# [SOLVED] Shorewall/iptables/IPSet issue

## astor84

I have been waiting on mainline IPSet capability in the mainline kernel for some time and today installed 2.6.39-r3 on my router, making sure to add in "set match" and "ipset" configuration options. I rebooted and was able to create a large IPSet that I want to use for blacklisting via shorewall.

I then added an entry in /etc/shorewall/blacklist which references this ipset and when I restarted shorewall I get:

```
ERROR: ipset names in Shorewall configuration files require Ipset Match in your kernel and iptables
```

I tried manually running some of the iptables commands that shorewall appears to be running, but they failed (which is, I assume, what the problem is).

It seems as if iptables doesn't like the command. I get the following:

```
iptables -t nat -N testchain
iptables --verbose -t filter -A testchain -m set --match-set blacklist src -j DROP
ACCEPT  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   match-set blacklist src
iptables: No chain/target/match by that name.
```

I've been googling and banging my head against the desk for about an hour and a half now. I was hoping an iptables/shorewall guru could help me out here ... any idea what's going on?

Here are the installed package versions:

```
net-firewall/shorewall-4.4.21
net-firewall/ipset-6.7-r1
net-firewall/iptables-1.4.11.1-r2
```

*Last edited by astor84 on Sat Jul 23, 2011 10:54 pm; edited 1 time in total*

----------

## Hu

I cannot comment on shorewall, but the iptables commands you showed are not consistent.  First, you create a new chain in the table nat.  Then, you try to append a rule to a chain of the same name in the table filter.  Each table has its own namespace, so there is no chain named testchain in the table filter.
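An added example, not code from either poster: a POSIX shell script that applies Hu's point by emitting the `-N` and `-A` commands from one table variable so they cannot diverge, after first checking that the running kernel exposes the `set` match and that the installed iptables can load its `set` extension. Assumptions: the ipset is named `blacklist`, the chain `testchain`, and the final jump from `INPUT` is mine, not something the thread shows.

```shell
#!/bin/sh
# Added example for the thread above, not the original poster's script.
# Assumes an ipset named "blacklist" already exists and that the real
# commands are run as root ("apply"); without "apply" it only prints them.

# Kernel side: once the xt_set module is available, the match is listed
# as a line reading exactly "set" in /proc/net/ip_tables_matches.
kernel_has_set_match() {
    matches_file="${1:-/proc/net/ip_tables_matches}"
    [ -r "$matches_file" ] && grep -qx set "$matches_file"
}

# User-space side: iptables must be able to load its libxt_set extension.
# Note this does not prove the kernel accepts that extension's revision;
# a mismatch only shows up when the rule is actually inserted below.
iptables_has_set_match() {
    iptables -m set --help >/dev/null 2>&1
}

# Emit the chain creation, the ipset rule and a jump into the chain, all
# against the same table, so -N and -A land in the same namespace.
# Usage: blacklist_rules <table> <chain> <setname>
blacklist_rules() {
    table="$1" chain="$2" setname="$3"
    printf 'iptables -t %s -N %s\n' "$table" "$chain"
    printf 'iptables -t %s -A %s -m set --match-set %s src -j DROP\n' \
        "$table" "$chain" "$setname"
    printf 'iptables -t %s -I INPUT -j %s\n' "$table" "$chain"
}

apply_blacklist() {
    if ! kernel_has_set_match; then
        echo "kernel: no 'set' match in /proc/net/ip_tables_matches (modprobe xt_set?)" >&2
        return 1
    fi
    if ! iptables_has_set_match; then
        echo "iptables: cannot load the 'set' match extension" >&2
        return 1
    fi
    # sh -e stops at the first failing command, e.g. a revision mismatch.
    blacklist_rules filter testchain blacklist | sh -ex
}

case "${1:-}" in
    apply) apply_blacklist ;;
    *) blacklist_rules filter testchain blacklist ;;
esac
```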

----------

## astor84

*Hu wrote:*

> I cannot comment on shorewall, but the iptables commands you showed are not consistent.  First, you create a new chain in the table nat.  Then, you try to append a rule to a chain of the same name in the table filter.  Each table has its own namespace, so there is no chain named testchain in the table filter.

Okay, that gets me closer (from a debugging perspective), but it doesn't explain what shorewall's problem is. :(

----------

## astor84

iptables-1.4.12 hit portage today and appears to have fixed my issue!
