Hi,
I have the following problem while activating this rule entry using
shorewall-shell:

ACCEPT:notice:rul WAN:139.x.x.226 INT:139.x.x.153-139.x.x.156 udp 1024:65535 1024:65535

"-m iprange" in front of "--dst-range" is missing in the
activation command.
The logging entry (above) is set correctly.
Below is the debug output.
Thanks
Regards
Günter
+ case $level in
+ /usr/sbin/iptables -A WAN2INT -p udp --sport 1024:65535 -s 139.x.x.226 -m iprange --dst-range 139.x.x.153-139.x.x.156 --dport 1024:65535 -j LOG --log-level notice --log-prefix 'Shorewall:WAN2INT:ACCEPT:rul '
+ '[' 0 -ne 0 ']'
+ run_iptables -A WAN2INT -p udp -s 139.x.x.226 --sport 1024:65535 --dst-range 139.x.x.153-139.x.x.156 --dport 1024:65535 -j ACCEPT
+ '[' -n '' ']'
+ /usr/sbin/iptables -A WAN2INT -p udp -s 139.x.x.226 --sport 1024:65535 --dst-range 139.x.x.153-139.x.x.156 --dport 1024:65535 -j ACCEPT
iptables v1.3.5: Unknown arg `--dst-range'
Try `iptables -h' or 'iptables --help' for more information.
+ '[' 2 -ne 0 ']'
+ error_message 'ERROR: Command "/usr/sbin/iptables -A' WAN2INT -p udp -s 139.x.x.226 --sport 1024:65535 --dst-range 139.x.x.153-139.x.x.156 --dport 1024:65535 -j 'ACCEPT" Failed'
+ echo ' ERROR: Command "/usr/sbin/iptables -A' WAN2INT -p udp -s 139.x.x.226 --sport 1024:65535 --dst-range 139.x.x.153-139.x.x.156 --dport 1024:65535 -j 'ACCEPT" Failed'
ERROR: Command "/usr/sbin/iptables -A WAN2INT -p udp -s 139.x.x.226 --sport 1024:65535 --dst-range 139.x.x.153-139.x.x.156 --dport 1024:65535 -j ACCEPT" Failed
+ stop_firewall
+ case $COMMAND in
+ set +x
-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/

Niedermeier Günter wrote:
> Hi,
>
> I have the following problem while activating this rule entry using shorewall-shell:
>
> ACCEPT:notice:rul WAN:139.x.x.226 INT:139.x.x.153-139.x.x.156 udp 1024:65535 1024:65535
>
> "-m iprange" in front of "--dst-range" is missing in the activation command.
>
> The logging entry (above) is set correctly.
>
> Below is the debug output.

I cannot reproduce this problem -- you'll need to forward a complete trace.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key

Hi Tom,

the tracefile is too big to append it to the mailing list.

So I am sending it directly to you.

Shorewall was called with "shorewall trace restart -C shell".
Using "shorewall trace restart -C perl" works fine.

I also have my config dir attached.

Thanks for your help
--Günter

Tom Eastep wrote:
> Niedermeier Günter wrote:
>> Hi,
>>
>> I have the following problem while activating this rule entry using shorewall-shell:
>>
>> ACCEPT:notice:rul WAN:139.x.x.226 INT:139.x.x.153-139.x.x.156 udp 1024:65535 1024:65535
>>
>> "-m iprange" in front of "--dst-range" is missing in the activation command.
>>
>> The logging entry (above) is set correctly.
>>
>> Below is the debug output.
>
> I cannot reproduce this problem -- you'll need to forward a complete trace.
>
> -Tom

Niedermeier Günter wrote:
> Hi Tom,
>
> the tracefile is too big to append it to the mailing list.
>
> So I am sending it directly to you.
>
> Shorewall was called with "shorewall trace restart -C shell".
> Using "shorewall trace restart -C perl" works fine.
>
> I also have my config dir attached.
>

I had just succeeded in reproducing the problem when your post arrived.

Attached please find a patch for /usr/share/shorewall-shell/compiler. It works for me in my test cases but please verify it in your case.

Thanks,
-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key

Wonderful! The patch works.

Thank you very much for this extremely fast solution.

--Günter
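
The failure reported in this thread can be checked for mechanically before a generated ruleset is applied. The following is an added example, not part of the original posts and not the patch Tom attached; the function names `check_iprange_order` and `sample_commands` are hypothetical, and the sample input is constructed from the two commands in the trace of the first message.

```shell
#!/bin/sh
# iptables reads its arguments left to right, so --src-range/--dst-range are
# only known once "-m iprange" has been seen. This check flags any command
# line where a range option appears before (or without) that match.

# check_iprange_order (hypothetical name): reads one iptables command per
# line on stdin, prints "LINENO: command" for each offender and returns 1
# if at least one was found, 0 otherwise.
check_iprange_order() {
    awk '
    {
        loaded = 0; bad = 0
        for (i = 1; i <= NF; i++) {
            # "-m iprange" or "--match iprange" loads the extension
            if (($i == "-m" || $i == "--match") && $(i + 1) == "iprange")
                loaded = 1
            # a range option before the extension is loaded is rejected
            if (($i == "--src-range" || $i == "--dst-range") && !loaded)
                bad = 1
        }
        if (bad) { printf "%d: %s\n", NR, $0; found = 1 }
    }
    END { exit (found ? 1 : 0) }
    '
}

# Constructed sample: the LOG and ACCEPT commands from the trace in this
# thread, each on one line, addresses masked as in the post.
sample_commands() {
    cat <<'EOF'
/usr/sbin/iptables -A WAN2INT -p udp --sport 1024:65535 -s 139.x.x.226 -m iprange --dst-range 139.x.x.153-139.x.x.156 --dport 1024:65535 -j LOG --log-level notice --log-prefix 'Shorewall:WAN2INT:ACCEPT:rul '
/usr/sbin/iptables -A WAN2INT -p udp -s 139.x.x.226 --sport 1024:65535 --dst-range 139.x.x.153-139.x.x.156 --dport 1024:65535 -j ACCEPT
EOF
}

# Only the ACCEPT command (line 2) is reported; the LOG command is well formed.
sample_commands | check_iprange_order || echo "range option used without -m iprange"
```

Because the firewall is stopped when a command fails (`stop_firewall` in the trace), running such a check on the generated commands first avoids dropping into the stopped state on a production gateway.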