On 5/29/11 7:01 AM, Steven Jan Springl wrote:
> Using kernel 2.6.39, iptables 1.4.10 and xtables-addons 1.35
>
> The following rules file entry:
>
> ACCEPT $FW lan tcp 22 - - - !root:root
>
> produces the following iptables rule:
>
> -A fw2lan -p 6 --dport 22 -m owner ! --uid-owner root ! --gid-owner root -j
> ACCEPT
>
> Which works.
> After upgrading iptables to 1.4.11 the following iptables-restore error is
> produced:
>
> iptables-restore v1.4.11: owner: option "--uid-owner" cannot be inverted.

Jan Engelhardt (Netfilter developer) has confirmed that this is an iptables 1.4.11 bug.

>
>
> The following tcrules file entry:
>
> IPMARK(dst,-1,-64) $FW eth1 tcp 888
>
> produces the following iptables rule:
>
> -A OUTPUT -p 6 --dport 888 -o eth1 -j IPMARK --addr
> dst --and-mask -1 --or-mask -64 --shift 0
>
> Which works.
> After upgrading to iptables 1.4.11 the following iptables-restore error is
> produced:
>
> iptables-restore v1.4.11: IPMARK: Bad value for "and-mask" option: "-1"

The attached patch should catch this one.

Thanks, Steven

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index e52fdb8..04ea732 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -331,18 +331,18 @@ sub process_tc_rule( ) {
if ( defined $m1 && $m1 ne '' ) {
$val = numeric_value ($m1);
fatal_error "Invalid Mask ($m1)" unless defined
$val && $val && $val <= 0xffffffff;
- $mask1 = $m1;
+ $mask1 = in_hex $m1;
}
if ( defined $m2 && $m2 ne '' ) {
$val = numeric_value ($m2);
- fatal_error "Invalid Mask ($m2)" unless defined
$val && $val <= 0xffffffff;
- $mask2 = $m2;
+ fatal_error "Invalid Mask ($m2)" unless defined
$val && $val > 0 && $val <= 0xffffffff;
+ $mask2 = in_hex $m2;
}
if ( defined $s ) {
$val = numeric_value ($s);
- fatal_error "Invalid Shift Bits ($s)" unless
defined $val && $val < 128;
+ fatal_error "Invalid Shift Bits ($s)" unless
defined $val && $val >= 0 && $val < 128;
$shift = $s;
}
} else {
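Review bot: In both mask branches, in_hex is applied to the raw strings ($m1 and $m2) rather than to the $val that numeric_value has just parsed and range-checked, so the value written to the rule depends on in_hex interpreting the user's input the same way numeric_value did; passing $val (masked to 32 bits if negative input is meant to be accepted) would tie the output to the validated number. The two mask checks are also asymmetric after this change: the $m1 test is still "$val && $val <= 0xffffffff", with no lower bound, while the $m2 test now requires "$val > 0". If numeric_value returns a signed number for input such as "-64", the or-mask from the reported entry IPMARK(dst,-1,-64) would be rejected as an invalid mask while an and-mask of -1 is still accepted. The commit message should say which behaviour is intended, and the same bound should be applied to both masks. The shift branch gains a ">= 0" check but still assigns the raw $s, which is fine only as long as the unparsed string is what the generated rule should carry.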
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
