Shorewall devel - Jan 2012 - safe-restart without confirmation removes valid iptables rules ?

Hi.

After ''shorewall safe-restart'' without confirmation shorewall
runs .safe
script, which feeds iptables with .safe-iptables rules.
Unfortunately, there is a case, when it does not restore valid rules
(active before safe-restart), i.e. those with -g (--goto) instead of -j
(--jump).
 These are being removed from iptables-save output (while creating
.safe-restart), I suppose that by the awk fragment (lib.cli):

#
# The ''awk'' hack that compensates for bugs in iptables-save
(or rather
in the extension modules).
#

iptablesbug()
{
    if qt mywhich awk ; then
        awk ''BEGIN           { sline=""; };\
             /^-j/           { print sline $0; next };\
             /-m policy.*-j/ { print $0; next };\
             /-m policy/     { sline=$0; next };\
             /--mask ff/     { sub( /--mask ff/, "--mask 0xff" ) };\
                             { print ; sline="" }''
    else
        echo "   WARNING: You don''t have ''awk''
on this system so the
output of the save command may be unusable" >&2
        cat
    fi
}

My iptables-save output has a rule

-A eth2_fwd -s X.X.X.X/24 -m policy --dir in --pol ipsec -g AAA_frwd

I''m not sure: is this (as the comment in lib.cli says) bug in
iptables''
module, or maybe in shorewall?

TIA,

Richard.


------------------------------------------------------------------------------
Ridiculously easy VDI. With Citrix VDI-in-a-Box, you don''t need a
complex
infrastructure or vast IT resources to deliver seamless, secure access to
virtual desktops. With this all-in-one solution, easily deploy virtual 
desktops for less than the cost of PCs and save 60% on VDI infrastructure 
costs. Try it free! http://p.sf.net/sfu/Citrix-VDIinabox

On Mon, 2012-01-09 at 05:33 +0100, Ryszard Łach wrote:
> Hi.
> 
> After ''shorewall safe-restart'' without confirmation
shorewall runs .safe
> script, which feeds iptables with .safe-iptables rules.
> Unfortunately, there is a case, when it does not restore valid rules
> (active before safe-restart), i.e. those with -g (--goto) instead of -j
> (--jump).
>  These are being removed from iptables-save output (while creating
> .safe-restart), I suppose that by the awk fragment (lib.cli):
> 
> #
> # The ''awk'' hack that compensates for bugs in
iptables-save (or rather
> in the extension modules).
> #
> 
> iptablesbug()
> {
>     if qt mywhich awk ; then
>         awk ''BEGIN           { sline=""; };\
>              /^-j/           { print sline $0; next };\
>              /-m policy.*-j/ { print $0; next };\
>              /-m policy/     { sline=$0; next };\
>              /--mask ff/     { sub( /--mask ff/, "--mask 0xff" )
};\
>                              { print ; sline="" }''
>     else
>         echo "   WARNING: You don''t have
''awk'' on this system so the
> output of the save command may be unusable" >&2
>         cat
>     fi
> }
> 
> My iptables-save output has a rule
> 
> -A eth2_fwd -s X.X.X.X/24 -m policy --dir in --pol ipsec -g AAA_frwd
> 
> I''m not sure: is this (as the comment in lib.cli says) bug in
iptables''
> module, or maybe in shorewall?
It was a bug in an older version of iptables.  The attached patch
to /usr/share/shorewall/lib.cli should correct the problem.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________





------------------------------------------------------------------------------
Ridiculously easy VDI. With Citrix VDI-in-a-Box, you don''t need a
complex
infrastructure or vast IT resources to deliver seamless, secure access to
virtual desktops. With this all-in-one solution, easily deploy virtual 
desktops for less than the cost of PCs and save 60% on VDI infrastructure 
costs. Try it free! http://p.sf.net/sfu/Citrix-VDIinabox