Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 325865

Summary: net-firewall/shorewall-3.4.8 generates errors with net-firewall/ipset-4.1
Product: Gentoo Linux Reporter: Andy Dalton <andy.dalton>
Component: Current packagesAssignee: Vieri <rentorbuy>
Status: RESOLVED INVALID    
Severity: normal CC: netmon
Priority: High    
Version: unspecified   
Hardware: AMD64   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Andy Dalton 2010-06-27 19:33:45 UTC
I'm using ipsets to maintain my list of blacklisted IP addresses, and I tie that in with shorewall.  However, now when I start the firewall, I get:

# /etc/init.d/shorewall restart
 * Restarting firewall ...
ipset v4.1: Unknown arg `-U'
Try `ipset -H' or 'ipset --help' for more information.
ipset v4.1: Unknown arg `-U'
Try `ipset -H' or 'ipset --help' for more information.                                           [ ok ]

In the file /usr/share/shorewall/compiler, I see on lines 5403 and 5404:

     ipset -U :all: :all:
     ipset -U :all: :default:

However, looking at the ipset man page, I don't see a -U option.  Perhaps it was removed/redefined?

This error message, however, doesn't seem to effect the behavior of the firewall -- things seem to continue to get blocked correctly

Reproducible: Always

Steps to Reproduce:
1. Create some ipsets:
ipset -N blacklist iphash
ipset -A blacklist <someIP>

2. Save them to /etc/shorewall/ipsets:
ipset -S > /etc/shorewall/ipset

3. Set SAVE_IPSETS=Yes in /etc/shorewall/shorewall.conf

4. Restart shorewall:
/etc/init.d/shorewall restart
Actual Results:  
 * Restarting firewall ...
ipset v4.1: Unknown arg `-U'
Try `ipset -H' or 'ipset --help' for more information.
ipset v4.1: Unknown arg `-U'
Try `ipset -H' or 'ipset --help' for more information.                                           [ ok ]

Expected Results:  
 * Restarting firewall ...                             [ ok ]
Comment 1 Andy Dalton 2010-06-28 01:04:59 UTC
I tested net-firewall/shorewall-4.4.10 and the problem is not present in that version.

Also, here's my emerge --info, if it's useful:

$ emerge --info
Portage 2.1.8.3 (default/linux/amd64/10.0, gcc-4.4.3, glibc-2.11.2-r0, 2.6.33-gentoo-r2 x86_64)
=================================================================
System uname: Linux-2.6.33-gentoo-r2-x86_64-Intel-R-_Xeon-R-_CPU_5160_@_3.00GHz-with-gentoo-1.12.13
Timestamp of tree: Sun, 27 Jun 2010 20:15:01 +0000
app-shells/bash:     4.0_p37
dev-java/java-config: 2.1.11
dev-lang/python:     2.6.5-r2, 3.1.2-r3
dev-util/cmake:      2.6.4-r3
sys-apps/baselayout: 1.12.13
sys-apps/sandbox:    1.6-r2
sys-devel/autoconf:  2.13, 2.65
sys-devel/automake:  1.9.6-r3, 1.10.3, 1.11.1
sys-devel/binutils:  2.20.1-r1
sys-devel/gcc:       4.4.3-r2
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.6b
virtual/os-headers:  2.6.30-r1
ABI="amd64"
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="*"
ACCEPT_PROPERTIES="*"
ALSA_CARDS=""
ALSA_PCM_PLUGINS=""
ANT_HOME="/usr/share/ant"
APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias auth_digest"
APACHE2_MPMS=" worker"
ARCH="amd64"
ASFLAGS_x86="--32"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CDEFINE_amd64="__x86_64__"
CDEFINE_x86="__i386__"
CFLAGS="-march=native -O2 -pipe -fomit-frame-pointer"
CFLAGS_x86="-m32"
CHOST="x86_64-pc-linux-gnu"
CHOST_amd64="x86_64-pc-linux-gnu"
CHOST_x86="i686-pc-linux-gnu"
CLEAN_DELAY="5"
COLLISION_IGNORE="/lib/modules"
CONFIG_PROTECT="/etc /usr/share/X11/xkb /usr/share/config /var/bind /var/lib/hsqldb"
CONFIG_PROTECT_MASK="/etc/bash_completion.d /etc/ca-certificates.conf /etc/default /etc/dev.d /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/init.d /etc/modules.d /etc/pam.d /etc/pango /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/profile.d /etc/revdep-rebuild /etc/sandbox.d /etc/ssl /etc/ssmtp /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c /etc/udev /etc/vim"
CVS_RSH="ssh"
CXXFLAGS="-march=native -O2 -pipe -fomit-frame-pointer"
DEFAULT_ABI="amd64"
DISPLAY="localhost:10.0"
DISTDIR="/usr/portage/distfiles"
EDITOR="/usr/bin/vim"
ELIBC="glibc"
EMERGE_DEFAULT_OPTS="--verbose --noconfmem"
EMERGE_WARNING_DELAY="10"
EPREFIX=""
EROOT="/"
FEATURES="assume-digests distlocks fixpackages news parallel-fetch protect-owned sandbox sfperms strict unmerge-logs unmerge-orphans userfetch usersandbox"
FETCHCOMMAND="/usr/bin/wget -t 5 -T 60 --passive-ftp -O "${DISTDIR}/${FILE}" "${URI}""
GCC_SPECS=""
GDK_USE_XFT="1"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
GUILE_LOAD_PATH="/usr/share/guile/1.8"
HG="/usr/bin/hg"
HISTIGNORE="[bf]g:exit:history"
INFODIR="/usr/GNUstep/System/Library/Documentation/info:/usr/GNUstep/Local/Library/Documentation/info"
INFOPATH="/usr/share/info:/usr/share/binutils-data/x86_64-pc-linux-gnu/2.20.1/info:/usr/share/gcc-data/x86_64-pc-linux-gnu/4.4.3/info:/usr/share/info/emacs-23:/usr/GNUstep/System/Library/Documentation/info:/usr/GNUstep/Local/Library/Documentation/info"
INPUT_DEVICES="keyboard mouse evdev"
JAVAC="/etc/java-config-2/current-system-vm/bin/javac"
JAVACC_HOME="/usr/share/javacc/"
JAVA_HOME="/etc/java-config-2/current-system-vm"
JDK_HOME="/etc/java-config-2/current-system-vm"
KERNEL="linux"
LANG="en_US.UTF-8"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LDFLAGS="-Wl,-O1"
LDFLAGS_x86="-m elf_i386"
LESS="-R -M --shift 5"
LESSOPEN="|lesspipe.sh %s"
LIBDIR_amd64="lib64"
LIBDIR_amd64_fbsd="lib64"
LIBDIR_ppc="lib32"
LIBDIR_ppc64="lib64"
LIBDIR_sparc32="lib32"
LIBDIR_sparc64="lib64"
LIBDIR_x86="lib32"
LIBDIR_x86_fbsd="lib32"
LINGUAS="en en_US"
LS_COLORS="no=00:fi=00:di=01;36:ln=01;36:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:su=37;41:sg=30;43:tw=30;42:ow=34;42:st=37;44:ex=01;32:"
MAKEOPTS="-j5"
MANPATH="/etc/java-config-2/current-system-vm/man:/usr/local/share/man:/usr/share/man:/usr/share/binutils-data/x86_64-pc-linux-gnu/2.20.1/man:/usr/share/gcc-data/x86_64-pc-linux-gnu/4.4.3/man:/etc/java-config/system-vm/man/:/usr/lib64/php5/man/:/usr/GNUstep/System/Library/Documentation/man:/usr/GNUstep/Local/Library/Documentation/man"
MULTILIB_ABIS="amd64 x86"
MULTILIB_STRICT_DENY="64-bit.*shared object"
MULTILIB_STRICT_DIRS="/lib32 /lib /usr/lib32 /usr/lib /usr/kde/*/lib32 /usr/kde/*/lib /usr/qt/*/lib32 /usr/qt/*/lib /usr/X11R6/lib32 /usr/X11R6/lib"
MULTILIB_STRICT_EXEMPT="(perl5|gcc|gcc-lib|binutils|eclipse-3|debug|portage)"
NETBEANS="apisupport cnd groovy gsf harness ide identity j2ee java mobility nb php profiler soa visualweb webcommon websvccommon xml"
NOCONFMEM="1"
NOUSE="-ipv6"
OPENGL_PROFILE="xorg-x11"
PAGER="/usr/bin/less"
PATH="/usr/local/bin:/usr/bin:/bin:/opt/bin:/usr/x86_64-pc-linux-gnu/gcc-bin/4.4.3:/usr/lib64/subversion/bin:/usr/GNUstep/System/Tools:/usr/GNUstep/Local/Tools"
PKGDIR="/usr/portage/packages"
PORTAGE_ARCHLIST="ppc x86-openbsd ppc-openbsd ppc64 x86-winnt x86-fbsd ppc-aix alpha arm x86-freebsd s390 amd64 arm-linux x86-macos x64-openbsd ia64-hpux hppa x86-netbsd amd64-linux ia64-linux x86 sparc-solaris x64-freebsd sparc64-solaris x86-linux x64-macos sparc m68k-mint ia64 mips ppc-macos x86-interix hppa-hpux amd64-fbsd x64-solaris mips-irix m68k sh x86-solaris sparc-fbsd"
PORTAGE_BINHOST_CHUNKSIZE="3000"
PORTAGE_BIN_PATH="/usr/lib64/portage/bin"
PORTAGE_COMPRESS_EXCLUDE_SUFFIXES="css gif htm[l]? jp[e]?g js pdf png"
PORTAGE_CONFIGROOT="/"
PORTAGE_DEBUG="0"
PORTAGE_DEPCACHEDIR="/var/cache/edb/dep"
PORTAGE_ELOG_CLASSES="log warn error"
PORTAGE_ELOG_MAILFROM="portage@localhost"
PORTAGE_ELOG_MAILSUBJECT="[portage] ebuild log for ${PACKAGE} on ${HOST}"
PORTAGE_ELOG_MAILURI="root"
PORTAGE_ELOG_SYSTEM="save mail"
PORTAGE_FETCH_CHECKSUM_TRY_MIRRORS="5"
PORTAGE_FETCH_RESUME_MIN_SIZE="350K"
PORTAGE_GID="250"
PORTAGE_INST_GID="0"
PORTAGE_INST_UID="0"
PORTAGE_PYM_PATH="/usr/lib64/portage/pym"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_RSYNC_RETRIES="3"
PORTAGE_SYNC_STALE="30"
PORTAGE_TMPDIR="/var/tmp"
PORTAGE_VERBOSE="1"
PORTAGE_WORKDIR_MODE="0700"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman"
PPUSE="git kpathsea logrotate network-cron nss qt3support ssse3"
PRINTER="s426"
PROFILE_ONLY_VARIABLES="ARCH ELIBC KERNEL USERLAND"
PYTHONDONTWRITEBYTECODE="1"
RESUMECOMMAND="/usr/bin/wget -c -t 5 -T 60 --passive-ftp -O "${DISTDIR}/${FILE}" "${URI}""
ROOT="/"
ROOTPATH="/opt/bin:/usr/x86_64-pc-linux-gnu/gcc-bin/4.4.3:/usr/lib64/subversion/bin:/usr/GNUstep/System/Tools:/usr/GNUstep/Local/Tools"
RPMDIR="/usr/portage/rpm"
RUBYOPT="-rauto_gem"
RUBY_TARGETS="ruby18"
R_HOME="/usr/lib64/R"
SBCL_HOME="/usr/lib64/sbcl"
SBCL_SOURCE_ROOT="/usr/lib64/sbcl/src"
SHELL="/bin/bash"
SHLVL="1"
STAGE1_USE="multilib nptl nptlonly unicode"
SYMLINK_LIB="yes"
SYNC="rsync://rsync.namerica.gentoo.org/gentoo-portage"
TERM="xterm"
USE="X acl acpi amd64 apache2 bash-completion berkdb bzip2 cairo caps cgi cli cracklib crypt cscope ctype cups curl cvs cxx dbus dri emacs enscript exif fam fftw fortran gd gdbm gif gimp ginac git gmp gnuplot gnutls gpm graphviz gtk guile hal iconv imagemagick innodb java java6 javascript jbig jpeg jpeg2k kpathsea lapack latex logrotate mbox mhash mime mmap mmx modules mudflap multilib mysql mysqli ncurses network-cron nls nptl nptlonly nsplugin nss objc objc++ openmp pam pcre pdf perl php plotutils png posix ppds pppd python qt3support readline reflection ruby samba session smp sockets spell spl sse sse2 ssl ssse3 subversion svg sysfs syslog sysvipc szip taglib tcl tcpd threads tk tokenizer truetype unicode vim-syntax wxwindows xattr xemacs xinetd xml xorg xulrunner zlib" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias auth_digest" APACHE2_MPMS=" worker" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en en_US" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="radeon" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account" 
USERLAND="GNU"
USE_EXPAND="ALSA_CARDS ALSA_PCM_PLUGINS APACHE2_MODULES APACHE2_MPMS CAMERAS CROSSCOMPILE_OPTS DVB_CARDS ELIBC FCDSL_CARDS FOO2ZJS_DEVICES FRITZCAPI_CARDS INPUT_DEVICES KERNEL LCD_DEVICES LINGUAS LIRC_DEVICES MISDN_CARDS NETBEANS_MODULES NGINX_MODULES_HTTP NGINX_MODULES_MAIL QEMU_SOFTMMU_TARGETS QEMU_USER_TARGETS RUBY_TARGETS SANE_BACKENDS USERLAND VIDEO_CARDS XTABLES_ADDONS"
USE_EXPAND_HIDDEN="CROSSCOMPILE_OPTS ELIBC KERNEL USERLAND"
USE_ORDER="env:pkg:conf:defaults:pkginternal:env.d"
VIDEO_CARDS="radeon"
XDG_CONFIG_DIRS="/etc/xdg"
XDG_DATA_DIRS="/usr/local/share:/usr/share"
XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
XZ_OPT="--memory=max"
_="/usr/bin/emerge"
bash4="4.0.37(2)-release"
Comment 2 Vieri 2010-06-30 10:08:50 UTC
As far as I know, Shorewall 3.x is obsolete and unsupported by the software creator.
Since this is an upstream "bug", it should be reported upstream but, as I said, it probably won't be fixed.
The 3.x ebuilds could be changed to require <ipset-4.1 but upgrading away from 3.x is preferable.
3.x ebuilds should probably be wiped out from the portage tree anyway.

just my opinion.
Comment 3 Andy Dalton 2011-01-24 19:43:54 UTC
Sorry -- this is my bug, not a problem with what you've done.  I had unmasked 4.4.10; it was not previously stable in the tree.  When you removed 4.4.10, that left only other unmasked 4.X versions, and the stable 3.x version.  I should have had more coffee this morning before firing off a bug report.

Sorry for the noise.