abhisek sanyal
2008-Dec-19 20:55 UTC
"TCP_FLAGS_DISPOSITION=REJECT" and "TCP_FLAGS_LOG_LEVEL=info" causes error in shorewall
Hi all,

I am using "shorewall-perl-4.0.14-2.fc9.noarch", "shorewall-4.0.14-2.fc9.noarch", "shorewall-common-4.0.14-2.fc9.noarch" and "shorewall-shell-4.0.14-2.fc9.noarch" on my Fedora 9 machine, which is running kernel 2.6.25-14. It has been running quite well for the past few months. I saw an error when I enabled "tcpflags" and set the disposition to "REJECT" and the log level to "info".

Configuration - "TCP_FLAGS_LOG_LEVEL=info" and "TCP_FLAGS_DISPOSITION=REJECT" in /etc/shorewall/shorewall.conf, and the "tcpflags" option added for my Internet zone "wan" in the file "/etc/shorewall/interfaces".

Error - With the compiler set to "shell", I am getting the following error when starting / restarting shorewall:

    Setting up TCP Flags checking...
    iptables: Invalid argument
    ERROR: Command "/sbin/iptables -A logflags -j REJECT --reject-with tcp-reset" Failed

With the compiler set to "perl", I am getting the following error when doing a "shorewall debug restart":

    Running debug_restore_input...
    iptables: Invalid argument
    ERROR: Command "/sbin/iptables -A logflags -j REJECT --reject-with tcp-reset" Failed
    Processing /etc/shorewall/stop ...

I suspect that the protocol "tcp" is not being specified when the above rules for logging are being set. I added the following patch for "Rules.pm" in "/usr/share/shorewall-perl/Shorewall" and the Perl compiler version started working fine. The patch basically adds the "-p tcp" switch in the appropriate function.

--
With Regards,
Abhisek Sanyal
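As an added illustration of the failure described above (this is example code, not part of the original post and not Shorewall's own code), the kernel's REJECT target only accepts "--reject-with tcp-reset" on a rule that matches TCP, so a rule without "-p tcp" is refused with "iptables: Invalid argument" at load time. The script below lints a generated ruleset for exactly that mistake before it is handed to iptables, and shows the corrected pair of logflags rules. The function names, the sample rule lines and the log prefix are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post or from Shorewall.
# check_tcp_reset_rules: read iptables rule lines on stdin and flag every
# "--reject-with tcp-reset" rule that carries no "-p tcp" (or "--protocol
# tcp") match. The kernel's REJECT target refuses tcp-reset on a rule that
# does not match TCP, which is what "iptables: Invalid argument" signals.
# Returns 1 if any offending rule was found, 0 otherwise.
check_tcp_reset_rules() {
    bad=0
    while IFS= read -r rule; do
        case "$rule" in
            *--reject-with*tcp-reset*)
                case "$rule" in
                    *"-p tcp"*|*"--protocol tcp"*) ;;
                    *) printf 'missing -p tcp: %s\n' "$rule"; bad=1 ;;
                esac
                ;;
        esac
    done
    return $bad
}

# logflags_rules: emit the corrected logflags chain for a given log level,
# i.e. a LOG rule followed by a REJECT rule that is restricted to TCP so
# that tcp-reset is legal. The log prefix is an assumption for the example.
logflags_rules() {
    level=$1
    printf '%s\n' \
        "/sbin/iptables -A logflags -j LOG --log-level $level --log-prefix 'logflags:REJECT:'" \
        "/sbin/iptables -A logflags -p tcp -j REJECT --reject-with tcp-reset"
}

# Constructed sample ruleset: the rule Shorewall emitted in the post
# (no protocol match) next to the fixed form with "-p tcp".
SAMPLE_RULES='/sbin/iptables -A logflags -j LOG --log-level info
/sbin/iptables -A logflags -j REJECT --reject-with tcp-reset
/sbin/iptables -A logflags -p tcp -j REJECT --reject-with tcp-reset'

# Lint the sample; the second line is reported, the third passes.
printf '%s\n' "$SAMPLE_RULES" | check_tcp_reset_rules \
    || echo "ruleset contains rules the kernel will refuse"

# The corrected chain passes the same check.
logflags_rules info | check_tcp_reset_rules && echo "corrected logflags rules are valid"
```

Run the lint over the output of "shorewall compile" (or a shell-compiler script) before loading it; it catches the missing protocol match without needing root or a live netfilter, which is useful when the compiled script is produced on a build host rather than the firewall.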