces...
Determining Hosts in Zones...
Preprocessing Action Files...
   Pre-processing /usr/share/shorewall/action.Drop...
   Pre-processing /usr/share/shorewall/action.Reject...
Checking /etc/shorewall/policy...
Processing /etc/shorewall/initdone...
Checking /etc/shorewall/blacklist...
   ERROR: ipset names in Shorewall configuration files require Ipset Match in your kernel and iptables : /etc/shorewall/blacklist (line 24) at /usr/share/shorewall/Shorewall/Config.pm line 786
	Shorewall::Config::fatal_error('ipset names in Shorewall configuration files require Ipset Ma...') called at /usr/share/shorewall/Shorewall/Config.pm line 2605
	Shorewall::Config::require_capability('IPSET_MATCH', 'ipset names in Shorewall configuration files', '') called at /usr/share/shorewall/Shorewall/Chains.pm line 2496
	Shorewall::Chains::match_source_net('+rfc1918', 0) called at /usr/share/shorewall/Shorewall/Chains.pm line 3411
	Shorewall::Chains::expand_rule('HASH(0x12daf25c)', 0, '', '+rfc1918!10.217.128.1', '', '', '-j blacklog', '', 'DROP', ...) called at /usr/share/shorewall/Shorewall/Rules.pm line 266
	Shorewall::Rules::setup_blacklist() called at /usr/share/shorewall/Shorewall/Rules.pm line 461
	Shorewall::Rules::add_common_rules() called at /usr/share/shorewall/Shorewall/Compiler.pm line 651
	Shorewall::Compiler::compiler('script', '', 'directory', '', 'verbosity', 1, 'timestamp', 0, 'debug', ...) called at /usr/share/shorewall/compiler.pl line 111
Debugged program terminated.  Use q to quit or R to restart,
  use o inhibit_exit to avoid stopping after program termination,
  h q, h R or h o to get additional info.
  DB<2>
---------------------------------------------------------------------------------

In case you are curious, the reason for the rfc1918 ipset is because my ISP actually uses rfc1918 addresses for its dhcp servers. This allows me to easily restrict the traffic with exceptions. The other ipsets are much larger.

Thanks for your help.
John Brendler
2010-Jun-17 05:49 UTC
Re: shorewall 4.4.10 failing to start; won't recognize ipset "capability"
Here is another list of that debug session, having first removed all references to my rfc1918 ipset (just in case that was a possible source of confusion). As you can see, the same results occur; it just hits a different ipset.

Please let me know what other information I can provide.

-------------------------------------------------------------------------
# shorewall check -d
Checking...

Loading DB routines from perl5db.pl version 1.28
Editor support available.

Enter h or `h h' for help, or `man perldebug' for more help.

Shorewall::Config::CODE(0x14d55cb8)(/usr/share/shorewall/Shorewall/Config.pm:697):
697:     for ( qw/root system command files destination/ ) {
  DB<1> b Shorewall::Config::IPSet_Match
  DB<2> c
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Shorewall::Config::IPSet_Match(/usr/share/shorewall/Shorewall/Config.pm:2351):
2351:     my $ipset = $config{IPSET} || 'ipset';
  DB<2> n
Shorewall::Config::IPSet_Match(/usr/share/shorewall/Shorewall/Config.pm:2352):
2352:     my $result = 0;
  DB<2> n
Shorewall::Config::IPSet_Match(/usr/share/shorewall/Shorewall/Config.pm:2354):
2354:     $ipset = which $ipset unless $ipset =~ '//';
  DB<2> n
Shorewall::Config::IPSet_Match(/usr/share/shorewall/Shorewall/Config.pm:2356):
2356:     if ( $ipset && -x $ipset ) {
  DB<2> n
Shorewall::Config::IPSet_Match(/usr/share/shorewall/Shorewall/Config.pm:2369):
2369:     $result;
  DB<2> n
Shorewall::Config::determine_capabilities(/usr/share/shorewall/Shorewall/Config.pm:2576):
2576:     $capabilities{USEPKTTYPE} = detect_capability( 'USEPKTTYPE' );
  DB<2> c
Checking /etc/shorewall/zones...
Checking /etc/shorewall/interfaces...
Determining Hosts in Zones...
Preprocessing Action Files...
   Pre-processing /usr/share/shorewall/action.Drop...
   Pre-processing /usr/share/shorewall/action.Reject...
Checking /etc/shorewall/policy...
Processing /etc/shorewall/initdone...
Checking /etc/shorewall/blacklist...
   ERROR: ipset names in Shorewall configuration files require Ipset Match in your kernel and iptables : /etc/shorewall/blacklist (line 28) at /usr/share/shorewall/Shorewall/Config.pm line 786
	Shorewall::Config::fatal_error('ipset names in Shorewall configuration files require Ipset Ma...') called at /usr/share/shorewall/Shorewall/Config.pm line 2605
	Shorewall::Config::require_capability('IPSET_MATCH', 'ipset names in Shorewall configuration files', '') called at /usr/share/shorewall/Shorewall/Chains.pm line 2496
	Shorewall::Chains::match_source_net('+dshield', 0) called at /usr/share/shorewall/Shorewall/Chains.pm line 3439
	Shorewall::Chains::expand_rule('HASH(0x15524f4c)', 0, '', '+dshield', '', '', '-j blacklog', '', 'DROP', ...) called at /usr/share/shorewall/Shorewall/Rules.pm line 266
	Shorewall::Rules::setup_blacklist() called at /usr/share/shorewall/Shorewall/Rules.pm line 461
	Shorewall::Rules::add_common_rules() called at /usr/share/shorewall/Shorewall/Compiler.pm line 651
	Shorewall::Compiler::compiler('script', '', 'directory', '', 'verbosity', 1, 'timestamp', 0, 'debug', ...) called at /usr/share/shorewall/compiler.pl line 111
Debugged program terminated.  Use q to quit or R to restart,
  use o inhibit_exit to avoid stopping after program termination,
  h q, h R or h o to get additional info.
  DB<2>
--------------------------------------------------------------------------
Tom Eastep
2010-Jun-17 13:48 UTC
Re: shorewall 4.4.10 failing to start; won't recognize ipset "capability"
On 6/16/10 10:23 PM, John Brendler wrote:
>
> I have explicit paths for all the executables, and I already
> double-checked that.
>
> Shorewall::Config::IPSet_Match(/usr/share/shorewall/Shorewall/Config.pm:2351):
> 2351:     my $ipset = $config{IPSET} || 'ipset';
>   DB<2> n
> Shorewall::Config::IPSet_Match(/usr/share/shorewall/Shorewall/Config.pm:2352):
> 2352:     my $result = 0;
>   DB<2> n
> Shorewall::Config::IPSet_Match(/usr/share/shorewall/Shorewall/Config.pm:2354):
> 2354:     $ipset = which $ipset unless $ipset =~ '//';
>   DB<2> n
> Shorewall::Config::IPSet_Match(/usr/share/shorewall/Shorewall/Config.pm:2356):
> 2356:     if ( $ipset && -x $ipset ) {
>   DB<2> n
> Shorewall::Config::IPSet_Match(/usr/share/shorewall/Shorewall/Config.pm:2369):
> 2369:     $result;

The attached patch corrects the problem:

patch /usr/share/shorewall/Shorewall/Config.pm < ipset_match.diff

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
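Added example (editor's note; this is not code from the thread and not Tom's attached ipset_match.diff, which the archive does not reproduce). The debugger trace John posted walks through Config.pm line 2354, `$ipset = which $ipset unless $ipset =~ '//'`, and then line 2356, `if ( $ipset && -x $ipset )`, before IPSet_Match returns. One reading of that trace, consistent with John's statement that he configures explicit paths for all executables, is that the `'//'` pattern only matches two consecutive slashes, so an ordinary absolute path such as /usr/sbin/ipset still goes through the PATH lookup, which cannot resolve it, and the capability is reported absent. That reading is an assumption, as is the shape of the `which` helper below (a plain directory-plus-name PATH walk). The Python below models both the traced condition and an assumed correction (skip the lookup whenever the setting contains any slash) against a constructed temporary directory holding a fake executable named ipset, so it runs offline without Shorewall, iptables or root.

```python
import os
import re
import tempfile

# Added example, not Shorewall code: models the PATH lookup and executable
# test seen at Config.pm lines 2354 and 2356 in the posted debugger trace.


def which(name, path_env):
    """Return the first executable DIR/name found on path_env, else None.

    Assumption: the lookup concatenates directory and name the way a
    shell-style search for a bare command name does; it is not designed
    to accept an absolute path as its input.
    """
    for directory in path_env.split(os.pathsep):
        if not directory:
            continue
        # Deliberate string concatenation (like Perl "$_/$name"), not
        # os.path.join, which would silently discard the directory when
        # name is already absolute.
        candidate = f"{directory}/{name}"
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def resolve_ipset_as_traced(ipset_setting, path_env):
    """Models the traced condition: the PATH walk is skipped only when the
    setting matches the pattern '//' (two consecutive slashes), so a normal
    absolute path such as /usr/sbin/ipset is still handed to which()."""
    ipset = ipset_setting or "ipset"
    if not re.search("//", ipset):
        ipset = which(ipset, path_env)
    if ipset and os.access(ipset, os.X_OK):
        return ipset
    return None


def resolve_ipset_corrected(ipset_setting, path_env):
    """Assumed correction (not Tom's patch): skip the PATH walk whenever the
    setting contains any slash, i.e. when it is already a path."""
    ipset = ipset_setting or "ipset"
    if "/" not in ipset:
        ipset = which(ipset, path_env)
    if ipset and os.access(ipset, os.X_OK):
        return ipset
    return None


def demo():
    """Constructed environment: a fake executable 'ipset' in a temp dir that
    serves as the only PATH entry. Returns (fake_path, results)."""
    tmp = tempfile.mkdtemp()
    fake = os.path.join(tmp, "ipset")
    with open(fake, "w") as fh:
        fh.write("#!/bin/sh\nexit 0\n")
    os.chmod(fake, 0o755)
    results = {
        # IPSET left as a bare name: both variants find it via the PATH walk
        "bare_name_traced": resolve_ipset_as_traced("ipset", tmp),
        "bare_name_corrected": resolve_ipset_corrected("ipset", tmp),
        # IPSET set to an absolute path: the traced condition re-runs which()
        # on it, the concatenated candidate does not exist, and None comes back
        "abs_path_traced": resolve_ipset_as_traced(fake, tmp),
        "abs_path_corrected": resolve_ipset_corrected(fake, tmp),
    }
    return fake, results


if __name__ == "__main__":
    fake_path, res = demo()
    for key, value in res.items():
        print(f"{key:22s} -> {value}")
```

Running it shows the bare name resolving under both variants while the absolute path resolves only under the corrected condition. The defensive takeaway matches Tom's advice in the thread: when a firewall compiler refuses a capability it visibly has, capture the detection routine's actual inputs under the debugger rather than trusting a summary such as `shorewall show capabilities`, and keep the `/etc/shorewall/capabilities` workaround in mind as a stop-gap, not a fix.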