Hi there,

I was testing Shorewall 1.3.6 (updated with the "firewall" script from
CVS) with iptables 1.2.7, and encountered the following problem when
starting Shorewall:

Starting Shorewall...
[...]
Configuring Proxy ARP
Setting up NAT...
Adding Common Rules
iptables: Invalid argument
Terminated

I tracked the problem down to the following rule in the "add_common_rules"
function of "firewall":

run_iptables -A badpkt -p !tcp -j LOG $logoptions

Here, run_iptables is actually invoked as:

run_iptables -A badpkt -p !tcp -j LOG --log-prefix Shorewall:badpkt:DROP: --log-level info --log-ip-options

It seems that the "Invalid argument" is being triggered by the inverted tcp.

Has anybody also encountered this?

--eric
On Mon, 19 Aug 2002, Eric E. Bowles wrote:

> Hi there,
>
> I was testing Shorewall 1.3.6 (updated with the "firewall" script from
> CVS) with iptables 1.2.7, and encountered the following problem when
> starting Shorewall:
>
> Starting Shorewall...
> [...]
> Configuring Proxy ARP
> Setting up NAT...
> Adding Common Rules
> iptables: Invalid argument
> Terminated
>
> I tracked the problem down to the following rule in the "add_common_rules"
> function of "firewall":
>
> run_iptables -A badpkt -p !tcp -j LOG $logoptions
>
> Here, run_iptables is actually invoked as:
>
> run_iptables -A badpkt -p !tcp -j LOG --log-prefix Shorewall:badpkt:DROP: --log-level info --log-ip-options
>
> It seems that the "Invalid argument" is being triggered by the inverted tcp.
>
> Has anybody also encountered this?
>

This problem has been reported in the Netfilter mailing list (although not
in relation to Shorewall). Seems that iptables 1.2.7 made a number of
incompatible syntax changes...

I'll try to get something out today....

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
On Mon, 19 Aug 2002, Tom Eastep wrote:

>
> This problem has been reported in the Netfilter mailing list (although not
> in relation to Shorewall). Seems that iptables 1.2.7 made a number of
> incompatible syntax changes...
>
> I'll try to get something out today....
>

http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Tom,

Thanks for the changes to the "firewall" file to support iptables 1.2.7.
However, I still get an error when specifying "dropunclean" for an
interface. The error message is:

# shorewall restart
Processing /etc/shorewall/shorewall.conf ...
[...]
Adding Common Rules
iptables: No chain/target/match by that name
Terminated

Looking at the source, one of the iptables commands uses the "logpkt"
table instead of "badpkt" when dealing with dropunclean. I think this
fixes the problem:

---------------------------------------------------------------------------
--- firewall.old	Thu Aug 22 16:39:29 2002
+++ firewall.new	Thu Aug 22 16:29:28 2002
@@ -2787,7 +2787,7 @@
 	    logoptions="$LOGPARAMS --log-prefix Shorewall:badpkt:DROP:"
 	    logoptions="$logoptions --log-level $LOGUNCLEAN --log-ip-options"
 	    run_iptables -A badpkt -p tcp -j LOG $logoptions --log-tcp-options
-	    run_iptables -A logpkt -p tcp -j DROP # Workaround for iptables 1.2.7
+	    run_iptables -A badpkt -p tcp -j DROP # Workaround for iptables 1.2.7
 	    run_iptables -A badpkt -j LOG $logoptions
 	fi
---------------------------------------------------------------------------

--eric
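Review bot: the removed line appends the tcp DROP to "logpkt", a chain that is never created in the surrounding context, which is exactly what produces "No chain/target/match by that name"; the added line moves it to "badpkt" so that all three rules in the block target the same chain. Because tcp is now logged (with --log-tcp-options) and dropped before the unconditional `run_iptables -A badpkt -j LOG $logoptions`, only non-tcp packets reach that second LOG; it is worth confirming that the chain is terminated by an unconditional DROP somewhere after the `fi` shown here, otherwise non-tcp unclean packets would be logged but not dropped. A short comment above the block saying why tcp is split out (iptables 1.2.7 rejects the inverted `-p !tcp` match) would explain the intent better than the trailing "# Workaround" remark on a single line.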
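The pattern used in the patch above, as an added example written for this page (it is not Shorewall's "firewall" script and not the errata file Tom linked): instead of the inverted protocol match `-p !tcp` that iptables 1.2.7 rejects with "Invalid argument", tcp is handled first (logged with `--log-tcp-options`, then dropped), so whatever reaches the later rules is non-tcp by construction and can be logged without tcp options. Every rule is attached to the one chain being built, which is the bug the patch fixes, and a final unconditional DROP is added so nothing falls off the end of the chain. The `IPTABLES` dry-run variable, the `LOGPARAMS`/`LOGUNCLEAN` stand-ins and the `build_badpkt_chain` / `badpkt_rules` / `uses_inverted_proto` function names are assumptions made for this example, not names from Shorewall.

```shell
#!/bin/sh
# Added example, not Shorewall code. Builds a "badpkt"-style chain without
# an inverted protocol match ("-p !tcp"), which iptables 1.2.7 rejects.
#
# IPTABLES defaults to "echo iptables" so the script runs offline and only
# prints the rules it would add; set IPTABLES=iptables (as root) to apply them.
IPTABLES=${IPTABLES:-"echo iptables"}

# Hypothetical stand-ins for Shorewall's $LOGPARAMS / $LOGUNCLEAN settings.
LOGPARAMS=${LOGPARAMS:-}
LOGUNCLEAN=${LOGUNCLEAN:-info}

run_iptables() {
    # shellcheck disable=SC2086  # IPTABLES is meant to word-split ("echo iptables")
    $IPTABLES "$@"
}

# Emit the rules for the chain named in $1. Every rule targets that one
# chain; the "No chain/target/match by that name" error in the thread came
# from a rule aimed at a chain ("logpkt") that had never been created.
build_badpkt_chain() {
    chain=$1
    logoptions="$LOGPARAMS --log-prefix Shorewall:${chain}:DROP: --log-level $LOGUNCLEAN --log-ip-options"
    run_iptables -N "$chain"
    # tcp first: log with tcp options, then drop.
    run_iptables -A "$chain" -p tcp -j LOG $logoptions --log-tcp-options
    run_iptables -A "$chain" -p tcp -j DROP
    # Only non-tcp traffic reaches this point, so no inverted match is needed
    # and --log-tcp-options (a tcp-only option) is left out.
    run_iptables -A "$chain" -j LOG $logoptions
    # Terminate the chain unconditionally so nothing is logged but not dropped.
    run_iptables -A "$chain" -j DROP
}

# The generated rule set for the chain "badpkt", one rule per line.
badpkt_rules() {
    build_badpkt_chain badpkt
}

# Check that no generated rule relies on protocol inversion (either the
# old "-p !tcp" spelling or the later "! -p tcp" one).
uses_inverted_proto() {
    badpkt_rules | grep -q -e '-p !' -e '! -p'
}

badpkt_rules
```

Run it as-is to see the five iptables invocations it would issue; because the dry run only echoes, the output can be diffed against what an `iptables -L badpkt` listing shows after the real script has run.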