Niedermeier Günter
2008-Dec-25 22:20 UTC
Problems with exclusion in host definition - shorewall 4.2.3 latest
Hi,

usually my shorewall inst. uses compiler=perl.

During some tests I changed my config to compiler=shell, and in this case I get an error like this:

--------------------------------------------------------

Setting up TCP Flags checking...
iptables v1.3.8: host/network `169.254.0.0/16!169.254.1.0' not found
Try `iptables -h' or 'iptables --help' for more information.
ERROR: Command "/usr/sbin/iptables -A eth2_fwd -p tcp -s 169.254.0.0/16!169.254.1.0/24 -j tcpflags" Failed
Processing /etc/shorewall/stop ...
IP Forwarding Enabled
Processing /etc/shorewall/stopped ...
/sbin/shorewall: line 742: 9333 Terminated $SHOREWALL_SHELL ${VARDIR}/.restart $debugging restart

--------------------------------------------------------

This is the corresponding entry in my hosts file:

INT eth2:1.1.1.100/32 routeback,blacklist,tcpflags
INT eth2:169.254.0.0/16!169.254.1.0/24 routeback,blacklist,tcpflags
INT eth2:192.168.101.0/24 routeback,blacklist,tcpflags

Using compiler=perl with exactly the same config runs fine.

Greets
Guenter
Shorewall Geek
2008-Dec-26 00:19 UTC
Re: Problems with exclusion in host definition - shorewall 4.2.3 latest
Niedermeier Günter wrote:
> Hi,
>
> usually my shorewall inst. uses compiler=perl.
>
> During some tests I changed my config to compiler=shell, and in this case
> I get an error like this:
>
> --------------------------------------------------------
>
> Setting up TCP Flags checking...
> iptables v1.3.8: host/network `169.254.0.0/16!169.254.1.0' not found
> Try `iptables -h' or 'iptables --help' for more information.
> ERROR: Command "/usr/sbin/iptables -A eth2_fwd -p tcp -s
> 169.254.0.0/16!169.254.1.0/24 -j tcpflags" Failed
> Processing /etc/shorewall/stop ...
> IP Forwarding Enabled
> Processing /etc/shorewall/stopped ...
> /sbin/shorewall: line 742: 9333 Terminated
> $SHOREWALL_SHELL ${VARDIR}/.restart $debugging restart

There are many bugs like this in Shorewall shell -- that's one of the primary reasons that we developed Shorewall Perl. I would not be surprised if many of the options available in /etc/shorewall/hosts blow up when the host group has exclusions.
Shorewall Geek
2008-Dec-26 17:07 UTC
Re: Problems with exclusion in host definition - shorewall 4.2.3 latest
Shorewall Geek wrote:
> Niedermeier Günter wrote:
>> Hi,
>>
>> usually my shorewall inst. uses compiler=perl.
>>
>> During some tests I changed my config to compiler=shell, and in this case
>> I get an error like this:
>>
>> --------------------------------------------------------
>>
>> Setting up TCP Flags checking...
>> iptables v1.3.8: host/network `169.254.0.0/16!169.254.1.0' not found
>> Try `iptables -h' or 'iptables --help' for more information.
>> ERROR: Command "/usr/sbin/iptables -A eth2_fwd -p tcp -s
>> 169.254.0.0/16!169.254.1.0/24 -j tcpflags" Failed
>> Processing /etc/shorewall/stop ...
>> IP Forwarding Enabled
>> Processing /etc/shorewall/stopped ...
>> /sbin/shorewall: line 742: 9333 Terminated
>> $SHOREWALL_SHELL ${VARDIR}/.restart $debugging restart
>
> There are many bugs like this in Shorewall shell -- that's one of the
> primary reasons that we developed Shorewall Perl. I would not be
> surprised if many of the options available in /etc/shorewall/hosts blow
> up when the host group has exclusions.

As it turns out, Shorewall-perl is ignoring the exclusion when generating rules for these OPTIONS:

blacklist
maclist
norfc1918
tcpflags

That will be corrected in 4.2.4. I've also documented that exclusion with any of these options is broken when using Shorewall-shell as Guenter has reported. I'll accept a patch for that if anyone is interested in writing and testing one.
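The failing rule above passed the hosts-file exclusion "169.254.0.0/16!169.254.1.0/24" straight to iptables, which has no such syntax and also accepts only one -s per rule. The following POSIX sh function is an added illustration of how such a host group has to be expanded (a helper chain that RETURNs for every excluded network, then jumps to the real target); it is not Shorewall's own compiler code, and the "-p tcp" match and the helper chain name CHAIN_TARGET_x are assumptions for the example.

```shell
#!/bin/sh
# Added illustration, not Shorewall code: expand one Shorewall-style host
# group NET!EXCL[,EXCL...] into iptables commands. The commands are
# printed, not executed, so this runs without iptables installed.
#
# Usage: expand_exclusion CHAIN HOSTGROUP TARGET
# Assumptions: the match is "-p tcp" (as in the tcpflags rule from the
# thread) and the helper chain is named CHAIN_TARGET_x, which in a real
# ruleset would have to be unique per host group.
expand_exclusion() {
    chain=$1
    hostgroup=$2
    target=$3

    case $hostgroup in
        *!*)
            net=${hostgroup%%!*}      # network before the first '!'
            excl=${hostgroup#*!}      # comma-separated excluded networks
            helper="${chain}_${target}_x"

            printf 'iptables -N %s\n' "$helper"
            # Excluded networks leave the helper chain before reaching TARGET.
            # Subshell so the changed IFS does not leak out of the loop.
            ( IFS=,
              for e in $excl; do
                  printf 'iptables -A %s -s %s -j RETURN\n' "$helper" "$e"
              done )
            # Everything else inside NET continues to the real target.
            printf 'iptables -A %s -j %s\n' "$helper" "$target"
            # The parent chain matches the whole NET and hands off to the helper.
            printf 'iptables -A %s -p tcp -s %s -j %s\n' "$chain" "$net" "$helper"
            ;;
        *)
            # No exclusion: one rule is enough.
            printf 'iptables -A %s -p tcp -s %s -j %s\n' "$chain" "$hostgroup" "$target"
            ;;
    esac
}

# Demonstration on the host group from the thread.
expand_exclusion eth2_fwd '169.254.0.0/16!169.254.1.0/24' tcpflags
```

The generated rule set never contains a literal "net!excluded" string, which is exactly what the shell compiler got wrong.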