On 7/2/10 9:23 AM, Steven Jan Springl wrote:
> Tom
> 
> If a Shorewall configuration has a zone with type ipsec and a zone with type 
> vserver and the vserver zone does not have the ipsec option specified in the 
> hosts file then "shorewall debug start" produces the following error:
> 
> iptables: Invalid argument. Run `dmesg' for more information.
>    ERROR: Command "/usr/local/sbin/iptables -A eth0_in -m policy --dir 
> in --pol none -m policy --dir out --pol none -d 10.0.0.0/24 -j lan2vsr" 
> Failed
> 
> dmesg produces the following:
> 
> xt_policy: output policy not valid in PREROUTING and INPUT
> 
> A copy of the Shorewall config is attached.

Thanks, Steven.

Please see if the attached patch corrects the problem.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
diff --git a/Shorewall/Perl/Shorewall/Chains.pm 
b/Shorewall/Perl/Shorewall/Chains.pm
index fad6a26..beefc79 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -2558,6 +2558,10 @@ sub match_ipsec_in( $$ ) {
 
     unless ( $optionsref->{super} ) {
        $match = '-m policy --dir in --pol ';
+       
+       if ( $zoneref->{type} eq 'vserver' ) {
+           return '';
+       }
 
        if ( $zoneref->{type} eq 'ipsec' ) {
            $match .= "ipsec 
$optionsref->{in_out}{ipsec}$optionsref->{in}{ipsec}";
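Review bot: the new early return is placed after `$match = '-m policy --dir in --pol ';` has already been assigned, so that assignment is dead work on the vserver path; move the `$zoneref->{type} eq 'vserver'` check ahead of it (or to the top of match_ipsec_in). The added blank line also carries trailing whitespace. Note that the reported failure concerns only the `--dir out` match (dmesg: "output policy not valid in PREROUTING and INPUT"), so the change in this function goes beyond what the report requires; a short comment stating why the `--dir in` match is dropped for vserver zones as well would help.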
@@ -2583,6 +2587,10 @@ sub match_ipsec_out( $$ ) {
     unless ( $optionsref->{super} ) {
        $match = '-m policy --dir out --pol ';
 
+       if ( $zoneref->{type} eq 'vserver' ) {
+           return '';
+       }
+
        if ( $zoneref->{type} eq 'ipsec' ) {
            $match .= "ipsec 
$optionsref->{in_out}{ipsec}$optionsref->{out}{ipsec}";
        } elsif ( have_ipsec ) {
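Review bot: this is the branch the reported error actually exercises, since the failing rule `-A eth0_in ... -m policy --dir out --pol none` was being added to an input-side chain where the kernel rejects an output policy match. The `$zoneref->{type} eq 'vserver'` test is now duplicated verbatim in match_ipsec_in and match_ipsec_out; consider hoisting it into a single early return before `$match` is assigned, with a comment citing the xt_policy restriction. Also, because the check sits inside `unless ( $optionsref->{super} )`, a vserver zone with the super option would still get the policy match; confirm that is intended.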

_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel