Bug 324423 - net-firewall/shorewall-4.4.10 won't start, fails to recognize ipset capability
Summary: net-firewall/shorewall-4.4.10 won't start, fails to recognize ipset capability
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Core system
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Netmon project
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2010-06-17 03:36 UTC by Boney McCracker
Modified: 2011-02-12 16:49 UTC
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---


Attachments
tentative 4.4.10-fix-ipset.patch (4.4.10-fix-ipset.patch,426 bytes, patch)
2010-06-17 20:41 UTC, Boney McCracker

Description Boney McCracker 2010-06-17 03:36:48 UTC
I use ipsets in my blacklist and in some rules.  This has been working for years.

With the upgrade to 4.4.10, a shorewall check (or shorewall start) errors out, stating that the kernel and iptables must have ipset capability (because it found an ipset at <first location encountered>).

I have confirmed that ipset capability is present (shorewall reports it as present, and lsmod shows the modules are loaded).

I have found no information pertaining to this on the shorewall mailing lists.



Reproducible: Always

Steps to Reproduce:
For simplicity in demonstrating the problem:

a) I have commented out all entries in /etc/shorewall/blacklist which contain an ipset.

b) I have commented out all entries in /etc/shorewall/rules which contain an ipset, *except one* (on line 16 of the file).


Actual Results:  
-----------------------------------------------------------------------------
# shorewall check
Checking...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Checking /etc/shorewall/zones...
Checking /etc/shorewall/interfaces...
Determining Hosts in Zones...
Preprocessing Action Files...
   Pre-processing /usr/share/shorewall/action.Drop...
   Pre-processing /usr/share/shorewall/action.Reject...
Checking /etc/shorewall/policy...
Processing /etc/shorewall/initdone...
Checking /etc/shorewall/blacklist...
Adding Anti-smurf Rules
Adding rules for DHCP
Checking TCP Flags filtering...
Checking ARP Filtering...
Checking /etc/shorewall/tcdevices...
Checking /etc/shorewall/tcclasses...
Checking /etc/shorewall/tcrules...
Checking /etc/shorewall/masq...
Checking MAC Filtration -- Phase 1...
Checking /etc/shorewall/rules...
   ERROR: ipset names in Shorewall configuration files require Ipset Match in your kernel and iptables : /etc/shorewall/rules (line 16)
------------------------------------------------------------------------------


The 'shorewall start' command produces similar output, starting normally but terminating abruptly with:
-----------------------------------------------------------------------------
Compiling /etc/shorewall/rules...
   ERROR: ipset names in Shorewall configuration files require Ipset Match in your kernel and iptables : /etc/shorewall/rules (line 16)
-----------------------------------------------------------------------------


Also, note that shorewall reports ipset capability is present:
------------------------------------------------------------------------------
# shorewall show -f capabilities | grep IPSET
IPSET_MATCH=Yes

# shorewall show capabilities | grep Ipset
   Ipset Match: Available
-----------------------------------------------------------------------------


As you can see, ipset modules are loaded:
-----------------------------------------------------------------------------
# lsmod
Module                  Size  Used by
ipt_set                  843  9 
ipt_SET                 1012  0 
ip_set_iptreemap        7504  0 
ip_set_iptree           4068  0 
ip_set_ipporthash       6780  0 
ip_set_portmap          2358  0 
ip_set_macipmap         2198  0 
ip_set_ipmap            2226  0 
ip_set_setlist          2444  1 
ip_set_nethash          7396  4 
ip_set_iphash           5756  1 
ip_set                  9944  20 ipt_set,ipt_SET,ip_set_iptreemap,ip_set_iptree,ip_set_ipporthash,ip_set_portmap,ip_set_macipmap,ip_set_ipmap,ip_set_setlist,ip_set_nethash,ip_set_iphash
-----------------------------------------------------------------------------

So obviously ipset support is enabled in the kernel.  As to ipset support in iptables, it is intrinsic to recent versions of iptables (1.4.8).





Expected Results:  
Shorewall should start normally, recognizing that ipset support is present in the kernel and present in iptables, as it did in 1.4.2.11, from which I upgraded.



# emerge --info
Portage 2.1.8.3 (hardened/linux/x86, gcc-4.3.4, glibc-2.10.1-r1, 2.6.28-hardened-r9 i686)
=================================================================
System uname: Linux-2.6.28-hardened-r9-i686-Pentium_III_-Coppermine-with-gentoo-1.12.13
Timestamp of tree: Wed, 16 Jun 2010 17:15:01 +0000
ccache version 2.4 [enabled]
app-shells/bash:     4.0_p37
dev-lang/python:     2.6.4-r1, 3.1.2-r3
dev-util/ccache:     2.4-r7
sys-apps/baselayout: 1.12.13
sys-apps/sandbox:    1.6-r2
sys-devel/autoconf:  2.65
sys-devel/automake:  1.11.1
sys-devel/binutils:  2.20.1-r1
sys-devel/gcc:       4.3.4
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.6b
virtual/os-headers:  2.6.30-r1
ACCEPT_KEYWORDS="x86"
ACCEPT_LICENSE="* -@EULA"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=pentium3 -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -march=pentium3 -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests ccache distlocks fixpackages news parallel-fetch protect-owned sandbox sfperms strict unmerge-logs unmerge-orphans userfetch"
GENTOO_MIRRORS="http://gentoo.osuosl.org/ ftp://ftp.gtlib.gatech.edu/pub/gentoo http://open-systems.ufl.edu/mirrors/gentoo"
LANG="en_US.UTF-8"
LC_ALL="en_US.UTF-8"
LDFLAGS="-Wl,-O1,--hash-style=gnu"
LINGUAS="en_US en"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.namerica.gentoo.org/gentoo-portage"
USE="acpi berkdb bzip2 caps cli cracklib crypt cxx dri gpm hardened iconv mmx modules mudflap ncurses nls nptl nptlonly openmp pam pcre perl pic python readline reflection samba session spl sse ssl sysfs unicode urandom userlocales x86 xorg zlib" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LINGUAS="en_US en" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="i810" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account" 
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Comment 1 Boney McCracker 2010-06-17 05:26:20 UTC
I submitted this issue on the application's mailing list, and the author is trying to debug it.

A temporary work-around is:

shorewall show capabilities > /etc/shorewall/capabilities
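A static capabilities file freezes what Shorewall believes the kernel and iptables support, so it has to be regenerated after a kernel or iptables upgrade or the compiler will silently work from stale data. The following is an added example (not from this bug report or from Shorewall itself) that diffs a saved capabilities file against a fresh probe; it assumes the KEY=Value format that `shorewall show -f capabilities` prints (IPSET_MATCH=Yes on this page) and uses constructed sample files in place of the live outputs:

```shell
#!/bin/sh
# Added example (not from this bug report or from Shorewall): detect drift
# between a saved capabilities file and a fresh probe of the running system.
# Assumes the KEY=Value format printed by `shorewall show -f capabilities`.

# Constructed sample: /etc/shorewall/capabilities as captured at work-around time.
SAVED_CAPS=$(mktemp)
cat > "$SAVED_CAPS" <<'EOF'
# capabilities captured before the upgrade (constructed sample)
IPSET_MATCH=Yes
CONNTRACK_MATCH=Yes
OWNER_MATCH=No
EOF

# Constructed sample: a fresh probe after a kernel/iptables upgrade.
FRESH_CAPS=$(mktemp)
cat > "$FRESH_CAPS" <<'EOF'
IPSET_MATCH=No
CONNTRACK_MATCH=Yes
OWNER_MATCH=Yes
PHYSDEV_MATCH=Yes
EOF
trap 'rm -f "$SAVED_CAPS" "$FRESH_CAPS"' EXIT

# cap_value FILE KEY: print the value recorded for KEY (empty if absent).
cap_value() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# cap_drift SAVED FRESH: print "KEY saved->fresh" for every key in FRESH whose
# value differs from SAVED; return 1 if any drift was found, else 0.
cap_drift() {
    drift=0
    while IFS='=' read -r key val; do
        case "$key" in ''|'#'*) continue ;; esac   # skip blanks and comments
        saved=$(cap_value "$1" "$key")
        if [ "$saved" != "$val" ]; then
            echo "$key ${saved:-<missing>}->$val"
            drift=1
        fi
    done < "$2"
    return $drift
}

if cap_drift "$SAVED_CAPS" "$FRESH_CAPS"; then
    echo "saved capabilities still match the live system"
else
    echo "saved capabilities are stale: regenerate the file after the upgrade"
fi
```

In real use, replace the second constructed file with the redirected output of a fresh `shorewall show -f capabilities` run and compare it against the file Shorewall actually reads.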
Comment 2 Boney McCracker 2010-06-17 20:41:52 UTC
Created attachment 235797 [details, diff]
tentative 4.4.10-fix-ipset.patch

I submitted this on the shorewall-users list and walked through a debugging session with the shorewall author, Tom Eastep.

He provided me with a patch that changes one character.  The patch failed due to a path issue, but I have fixed that and attached the working version.

I have built shorewall 4.4.10 with this patch (in a local overlay), and I have tested it, and it does resolve this problem.
Comment 3 Constanze Hausner (RETIRED) gentoo-dev 2011-02-12 16:49:11 UTC
Seems to be fixed from version 4.4.11+