IPSET matching unavailable for one linux installation, but not another... and only IPv4 is affected

0 votes
1 answer
351 views
I have two Ubuntu 16.04 servers, one on a little Intel Atom ITX box on my local network and one hosted as a VPS. Both were installed fresh within the last week. Both are generally the same configuration, except more effort has gone into hardening the publicly accessible VPS. Neither has had the kernel recompiled. Both have generally the same set of packages installed. And yet... one of them, the VPS, rather insists that its netfilter can't match against ipsets.

    wolferz@unipuma ~ $ sudo shorewall check
    Checking using Shorewall 5.1.6.1...
    Processing /etc/shorewall/params ...
    Processing /etc/shorewall/shorewall.conf...
    Loading Modules...
    Checking /etc/shorewall/zones...
    Checking /etc/shorewall/interfaces...
    Determining Hosts in Zones...
    Locating Action Files...
    Checking /etc/shorewall/policy...
    Adding Anti-smurf Rules
    Checking TCP Flags filtering...
    Checking Kernel Route Filtering...
    Checking Martian Logging...
    Checking MAC Filtration -- Phase 1...
    Checking /etc/shorewall/blrules...
    ERROR: ipset names in Shorewall configuration files require Ipset Match in your kernel and iptables /etc/shorewall/blrules (line 39)

The configuration I intend to use depends heavily on ipsets for dynamic blacklisting and whitelisting of large sets of IPs, because netfilter doesn't lend itself well to being altered often or to having massive lists of rules (one for each IP... often thousands). Without ipset matching, there is no moving forward here.

Despite the fact that I'm using Shorewall to manage netfilter and ipsets, this does not appear to be a Shorewall problem. Unless its detection is askew somehow... but I'm not sure how to confirm its output. Here's what Shorewall detects as the kernel's netfilter capability on the VPS.

    wolferz@unipuma ~ $ sudo shorewall version
    5.1.6.1
    wolferz@unipuma ~ $ sudo shorewall show -f capabilities | grep IPSET
    IPSET_MATCH=

unipuma_sorted_modules.list ... scp it to the other host ...

    wolferz@khaos ~ $ sudo ls -R -D /lib/modules/4.4.0-93-generic/kernel/ | grep -P '\.ko$' | sort > khaos_sorted_modules.list
    wolferz@khaos ~ $ diff --brief --report-identical-files khaos_sorted_modules.list unipuma_sorted_modules.list
    Files khaos_sorted_modules.list and unipuma_sorted_modules.list are identical

Then I checked the actual config for the kernel I'm using:

    wolferz@unipuma ~ $ sudo cat /boot/config-4.4.0-93-generic | grep -P '(?:NETFILTER|IPSET)' | sort > unipuma_kernel_config.list
    wolferz@khaos ~ $ sudo cat /boot/config-4.4.0-93-generic | grep -P '(?:NETFILTER|IPSET)' | sort > khaos_kernel_config.list
    wolferz@khaos ~ $ diff --brief --report-identical-files khaos_kernel_config.list unipuma_kernel_config.list
    Files khaos_kernel_config.list and unipuma_kernel_config.list are identical

Well ok then. Color me confused. Same kernel. Same modules. Same config. Different capabilities. Wut?

And... just to cut this line of thinking off at the pass... it's not the vhost either. I have a third server running CentOS 6 with this same version of Shorewall (and older versions of netfilter/iptables/ipset) which does not have this problem. It's hosted on the same physical machine using the same virtualization (KVM) as the Ubuntu 16.04 VPS above.

...Help?
Asked by Cliff Armstrong (602 rep)
Sep 7, 2017, 02:54 AM
Last activity: Sep 8, 2017, 03:40 PM
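The question compares only the kernel module list and /boot/config-* between the two hosts, but iptables set matching also depends on userspace pieces that a package diff can miss. The script below is an added diagnostic, not code from the question or from Shorewall; it assumes the usual component names (the CONFIG_IP_SET and CONFIG_NETFILTER_XT_SET kernel symbols, the xt_set module, the libxt_set.so iptables extension and the ipset binary), and the xtables directories it searches are assumptions too.

```shell
#!/bin/sh
# Added diagnostic, not taken from the question or from Shorewall. It lists the
# pieces that iptables "-m set" matching needs: two kernel config symbols, the
# ipset userspace tool, the xt_set module and the iptables set extension.
# ipset_match_check exit status: 0 all present, 1 something missing,
# 2 kernel config file unreadable.

# kconfig_has FILE SYMBOL -> 0 when SYMBOL is built in (=y) or a module (=m)
kconfig_has() {
    grep -q "^$2=[ym]\$" "$1"
}

# Constructed sample config (assumption: an excerpt shaped like a real
# /boot/config-* file), so the script runs where no kernel config is readable.
SAMPLE_KCONFIG="${TMPDIR:-/tmp}/sample-kconfig.$$"
printf '%s\n' 'CONFIG_NETFILTER=y' 'CONFIG_IP_SET=m' \
    'CONFIG_NETFILTER_XT_SET=m' '# CONFIG_IP_SET_HASH_NET is not set' \
    > "$SAMPLE_KCONFIG"

# ipset_match_check [KCONFIG]: print one line per prerequisite
ipset_match_check() {
    kconf="${1:-/boot/config-$(uname -r)}"
    missing=0
    [ -r "$kconf" ] || { echo "cannot read $kconf"; return 2; }
    for sym in CONFIG_IP_SET CONFIG_NETFILTER_XT_SET; do
        if kconfig_has "$kconf" "$sym"; then echo "ok      $sym"
        else echo "MISSING $sym in $kconf"; missing=$((missing + 1)); fi
    done
    # Userspace tool: a capability probe cannot create a test set without it.
    if command -v ipset >/dev/null 2>&1; then echo "ok      ipset binary"
    else echo "MISSING ipset binary"; missing=$((missing + 1)); fi
    # Runtime kernel side: the module the config promises must be loadable.
    if modinfo xt_set >/dev/null 2>&1; then echo "ok      xt_set module"
    else echo "MISSING xt_set module"; missing=$((missing + 1)); fi
    # iptables side: the set extension in one of the usual xtables directories.
    if ls /usr/lib/*/xtables/libxt_set.so /lib/*/xtables/libxt_set.so \
          /usr/lib/xtables/libxt_set.so 2>/dev/null | grep -q .
    then echo "ok      iptables set extension"
    else echo "MISSING libxt_set.so iptables extension"; missing=$((missing + 1)); fi
    [ "$missing" -eq 0 ]
}

# Usage: sh ipset-check.sh /boot/config-4.4.0-93-generic
[ -z "${1:-}" ] || ipset_match_check "$1"
```

Run it on both hosts and diff the two reports; the question's diff of /boot/config-* covers only the first two lines of this output.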