Ryszard Łach
2012-Jan-09 04:33 UTC
safe-restart without confirmation removes valid iptables rules ?
Hi.

After 'shorewall safe-restart' without confirmation shorewall runs the .safe script, which feeds iptables with .safe-iptables rules. Unfortunately, there is a case when it does not restore valid rules (active before safe-restart), i.e. those with -g (--goto) instead of -j (--jump). These are being removed from iptables-save output (while creating .safe-restart), I suppose by the awk fragment (lib.cli):

    #
    # The 'awk' hack that compensates for bugs in iptables-save (or rather in the extension modules).
    #

    iptablesbug()
    {
        if qt mywhich awk ; then
            awk 'BEGIN { sline=""; };\
                 /^-j/ { print sline $0; next };\
                 /-m policy.*-j/ { print $0; next };\
                 /-m policy/ { sline=$0; next };\
                 /--mask ff/ { sub( /--mask ff/, "--mask 0xff" ) };\
                 { print ; sline="" }'
        else
            echo "   WARNING: You don't have 'awk' on this system so the output of the save command may be unusable" >&2
            cat
        fi
    }

My iptables-save output has a rule

    -A eth2_fwd -s X.X.X.X/24 -m policy --dir in --pol ipsec -g AAA_frwd

I'm not sure: is this (as the comment in lib.cli says) a bug in iptables' module, or maybe in shorewall?

TIA,

Richard.
Tom Eastep
2012-Jan-09 14:46 UTC
Re: safe-restart without confirmation removes valid iptables rules ?
On Mon, 2012-01-09 at 05:33 +0100, Ryszard Łach wrote:
> Hi.
>
> After 'shorewall safe-restart' without confirmation shorewall runs .safe
> script, which feeds iptables with .safe-iptables rules.
> Unfortunately, there is a case, when it does not restore valid rules
> (active before safe-restart), i.e. those with -g (--goto) instead of -j
> (--jump).
> These are being removed from iptables-save output (while creating
> .safe-restart), I suppose that by the awk fragment (lib.cli):
>
> #
> # The 'awk' hack that compensates for bugs in iptables-save (or rather
> in the extension modules).
> #
>
> iptablesbug()
> {
>     if qt mywhich awk ; then
>         awk 'BEGIN { sline=""; };\
>              /^-j/ { print sline $0; next };\
>              /-m policy.*-j/ { print $0; next };\
>              /-m policy/ { sline=$0; next };\
>              /--mask ff/ { sub( /--mask ff/, "--mask 0xff" ) };\
>              { print ; sline="" }'
>     else
>         echo "   WARNING: You don't have 'awk' on this system so the
> output of the save command may be unusable" >&2
>         cat
>     fi
> }
>
> My iptables-save output has a rule
>
> -A eth2_fwd -s X.X.X.X/24 -m policy --dir in --pol ipsec -g AAA_frwd
>
> I'm not sure: is this (as the comment in lib.cli says) bug in iptables'
> module, or maybe in shorewall?

It was a bug in an older version of iptables. The attached patch to /usr/share/shorewall/lib.cli should correct the problem.

-Tom

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________