The problem is as follows: In the Shorewall/Rules.pm function setup_rfc1918_filteration is the following line:

#-- Begin code snippet --#
add_rule $chainref , match_orig_dest( $network ) . "-j $target" ;
#-- End code snippet --#

The problem is, when CONNTRACK_MATCH isn't available, the Shorewall/Chains.pm function match_orig_dest() returns an empty string. This adds the following netfilter rule, causing ALL traffic from this interface to be handled as rfc1918 traffic and subsequently dropped.

#-- Begin code snippet --#
-A norfc1918 -j rfc1918
#-- End code snippet --#

I'm not submitting a patch because I'm not sure how you'd like to fix the problem. The simplest way is to put something like the following at the beginning of setup_rfc1918_filteration.

#-- Begin code snippet --#
if (! match_orig_dest('10.0.0.0/8')) {
    ## Produce Error Here - norfc1918 option requires conntrack
}
#-- End code snippet --#

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
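As an added illustration (not Heath's code, not Tom's patch and not Shorewall's own source), the following stand-alone Perl script models the failure mode described in the message above: a match helper that returns an empty string when the capability is absent, a rule builder that blindly concatenates it and so emits a catch-all `-A norfc1918 -j rfc1918`, and a guarded builder that refuses to compile the rule instead. The `%capabilities` hash, the `rfc1918_rule_*` function names and the exact `-m conntrack --ctorigdst` match text are assumptions made for the illustration, not Shorewall's API.

```perl
#!/usr/bin/perl
# Added illustration, not Shorewall code: shows how an empty match clause
# turns a scoped rule into a catch-all, and the guard that rejects it.
use strict;
use warnings;

# Hypothetical stand-in for Shorewall's capability detection.
my %capabilities = ( CONNTRACK_MATCH => 0 );

# Mirrors the behaviour reported in the thread: without CONNTRACK_MATCH the
# helper returns '' instead of a match clause (match syntax assumed here).
sub match_orig_dest {
    my ($network) = @_;
    return $capabilities{CONNTRACK_MATCH}
        ? "-m conntrack --ctorigdst $network "
        : '';
}

# Unguarded builder: concatenates whatever match_orig_dest() returns, so an
# empty string yields a rule that matches every packet entering the chain.
sub rfc1918_rule_unguarded {
    my ($chain, $network, $target) = @_;
    return "-A $chain " . match_orig_dest($network) . "-j $target";
}

# Guarded builder: the check proposed at the end of the message. An empty
# match clause is a configuration error, not a rule to emit.
sub rfc1918_rule_guarded {
    my ($chain, $network, $target) = @_;
    my $match = match_orig_dest($network);
    die "norfc1918 option requires the conntrack match capability\n"
        unless $match;
    return "-A $chain $match-j $target";
}

my ($chain, $network, $target) = ( 'norfc1918', '10.0.0.0/8', 'rfc1918' );

# Capability absent: the unguarded rule carries no destination match at all.
print "unguarded: ", rfc1918_rule_unguarded($chain, $network, $target), "\n";

# The guarded builder fails at compile time instead of emitting a catch-all.
eval { rfc1918_rule_guarded($chain, $network, $target) };
print "guarded:   compile error: $@" if $@;

# Capability present: both builders now produce a rule scoped to $network.
$capabilities{CONNTRACK_MATCH} = 1;
print "guarded:   ", rfc1918_rule_guarded($chain, $network, $target), "\n";
```

Running it with `perl` prints the catch-all rule first, then the compile-time error from the guarded builder, then the properly scoped rule once the capability flag is set. The defensive point is that a helper which can return an empty match must never be spliced straight into a rule that ends in a DROP target; either the caller checks the return value, or the helper refuses to return an empty clause.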
Heath Petersen wrote:
> I'm not submitting a patch because I'm not sure how you'd like to fix
> the problem. The simplest way is to put something like the following at
> the beginning of setup_rfc1918_filteration.

I think I like the attached patch better.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Heath Petersen wrote:
>
>> I'm not submitting a patch because I'm not sure how you'd like to fix
>> the problem. The simplest way is to put something like the following at
>> the beginning of setup_rfc1918_filteration.
>>
>
> I think I like the attached patch better.

Actually, this one is better.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
I'm sorry I didn't look into the code closer. This function is definitely the way to go.

Tom Eastep wrote:
> Heath Petersen wrote:
>
>> I'm not submitting a patch because I'm not sure how you'd like to fix
>> the problem. The simplest way is to put something like the following at
>> the beginning of setup_rfc1918_filteration.
>>
>
> I think I like the attached patch better.
>
> -Tom