thr3ads.net - Shorewall users - after upgrade of distro-shorewall 4.6.2.4-144.1 -> 4.6.2.4-146.1, compile "ERROR: Invalid/Unknown leaf-1 port/service (tcp) " [Aug 2014]

If this information is useful, please help other people find it:
Share via:

PGNd

2014-Aug-13 21:26 UTC

after upgrade of distro-shorewall 4.6.2.4-144.1 -> 4.6.2.4-146.1, compile "ERROR: Invalid/Unknown leaf-1 port/service (tcp) "

After an upgrade from Opensuse_13.1-packaged shorewall 4.6.2.4-144.1 ->
4.6.2.4-146.1

grep "shorewall|" * | tail -n 2
2014-08-08
07:30:05|install|shorewall|4.6.2.4-144.1|noarch||Netfilter|8a7f834d22683013aba57ba4548d97fc53eb64e0b562cbdf65e716544aba45ba|
2014-08-12
11:09:47|install|shorewall|4.6.2.4-146.1|noarch||Netfilter|d7401c67c1d548fdcacde9ab9b3de94a7d87ed45e248aeef49a02e6b40da7193|

When I simply recompile my previously working rulesets etc, I now get an error

ERROR: Invalid/Unknown leaf-1 port/service (tcp)
/usr/local/etc/shorewall/IPv4/masq (line 20)

where

cat /masq
...
20 EXTIF $MX_INT $MX_EXT tcp 25,587
...

This works prior to the upgrade.

The recent local changelog includes,

rpm -q --changelog shorewall
* Mon Aug 11 2014 toganm@opensuse.org
- Backported PHYSICALNAME.patch

* Fri Aug 08 2014 toganm@opensuse.org
- Update to version 4.6.2.4 For more details see changelog.txt and
releasenotes.txt
+ Previously, inline matches were not allowed in action files, even
though the documentation stated that they were allowed.

* Tue Jul 29 2014 toganm@opensuse.org
- Update to version 4.6.2.3 For more details see changelog.txt and
releasenotes.txt
* Previously, the compiler would fail with a Perl diagnostic if:
+ Optimize Level 8 was enabled.
+ Perl 5.20 was being used. This is the current Perl version on
Arch Linux.
The diagnostic was:
Can't use string ("nat") as a HASH ref while "strict
refs" in
use at /usr/share/shorewall/Shorewall/Chains.pm line 3486.

* Fri Jul 25 2014 toganm@opensuse.org
- Update to version 4.6.2.2 For more details see changelog.txt and
releasenotes.txt
* The compiler now correctly detects the IPv6 "Header Match"
capability when LOAD_MODULES_ONLY=No.
* The compiler now correctly detects the IPv6 "Ipset Match"
capability on systems running a 3.14 or later kernel.
* The compiler now correctly detects "Arptables JF" capability
when LOAD_MODULES_ONLY=No.
* The tcfilter manpages previously failed to mention that
BASIC_FILTERS=Yes is required to use ipsets in the tcfilters
files.
...

I've not see this error before, and haven't yet found it online.

How/what can I troubleshoot to determine/identify the specific source of the
problem -- shorewall or packaging?

------------------------------------------------------------------------------

Shorewall users - Aug 2014 - after upgrade of distro-shorewall 4.6.2.4-144.1 -> 4.6.2.4-146.1, compile "ERROR: Invalid/Unknown leaf-1 port/service (tcp) "

after upgrade of distro-shorewall 4.6.2.4-144.1 -> 4.6.2.4-146.1, compile "ERROR: Invalid/Unknown leaf-1 port/service (tcp) "