Menu
▾
▴
Re: [Shorewall-users] shorewall 4.4.10 failing to start; won't recognize ipset "capability"
|
From: John B. <bre...@gm...> - 2010-06-17 05:23:27
|
On Wed, 16 Jun 2010 21:55:05 -0700
Tom Eastep <te...@sh...> wrote:
> First of all, you can most likely work around this problem by
> executing this command:
>
> shorewall show -f capabilities > /etc/shorewall/capabilities
My apoligies if I shouldn't have replied to the whole list with this.
Yes, indeed, that eliminates the problem, and it is now working just
fine. (Deleted the file for the debugging session listed below.)
> - Since 4.2.11, we've added an IPSET option in shorewall.conf; please
> try setting that to the path to your ipset binary and see if that
> corrects the problem.
I have explicit paths for all the executables, and I already
double-checked that.
> - If that doesn't work then you will need to do a little debugging:
>
> shorewall check -d
>
> The Perl debugger will prompt you; at the prompt, enter:
>
> b Shorewall::Config::IPSet_Match
>
> then
>
> c
>
> When the debugger prompts again, enter 'n' at each prompt
> until the IPSET_Match subroutine is exited; then enter 'c'.
-----------------------------------------------------------------------
twister shorewall # shorewall check -d
Checking...
Loading DB routines from perl5db.pl version 1.28
Editor support available.
Enter h or `h h' for help, or `man perldebug' for more help.
Shorewall::Config::CODE(0x125dfff8)(/usr/share/shorewall/Shorewall/Config.pm:697):
697: for ( qw/root system command files destination/ ) {
DB<1> b Shorewall::Config::IPSet_Match
DB<2> c
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Shorewall::Config::IPSet_Match(/usr/share/shorewall/Shorewall/Config.pm:2351):
2351: my $ipset = $config{IPSET} || 'ipset';
DB<2> n
Shorewall::Config::IPSet_Match(/usr/share/shorewall/Shorewall/Config.pm:2352):
2352: my $result = 0;
DB<2> n
Shorewall::Config::IPSet_Match(/usr/share/shorewall/Shorewall/Config.pm:2354):
2354: $ipset = which $ipset unless $ipset =~ '//';
DB<2> n
Shorewall::Config::IPSet_Match(/usr/share/shorewall/Shorewall/Config.pm:2356):
2356: if ( $ipset && -x $ipset ) {
DB<2> n
Shorewall::Config::IPSet_Match(/usr/share/shorewall/Shorewall/Config.pm:2369):
2369: $result;
DB<2> n
Shorewall::Config::determine_capabilities(/usr/share/shorewall/Shorewall/Config.pm:2576):
2576: $capabilities{USEPKTTYPE} =
detect_capability( 'USEPKTTYPE' ); DB<2> c
Checking /etc/shorewall/zones...
Checking /etc/shorewall/interfaces...
Determining Hosts in Zones...
Preprocessing Action Files...
Pre-processing /usr/share/shorewall/action.Drop...
Pre-processing /usr/share/shorewall/action.Reject...
Checking /etc/shorewall/policy...
Processing /etc/shorewall/initdone...
Checking /etc/shorewall/blacklist...
ERROR: ipset names in Shorewall configuration files require Ipset
Match in your kernel and iptables : /etc/shorewall/blacklist (line 24)
at /usr/share/shorewall/Shorewall/Config.pm line 786
Shorewall::Config::fatal_error('ipset names in Shorewall configuration
files require Ipset Ma...') called
at /usr/share/shorewall/Shorewall/Config.pm line 2605
Shorewall::Config::require_capability('IPSET_MATCH', 'ipset names in
Shorewall configuration files', '') called
at /usr/share/shorewall/Shorewall/Chains.pm line 2496
Shorewall::Chains::match_source_net('+rfc1918', 0) called
at /usr/share/shorewall/Shorewall/Chains.pm line 3411
Shorewall::Chains::expand_rule('HASH(0x12daf25c)', 0, '',
'+rfc1918!10.217.128.1', '', '', '-j blacklog', '', 'DROP', ...) called
at /usr/share/shorewall/Shorewall/Rules.pm line 266
Shorewall::Rules::setup_blacklist() called
at /usr/share/shorewall/Shorewall/Rules.pm line 461
Shorewall::Rules::add_common_rules() called
at /usr/share/shorewall/Shorewall/Compiler.pm line 651
Shorewall::Compiler::compiler('script', '', 'directory', '',
'verbosity', 1, 'timestamp', 0, 'debug', ...) called
at /usr/share/shorewall/compiler.pl line 111 Debugged program
terminated. Use q to quit or R to restart, use o inhibit_exit to avoid
stopping after program termination, h q, h R or h o to get additional
info. DB<2>
---------------------------------------------------------------------------------
In case you are curious, the reason for the rfc1918 ipset is because my
ISP actually uses rfc1918 addresses for its dhcp servers. This allows
me to easily restrict the traffic with exceptions. The other ipsets
are much larger.
Thanks for your help.
|