jen142@promessage.com
2013-Dec-17 17:56 UTC
How to locally compile blrules with ipsets that exist only at runtime on the remote?
I've installed
shorewall version
4.5.21.4
Reading up
@ http://www.shorewall.net/upgrade_issues.htm#idp3157976
"
...
Versions >= 4.5.0
...
The BLACKLIST section of the rules file has been
eliminated. If you have entries in that file section,
you must move them to the blrules file."
...
"
@ http://shorewall.net/blacklisting_support.htm#idp2730648
"
...
Rule-based Blacklisting
Beginning with Shorewall 4.4.25, the preferred method of
blacklisting and whitelisting is to use the blrules file
(shorewall-blrules (5)). There you have access to the
DROP, ACCEPT, REJECT and WHITELIST actions, standard and
custom macros as well as standard and custom actions.
See shorewall-rules (5) for details.
...
"
@ http://shorewall.net/manpages/shorewall-rules.html
"
...
SOURCE -
{zone|zone-list[+]|{all|any}[+][-]}[:interface][:{address-or-range[,address-or-range]...[exclusion]|exclusion|+ipset|^countrycode-list}
...
If your kernel and iptables have ipset match support
then you may give the name of an ipset prefaced by "+".
...
"
I configure one IPSET-containing blrule,
cat blrules
#ACTION SOURCE DEST
DROP +TEST_IPSET all
The IPSET is a run-time defined IPSET. I.e., it exists, pre-defined on
the remote, not locally on the admin
@ remote
ipset -L | grep -i TEST_IPSET
Name: TEST_IPSET
@ local admin
ipset -L | grep -i TEST_IPSET
When I try to compile it for remote installation
shorewall load test.gateway.int
Compiling...
Processing /home/jenl/shorewall/params ...
Processing /home/jenl/shorewall/shorewall.conf...
Shorewall has detected the following capabilities:
...
Compiling /home/jenl/shorewall/zones...
Compiling /home/jenl/shorewall/interfaces...
Interface "net eth0 dhcp,tcpflags,logmartians,nosmurfs" Validated
Determining Hosts in Zones...
fw (firewall)
net (ipv4)
eth0:0.0.0.0/0
Locating Action Files...
Compiling /home/jenl/shorewall/policy...
Policy for net to fw is DROP using chain net2all
Policy for fw to net is REJECT using chain all2all
Policy for net to fw is REJECT using chain all2all
Running /home/jenl/shorewall/initdone...
Adding Anti-smurf Rules
Adding rules for DHCP
Compiling TCP Flags filtering...
Compiling Kernel Route Filtering...
Compiling Martian Logging...
Compiling MAC Filtration -- Phase 1...
Compiling /home/jenl/shorewall/blrules...
ERROR: Unknown source zone (+TEST_IPSET)
/home/jenl/shorewall/blrules (line 2)
How do I get this to compile correctly to be 'run-time' aware,
without
having to create each remote's IPSETs locally on the admin instance?
Is there a toggle/flag that can identify an IPSET as compile-time
(locally defined) vs run-time (defined at remote)?
Tom Eastep
2013-Dec-17 20:18 UTC
Re: How to locally compile blrules with ipsets that exist only at runtime on the remote?
On 12/17/2013 9:56 AM, jen142@promessage.com wrote:
> I've installed
>
> shorewall version
> 4.5.21.4
>
> Reading up
>
> I configure one IPSET-containing blrule,
>
> cat blrules
> #ACTION SOURCE DEST
> DROP +TEST_IPSET all

You must use correct syntax. If you are only blacklisting hosts in the net zone, then the rule would be:

#ACTION SOURCE DEST
DROP net:+TEST_IPSET all

> The IPSET is a run-time defined IPSET. I.e., it exists, pre-defined on
> the remote, not locally on the admin
>
> @ remote
> ipset -L | grep -i TEST_IPSET
> Name: TEST_IPSET
>
> @ local admin
> ipset -L | grep -i TEST_IPSET
>
>
> When I try to compile it for remote installation
>
> shorewall load test.gateway.int
> Compiling...
> Compiling /home/jenl/shorewall/blrules...
> ERROR: Unknown source zone (+TEST_IPSET)
> /home/jenl/shorewall/blrules (line 2)
>
> How do I get this to compile correctly to be 'run-time' aware, without
> having to create each remote's IPSETs locally on the admin instance?
>
> Is there a toggle/flag that can identify an IPSET as compile-time
> (locally defined) vs run-time (defined at remote)?

No.

-Tom
--
Tom Eastep          \ When I die, I want to go like my Grandfather who
Shoreline,           \ died peacefully in his sleep. Not screaming like
Washington, USA       \ all of the passengers in his car
http://shorewall.net   \________________________________________________
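The error in the question is a parsing problem, not a missing-ipset problem: the compiler reads everything before the first ':' in the SOURCE column as a zone name, so a bare "+TEST_IPSET" is looked up as a zone and rejected. With the zone in front (net:+TEST_IPSET), the compile on the admin host does not need the set at all; the generated iptables rules reference the set by name, and it is the remote that must have it when the rules are loaded. The script below is an added example, not part of this thread and not Shorewall's own tooling: a small pre-compile lint over a constructed blrules file that flags SOURCE entries carrying an ipset, country list or address without a zone prefix. The sample contents, variable names and function name are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or from Shorewall): a pre-compile lint
# for the SOURCE column of a blrules file. Shorewall reads everything before
# the first ':' as the zone, so a bare "+TEST_IPSET" is looked up as a zone
# name and fails with "Unknown source zone". The ipset itself only has to
# exist on the host where the compiled rules are loaded.

# Constructed sample in blrules layout (ACTION SOURCE DEST). Line 2 is the
# rule from the question, line 3 the corrected form from the reply; line 4
# shows the same mistake with a plain address.
SAMPLE_BLRULES='#ACTION SOURCE DEST
DROP +TEST_IPSET all
DROP net:+TEST_IPSET all
DROP 198.51.100.0/24 all
WHITELIST net:192.0.2.10 all
DROP net all'

# Constructed sample with every SOURCE correctly qualified.
GOOD_BLRULES='#ACTION SOURCE DEST
DROP net:+TEST_IPSET all
WHITELIST net:192.0.2.10 all'

# lint_blrules_sources FILE_CONTENT
# Prints one line per rule whose SOURCE is an ipset (+name), a country list
# (^CC) or an address (starts with a digit) without a "zone:" prefix.
# Exit status is 1 when at least one such rule exists, 0 otherwise.
# Zone names must start with a letter, so anything starting with '+', '^'
# or a digit cannot be a zone. Line numbers count from the top of the file,
# matching the "(line N)" the compiler reports.
lint_blrules_sources() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            src = $2
            if (src !~ /:/ && src ~ /^[+^0-9]/) {
                printf "line %d: SOURCE %s has no zone prefix\n", NR, src
                bad++
            }
        }
        END { if (bad > 0) exit 1; exit 0 }'
}

# Usage: run the lint before handing the file to "shorewall load".
lint_blrules_sources "$SAMPLE_BLRULES" \
    || echo "fix the flagged SOURCE entries before compiling"
```

Run on the constructed sample it reports line 2 (the +TEST_IPSET rule) and line 4 (the bare address), and is silent on the file whose sources are all zone-qualified. The check only covers the syntax the compiler enforces; whether TEST_IPSET is actually present on the remote at load time is still something to verify on that host (the ipset -L from the question does exactly that).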