On two firewalls I have errors after a Shorewall update; no changes have been done on the configuration files. Current situation on one of the two installations (the other one is similar):

- Fedora Core 4
- shorewall-3.2.4-1.fc4
- iptables-1.3.0-2

I have two machines in the loc zone with a static NAT:

    #EXTERNAL         INTERFACE   INTERNAL        ALL          LOCAL
    #                                             INTERFACES
    xxx.xxx.xxx.254   eth0        192.168.10.5    No           No
    xxx.xxx.xxx.247   eth0        192.168.10.60   No           No

and in the masq file:

    #INTERFACE   SUBNET                             ADDRESS   PROTO   PORT(S)   IPSEC
    eth0         eth1!192.158.10.5,192.158.10.60

(masquerading for all machines in loc except for the two with static NAT).

It used to work with no problems with Shorewall 3.0 and also with earlier 3.2 releases; now with 3.2.4 it fails during startup with this error:

    Setting up Masquerading/SNAT...
    iptables v1.3.0: Unknown arg `--sport'
    Try `iptables -h' or 'iptables --help' for more information.
       ERROR: Command "/sbin/iptables -t nat -A eth0_masq -s 192.168.12.0/24 -d 0.0.0.0/0 --sport 53 -j" Failed

If I remove the address exclusion list !192.158.10.5,192.158.10.60 and masq is simply:

    eth0         eth1

it works.

Please tell me if this is a known limitation with this version of iptables; in any case I looked at the release notes and I did not find any notice about version requirements. I can also send the shorewall dump if it can be useful.

Thanks
Elio

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys -- and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
Elio Tondo wrote:
> and in the masq file:
>
> #INTERFACE   SUBNET                             ADDRESS   PROTO   PORT(S)   IPSEC
> eth0         eth1!192.158.10.5,192.158.10.60
>
> (masquerading for all machines in loc except for the two with static NAT).
>
> It used to work with no problems with Shorewall 3.0 and also with earlier
> 3.2 releases

I need to know which earlier 3.2 release(s).

> ; now with 3.2.4 it fails during startup with this error:
>
> Setting up Masquerading/SNAT...
> iptables v1.3.0: Unknown arg `--sport'
> Try `iptables -h' or 'iptables --help' for more information.
>    ERROR: Command "/sbin/iptables -t nat -A eth0_masq -s 192.168.12.0/24 -d
> 0.0.0.0/0 --sport 53 -j" Failed
>

If you wish to report problems with startup, you must send a trace. Taking a command out of context and saying "look, this didn't work" will get you sympathy but no help.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Elio Tondo wrote:
> I have two machines in the loc zone with a static NAT:
>
> #EXTERNAL         INTERFACE   INTERNAL        ALL          LOCAL
> #                                             INTERFACES
> xxx.xxx.xxx.254   eth0        192.168.10.5    No           No
> xxx.xxx.xxx.247   eth0        192.168.10.60   No           No
>
> and in the masq file:
>
> #INTERFACE   SUBNET                             ADDRESS   PROTO   PORT(S)   IPSEC
> eth0         eth1!192.158.10.5,192.158.10.60
>
> (masquerading for all machines in loc except for the two with static NAT).

Which is totally unnecessary -- static nat is applied before masquerade.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
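As an added illustration (not part of the thread and not Shorewall's own compiler code), the model below shows why the exclusion list in the masq entry is redundant: static SNAT rules are assumed to sit in nat POSTROUTING ahead of the jump into the eth0_masq chain, so a first-match walk hits them before MASQUERADE is ever considered. The loc subnet behind eth1 and the chain layout are assumptions; the external addresses are the xxx.xxx.xxx placeholders from the nat file. A final helper rejects an iptables command shaped like the failing one in the trace.

```python
# Added illustration, not Shorewall's own compiler code.  Models first-match
# evaluation of the nat table to show why excluding the static-NAT hosts from
# the masq entry is redundant, and checks an iptables command for the defect
# seen in the trace.  Chain layout and the eth1 subnet are assumptions.
import ipaddress
import shlex

STATIC_NAT = {"192.168.10.5": "xxx.xxx.xxx.254",   # pairs from the nat file
              "192.168.10.60": "xxx.xxx.xxx.247"}
IFACE_SUBNETS = {"eth1": "192.168.10.0/24"}        # assumed loc subnet

def parse_masq_entry(line):
    """'eth0 eth1!a,b' -> (iface, subnet, [excluded networks])."""
    iface, spec = line.split()[:2]
    subnet, _, excl = spec.partition("!")
    subnet = ipaddress.ip_network(IFACE_SUBNETS.get(subnet, subnet))
    return iface, subnet, [ipaddress.ip_network(e) for e in excl.split(",") if e]

def build_nat(masq_line):
    """Static SNAT rules sit in POSTROUTING before the jump to the masq chain."""
    iface, subnet, exclusions = parse_masq_entry(masq_line)
    masq = f"{iface}_masq"
    post = [(ipaddress.ip_network(h), f"SNAT --to-source {e}") for h, e in STATIC_NAT.items()]
    post.append((ipaddress.ip_network("0.0.0.0/0"), f"JUMP {masq}"))
    rules = [(e, "RETURN") for e in exclusions] + [(subnet, "MASQUERADE")]
    return {"POSTROUTING": post, masq: rules}

def translate(chains, src, chain="POSTROUTING"):
    """First matching terminating action for a packet from src."""
    ip = ipaddress.ip_address(src)
    for net, action in chains[chain]:
        if ip not in net:
            continue
        if action.startswith("JUMP "):
            result = translate(chains, src, action[5:])
            if result != "RETURN":
                return result
        else:
            return action
    return "ACCEPT" if chain == "POSTROUTING" else "RETURN"

def rule_is_well_formed(cmd):
    """Reject a command like the failing one: --sport with no -p, bare -j."""
    argv = shlex.split(cmd)
    if "-j" not in argv or argv[-1] == "-j":
        return False
    if ("--sport" in argv or "--dport" in argv) and "-p" not in argv:
        return False
    return True
```

Whether or not the exclusion is present, a packet from 192.168.10.5 is translated by the static SNAT rule; only hosts that have no static NAT entry reach MASQUERADE.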
Tom Eastep wrote:
> Elio Tondo wrote:
>
>> and in the masq file:
>>
>> #INTERFACE   SUBNET                             ADDRESS   PROTO   PORT(S)   IPSEC
>> eth0         eth1!192.158.10.5,192.158.10.60
>>
>> (masquerading for all machines in loc except for the two with static NAT).
>>
>> It used to work with no problems with Shorewall 3.0 and also with earlier
>> 3.2 releases
>
> I need to know which earlier 3.2 release(s).

I found a bug that may explain this problem. But it is a "day-1" 3.2 bug so I don't know if the attached patch to /usr/share/shorewall/compiler will correct your problem or not.

At any rate, what you were doing (exclusing the static nat addresses from masquerade) is unnecessary.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Tom Eastep wrote:
>> Elio Tondo wrote:
>>
>>> and in the masq file:
>>>
>>> #INTERFACE   SUBNET                             ADDRESS   PROTO   PORT(S)   IPSEC
>>> eth0         eth1!192.158.10.5,192.158.10.60
>>>
>>> (masquerading for all machines in loc except for the two with static NAT).
>>>
>>> It used to work with no problems with Shorewall 3.0 and also with earlier
>>> 3.2 releases
>> I need to know which earlier 3.2 release(s).
>
> I found a bug that may explain this problem. But it is a "day-1" 3.2 bug so I
> don't know if the attached patch to /usr/share/shorewall/compiler will correct
> your problem or not.
>
> At any rate, what you were doing (exclusing the static nat addresses from
> masquerade) is unnecessary.

Elio,

That should have been "*excluding* the static...".

Also, I just noticed that the patch in my previous message contained changes to the release notes as well as to the compiler. Here's a proper patch.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
From: "Tom Eastep" <teastep@shorewall.net>
>> It used to work with no problems with Shorewall 3.0 and also with earlier
>> 3.2 releases
>
> I need to know which earlier 3.2 release(s).

I am not sure I will be able to track this down, because the two firewalls are managed by other people (I only did the initial setup); I only know when they reported the problems. The first firewall failed apparently after the update to 3.2.3-1.fc4, the first days of September; the second one today, after the update to 3.2.4-1.fc4. I don't know the reason for this difference.

> If you wish to report problems with startup, you must send a trace. Taking
> a command out of context and saying "look, this didn't work" will get you
> sympathy but no help.

I apologize; I didn't read the Troubleshooting Guide before writing... otherwise I would have already sent the "shorewall debug start 2> /tmp/trace" output.

>> (masquerading for all machines in loc except for the two with static NAT).
>
> Which is totally unnecessary -- static nat is applied before masquerade.

This is good news; probably I did not understand the documentation well. Or maybe it was necessary in some (very old) version?

> I found a bug that may explain this problem. But it is a "day-1" 3.2 bug so I
> don't know if the attached patch to /usr/share/shorewall/compiler will correct
> your problem or not.

It does!

> At any rate, what you were doing (exclusing the static nat addresses from
> masquerade) is unnecessary.

Noted, thanks. Now I have a simpler config...

> That should have been "*excluding* the static...".

I didn't even notice the typo ;)

> Also, I just noticed that the patch in my previous message contained changes
> to the release notes as well as to the compiler. Here's a proper patch.

I already applied only the modifications to the code.

Tom, thanks a lot for your outstanding support. I would like to take this occasion to thank you for your excellent work, and to thank also the other developers and volunteers of the community. Shorewall is a very valuable project.

Elio
Elio Tondo wrote:
> From: "Tom Eastep" <teastep@shorewall.net>
>
>>> It used to work with no problems with Shorewall 3.0 and also with earlier
>>> 3.2 releases
>> I need to know which earlier 3.2 release(s).
>
> I am not sure I will be able to track this down, because the two firewalls are
> managed by other people (I only did the initial setup); I only know when
> they reported the problems. The first firewall failed apparently after the
> update to 3.2.3-1.fc4, the first days of September; the second one today,
> after the update to 3.2.4-1.fc4. I don't know the reason for this difference.

No problem -- so long as the patch corrected the problem, I'm not so concerned.

>
>> I found a bug that may explain this problem. But it is a "day-1" 3.2 bug so I
>> don't know if the attached patch to /usr/share/shorewall/compiler will correct
>> your problem or not.
>
> It does!

Great!

> Tom, thanks a lot for your outstanding support. I would like to take this occasion
> to thank you for your excellent work, and to thank also the other developers and
> volunteers of the community. Shorewall is a very valuable project.

Thanks, Elio

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key