The current thread on the User's List entitled "Multi-ISP in 2.4.0" includes
the following tcrules file:

##############################################################################
#MARK   SOURCE  DEST    PROTO   PORT(S) CLIENT  USER    TEST
#                                       PORT(S)
201:P   eth2    ppp1    -
200:P   eth3    ppp0    -
201:P   eth4    ppp1    -

Given that the packets are being marked in the PREROUTING chain, a
destination device should not be allowed in the rule; nevertheless, iptables
is not generating an error (the rule is being added to the 'tcpre' which is
jumped to from the PREROUTING chain -- this sort of violation is supposed to
generate an error but isn't). The result in this poster's case is three
nonsensical rules which I would guess will never match any packets
("shorewall show mangle" needed to be sure).

It would be a good idea to modify 'add_tc_rule()' to check for this condition
and generate an error.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
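
The check proposed in the message above, sketched as a standalone lint over tcrules entries. This is an added example, not part of the original message and not Shorewall's add_tc_rule(); the function names are hypothetical, and it assumes that a DEST value which is not "-", "all" or an IPv4 address/CIDR list is an interface name.

```shell
#!/bin/sh
# Added example: standalone lint for tcrules entries (hypothetical helper names).
# Assumption: a DEST that is not "-", "all" or an IPv4 address/CIDR list is an
# interface name, i.e. something that would become an iptables "-o" match.

# is_interface VALUE: return 0 when VALUE looks like an interface name.
is_interface() {
    case "$1" in
        ''|-|all)    return 1 ;;
        *[!0-9./,]*) return 0 ;;   # has a character no IPv4 address list contains
        *)           return 1 ;;
    esac
}

# check_tcrule MARK SOURCE DEST: fail when a PREROUTING mark names a DEST device.
# Output interfaces are not known yet in PREROUTING, so such a rule cannot match.
check_tcrule() {
    mark=$1
    dest=$3
    case "$mark" in
        *:P) ;;                    # explicitly marked in PREROUTING
        *)   return 0 ;;           # :F or default chain: not checked here
    esac
    if is_interface "$dest"; then
        echo "ERROR: DEST interface '$dest' not allowed with PREROUTING mark '$mark'" >&2
        return 1
    fi
    return 0
}

# lint_tcrules: read tcrules text on stdin and echo the number of rejected rules.
lint_tcrules() {
    bad=0
    while read -r mark source dest rest; do
        case "$mark" in ''|\#*) continue ;; esac   # skip blank and comment lines
        check_tcrule "$mark" "$source" "$dest" || bad=$((bad + 1))
    done
    echo "$bad"
}

# The three rules from the message above; all three are rejected.
lint_tcrules <<'EOF'
#MARK   SOURCE  DEST    PROTO
201:P   eth2    ppp1    -
200:P   eth3    ppp0    -
201:P   eth4    ppp1    -
EOF
```
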

Thanks Tom, so I'm not losing it, I was doing a bit of head scratching
there.
Jerry