On 5/30/11 9:20 AM, Tom Eastep wrote: > On May 30, 2011, at 9:08 AM, Steven Jan Springl <[email protected]> > wrote: >> On Sunday 29 May 2011 15:32:53 Steven Jan Springl wrote: >>> Using kernel 2.6.39, iptables 1.4.11 and xtables-addons 1.35 >>> >>> If the config. does not have a capabilities file, the following policy >>> works: >>> >>> all all DROP:audit warn >>> >>> If a capabilities file is created, the following error message is produced: >>> >>> ERROR: :audit requires AUDIT Target in your kernel and >>> iptables : /etc/shorewallBBB/policy (line 13) >>> >>> A copy of the capabilities file is attached. >>> >>> I have manually entered the following iptables rule to confirm that the >>> audit feature is working: >>> >>> iptables -A INPUT -j AUDIT --type drop > >> Have you had an opportunity to look at the above problem yet?
The attached patch corrects the problem. You will need to recreate the capabilities file after applying the patch. -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________
diff --git a/Shorewall/lib.cli b/Shorewall/lib.cli
index d10b600..bc8c8da 100644
--- a/Shorewall/lib.cli
+++ b/Shorewall/lib.cli
@@ -1706,6 +1706,7 @@ determine_capabilities() {
MARK_ANYWHERE=
HEADER_MATCH=
ACCOUNT_TARGET=
+ AUDIT_TARGET=
chain=fooX$$
@@ -1845,7 +1846,7 @@ determine_capabilities() {
qt $IPTABLES -A $chain -j LOG || LOG_TARGET=
qt $IPTABLES -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes
qt $IPTABLES -A $chain -j ACCOUNT --addr 192.168.1.0/29 --tname $chain &&
ACCOUNT_TARGET=Yes
- qt $IPTABLES -A $chain -j AUDIT --type drop && ACCOUNT_TARGET=Yes
+ qt $IPTABLES -A $chain -j AUDIT --type drop && AUDIT_TARGET=Yes
qt $IPTABLES -F $chain
qt $IPTABLES -X $chain
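Review bot: Capabilities files written before this fix can still carry a wrong `ACCOUNT_TARGET=Yes` and no `AUDIT_TARGET` entry, because the old probe line set the ACCOUNT flag whenever the AUDIT target loaded. No visible hunk changes `SHOREWALL_CAPVERSION`, which report_capabilities1 writes out as `CAPVERSION=`, so a stale file would presumably not be recognised as out of date. In that case `:audit` policies keep failing until the file is regenerated by hand. If the version is not bumped elsewhere, bumping it with this change would make stale files detectable; the same applies to Shorewall6/lib.cli. determine_capabilities starts and ends outside the hunk.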
@@ -1928,6 +1929,7 @@ report_capabilities() {
report_capability "Mark in any table" $MARK_ANYWHERE
report_capability "Header Match" $HEADER_MATCH
report_capability "ACCOUNT Target" $ACCOUNT_TARGET
+ report_capability "AUDIT Target" $AUDIT_TARGET
fi
[ -n "$PKTTYPE" ] || USEPKTTYPE=
@@ -1995,6 +1997,7 @@ report_capabilities1() {
report_capability1 MARK_ANYWHERE
report_capability1 HEADER_MATCH
report_capability1 ACCOUNT_TARGET
+ report_capability1 AUDIT_TARGET
echo CAPVERSION=$SHOREWALL_CAPVERSION
echo KERNELVERSION=$KERNELVERSION
diff --git a/Shorewall6/lib.cli b/Shorewall6/lib.cli
index 7e076c3..7470263 100644
--- a/Shorewall6/lib.cli
+++ b/Shorewall6/lib.cli
@@ -1345,6 +1345,7 @@ determine_capabilities() {
MARK_ANYWHERE=
HEADER_MATCH=
ACCOUNT_TARGET=
+ AUDIT_TARGET=
chain=fooX$$
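Review bot: `AUDIT_TARGET` is cleared here and reported in the later Shorewall6 hunks, but no Shorewall6 hunk shows it being set, unlike the `AUDIT_TARGET=Yes` probe corrected in Shorewall/lib.cli. If the ip6tables probe in this function is absent or still assigns `ACCOUNT_TARGET=Yes`, IPv6 `:audit` rules would be rejected and the ACCOUNT capability could be reported wrongly. It is worth confirming that the AUDIT probe line in this function ends in `&& AUDIT_TARGET=Yes`. The body of determine_capabilities continues outside the hunk.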
@@ -1569,7 +1570,8 @@ report_capabilities() {
report_capability "fwmark route mask" $FWMARK_RT_MASK
report_capability "Mark in any table" $MARK_ANYWHERE
report_capability "Header Match" $HEADER_MATCH
- report_capability "ACCOUNT Match" $ACCOUNT_TARGET
+ report_capability "ACCOUNT Target" $ACCOUNT_TARGET
+ report_capability "AUDIT Target" $AUDIT_TARGET
fi
[ -n "$PKTTYPE" ] || USEPKTTYPE=
@@ -1634,6 +1636,7 @@ report_capabilities1() {
report_capability1 MARK_ANYWHERE
report_capability1 HEADER_MATCH
report_capability1 ACCOUNT_TARGET
+ report_capability1 AUDIT_TARGET
echo CAPVERSION=$SHOREWALL_CAPVERSION
echo KERNELVERSION=$KERNELVERSION
signature.asc
Description: OpenPGP digital signature
