Shorewall users - Jul 2003 - Possible parsing bug?

The documentation seems to indicate that this type of syntax is correct
but, it''s generating an iptables error that a protocol (TCP or UDP) is
required. I ran a shorewall debug start and indeed shorewall is missing
the protocol on the iptables commandline. I think that perhaps it is
simply a parsing bug. Here is the rule:

REDIRECT  wap0!wap1  5820  tcp  www,https  -  !192.168.2.1

If I write it as a DNAT rule it gives the same error:

DNAT  wap0!wap1  fw:192.168.2.1:5820  tcp  www,https  -  !192.168.2.1

But some other DNAT rules with the excluded zone syntax seem to work..

Thanks,
John

On Mon, 2003-07-14 at 08:24, John Laur wrote:
> The documentation seems to indicate that this type of syntax is correct
> but, it''s generating an iptables error that a protocol (TCP or
UDP) is
> required. I ran a shorewall debug start and indeed shorewall is missing
> the protocol on the iptables commandline. I think that perhaps it is
> simply a parsing bug. Here is the rule:
> 
> REDIRECT  wap0!wap1  5820  tcp  www,https  -  !192.168.2.1
> 
> If I write it as a DNAT rule it gives the same error:
> 
> DNAT  wap0!wap1  fw:192.168.2.1:5820  tcp  www,https  -  !192.168.2.1
> 
> But some other DNAT rules with the excluded zone syntax seem to work..
> 
Which version of Shorewall are you running?

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

> > The documentation seems to indicate that this type of syntax is
correct
> > but, it''s generating an iptables error that a protocol (TCP
or UDP)
is
> > required. I ran a shorewall debug start and indeed shorewall is
missing
> > the protocol on the iptables commandline. I think that perhaps it is
> > simply a parsing bug. Here is the rule:
> >
> > REDIRECT  wap0!wap1  5820  tcp  www,https  -  !192.168.2.1
> >
> > If I write it as a DNAT rule it gives the same error:
> >
> > DNAT  wap0!wap1  fw:192.168.2.1:5820  tcp  www,https  -
!192.168.2.1
> >
> > But some other DNAT rules with the excluded zone syntax seem to
work..
> >
> 
> Which version of Shorewall are you running?
Sorry, forgot to include this information. I have tried it on 1.4.5 and
the 1.4.6 Beta 2. I made a mistake in the rules earlier. I expanded the
shell variables I have them actually running with mentally, and gave the
wrong IP. The excluded ORIGINAL DESTINATION was actually a machine other
than the firewall.. it is the NoCatAuth server (I''m currently testing
with auth.nocat.net which is 216.218.203.211) So, the rules above should
have been:

REDIRECT  wap0!wap1  5820  tcp  www,https  -  !216.218.203.211
Or
DNAT  wap0!wap1  fw:192.168.2.1:5820  tcp  www,https  -
!216.218.203.211

I also wanted to check the following syntax to make sure it works as
documented also:
REDIRECT  wap0!wap1,wap2,wap3  5820  tcp  www,https  -  !216.218.203.211

Here is some relevant info from a shorewall debug start. Sorry I can''t
provide more since I''m outside of my home firewall here at work and
running this command would take it down :)

+ addnatrule nonat1 -d ''!216.218.203.211'' -j REDIRECT
--to-port 5280
+ ensurenatchain nonat1
+ havenatchain nonat1
+ eval test ''"$nonat1_nat_exists"'' = Yes
++ test Yes = Yes
+ run_iptables2 -t nat -A nonat1 -d ''!216.218.203.211'' -j
REDIRECT
--to-port 528
0
+ ''['' ''x-t nat -A nonat1 -d  -j REDIRECT --to-port
5280'' = ''x-t nat -A
nonat1 -d
 !216.218.203.211 -j REDIRECT --to-port 5280'' '']''
++ fix_bang -t nat -A nonat1 -d ''!216.218.203.211'' -j REDIRECT
--to-port
5280
++ local i
++ echo -t
++ echo nat
++ echo -A
++ echo nonat1
++ echo -d
++ echo ''! 216.218.203.211''
++ echo -j
++ echo REDIRECT
++ echo --to-port
++ echo 5280
+ run_iptables -t nat -A nonat1 -d ''!'' 216.218.203.211 -j
REDIRECT
--to-port 528
0
+ iptables -t nat -A nonat1 -d ''!'' 216.218.203.211 -j REDIRECT
--to-port
5280
iptables v1.2.8: Need TCP or UDP with port specification
Try `iptables -h'' or ''iptables --help'' for more
information.
+ ''['' -z '''' '']''
+ stop_firewall
+ set +x

John

On Mon, 2003-07-14 at 09:20, John Laur wrote:
> Sorry, forgot to include this information. I have tried it on 1.4.5 and
> the 1.4.6 Beta 2.
Updated firewall scripts for both 1.4.5 and 1.4.6Beta2 are available at:

	http://shorewall.net/pub/shorewall/errata
	ftp://shorewall.net/pub/shorewall/errata

I have tested the 1.4.6Beta2 version (running it here) -- the 1.4.5
version contains a similar fix so it should work (famous last words).

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

On Mon, 2003-07-14 at 09:35, Tom Eastep wrote:
> 
> I have tested the 1.4.6Beta2 version (running it here) -- the 1.4.5
> version contains a similar fix so it should work (famous last words).
Sure enough -- the 1.4.5 version had a bug. There''s a new version
available (and again, the permission problem with the 1.4.6Beta2 version
has been resolved).

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net