Stanislav wrote:
> Hello all,
>
> -----------------------------------------------------------------
> This rule entry:
>
> ACTION SOURCE DEST PRT DSTP SRCP ORG
> DNAT extra fw:10.10.10.1:3128 tcp 80 - !10.10.10.0/24
>
>
> Generates after 'shorewall save' this restore entry:
>
> -A extra2fw -d 10.10.10.1 -p tcp -m tcp --dport 3128 -m conntrack --ctorigdst !10.10.10.0/24 -j ACCEPT
>
>
> -----------------------------------------------------------------
> Executing it with 'sh restore' (the same as booting):
>
> sh restore.old
> Loading kernel modules...
> Restoring Proxy ARP...
> Restoring one-to-one NAT...
> Restoring ARP filtering...
> Restoring Route Filtering...
> Restoring Martian Logging...
> Restoring Accept Source Routing...
> Restoring IP Forwarding...
> Restoring Masquerading/SNAT...
> Restoring Netfilter Configuration...
> iptables-restore v1.2.11: host/network `!10.10.10.0' not found
> Error occurred at line: 255
> Try `iptables-restore -h' or 'iptables-restore --help' for more
> information.
>
>
> -----------------------------------------------------------------
> If I do 'shorewall restart' manually it doesn't complain
> and 'iptables -L -n' shows:
>
> ACCEPT tcp -- 0.0.0.0/0 10.10.10.1 tcp dpt:3128 ctorigdst !10.10.10.0/24
>
>
> -----------------------------------------------------------------
>
> I have to admit that it is with shorewall-2.4.9, therefore a hint
> about the location to patch would be great. Many Thanks.
The problem is in iptables-save, not Shorewall (actually, it's a bug in
libipt_conntrack.c).

Attached is a patch that I submitted to the netfilter team back in 2005 --
it was against iptables 1.3.3; if it doesn't apply cleanly to 1.2.11, it
should give you an idea of how to fix the problem.
Although I must say that it is probably time to upgrade your iptables (and
Shorewall).
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
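As an added illustration (not part of the thread or of Tom's patch), here is a small pre-restore check for a saved ruleset: it flags conntrack negations that iptables-save glued to the address ("--ctorigdst !10.10.10.0/24", which iptables-restore rejects as shown above) and writes a copy with the space iptables-restore expects ("--ctorigdst ! 10.10.10.0/24"). The sample file is constructed here; the function names are mine.

```shell
#!/bin/sh
# Constructed sample of a saved ruleset: the first line is the broken
# form from the thread, the second is the form iptables-restore accepts.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
-A extra2fw -d 10.10.10.1 -p tcp -m tcp --dport 3128 -m conntrack --ctorigdst !10.10.10.0/24 -j ACCEPT
-A extra2fw -d 10.10.10.1 -p tcp -m tcp --dport 3128 -m conntrack --ctorigdst ! 10.10.10.0/24 -j ACCEPT
EOF

# check_ct_negation FILE
# Prints (with line numbers, like the iptables-restore error) every
# --ctorigsrc/--ctorigdst/--ctreplsrc/--ctrepldst whose '!' is glued
# to the address. Returns 0 when the file is clean, 1 otherwise.
check_ct_negation() {
    ! grep -nE -- '--ct(orig|repl)(src|dst) +![^ ]' "$1"
}

# fix_ct_negation IN OUT
# Writes a copy of IN to OUT with "!addr" rewritten as "! addr" for the
# conntrack address options only; IN is left untouched so the original
# saved file can still be inspected.
fix_ct_negation() {
    sed -E 's/(--ct(orig|repl)(src|dst)) +!([^ ])/\1 ! \4/g' "$1" > "$2"
}
```

Run check_ct_negation against the file before handing it to iptables-restore at boot; a non-zero exit means the restore would fail the way the thread shows.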