Thomas D.
2014-Jul-18 22:50 UTC
"ERROR: ipset names in Shorewall configuration files require Ipset Match in your kernel and iptables" with 3.14.13 kernel
Hi,

strange problem: All I did was upgrade a box from the linux-3.10.49 to the linux-3.14.13 kernel. But with 3.14.13, shorewall6 doesn't start:

> # shorewall6 safe-restart
> Compiling...
> Processing /etc/shorewall6/params ...
> Processing /etc/shorewall6/shorewall6.conf...
> Loading Modules...
> Compiling /etc/shorewall6/zones...
> Compiling /etc/shorewall6/interfaces...
> Determining Hosts in Zones...
> Locating Action Files...
> Compiling /etc/shorewall6/policy...
> Compiling TCP Flags filtering...
> Compiling MAC Filtration -- Phase 1...
> Compiling /etc/shorewall6/blrules...
> ERROR: ipset names in Shorewall configuration files require Ipset Match in your kernel and iptables /etc/shorewall6/blrules (line 12)

That's funny because shorewall (the ipv4 version) on the same system works! And the blrules file is 100% identical:

BLACKLIST net:+blacklist $FW

> # ipset list blacklist
> Name: blacklist
> Type: list:set
> Revision: 2
> Header: size 8
> Size in memory: 112
> References: 1
> Members:
> blacklist4
> blacklist6

If I reboot into 3.10.49 shorewall6 works again.

shorewall6 show -f capabilities between 3.10.49 and 3.14.13 doesn't show a difference:

> --- /root/capas-3.10.49.txt 2014-07-19 00:26:36.176612168 +0200
> +++ /root/capas-3.14.13.txt 2014-07-19 00:34:30.775595947 +0200
> @@ -1,5 +1,5 @@
> #
> -# Shorewall6 4.5.21.10 detected the following iptables/netfilter capabilities - Sat Jul 19 00:26:36 CEST 2014
> +# Shorewall6 4.5.21.10 detected the following iptables/netfilter capabilities - Sat Jul 19 00:34:30 CEST 2014
> #
> ACCOUNT_TARGET
> ADDRTYPE
> @@ -41,7 +41,7 @@
> IPTABLES_S=Yes
> IRC0_HELPER
> IRC_HELPER
> -KERNELVERSION=31049
> +KERNELVERSION=31413
> KLUDGEFREE=Yes
> LENGTH_MATCH=Yes
> LOGMARK_TARGET

> # grep -i ipset ~/capas-3.14.13.txt
> IPSET_MATCH=Yes
> IPSET_V5=Yes
> OLD_IPSET_MATCH

Versions:
- Shorewall6 4.5.21.10
- ipset v6.21.1
- iptables v1.4.21

3.14.13 kernel cfg: http://bpaste.net/show/476344/

As said, it is the same config as I am using with 3.10.49... only with "make oldconfig"...

I really don't understand what's going on because I have other boxes where I did the same without any problems.

Any hints/ideas?

-Thomas