Niedermeier Günter
2007-Aug-08 22:14 UTC
Problem with multiport assignment in shorewall rules
Hi,
is it a problem of mine, or a shorewall problem? I don't know yet.
This error occurs only when running shorewall-shell.
Shorewall-perl is running fine.
I get this error while starting up shorewall 4.0.1
(incl. patches) when using the following rule entry
> ACCEPT:notice INT WAN:139.25.165.186 udp - 161,162 <
(starting in debug mode)
-----------------------------------------------------------------------
+ /usr/sbin/iptables -A INT2WAN -p udp --sports 161,162 -m multiport -d 139.25.165.186 -j LOG --log-level notice --log-prefix 'Shorewall:INT2WAN:ACCEPT:rul '
iptables v1.3.5: Unknown arg `--sports'
Try `iptables -h' or 'iptables --help' for more information.
-----------------------------------------------------------------------
When I change the order from
-p udp --sports 161,162 -m multiport
to
-p udp -m multiport --sports 161,162
then it works.
have a nice day
--Wanninger
I've made a short diff for what I've changed to shorewall 4.0.1
(incl. patch-shell-4.0.1-1.diff)
PATCH:
------------------------------------------------------------------------
diff -Naur org/shorewall-shell/compiler new/shorewall-shell/compiler
--- org/shorewall-shell/compiler 2007-07-30 16:46:16.000000000 +0200
+++ new/shorewall-shell/compiler 2007-08-08 15:47:44.000000000 +0200
@@ -1671,11 +1671,11 @@
if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then
for adr in $(separate_list $addr); do
- run_iptables -A $logchain $state $(fix_bang $proto
$sports $multiport $dports) $user -m conntrack --ctorigdst $adr -j $chain
+ run_iptables -A $logchain $state $(fix_bang $proto
$multiport $sports $dports) $user -m conntrack --ctorigdst $adr -j $chain
done
addr else
- run_iptables -A $logchain $state $(fix_bang $cli $proto
$sports $multiport $dports) $user -j $chain
+ run_iptables -A $logchain $state $(fix_bang $cli $proto
$multiport $sports $dports) $user -j $chain
fi
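Review bot: the reorder to `$proto $multiport $sports $dports` is the actual fix: when a port list is given, `--sports`/`--dports` are options of the multiport match, and iptables rejects them with the `Unknown arg '--sports'` shown above unless `-m multiport` has already appeared earlier on the command line. Keep `$proto` ahead of `$multiport` as this hunk does; the multiport match is protocol-specific and needs `-p` to have been set before it parses the port list. For whoever applies this: the mail client has wrapped each changed line in two and fused `addr` onto the `else` context line, so the hunk needs hand repair before `patch` will take it.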
cli@@ -1884,7 +1884,7 @@
for adr in $(separate_list $addr); do
if [ -n "$loglevel" -a -z
"$natrule" ]; then
log_rule_limit $loglevel $chain
$logchain $logtarget "$ratelimit" "$logtag" -A -m conntrack
--ctorigdst
$adr \
- $user $mrk $(fix_bang $proto
$sports $multiport $cli $(dest_ip_range $srv) $dports) $state
+ $user $mrk $(fix_bang $proto
$multiport $sports $cli $(dest_ip_range $srv) $dports) $state
fi
run_iptables2 -A $chain $state
$proto $ratelimit $multiport $cli $sports \
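Review bot: consistency point worth stating in the commit message: after this change the logging rule orders its matches the same way as the `run_iptables2 -A $chain $state $proto $ratelimit $multiport $cli $sports` call two lines below, which already had `$multiport` ahead of `$sports`. That is why only the `:notice` logging variant of the rule failed for the reporter, and the patch touching shorewall-shell alone is consistent with shorewall-perl being unaffected.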
@@ -1899,7 +1899,7 @@
if [ -n "$loglevel" -a -z
"$natrule" ]; then
log_rule_limit $loglevel $chain
$logchain $logtarget "$ratelimit" "$logtag" -A $user $mrk \
- $state $(fix_bang $proto $sports
$multiport $cli $(dest_ip_range $srv) $dports)
+ $state $(fix_bang $proto $multiport
$sports $cli $(dest_ip_range $srv) $dports)
fi
if [ -n "$nonat" ]; then
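Review bot: same reorder as the hunks above, nothing further on the logic; but the diff as pasted cannot be applied as-is: the `+` line here is split by the mail client after `$(fix_bang $proto $multiport`, and the previous hunk's `@@ -1884,7 +1884,7 @@` header has `cli` fused to its front. Please attach the diff as a file rather than pasting it inline so the line structure survives.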
@@ -1922,7 +1922,7 @@
if [ -n "$loglevel" -a -z "$natrule" ];
then
log_rule_limit $loglevel $chain $logchain
$logtarget "$ratelimit" "$logtag" -A $user $mrk \
- $state $(fix_bang $proto $sports $multiport $cli
$dports)
+ $state $(fix_bang $proto $multiport $sports $cli
$dports)
fi
[ -n "$nonat" ] && \
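Review bot: this is the fourth site in one file where the same `$proto $sports $multiport` argument list is being corrected by hand. Consider assembling the match-argument string once in a helper and reusing it from the logging and non-logging paths, so a future change to the ordering cannot miss one of the sites again.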
diff -Naur org/shorewall-shell/lib.actions new/shorewall-shell/lib.actions
--- org/shorewall-shell/lib.actions 2007-07-30 16:46:16.000000000 +0200
+++ new/shorewall-shell/lib.actions 2007-08-08 15:50:12.000000000 +0200
@@ -80,7 +80,7 @@
{
build_exclusion_chain chain1 filter "$excludesource"
"$excludedest"
- run_iptables -A $chain $(fix_bang $cli $proto $sports $multiport
$dports) $user -j $chain1
+ run_iptables -A $chain $(fix_bang $cli $proto $multiport $sports
$dports) $user -j $chain1
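Review bot: here `$cli` comes before `$proto`, unlike the compiler hunks; that is fine, since the only ordering iptables cares about is `-p` before `-m multiport` before `--sports`/`--dports`, and the new line keeps all three in that order. Minor: the stray `cli proto` text fused to the next hunk header below is paste damage, not part of the diff.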
cli proto@@ -219,7 +219,7 @@
for srv in $(firewall_ip_range $serv1); do
if [ -n "$loglevel" ]; then
log_rule_limit $loglevel $chain1 $action $logtarget
"$ratelimit" "$logtag" -A $user \
- $(fix_bang $proto $sports $multiport $cli
$(dest_ip_range $srv) $dest_interface $dports)
+ $(fix_bang $proto $multiport $sports $cli
$(dest_ip_range $srv) $dest_interface $dports)
fi
run_iptables2 -A $chain1 $proto $multiport $cli $sports \
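Review bot: style point: the logging rule now orders the matches `$multiport $sports $cli`, while the `run_iptables2 -A $chain1 $proto $multiport $cli $sports` call right below orders them `$multiport $cli $sports`. Both are valid, because in each the multiport match precedes the port options, but aligning the two would make the generated log rule and accept rule obviously equivalent when someone reads the compiled script.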
@@ -229,7 +229,7 @@
else
if [ -n "$loglevel" ]; then
log_rule_limit $loglevel $chain1 $action $logtarget
"$ratelimit" "$logtag" -A $user \
- $(fix_bang $proto $sports $multiport $cli
$dest_interface $dports)
+ $(fix_bang $proto $multiport $sports $cli
$dest_interface $dports)
fi
run_iptables2 -A $chain1 $proto $multiport $cli $dest_interface
$sports \
------------------------------------------------------------------------
--
This message was scanned by ESVA and is believed to be clean.
-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
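The ordering rule behind the error in the report, as an added example in POSIX sh that is not Shorewall's code: a builder that emits the port-match arguments in the order iptables accepts, and a checker that flags the misordering shown in the debug output. The function names and Shorewall's "-" placeholder convention are assumptions.

```shell
# Added example, not Shorewall's code. Builds the port-match part of an
# iptables rule in the order iptables accepts and checks a finished
# argument string for the misordering seen in the thread. Shorewall's
# "-" placeholder stands for "no value"; function names are assumptions.
#   required order:  -p <proto>   -m multiport   --sports/--dports <list>

port_match_args() {
    proto=$1; sports=$2; dports=$3
    args=""; multiport=""
    case "$sports$dports" in
        *,*) multiport="-m multiport" ;;     # any port list needs the match
    esac
    if [ "$proto" != "-" ]; then args="-p $proto"; fi
    if [ -n "$multiport" ]; then
        if [ "$proto" = "-" ]; then return 1; fi   # multiport needs -p first
        args="$args $multiport"                    # before --sports/--dports
        if [ "$sports" != "-" ]; then args="$args --sports $sports"; fi
        if [ "$dports" != "-" ]; then args="$args --dports $dports"; fi
    else                                           # single ports: no match
        if [ "$sports" != "-" ]; then args="$args --sport $sports"; fi
        if [ "$dports" != "-" ]; then args="$args --dport $dports"; fi
    fi
    printf '%s\n' "${args# }"
}

# Return 0 if every --sports/--dports follows "-m multiport" and that match
# follows -p; return 1 for the order iptables rejected ("Unknown arg").
check_multiport_order() {
    seen_p=0; seen_mp=0; prev=""
    for word in $1; do
        case "$word" in
            -p) seen_p=1 ;;
            multiport)
                if [ "$prev" = "-m" ]; then
                    if [ "$seen_p" -ne 1 ]; then return 1; fi  # match before -p
                    seen_mp=1
                fi ;;
            --sports|--dports)
                if [ "$seen_mp" -ne 1 ]; then return 1; fi     # list before match
                ;;
        esac
        prev=$word
    done
    return 0
}

# The two orders from the report: the first fails, the second works.
check_multiport_order "-p udp --sports 161,162 -m multiport" || echo "rejected: --sports before -m multiport"
check_multiport_order "-p udp -m multiport --sports 161,162" && echo "accepted"
```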
Tom Eastep
2007-Aug-09 00:38 UTC
Re: Problem with multiport assignment in shorewall rules
Niedermeier Günter wrote:
> I've made a short diff for what I've changed to shorewall 4.0.1
> (incl. patch-shell-4.0.1-1.diff)

Thanks -- applied.

-Tom

--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Niedermeier Günter
2007-Aug-09 06:08 UTC
Re: Problem with multiport assignment in shorewall rules
Tom Eastep wrote:
> Niedermeier Günter wrote:
>
>> I've made a short diff for what I've changed to shorewall 4.0.1
>> (incl. patch-shell-4.0.1-1.diff)
>>
>
> Thanks -- applied.
>
> -Tom

...can you verify it with older versions, e.g. 3.4.5 or 3.2.10? The same order exists in these versions too.

>...$proto $sports $multiport...<

--Günter