Brian J. Murrell
2007-May-10 00:39 UTC
iptables v1.3.3: multiport can only have one option
The following tcrule:

    128:P 10.75.22.1 pbx.foo.com udp 4569 4569

produces the following error in Shorewall{,-lite} 3.4.2:

    iptables v1.3.3: multiport can only have one option
    Try `iptables -h' or 'iptables --help' for more information.
    ERROR: Command "/usr/sbin/iptables -t mangle -A tcpre -s 10.75.22.1 -d pbx.foo.com -p udp -m multiport --dports 4569 --sport 4569 -j MARK --set-mark 128" Failed

Is this a bug in shorewall or a limitation of the multiport match on openwrt? This rule, interestingly enough, doesn't even need a multiport match.

b.

-- 
My other computer is your Microsoft Windows server.
Brian J. Murrell

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
Brian J. Murrell wrote:
> The following tcrule:
>
> 128:P 10.75.22.1 pbx.foo.com udp 4569 4569
>
> produces the following error in Shorewall{,-lite} 3.4.2:
>
> iptables v1.3.3: multiport can only have one option
> Try `iptables -h' or 'iptables --help' for more information.
> ERROR: Command "/usr/sbin/iptables -t mangle -A tcpre -s 10.75.22.1 -d pbx.foo.com -p udp -m multiport --dports 4569 --sport 4569 -j MARK --set-mark 128" Failed
>
> Is this a bug in shorewall or a limitation of the multiport match on
> openwrt? This rule, interestingly enough, doesn't even need a multiport
> match

Brian,

You have exceeded your shorewall.net post quota for the day. Good night.

-Tom

-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Brian J. Murrell
2007-May-10 00:42 UTC
Re: iptables v1.3.3: multiport can only have one option
On Wed, 2007-05-09 at 17:41 -0700, Tom Eastep wrote:
> You have exceeded your shorewall.net post quota for the day. Good night.

LOL. Night night Tom.

b.
Tom Eastep wrote:
> Brian J. Murrell wrote:
>> The following tcrule:
>>
>> 128:P 10.75.22.1 pbx.foo.com udp 4569 4569
>>
>> produces the following error in Shorewall{,-lite} 3.4.2:
>>
>> iptables v1.3.3: multiport can only have one option
>> Try `iptables -h' or 'iptables --help' for more information.
>> ERROR: Command "/usr/sbin/iptables -t mangle -A tcpre -s 10.75.22.1 -d pbx.foo.com -p udp -m multiport --dports 4569 --sport 4569 -j MARK --set-mark 128" Failed
>>
>> Is this a bug in shorewall or a limitation of the multiport match on
>> openwrt? This rule, interestingly enough, doesn't even need a multiport
>> match

In the tcrules file, shorewall 3.4 uses multiport match if it is available. Unfortunately, in this case that is the wrong choice because multiport match is braindead when it comes to matching both source and destination ports.

-Tom
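The selection Tom describes, worked as a small POSIX shell generator (an added example written for this thread, not Shorewall's lib.tcrules): it emits `-m multiport` only for a port field that is actually a comma-separated list and uses the plain `--sport`/`--dport` matches otherwise, so the single-port rule from the thread no longer hits the one-option limit. The `tcpre` chain for the `:P` mark suffix is taken from the error output above; the list-versus-single heuristic and the `tcrule_cmd`/`port_match` names are assumptions of this example.

```sh
#!/bin/sh
# Translate one tcrules line (MARK SOURCE DEST PROTO DPORT SPORT) into an
# iptables mangle command. Constructed example; not Shorewall's own code.

port_match() {
    # $1 is "dports" or "sports"; $2 is the port field ("-" or empty = any)
    case "$2" in
        ""|-) ;;                                          # no port constraint
        *,*)  printf ' -m multiport --%s %s' "$1" "$2" ;;  # list: multiport needed
        *)    printf ' --%s %s' "${1%s}" "$2" ;;           # single port or range: plain match
    esac
}

tcrule_cmd() {
    mark=$1 src=$2 dst=$3 proto=$4 dport=$5 sport=$6
    # iptables 1.3.3 accepts only one of --sports/--dports per multiport
    # match, so refuse a rule that needs a list on both sides (assumption:
    # such a rule is split by hand rather than generated here).
    n=0
    case "$dport" in *,*) n=$((n+1)) ;; esac
    case "$sport" in *,*) n=$((n+1)) ;; esac
    if [ "$n" -gt 1 ]; then
        echo "error: multiport cannot match both a source and a destination port list" >&2
        return 1
    fi
    # ":P" suffix means the PREROUTING (tcpre) chain, as in the error above
    printf '%s' "iptables -t mangle -A tcpre -s $src -d $dst -p $proto"
    port_match dports "$dport"
    port_match sports "$sport"
    printf ' -j MARK --set-mark %s\n' "${mark%%:*}"
}

# The rule from the thread: both ports are single values, so no multiport
tcrule_cmd 128:P 10.75.22.1 pbx.foo.com udp 4569 4569
```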
Tom Eastep wrote:
> Tom Eastep wrote:
>> Brian J. Murrell wrote:
>>> The following tcrule:
>>>
>>> 128:P 10.75.22.1 pbx.foo.com udp 4569 4569
>>>
>>> produces the following error in Shorewall{,-lite} 3.4.2:
>>>
>>> iptables v1.3.3: multiport can only have one option
>>> Try `iptables -h' or 'iptables --help' for more information.
>>> ERROR: Command "/usr/sbin/iptables -t mangle -A tcpre -s 10.75.22.1 -d pbx.foo.com -p udp -m multiport --dports 4569 --sport 4569 -j MARK --set-mark 128" Failed
>>>
>>> Is this a bug in shorewall or a limitation of the multiport match on
>>> openwrt? This rule, interestingly enough, doesn't even need a multiport
>>> match
>
> In the tcrules file, shorewall 3.4 uses multiport match if it is
> available. Unfortunately, in this case that is the wrong choice because
> multiport match is braindead when it comes to matching both source and
> destination ports.

Brian,

Please try the lib.tcrules found at http://www1.shorewall.net/pub/shorewall/3.4/shorewall-3.4.3/errata/Shorewall/lib.tcrules.

Thanks,
-Tom
Tom Eastep wrote:
> Tom Eastep wrote:
>> Tom Eastep wrote:
>>> Brian J. Murrell wrote:
>>>> The following tcrule:
>>>>
>>>> 128:P 10.75.22.1 pbx.foo.com udp 4569 4569
>>>>
>>>> produces the following error in Shorewall{,-lite} 3.4.2:
>>>>
>>>> iptables v1.3.3: multiport can only have one option
>>>> Try `iptables -h' or 'iptables --help' for more information.
>>>> ERROR: Command "/usr/sbin/iptables -t mangle -A tcpre -s 10.75.22.1 -d pbx.foo.com -p udp -m multiport --dports 4569 --sport 4569 -j MARK --set-mark 128" Failed
>>>>
>>>> Is this a bug in shorewall or a limitation of the multiport match on
>>>> openwrt? This rule, interestingly enough, doesn't even need a multiport
>>>> match
>> In the tcrules file, shorewall 3.4 uses multiport match if it is
>> available. Unfortunately, in this case that is the wrong choice because
>> multiport match is braindead when it comes to matching both source and
>> destination ports.
>
> Brian,
>
> Please try the lib.tcrules found at
> http://www1.shorewall.net/pub/shorewall/3.4/shorewall-3.4.3/errata/Shorewall/lib.tcrules.

I've tested that code this morning on a Shorewall 3.4.3 system and it seems to work okay.

-Tom
Brian J. Murrell
2007-May-10 15:28 UTC
Re: iptables v1.3.3: multiport can only have one option
On Thu, 2007-05-10 at 07:54 -0700, Tom Eastep wrote:
> I've tested that code this morning on a Shorewall 3.4.3 system and it seems
> to work okay.

Works on 3.4.2 also. Sorry for not getting to that until now. "Real job" is just killing me today. :-(

b.