On 02/04/2013 02:53 PM, Steven Jan Springl wrote:
> Tom
>
> The attached config. generates the following iptables rules:
>
> (1) -A lan-fw -m conntrack --ctstate NEW,INVALID,UNTRACKED -j dynamic
> (2) -A lan-fw -m conntrack --ctstate ESTABLISHED -j ACCEPT
> (3) -A lan-fw -m conntrack --ctstate RELATED -g A_ACCEPT
> (4) -A lan-fw -m conntrack --ctstate INVALID -g _lan-fw
> (5) -A lan-fw -m conntrack --ctstate UNTRACKED -g &lan-fw
> (6) -A lan-fw -p 17 --dport 123 -m conntrack --ctstate INVALID -m hashlimit --hashlimit-upto 4/sec --hashlimit-burst 8 --hashlimit-name lograte --hashlimit-mode dstip -j LOG --log-level 4 --log-prefix "Shorewall:lanfw:LOG:"
> (7) -A lan-fw -g all-all
>
> Shorewall rule:
>
> Invalid(LOG:warn) lan fw udp 123
>
> produces iptables rule (6) above.
>
> As iptables rule (4) uses -g to branch to _lan-fw, when the _lan-fw chain
> finishes iptables will return to the INPUT chain and not lan-fw so iptables
> rule (6) will not be executed.
>
> I have specified INVALID_DISPOSITION=CONTINUE
>
> If any of the "PACKET DISPOSITION" parameters in shorewall.conf is set to
> CONTINUE, shouldn't '-j' be used instead of '-g' in the generated iptables
> rule?
It should indeed; good catch! Patch attached.

Thanks Steven,
-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 4e75f6d..87a65cf 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -953,7 +953,11 @@ sub finish_chain_section ($$$) {
$target = ensure_audit_chain( $target ) if ( $targets{$target} || 0 ) & AUDIT;
- add_ijump( $chainref, g => $target, state_imatch $_ );
+ if ( $statetable{$_}[2] ) {
+ add_ijump( $chainref, g => $target, state_imatch $_ );
+ } else {
+ add_ijump( $chainref, j => $target, state_imatch $_ );
+ }
}
delete $state{$_};
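Review bot: the hunk does not show what element 2 of `$statetable{$_}` holds, so the condition that decides between `g =>` and `j =>` cannot be checked from the patch alone; from the discussion it should be true only when the state's disposition is something other than CONTINUE (the target chain never returns, so a goto is safe), and a one-line comment above the `if` saying so would make that reviewable. The two branches differ only in the `g`/`j` key, so they could also collapse into a single call, e.g. `add_ijump( $chainref, ( $statetable{$_}[2] ? 'g' : 'j' ) => $target, state_imatch $_ );`.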
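The traversal difference Steven describes (a `-g` goto returns to the caller of lan-fw, so rule (6) is never evaluated, while `-j` returns into lan-fw) can be checked without a live netfilter by modelling the chain stack. This is an added example, not code from the thread or from Shorewall; the chains are a constructed approximation of the quoted output, and the DROP following lan-fw in the base chain is an assumption standing in for whatever the real INPUT chain does next.

```python
# Added example: a small model of netfilter chain traversal showing why
# rule (6) is unreachable when rule (4) uses '-g'. Constructed chains,
# not real iptables state; the base-chain DROP after lan-fw is assumed.

def build_chains(invalid_branch):
    """Return chains keyed by name. A rule is (ctstate-or-None, action, target);
    action is 'j' (jump: remember the caller), 'g' (goto: do not), or a
    verdict. `invalid_branch` is the action used for the INVALID rule (4)."""
    return {
        "INPUT": [(None, "j", "lan-fw"), (None, "DROP", None)],   # assumed
        "lan-fw": [
            ("ESTABLISHED", "ACCEPT", None),          # rule (2)
            ("INVALID", invalid_branch, "_lan-fw"),   # rule (4)
            ("INVALID", "LOG", None),                 # rule (6) Invalid(LOG:warn)
            (None, "g", "all-all"),                   # rule (7)
        ],
        "_lan-fw": [(None, "RETURN", None)],          # INVALID_DISPOSITION=CONTINUE
        "all-all": [(None, "REJECT", None)],
    }

def traverse(chains, start, ctstate):
    """Walk `chains` from `start` for a packet in conntrack state `ctstate`.
    Returns (verdict, list of chains in which a LOG rule fired)."""
    logged = []
    stack = [(start, 0)]            # frames of (chain, index of next rule)
    while stack:
        chain, idx = stack.pop()
        rules = chains[chain]
        while idx < len(rules):
            state, action, target = rules[idx]
            idx += 1
            if state is not None and state != ctstate:
                continue            # rule does not match this packet
            if action == "j":
                stack.append((chain, idx))    # resume here after the target
                stack.append((target, 0))
                break
            if action == "g":
                stack.append((target, 0))     # caller frame is NOT kept
                break
            if action == "LOG":
                logged.append(chain)          # non-terminating target
                continue
            if action == "RETURN":
                break                         # resume whichever frame is on top
            return action, logged             # terminal verdict
        # falling off the end of a user chain behaves like RETURN
    return "POLICY", logged         # base chain exhausted: chain policy applies
```

With the generated `-g`, an INVALID packet leaves _lan-fw straight back into INPUT and rule (6) never logs; with `-j` it re-enters lan-fw, logs, and reaches rule (7).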
_______________________________________________ Shorewall-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-devel
