I recently upgraded to iptables 1.4.2 and now shorewall won't start. I'm using shorewall-perl 4.2.5.2 and the output is:

defiant shorewall # shorewall debug start
Compiling...
Compiling /etc/shorewall/zones...
Compiling /etc/shorewall/interfaces...
Determining Hosts in Zones...
Preprocessing Action Files...
Pre-processing /usr/share/shorewall/action.Drop...
Pre-processing /usr/share/shorewall/action.Reject...
Compiling /etc/shorewall/policy...
Compiling /etc/shorewall/routestopped for critical hosts...
Compiling /etc/shorewall/routestopped...
Adding Anti-smurf Rules
Adding rules for DHCP
Compiling TCP Flags filtering...
$doing UPnP
Compiling Kernel Route Filtering...
Compiling Martian Logging...
Compiling /etc/shorewall/proxyarp...
Compiling /etc/shorewall/masq...
Compiling MAC Filtration -- Phase 1...
Compiling /etc/shorewall/rules...
Generating Transitive Closure of Used-action List...
Processing /usr/share/shorewall/action.Reject for chain Reject...
Processing /usr/share/shorewall/action.Drop for chain Drop...
Compiling MAC Filtration -- Phase 2...
Applying Policies...
Compiling /etc/shorewall/tcdevices...
Compiling /etc/shorewall/tcclasses...
Compiling /etc/shorewall/tcrules...
Generating Rule Matrix...
Creating iptables-restore input...
Compiling iptables-restore input for chains blacklst,mangle:...
Shorewall configuration compiled to /var/lib/shorewall/.start
Processing /etc/shorewall/params ...
Starting Shorewall....
Initializing...
Processing /etc/shorewall/init ...
Setting up ARP filtering...
Setting up Route Filtering...
Setting up Martian Logging...
Setting up Accept Source Routing...
Setting up Proxy ARP...
Setting up Traffic Control...
Preparing iptables-restore input...
Running debug_restore_input...
iptables v1.4.2: host/network `!' not found
Try `iptables -h' or 'iptables --help' for more information.
ERROR: Command "/sbin/iptables -A loc2fw -p 6 --dport 3128 -m conntrack --ctorigdst ! 192.168.1.0/24 -m conntrack --ctorigdstport 80 -s ! 192.168.1.10 -j ACCEPT" Failed
Processing /etc/shorewall/stop ...
IPv4 Forwarding Enabled
Processing /etc/shorewall/stopped ...
/sbin/shorewall: line 435: 24192 Terminated ${VARDIR}/.start $debugging start
defiant shorewall #

The relevant line from the trace output is this:

-A loc2fw -p 6 --dport 3128 -m conntrack --ctorigdst ! 192.168.1.0/24 -m conntrack --ctorigdstport 80 -s ! 192.168.1.10 -j ACCEPT

It is obvious that this rule:

# Squid transparent proxy
REDIRECT   loc:!192.168.1.10   3128   tcp   www   -   !192.168.1.0/24

that I have in my /etc/shorewall/rules is causing the problem; if I comment out the rule, everything is fine. My kernel version is 2.6.27.

By experimenting a little, I found that the problem is caused by the last part of the rule, the original destination "!192.168.1.0/24"; if I remove it, shorewall starts up fine. It used to work with iptables 1.4.0. Should I change something, or is this a bug?

Thank you for any help.

------------------------------------------------------------------------------
Create and Deploy Rich Internet Apps outside the browser with Adobe(R)AIR(TM) software. With Adobe AIR, Ajax developers can use existing skills and code to build responsive, highly engaging applications that combine the power of local resources and data with the reach of the web. Download the Adobe AIR SDK and Ajax docs to start building applications today-http://p.sf.net/sfu/adobe-com
Kostas Kavourakis wrote:
> I recently upgraded to iptables 1.4.2 and now shorewall won't start.

I just installed iptables 1.4.2 and it looks badly broken to me. On my X86_64 system, this command segfaults:

/usr/local/sbin/iptables -t mangle -L -n > /dev/null

That causes Shorewall to think that mangle table support is not present.

This command also segfaults:

/usr/local/sbin/ipatbles -m ipp2p --edk -j ACCEPT

So ipp2p support is not available either.

All that aside, the reason for your particular failure is in /usr/share/Shorewall-perl/Shorewall/Config.pm, at line 1733.

$capabilities{OLD_CONNTRACK_MATCH} = ! qt1( "$iptables -A $sillyname -m conntrack ! --ctorigdstport 1.2.3.4" );
                                                                                   -------------

In that line, "ctorigdstport" should be "ctorigdst".

$capabilities{OLD_CONNTRACK_MATCH} = ! qt1( "$iptables -A $sillyname -m conntrack ! --ctorigdst 1.2.3.4" );
                                                                                   ---------

You can either:

a) Edit the file and make the change; or
b) Work around the problem by typing "shorewall show -f capabilities > /etc/shorewall/capabilities". Shorewall-perl will use the contents of the capabilities file rather than [mis-]detecting the capabilities itself.

I will upload 4.2.5.3 later today to correct the problem.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
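Why the mistyped probe breaks every system, shown with a constructed model. This is an added example written for this thread, not Shorewall or iptables code: `fake_iptables` is a toy stand-in for two generations of the conntrack match (the "old" one that only understands `--ctorigdst ! addr`, the "new" one that only understands `! --ctorigdst addr`), and `outcome` strings together the detection test Tom quotes from Config.pm, the rule fragment Shorewall emits for the ORIGINAL DEST column, and an attempt to load it. The probe as originally written hands `--ctorigdstport` an address where a port is expected, so it is rejected by both generations; since OLD_CONNTRACK_MATCH is the negation of the probe's success, the old syntax is assumed everywhere and the rule fails exactly on the iptables that needed the new one. The model's option tables and value checks are assumptions made for the example.

```python
import ipaddress
import shlex

# Constructed models of two generations of the iptables conntrack match.
OLD, NEW = "old", "new"

ADDR_OPTS = {"--ctorigsrc", "--ctorigdst", "--ctreplsrc", "--ctrepldst"}
PORT_OPTS = {opt + "port" for opt in ADDR_OPTS}
KNOWN = {OLD: ADDR_OPTS, NEW: ADDR_OPTS | PORT_OPTS}  # assumed per-generation option sets


def _value_ok(opt, val):
    """Address options need an IPv4 host/network, port options a port number."""
    if val is None:
        return False
    if opt in PORT_OPTS:
        return val.isdigit() and 0 < int(val) < 65536
    try:
        ipaddress.IPv4Network(val, strict=False)
        return True
    except ValueError:
        return False


def fake_iptables(style, cmdline):
    """Return True if the simulated iptables generation accepts the command.

    OLD understands only '--opt ! value'; NEW understands only '! --opt value'.
    Options not modelled (-A, -m, -j, ...) are assumed to take one argument.
    """
    toks = shlex.split(cmdline)
    i, negated = 0, False
    while i < len(toks):
        tok = toks[i]
        if tok == "!":                          # prefix negation
            if style != NEW or negated:
                return False
            negated, i = True, i + 1
            continue
        if tok.startswith("--ct"):
            if tok not in KNOWN[style]:
                return False                    # unknown option for this build
            val = toks[i + 1] if i + 1 < len(toks) else None
            if val == "!":                      # intrapositioned negation
                if style != OLD or negated:
                    return False
                val = toks[i + 2] if i + 2 < len(toks) else None
                i += 1
            if not _value_ok(tok, val):
                return False
            negated, i = False, i + 2
            continue
        if negated:
            return False                        # '!' must precede a modelled option
        i += 2                                  # e.g. '-A chain', '-m conntrack', '-j ACCEPT'
    return not negated


def detect_old_conntrack_match(style, probe_option):
    """The test quoted from Config.pm: OLD_CONNTRACK_MATCH is the negation of
    whether a prefix-negated probe command is accepted."""
    probe = f"-A probe -m conntrack ! {probe_option} 1.2.3.4"
    return not fake_iptables(style, probe)


def origdst_not_rule(network, old_syntax):
    """Fragment emitted for an ORIGINAL DEST of !network, in either syntax."""
    if old_syntax:
        return f"-A loc2fw -m conntrack --ctorigdst ! {network} -j ACCEPT"
    return f"-A loc2fw -m conntrack ! --ctorigdst {network} -j ACCEPT"


def outcome(style, probe_option, network="192.168.1.0/24"):
    """Detect, emit the rule for that result, try to load it.
    Returns (detected_old_syntax, rule_accepted)."""
    old = detect_old_conntrack_match(style, probe_option)
    return old, fake_iptables(style, origdst_not_rule(network, old))


if __name__ == "__main__":
    for style in (OLD, NEW):
        for probe in ("--ctorigdstport", "--ctorigdst"):
            old, ok = outcome(style, probe)
            print(f"{style:3} iptables, probe {probe:16}: "
                  f"OLD_CONNTRACK_MATCH={old!s:5} rule loads={ok}")
```

Running it shows the one failing combination: the new-style iptables with the `--ctorigdstport` probe detects the old syntax and then rejects its own generated rule, which is the "host/network `!' not found" path in the trace above; with the corrected probe both generations load the rule. The general lesson for any capability probe is that the probe command must be one that can actually succeed on a capable system, otherwise the test degenerates into a constant.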
Thank you Tom, I edited Config.pm manually; it works now.

By the way, I'm not using vanilla iptables 1.4.2 but the patched version provided by the Gentoo Linux devs. Most patches are taken from upstream anyway, though.

The command:

iptables -t mangle -L -n > /dev/null

works fine here, but on an x86 system. The second command I can't test; I don't have ipp2p support on the box.

Tom Eastep wrote:
> Kostas Kavourakis wrote:
>> I recently upgraded to iptables 1.4.2 and now shorewall won't start.
>
> I just installed iptables 1.4.2 and it looks badly broken to me. On my
> X86_64 system, this command segfaults:
>
> /usr/local/sbin/iptables -t mangle -L -n > /dev/null
>
> That causes Shorewall to think that mangle table support is not present.
>
> This command also segfaults:
>
> /usr/local/sbin/ipatbles -m ipp2p --edk -j ACCEPT
>
> So ipp2p support is not available either.
>
> All that aside, the reason for your particular failure is in
> /usr/share/Shorewall-perl/Shorewall/Config.pm, at line 1733.
>
> $capabilities{OLD_CONNTRACK_MATCH} = ! qt1( "$iptables -A
> $sillyname -m conntrack ! --ctorigdstport 1.2.3.4" );
>                                              -------------
>
> In that line, "ctorigdstport" should be "ctorigdst".
>
> $capabilities{OLD_CONNTRACK_MATCH} = ! qt1( "$iptables -A
> $sillyname -m conntrack ! --ctorigdst 1.2.3.4" );
>                                              ---------
> You can either:
>
> a) Edit the file and make the change; or
> b) Work around the problem by typing "shorewall show -f capabilities >
> /etc/shorewall/capabilities". Shorewall-perl will use the contents of
> the capabilities file rather than [mis-]detecting the capabilities itself.
>
> I will upload 4.2.5.3 later today to correct the problem.
>
> -Tom
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users

--
Kostas Kavouracis <cca@freemail.gr>
My PGP keys:
https://defiant.cca.dynalias.com/~cca/cca@cca.dynalias.com.pgp.key
https://defiant.cca.dynalias.com/~cca/cca@freemail.gr.pgp.key
Tom Eastep wrote:
> Kostas Kavourakis wrote:
>> I recently upgraded to iptables 1.4.2 and now shorewall won't start.
>
> I just installed iptables 1.4.2 and it looks badly broken to me. On my
> X86_64 system, this command segfaults:
>
> /usr/local/sbin/iptables -t mangle -L -n > /dev/null
>
> That causes Shorewall to think that mangle table support is not present.

Update: I installed 1.4.2 on a system running kernel 2.6.27 and this segfault does not occur on that system.

> This command also segfaults:
>
> /usr/local/sbin/ipatbles -m ipp2p --edk -j ACCEPT
>
> So ipp2p support is not available either.

Rebuilding/reinstalling xtables-addons 1.8 corrected that problem under kernel 2.6.27.

> I will upload 4.2.5.3 later today to correct the problem.

4.2.5.3 is now available at:

http://www1.shorewall.net/pub/shorewall/4.2/shorewall-4.2.5/
ftp://ftp1.shorewall.net/pub/shorewall/4.2/shorewall-4.2.5/

-Tom
Shorewall Guy wrote:
> Tom Eastep wrote:
>
>> This command also segfaults:
>>
>> /usr/local/sbin/ipatbles -m ipp2p --edk -j ACCEPT
>>
>> So ipp2p support is not available either.
>
> Rebuilding/reinstalling xtables-addons 1.8 corrected that problem under
> kernel 2.6.27.

Rebuilding/reinstalling xtables-addons 1.8 also eliminated the segfaults under 2.6.25.