From: John B. <bre...@gm...> - 2010-06-17 05:23:27
On Wed, 16 Jun 2010 21:55:05 -0700 Tom Eastep <te...@sh...> wrote:

> First of all, you can most likely work around this problem by
> executing this command:
>
> shorewall show -f capabilities > /etc/shorewall/capabilities

My apologies if I shouldn't have replied to the whole list with this.

Yes, indeed, that eliminates the problem, and it is now working just fine. (Deleted the file for the debugging session listed below.)

> - Since 4.2.11, we've added an IPSET option in shorewall.conf; please
> try setting that to the path to your ipset binary and see if that
> corrects the problem.

I have explicit paths for all the executables, and I already double-checked that.

> - If that doesn't work then you will need to do a little debugging:
>
> shorewall check -d
>
> The Perl debugger will prompt you; at the prompt, enter:
>
> b Shorewall::Config::IPSet_Match
>
> then
>
> c
>
> When the debugger prompts again, enter 'n' at each prompt
> until the IPSET_Match subroutine is exited; then enter 'c'.

-----------------------------------------------------------------------
twister shorewall # shorewall check -d
Checking...
Loading DB routines from perl5db.pl version 1.28
Editor support available.

Enter h or `h h' for help, or `man perldebug' for more help.

Shorewall::Config::CODE(0x125dfff8)(/usr/share/shorewall/Shorewall/Config.pm:697):
697:        for ( qw/root system command files destination/ ) {
  DB<1> b Shorewall::Config::IPSet_Match
  DB<2> c
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Shorewall::Config::IPSet_Match(/usr/share/shorewall/Shorewall/Config.pm:2351):
2351:       my $ipset = $config{IPSET} || 'ipset';
  DB<2> n
Shorewall::Config::IPSet_Match(/usr/share/shorewall/Shorewall/Config.pm:2352):
2352:       my $result = 0;
  DB<2> n
Shorewall::Config::IPSet_Match(/usr/share/shorewall/Shorewall/Config.pm:2354):
2354:       $ipset = which $ipset unless $ipset =~ '//';
  DB<2> n
Shorewall::Config::IPSet_Match(/usr/share/shorewall/Shorewall/Config.pm:2356):
2356:       if ( $ipset && -x $ipset ) {
  DB<2> n
Shorewall::Config::IPSet_Match(/usr/share/shorewall/Shorewall/Config.pm:2369):
2369:       $result;
  DB<2> n
Shorewall::Config::determine_capabilities(/usr/share/shorewall/Shorewall/Config.pm:2576):
2576:       $capabilities{USEPKTTYPE} = detect_capability( 'USEPKTTYPE' );
  DB<2> c
Checking /etc/shorewall/zones...
Checking /etc/shorewall/interfaces...
Determining Hosts in Zones...
Preprocessing Action Files...
   Pre-processing /usr/share/shorewall/action.Drop...
   Pre-processing /usr/share/shorewall/action.Reject...
Checking /etc/shorewall/policy...
Processing /etc/shorewall/initdone...
Checking /etc/shorewall/blacklist...
   ERROR: ipset names in Shorewall configuration files require Ipset Match in your kernel and iptables : /etc/shorewall/blacklist (line 24) at /usr/share/shorewall/Shorewall/Config.pm line 786
        Shorewall::Config::fatal_error('ipset names in Shorewall configuration files require Ipset Ma...') called at /usr/share/shorewall/Shorewall/Config.pm line 2605
        Shorewall::Config::require_capability('IPSET_MATCH', 'ipset names in Shorewall configuration files', '') called at /usr/share/shorewall/Shorewall/Chains.pm line 2496
        Shorewall::Chains::match_source_net('+rfc1918', 0) called at /usr/share/shorewall/Shorewall/Chains.pm line 3411
        Shorewall::Chains::expand_rule('HASH(0x12daf25c)', 0, '', '+rfc1918!10.217.128.1', '', '', '-j blacklog', '', 'DROP', ...) called at /usr/share/shorewall/Shorewall/Rules.pm line 266
        Shorewall::Rules::setup_blacklist() called at /usr/share/shorewall/Shorewall/Rules.pm line 461
        Shorewall::Rules::add_common_rules() called at /usr/share/shorewall/Shorewall/Compiler.pm line 651
        Shorewall::Compiler::compiler('script', '', 'directory', '', 'verbosity', 1, 'timestamp', 0, 'debug', ...) called at /usr/share/shorewall/compiler.pl line 111
Debugged program terminated.  Use q to quit or R to restart,
  use o inhibit_exit to avoid stopping after program termination,
  h q, h R or h o to get additional info.
  DB<2>
---------------------------------------------------------------------------------

In case you are curious, the reason for the rfc1918 ipset is that my ISP actually uses RFC 1918 addresses for its DHCP servers. This allows me to easily restrict the traffic with exceptions. The other ipsets are much larger.

Thanks for your help.
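Added illustration, not part of the message above and not Shorewall code: a Python model of the four lines of Shorewall::Config::IPSet_Match that the debugger stepped through (Config.pm 2351-2356). The transcript shows the probe skipping straight from line 2356 to line 2369, i.e. the `if ( $ipset && -x $ipset )` body was never entered even though an explicit path was configured. One property of the quoted code is visible on the page itself: in Perl, `$ipset =~ '//'` uses the string `//` as the pattern, which only matches two consecutive slashes, so a normal absolute path such as `/usr/sbin/ipset` fails the test and is handed to `which` anyway. The shape of Shorewall's own `which` is not shown on the page; the model below assumes it walks `$PATH` and returns `"$dir/$prog"` for the first executable hit (an assumption, marked in the code). The model lets you compare the probe's outcome for an unset IPSET, an absolute IPSET under the quoted `'//'` pattern, and the same path under a single-slash pattern.

```python
"""Model of the IPSet_Match probe quoted in the thread (Config.pm lines 2351-2356).

Added example, not Shorewall code. Assumption: Shorewall::Config::which walks
$PATH and returns "$dir/$prog" for the first executable hit, '' otherwise.
"""
import os
import re
import tempfile


def which(prog, path):
    # Assumed shape of Shorewall::Config::which: try each PATH entry in turn.
    # An absolute `prog` is glued onto each entry unchanged ("<dir>//usr/sbin/ipset").
    for d in path.split(':'):
        candidate = f"{d}/{prog}"
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return ''


def ipset_match(config_ipset, path, pattern='//'):
    """Mirror of the quoted Perl:
         my $ipset = $config{IPSET} || 'ipset';
         $ipset = which $ipset unless $ipset =~ '//';
         if ( $ipset && -x $ipset ) { ... }
    `pattern` is the string Perl would use as the regex; the page shows '//'.
    Returns True when the probe would enter the if-body (IPSET_MATCH detected)."""
    ipset = config_ipset or 'ipset'
    if re.search(pattern, ipset) is None:
        ipset = which(ipset, path)
    return bool(ipset) and os.access(ipset, os.X_OK)


def _fake_ipset(directory):
    # Constructed stand-in for an ipset binary: any executable file satisfies -x.
    binary = os.path.join(directory, 'ipset')
    with open(binary, 'w') as fh:
        fh.write('#!/bin/sh\nexit 0\n')
    os.chmod(binary, 0o755)
    return binary


def demo():
    """Probe outcomes for the ways IPSET can be configured."""
    with tempfile.TemporaryDirectory() as sbin:
        binary = _fake_ipset(sbin)
        return {
            # IPSET unset, binary on PATH: which() finds it, probe succeeds.
            'unset_on_path': ipset_match('', sbin),
            # IPSET unset, binary not on PATH: nothing to find.
            'unset_off_path': ipset_match('', '/nonexistent'),
            # IPSET set to an absolute path: '//' never matches a single slash,
            # so the absolute path is fed to which(), which glues it onto each
            # PATH entry and finds nothing, even with the binary's own dir on PATH.
            'absolute_path_slashslash': ipset_match(binary, sbin),
            # Same config with a single-slash pattern: the path is used as-is.
            'absolute_path_slash': ipset_match(binary, sbin, pattern='/'),
        }


if __name__ == '__main__':
    for name, detected in demo().items():
        print(f"{name:26s} IPSET_MATCH={'yes' if detected else 'no'}")
```

Two practical points follow from the transcript. First, the stack trace shows the probe's result is enforced at compile time: `require_capability('IPSET_MATCH', ...)` aborts `shorewall check` rather than emitting a ruleset that silently lacks the `+rfc1918` match, so a failed probe fails closed. Second, the `shorewall show -f capabilities > /etc/shorewall/capabilities` workaround replaces the run-time probe with a static file; it removes the false negative, but it also freezes the answer, so that file should be regenerated (or removed) after a kernel, iptables or ipset upgrade, otherwise Shorewall will keep compiling rules for whatever the box supported on the day the file was written.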