On 11/23/12 7:35 AM, Steven Jan Springl wrote:
> the attached config. the following stoppedrules entry:
>
> NOTRACK fw:1.1.1.1 - icmp
>
> generates the following iptables rule:
>
> -A OUTPUT -p 1 -s 1.1.1.1 -j CT --notrack
>
> When command "shorewall stop" is issued the following error message is
> produced:
>
> iptables-restore: line 31 failed
>
> In /var/log/syslog the following message appears:
>
> Nov 23 15:23:24 l4 kernel: [ 3496.562820] x_tables: ip_tables: CT target:
> only valid in raw table, not filter
Patch NOTRACK.patch attached.

> While investigating the above error, I noticed that when the following
> commands are issued:
>
> shorewall debug stop
> shorewall debug try /etc/shorewall2A4
> shorewall debug clear
>
> The debug option is ignored and iptables-restore is used. Is this expected?

No. Patch DEBUG.patch attached.

Thanks Steven,
-Tom
--
Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,           \ died peacefully in his sleep. Not screaming like
Washington, USA      \ all of the passengers in his car
http://shorewall.net \________________________________________________
diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index a977aa4..ef9ce4f 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -702,13 +702,11 @@ sub process_stoppedrules() {
}
if ( $source eq $fw ) {
- $chainref = $tableref->{OUTPUT};
+ $chainref = ( $target eq 'NOTRACK' ? $raw_table :
$filter_table)->{OUTPUT};
$source = '';
$restriction = OUTPUT_RESTRICT;
- }
-
- if ( $source =~ s/^($fw):// ) {
- $chainref = $filter_table->{OUTPUT};
+ } elsif ( $source =~ s/^($fw):// ) {
+ $chainref = ( $target eq 'NOTRACK' ? $raw_table :
$filter_table)->{OUTPUT};
$restriction = OUTPUT_RESTRICT;
}
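Review bot: The new elsif interpolates `$fw` unescaped into `$source =~ s/^($fw)://` and captures a group that nothing reads; if the firewall zone name can ever carry a regex metacharacter the match silently changes meaning, so `$source =~ s/^\Q$fw\E://` is the safer spelling. The raw-versus-filter ternary is now written out twice, once per branch, which invites the two to drift; hoisting it into `my $output_ref = ( $target eq 'NOTRACK' ? $raw_table : $filter_table )->{OUTPUT};` ahead of the `if` and assigning `$chainref = $output_ref;` in both branches keeps the table choice in one place. The `if ( $source eq $fw )` condition and the rest of process_stoppedrules begin outside the hunk.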
@@ -717,9 +715,7 @@ sub process_stoppedrules() {
$chainref = $filter_table->{INPUT};
$dest = '';
$restriction = INPUT_RESTRICT;
- }
-
- if ( $dest =~ s/^($fw):// ) {
+ } elsif ( $dest =~ s/^($fw):// ) {
fatal_error "\$FW may not be specified as the destination of a
NOTRACK rule" if $target eq 'NOTRACK';
$chainref = $filter_table->{INPUT};
$restriction = INPUT_RESTRICT;
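Review bot: The NOTRACK rejection sits only in the new `elsif ( $dest =~ s/^($fw):// )` branch, while the branch above it, whose condition starts outside the hunk, still assigns `$chainref = $filter_table->{INPUT};` for a bare `$FW` destination; unless that branch rejects NOTRACK earlier than the hunk shows, `NOTRACK - $FW` would still be emitted into the filter table and reproduce the "CT target: only valid in raw table" failure this commit fixes on the OUTPUT side. Placing the check once ahead of both branches, `fatal_error "\$FW may not be specified as the destination of a NOTRACK rule" if $target eq 'NOTRACK' && ( $dest eq $fw || $dest =~ /^\Q$fw\E:/ );`, covers both forms and also avoids the unescaped `$fw` interpolation. The enclosing sub continues past the hunk.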
diff --git a/Shorewall/Perl/Shorewall/Chains.pm
b/Shorewall/Perl/Shorewall/Chains.pm
index e543690..e7932b5 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -7379,7 +7379,7 @@ sub create_stop_load( $ ) {
emit '';
- emit( '[ -n "$DEBUG" ] && command=debug_restore_input || command=$' .
$UTILITY,
+ emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input ||
command=$' . $UTILITY,
'',
'progress_message2 "Running $command..."',
'',
diff --git a/Shorewall/lib.cli-std b/Shorewall/lib.cli-std
index 6cdf316..ac5a7d5 100644
--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
@@ -1315,7 +1315,7 @@ try_command() {
[ -n "$nolock" ] || mutex_on
- if run_it ${VARDIR}/.$command $command && [ -n "$timeout" ]; then
+ if run_it ${VARDIR}/.$command $g_debugging $command && [ -n "$timeout" ];
then
sleep $timeout
if [ "$command" = "restart" ]; then
