Hi,

I'm trying to check if my system supports ipsets and if shorewall detects it.

# shorewall version
4.4.27.3

installed xtables-addons version 1.39
http://xtables-addons.sourceforge.net/

installed ipset version: 6.11
http://ipset.netfilter.org/

# shorewall show capabilities | grep -i ipset
ipset V5: Not available

Thanks,
Vieri

------------------------------------------------------------------------------
This SF email is sponsored by:
Try Windows Azure free for 90 days Click Here
http://p.sf.net/sfu/sfd2d-msazure

> # shorewall version
> 4.4.27.3
>
> installed xtables-addons version 1.39
> http://xtables-addons.sourceforge.net/
>
> installed ipset version: 6.11
> http://ipset.netfilter.org/
>
> # shorewall show capabilities | grep -i ipset
> ipset V5: Not available
>
What does "ipset version" give you? Also, when you try "ipset help" do you see "Supported set types:" at the very end?

--- On Fri, 3/23/12, Mr Dash Four <mr.dash.four@googlemail.com> wrote:

> From: Mr Dash Four <mr.dash.four@googlemail.com>
> Subject: Re: [Shorewall-users] shorewall ipsets
> To: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
> Date: Friday, March 23, 2012, 1:38 PM
>
> > # shorewall version
> > 4.4.27.3
> >
> > installed xtables-addons version 1.39
> > http://xtables-addons.sourceforge.net/
> >
> > installed ipset version: 6.11
> > http://ipset.netfilter.org/
> >
> > # shorewall show capabilities | grep -i ipset
> > ipset V5: Not available
> >
> What does "ipset version" give you? Also, when you try "ipset help" do
> you see "Supported set types:" at the very end?

Supported set types:
list:set
hash:ip,port,net
hash:ip,port,net
hash:ip,port,net
hash:ip,port,ip
hash:ip,port
hash:net,iface
hash:net,iface
hash:net,port
hash:net,port
hash:net,port
hash:net
hash:net
hash:net
hash:ip
bitmap:port
bitmap:ip,mac
bitmap:ip

(I think "hash:ip" is what shorewall uses by default)

# ipset version
ipset v6.11, protocol version: 6

Does this mean that Shorewall only supports ipset v.5 and that ipset v.6 isn't backward-compatible?

Thanks,
Vieri

> Supported set types:
> list:set
> hash:ip,port,net
> hash:ip,port,net
> hash:ip,port,net
> hash:ip,port,ip
> hash:ip,port
> hash:net,iface
> hash:net,iface
> hash:net,port
> hash:net,port
> hash:net,port
> hash:net
> hash:net
> hash:net
> hash:ip
> bitmap:port
> bitmap:ip,mac
> bitmap:ip
>
> (I think "hash:ip" is what shorewall uses by default)
>
As far as I know there is no such thing as a "default ipset type" in shorewall, but I stand to be corrected if that is not the case.

> # ipset version
> ipset v6.11, protocol version: 6
>
It looks as though ipset is functioning properly. The only thing I can think of is if your PATH is not set up properly or your "IPSET" option in shorewall.conf is wrong. Could you let me know what values you have for IPSET and PATH in your shorewall.conf and verify that 1) the IPSET option, if not empty, points to a valid ipset executable; or 2) the ipset executable can be found in the path specified in the PATH option?

If all of the above is satisfied, then try to include the following statement in your shorewall "init" as a test (you can remove it afterwards):

    ipset n test-net hash:net family inet timeout 0 hashsize 64

If shorewall starts successfully and does not report any errors, try this from the command line: "ipset l test-net" and see if you can get the above set listed. If so, then ipset is functioning properly within shorewall and there is something wrong with the generation of your capabilities file.

> Does this mean that Shorewall only supports ipset v.5 and that ipset v.6 isn't backward-compatible?
>
No. Historically, ipset v4 (and older) had a very different syntax/data structure from ipset version 5 and above, hence your capabilities file has provision for both set versions. If IPSET_V5=Yes, then your version of ipset supports the new syntax (version 5 and above). If it is empty, then either 1) shorewall does not recognise ipset at all (IPSET_MATCH and IPSET_V5 are both empty); or 2) shorewall has determined that you have the "old" syntax (version 4 and older), in which case you should have IPSET_MATCH=Yes and IPSET_V5 should be empty.

On 03/23/2012 02:44 AM, Vieri Di Paola wrote:
> Hi,
>
> I'm trying to check if my system supports ipsets and if shorewall detects it.
>
> # shorewall version
> 4.4.27.3
>
> installed xtables-addons version 1.39
> http://xtables-addons.sourceforge.net/
>
> installed ipset version: 6.11
> http://ipset.netfilter.org/
>
> # shorewall show capabilities | grep -i ipset
> ipset V5: Not available

What is the output of

ipset --version

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

--- On Fri, 3/23/12, Mr Dash Four <mr.dash.four@googlemail.com> wrote:

> > # ipset version
> > ipset v6.11, protocol version: 6
> >
> It looks as though ipset is functioning properly. The only thing I can
> think of is if your PATH is not set up properly or your "IPSET" option
> in shorewall.conf is wrong.

# grep -i ipset /etc/shorewall/shorewall.conf
IPSET=
SAVE_IPSETS=No

# grep -i path /etc/shorewall/shorewall.conf
CONFIG_PATH="/etc/shorewall:/usr/share/shorewall"
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin"

# which ipset
/usr/sbin/ipset

> statement in your shorewall "init" as a test

will try that asap.

Thanks for the help.

Vieri

--- On Fri, 3/23/12, Tom Eastep <teastep@shorewall.net> wrote:

> What is the output of
>
> ipset --version

# ipset --version
ipset v6.11, protocol version: 6

> > statement in your shorewall "init" as a test
> >
> will try that asap.
>
If this works as expected, try using the same ipset you defined in "init" (test-net) in a "rules" statement, say "ACCEPT net:+test-net $FW" (provided you have a "net" zone defined; if not, use any of the zones you have defined in the "zones" file) and see if that works. If shorewall compiles without any errors, then check your net2fw chain (shorewall show net2fw) to make sure that test-net is included in that chain. If you can see that as well, then there is definitely something wrong with the capabilities generation on your machine. Try this:

shorewall show -f capabilities | grep IPSET

and post the result here.

--- On Fri, 3/23/12, Mr Dash Four <mr.dash.four@googlemail.com> wrote:

> > (I think "hash:ip" is what shorewall uses by default)
> >
> As far as I know there is no such thing as a "default ipset type" in
> shorewall, but I stand to be corrected if that is not the case.

I'm not sure, really, just read somewhere the following that made me think that Shorewall only supports the creation of one ipset type:

"Shorewall will create an ipset of type iphash. If you want to use a different type of ipset, such as macipmap, then you will want to manually create that ipset yourself before the next Shorewall start/restart."

Anyway, not a problem per se.

> If all of the above is satisfied, then try to include the following
> statement in your shorewall "init" as a test (you can remove it
> afterwards): "ipset n test-net hash:net family inet timeout 0 hashsize
> 64". If shorewall starts successfully and does not report any errors,

I get the following error:

ipset v6.11: Kernel error received: Invalid argument

Something must be wrong with my kernel v.2.6.37 or it doesn't support ipsets.

Thanks,
Vieri

After recompiling the kernel (same version but applied the netfilter "netlink.patch"):

# shorewall show -f capabilities | grep -i ipset
IPSET_MATCH=
OLD_IPSET_MATCH=
IPSET_V5=

I think I'm better off upgrading my kernel.

> After recompiling the kernel (same version but applied the netfilter "netlink.patch"):
>
> # shorewall show -f capabilities | grep -i ipset
> IPSET_MATCH=
> OLD_IPSET_MATCH=
> IPSET_V5=
>
> I think I'm better off upgrading my kernel.
>
Yep. One other alternative to this is to compile/install a recent version of xtables-addons, which includes ipset. There is another - 3rd - alternative, which is what I do - compile ipset (the executable in userspace) separately, but incorporate the ipset modules as a patch to your chosen kernel version - that way you don't rely on xtables-addons or the version of the kernel you are using. That's how I have been using ipset for more than 2 years now.

Good luck!

> I get the following error:
>
> ipset v6.11: Kernel error received: Invalid argument
>
> Something must be wrong with my kernel v.2.6.37 or it doesn't support ipsets.
>
From what I remember, 2.6.37 does not have *any* ipset support at all - you have to either use xtables-addons or build ipset (the userspace executable) separately and patch the kernel and then recompile it (the latter is what I do as I build/test the kernel more often than I compile/install ipsets).

On 26/03/2012 14:39, Mr Dash Four wrote:
>> I get the following error:
>>
>> ipset v6.11: Kernel error received: Invalid argument
>>
>> Something must be wrong with my kernel v.2.6.37 or it doesn't support ipsets.
>>
> From what I remember, 2.6.37 does not have *any* ipset support at all -
> you have to either use xtables-addons or build ipset (the userspace
> executable) separately and patch the kernel and then recompile it (the
> latter is what I do as I build/test the kernel more often than I
> compile/install ipsets).
>
Hi, I'm not sure that using xtables-addons is the best advice here? I believe that's the really old code?

I *think* that for reasonably recent kernels (>=2.6.34 ?) you should just grab the ipset sources, patch your kernel as described and rebuild, plus build the userspace utility (note that you need kernel changes for kernels < 2.6.39).

See the instructions:
http://ipset.netfilter.org/install.html

Also see the README in the download for more details.

With regards to creating ipsets, you may need to create these in /etc/shorewall/init (apologies for hard coded paths...). e.g. I have:

    if [ "$COMMAND" = start ]; then
        # Create ipset for captive portal on br0
        ipset create cp bitmap:ip,mac range 192.168.1.1/24
    fi

In this case you have two variables needed for matching this particular ipset, so for example in any rules you will need to use "cp[2]" as your specification.

Just try all this stuff at the command line first to check it's working. It's not hard.

    ipset list
    ipset add cp 192.168.1.1,11:22:33:44:55:66

etc.

Good luck

Ed W

> Hi, I'm not sure that using xtables-addons is the best advice here? I
> believe that's the really old code?
>
No, it is not! The most recent xtables-addons (1.41, I think) has ipset 6.11, which is the latest version.

> I *think* that for reasonably recent kernels (>=2.6.34 ?) you should
> just grab the ipset sources, patch your kernel as described and
> rebuild, plus build the userspace utility (note that you need kernel
> changes for kernels < 2.6.39)
>
> See the instructions:
> http://ipset.netfilter.org/install.html
>
For someone who is unwilling to mess about with kernel patching and compiling, the best option is to use xtables-addons; that is what I always advise. Messing about with the kernel source isn't for everyone.

> With regards to creating ipsets, you may need to create these in
> /etc/shorewall/init (apologies for hard coded paths...). e.g. I have:
>
> if [ "$COMMAND" = start ]; then
>     # Create ipset for captive portal on br0
>     ipset create cp bitmap:ip,mac range 192.168.1.1/24
> fi
>
Nope! What happens if you have, say, a hundred ipsets to define, what then? I use a different script, taking full advantage of the restore option - that way my ipsets are defined separately and I execute ipset once to restore the whole lot and it happens in an instant, no need for multiple executions.

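The two approaches in the last two messages, combined as an added example that is not code from Shorewall, ipset or either poster: the sets are kept in one definition list and loaded with a single "ipset restore", as Mr Dash Four describes, so /etc/shorewall/init makes one ipset call whether there are three sets or a hundred. The set names, types and members are constructed sample data; gen_ipset_restore, count_members and load_ipsets are assumed helper names; the loader relies on the -exist option of ipset 6.x so a restart does not fail on sets that already exist.

```sh
#!/bin/sh
# Added example (not Shorewall or ipset project code): build an
# "ipset restore" stream from a compact definition list and load it in
# one ipset invocation instead of one "ipset create" per set.
#
# Definition list, one set per line (constructed sample data):
#   name|type|create options|member member ...
SETDEFS='
blocklist|hash:net|family inet hashsize 1024 maxelem 65536|203.0.113.0/24 198.51.100.7
admins|hash:ip|family inet|192.0.2.10 192.0.2.11
cp|bitmap:ip,mac|range 192.168.1.0/24|192.168.1.1,11:22:33:44:55:66
'

# gen_ipset_restore: print SETDEFS in "ipset restore" syntax.
# "flush" right after "create" drops stale members on a restart; the
# -exist option given to ipset itself (see load_ipsets) turns "create"
# of an already existing set into a no-op instead of an error.
gen_ipset_restore() {
    printf '%s\n' "$SETDEFS" | while IFS='|' read -r name type opts members; do
        [ -n "$name" ] || continue          # skip the blank lines
        printf 'create %s %s %s\n' "$name" "$type" "$opts"
        printf 'flush %s\n' "$name"
        for m in $members; do
            printf 'add %s %s\n' "$name" "$m"
        done
    done
}

# count_members SET: number of "add" lines generated for one set,
# a cheap sanity check before anything touches the kernel.
count_members() {
    gen_ipset_restore | grep -c "^add $1 "
}

# load_ipsets: feed the whole list to ipset once. Intended to be called
# from /etc/shorewall/init, e.g.:
#   if [ "$COMMAND" = start ] || [ "$COMMAND" = restart ]; then load_ipsets; fi
load_ipsets() {
    command -v ipset >/dev/null 2>&1 || { echo "ipset not in PATH" >&2; return 1; }
    gen_ipset_restore | ipset -exist restore
}
```

Because the whole list goes through one restore, a typo in any line aborts the load before Shorewall starts compiling rules, which is easier to spot than a single failed create among many.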
OK, so it seems to be clear now. One simple way is to do the following:

1) upgrade to kernel >= 2.6.39 and compile it with ipset and xtables support
2) install ipset v.6 (no kernel patching and rebuilding required) for userspace tools
3) no need to install xtables-addons.

Thanks,
Vieri

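A check for the state the thread ends in, added here as an example and not Shorewall or ipset project code: it verifies that a kernel config carries the in-tree ipset options (CONFIG_IP_SET, the CONFIG_NETFILTER_XT_SET match that iptables needs, and the hash:ip and hash:net set types) and then repeats the runtime probes used earlier in the thread (ipset in PATH, its protocol version, and whether the "set" match is loaded). The function names, the REQUIRED_OPTS list and the constructed sample config in demo are assumptions; the option names are those of the ipset merged into the kernel in 2.6.39, and the /proc/net/ip_tables_matches probe assumes ip_tables is loaded.

```sh
#!/bin/sh
# Added example (not Shorewall or ipset project code): does this kernel
# build carry in-tree ipset, and does the running system expose it?

# Minimum set of options for the thread's use case (assumption: hash:ip
# and hash:net are the types most Shorewall rules need).
REQUIRED_OPTS="CONFIG_IP_SET CONFIG_NETFILTER_XT_SET CONFIG_IP_SET_HASH_IP CONFIG_IP_SET_HASH_NET"

# check_ipset_kconfig FILE: one "ok"/"MISSING" line per option; returns 0
# only when every option is built in (=y) or a module (=m).
check_ipset_kconfig() {
    cfg=$1
    rc=0
    for opt in $REQUIRED_OPTS; do
        if grep -Eq "^${opt}=[ym]\$" "$cfg"; then
            echo "$opt ok"
        else
            echo "$opt MISSING"
            rc=1
        fi
    done
    return $rc
}

# kconfig_path: locate the running kernel's config. /proc/config.gz needs
# CONFIG_IKCONFIG_PROC; most distributions ship /boot/config-<release>.
# Prints the path of a readable plain-text copy, or nothing.
kconfig_path() {
    if [ -r /proc/config.gz ]; then
        t=$(mktemp) && zcat /proc/config.gz > "$t" && echo "$t"
    elif [ -r "/boot/config-$(uname -r)" ]; then
        echo "/boot/config-$(uname -r)"
    fi
}

# probe_ipset_runtime: the checks from the thread in one place.
probe_ipset_runtime() {
    command -v ipset >/dev/null 2>&1 || { echo "ipset: not in PATH"; return 1; }
    ipset --version
    # The "set" match is listed here once xt_set is loaded (assumption:
    # ip_tables is loaded and exposes /proc/net/ip_tables_matches).
    if grep -qx set /proc/net/ip_tables_matches 2>/dev/null; then
        echo "xt_set match: loaded"
    else
        echo "xt_set match: not loaded (try: modprobe xt_set)"
    fi
}

# demo: constructed config that has ipset but not the iptables set match,
# the case where "ipset create" works yet Shorewall cannot use the set.
demo() {
    tmp=$(mktemp)
    printf 'CONFIG_IP_SET=m\nCONFIG_IP_SET_HASH_IP=m\nCONFIG_IP_SET_HASH_NET=m\n' > "$tmp"
    if check_ipset_kconfig "$tmp"; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return $rc
}

# Usage: "sh ipsetcheck.sh demo" for the constructed sample,
#        "sh ipsetcheck.sh live" to check the running system.
if [ "${1:-}" = demo ]; then
    demo
elif [ "${1:-}" = live ]; then
    cfg=$(kconfig_path) && [ -n "$cfg" ] && check_ipset_kconfig "$cfg"
    probe_ipset_runtime
fi
```

When the config check passes but "ipset create" still reports "Kernel error received: Invalid argument", the userspace tool and the running kernel disagree; confirm with uname -r that the kernel that was compiled is the one that booted before rebuilding anything.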