On Mon, 2012-01-09 at 05:33 +0100, Ryszard Łach wrote:
> Hi.
>
> After 'shorewall safe-restart' without confirmation, shorewall runs the .safe
> script, which feeds iptables with the .safe-iptables rules.
> Unfortunately, there is a case when it does not restore the valid rules
> (active before safe-restart), i.e. those with -g (--goto) instead of -j
> (--jump).
> These are being removed from the iptables-save output (while creating
> .safe-restart), I suppose by the awk fragment (lib.cli):
>
> #
> # The 'awk' hack that compensates for bugs in iptables-save (or rather
> # in the extension modules).
> #
>
> iptablesbug()
> {
>     if qt mywhich awk ; then
>         awk 'BEGIN { sline=""; };\
>         /^-j/ { print sline $0; next };\
>         /-m policy.*-j/ { print $0; next };\
>         /-m policy/ { sline=$0; next };\
>         /--mask ff/ { sub( /--mask ff/, "--mask 0xff" ) };\
>         { print ; sline="" }'
>     else
>         echo " WARNING: You don't have 'awk' on this system so the output of the save command may be unusable" >&2
>         cat
>     fi
> }
>
> My iptables-save output has a rule
>
> -A eth2_fwd -s X.X.X.X/24 -m policy --dir in --pol ipsec -g AAA_frwd
>
> I'm not sure: is this (as the comment in lib.cli says) a bug in iptables'
> module, or maybe in shorewall?

It was a bug in an older version of iptables. The attached patch to /usr/share/shorewall/lib.cli should correct the problem.

-Tom

--
Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,            \ died peacefully in his sleep. Not screaming like
Washington, USA        \ all of the passengers in his car
http://shorewall.net    \________________________________________________
diff --git a/Shorewall/lib.cli b/Shorewall/lib.cli
index 7e0aa5b..7cb2c08 100644
--- a/Shorewall/lib.cli
+++ b/Shorewall/lib.cli
@@ -82,11 +82,11 @@ iptablesbug()
if [ $g_family -eq 4 ]; then
if qt mywhich awk ; then
awk 'BEGIN { sline=""; };\
- /^-j/ { print sline $0; next };\
- /-m policy.*-j/ { print $0; next };\
- /-m policy/ { sline=$0; next };\
- /--mask ff/ { sub( /--mask ff/, "--mask 0xff" ) };\
- { print ; sline="" }'
+ /^-[jg]/ { print sline $0; next };\
+ /-m policy.*-[jg] / { print $0; next };\
+ /-m policy/ { sline=$0; next };\
+ /--mask ff/ { sub( /--mask ff/, "--mask 0xff" ) };\
+ { print ; sline="" }'
else
echo " WARNING: You don't have 'awk' on this system so the output of the save command may be unusable" >&2
cat
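Review bot: the two changed patterns in this hunk are inconsistent about the space after the option: `/^-[jg]/` accepts a continuation line that merely starts with `-j` or `-g`, while `/-m policy.*-[jg] /` additionally requires a trailing space. Since iptables-save always writes the target as `-j TARGET` / `-g TARGET`, anchoring both patterns on a space on each side (`/^-[jg] /` and `/-m policy.* -[jg] /`) would make them consistent and would also keep the second one from matching the characters `-j` or `-g` inside a quoted argument such as a log prefix. A short line under the existing "awk hack" banner noting that `-g` (`--goto`) targets are split onto a separate line by the old iptables-save exactly like `-j` ones (the case reported above) would explain the `[jg]` to the next reader. Also worth checking: the hunk sits inside `if [ $g_family -eq 4 ]`, so if the other family branch carries its own copy of this awk program it needs the same change.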
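To see what the patch changes on realistic input, here is an added, stand-alone shell reproduction; it is not part of this thread or of Shorewall's lib.cli. It runs the awk program from before the patch and the one from after it over a constructed iptables-save fragment that mimics the old iptables-save bug (the target of a rule using the policy match printed on the following line). The addresses, chain names and the trailing space at the end of each split first fragment are assumptions made for the sample.

```shell
#!/bin/sh
# Added example (not Shorewall's code): run the old and the patched
# iptablesbug() awk programs over a constructed iptables-save fragment.

# Constructed sample of what the old, buggy iptables-save produced: a rule
# that uses the policy match has its target (-j / -g) printed on the next
# line. Assumption for this sample: the first fragment ends with the space
# that normally precedes the target, which is what lets awk glue the two
# lines back together by plain concatenation (print sline $0).
sample_save() {
    printf '%s\n' \
        '*filter' \
        ':eth2_fwd - [0:0]' \
        ':AAA_frwd - [0:0]' \
        '-A eth2_fwd -s 192.0.2.0/24 -m policy --dir in --pol ipsec ' \
        '-g AAA_frwd' \
        '-A eth2_fwd -s 198.51.100.0/24 -m policy --dir in --pol ipsec ' \
        '-j ACCEPT' \
        '-A eth2_fwd -m policy --dir out --pol none -j DROP' \
        '-A eth2_fwd -j CONNMARK --restore-mark --mask ff' \
        'COMMIT'
}

# The awk program before the patch: only a continuation line that starts
# with -j is glued to the saved first fragment (sline). A -g line is printed
# on its own and the fragment saved in sline is silently discarded.
old_filter() {
    awk 'BEGIN { sline="" }
         /^-j/ { print sline $0; next }
         /-m policy.*-j/ { print $0; next }
         /-m policy/ { sline=$0; next }
         /--mask ff/ { sub(/--mask ff/, "--mask 0xff") }
         { print; sline="" }'
}

# The awk program after the patch: -g (--goto) continuation lines are
# handled exactly like -j ones.
new_filter() {
    awk 'BEGIN { sline="" }
         /^-[jg]/ { print sline $0; next }
         /-m policy.*-[jg] / { print $0; next }
         /-m policy/ { sline=$0; next }
         /--mask ff/ { sub(/--mask ff/, "--mask 0xff") }
         { print; sline="" }'
}

run_old() { sample_save | old_filter; }
run_new() { sample_save | new_filter; }

# Number of complete rules in the filtered output that goto AAA_frwd.
# Old filter: 0 (only a bare "-g AAA_frwd" line survives, which
# iptables-restore cannot load). Patched filter: 1.
count_goto_rules() {
    "$1" | grep -c -- '^-A .* -g AAA_frwd$'
}

# Number of "-A" rule lines that reach iptables-restore at all.
count_rules() {
    "$1" | grep -c -- '^-A '
}

if [ "${1:-}" = "show" ]; then
    echo '### old filter'; run_old
    echo '### patched filter'; run_new
fi
```

Run it as `sh example.sh show` to print both filtered outputs side by side: the old program leaves a dangling `-g AAA_frwd` line and drops the rule body, which is the "removed from iptables-save output" symptom in the report, while the patched program emits the complete `--goto` rule and leaves every other line unchanged.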
Shorewall-devel mailing list: https://lists.sourceforge.net/lists/listinfo/shorewall-devel
