Tom Eastep wrote:
> On Jun 1, 2013, at 9:05 AM, Tom Eastep <[email protected]> wrote:
>
>   
>> On Jun 1, 2013, at 9:00 AM, Dash Four <[email protected]> wrote:
>>
>>     
>>> Tom Eastep wrote:
>>>       
>>>> On 06/01/2013 08:37 AM, Tom Eastep wrote:
>>>>
>>>>
>>>> I *can* reproduce it if I modify action.IFLOG as follows:
>>>>
>>>>
>>>> ?IF $5
>>>> $5
>>>> ?ENDIF
>>>> ?IF $1
>>>> NFLOG($1,0,1)
>>>> ?ENDIF
>>>> ?IF $2
>>>> ?SET @chain $3 ? $3 : " "
>>>> ?SET @disposition $4 ? $4 : " "
>>>> LOG:info(tcp_options,ip_options,macdecode,tcp_sequence,uid)
>>>> ?ENDIF
>>>>
>>>>         
>>> You are (partially) right. I do have an extra check for the 5th 
>>> parameter at the very beginning and issue a "Drop" (not DROP!):
>>>
>>> ?IF $5 eq 'Drop'
>>> $5
>>> ?ENDIF
>>>
>>> The above statement is conditional upon $5 being equal to "Drop" and 
>>> when I call this action with "IFLOG(-,log1,-,drop,DROP) all all" that 
>>> surely won't satisfy the "if" above as "DROP" ain't "Drop", unless 
>>> shorewall makes case insensitive comparisons (if so, that certainly 
>>> wasn't the case before).
>>>       
>> The warning is new in 4.5.17 -- the logic surrounding ?IF has not changed.
>>
>> So please send the real action.IFLOG contents and the actual rule in the 
>> RELATED section.
>>     
>
> Also, if you have defined your own action.Drop, then I would need to see it 
> too. Because if it terminates with an unconditional DROP and has no CONTINUE 
> rules, then the jump to 'Drop' will terminate the current chain and any 
> additional rules in that chain are unreachable.
>   
action.IFLOG
~~~~~~~~~~~~
#
# Shorewall version 4 - Action Template
#
# /etc/shorewall/action.template
#
#       This file is a template for files with names of the form
#       /etc/shorewall/action.<action-name> where <action> is an
#       ACTION defined in /etc/shorewall/actions.
#
#       To define a new action:
#
#       1. Add the <action name> to /etc/shorewall/actions
#       2. Copy this file to /etc/shorewall/action.<action name>
#       3. Add the desired rules to that file.
#
#       Please see http://shorewall.net/Actions.html for additional
#       information.
#
# Columns are the same as in /etc/shorewall/rules.
#
#######################################################################################################
#                                         DO NOT REMOVE THE FOLLOWING LINE
?FORMAT 2
#################################################################################################################################################################################################
#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/   MARK    CONNLIMIT       TIME         HEADERS         SWITCH        HELPER
#                                                       PORT    PORT(S)         DEST            LIMIT           GROUP
?IF $5 eq 'Drop'
  $5
?ENDIF
?IF $1
  NFLOG(1,0,1)
?ENDIF
?IF $2
  ?SET @disposition $3
  ?SET @chain $4
  LOG:info(tcp_options,ip_options,macdecode,tcp_sequence,uid)
?ENDIF
?IF $5 && (! ($5 eq 'Drop'))
  $5
?ENDIF

action.Drop
~~~~~~~~~~~
#
# Shorewall version 4 - Drop Action
#
# /usr/share/shorewall/action.Drop
#
#       The default DROP common rules
#
#       This action is invoked before a DROP policy is enforced. The purpose
#       of the action is:
#
#       a) Avoid logging lots of useless cruft.
#       b) Ensure that 'auth' requests are rejected, even if the policy is
#          DROP. Otherwise, you may experience problems establishing
#          connections with servers that use auth.
#       c) Ensure that certain ICMP packets that are necessary for successful
#          internet operation are always ACCEPTed.
#
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
#
###############################################################################
#TARGET         SOURCE  DEST    PROTO   DPORT   SPORT
#
#
# Reject 'auth'
#
Auth(A_DROP)
#
# Don't log broadcasts
#
dropBcast
#
# Drop packets that are in the INVALID state -- these are usually ICMP packets
# and just confuse people when they appear in the log.
#
dropInvalid
#
# Drop Microsoft noise so that it doesn't clutter up the log.
#
SMB(A_DROP)
A_DropUPnP
#
# Drop 'newnotsyn' traffic so that it doesn't get logged.
#
dropNotSyn      -       -       tcp
#
# Drop late-arriving DNS replies. These are just a nuisance and clutter up
# the log.
#
DropDNSrep

rules
~~~~~
[line 106]
IFLOG(-,log1,-,drop,DROP) all all

-bash-4.1# shorewall compile -T test
[...]
   WARNING: The rule(s) generated by this entry are unreachable and have been discarded /etc/shorewall/action.IFLOG (line 36)
      from /etc/shorewall/rules (line 106) at /usr/share/perl5/Shorewall/Chains.pm line 7066
    Shorewall::Chains::expand_rule('HASH(0x8c5a500)', 0, '', '', '-', '-', '', 'LOG', 'info(tcp_options,ip_options,macdecode,tcp_sequence,uid)', ...) called at /usr/share/perl5/Shorewall/Rules.pm line 2702
    Shorewall::Rules::process_rule('HASH(0x8c5a500)', '', 'LOG:info(tcp_options,ip_options,macdecode,tcp_sequence,uid)', '-,log1,-,drop,DROP', '-', '-', '-', '-', '-', ...) called at /usr/share/perl5/Shorewall/Rules.pm line 2012
    Shorewall::Rules::process_inline('IFLOG', 'HASH(0x8c5a500)', '', '', 'IFLOG(-,log1,-,drop,DROP)', '-,log1,-,drop,DROP', '-', '-', '-', ...) called at /usr/share/perl5/Shorewall/Rules.pm line 2512
    Shorewall::Rules::process_rule(undef, '', 'IFLOG(-,log1,-,drop,DROP)', '', 'fw', 'local', '-', '-', '-', ...) called at /usr/share/perl5/Shorewall/Rules.pm line 3094
    Shorewall::Rules::process_raw_rule() called at /usr/share/perl5/Shorewall/Rules.pm line 3267
    Shorewall::Rules::process_rules(0) called at /usr/share/perl5/Shorewall/Compiler.pm line 822
    Shorewall::Compiler::compiler('script', 'test', 'directory', '', 'verbosity', 1, 'timestamp', 0, 'debug', ...) called at /usr/libexec/shorewall/compiler.pl line 145
   WARNING: The rule(s) generated by this entry are unreachable and have been discarded /etc/shorewall/action.IFLOG (line 39)
      from /etc/shorewall/rules (line 106) at /usr/share/perl5/Shorewall/Chains.pm line 7066
    Shorewall::Chains::expand_rule('HASH(0x8c5a500)', 0, '', '', '-', '-', '', 'DROP', 'none', ...) called at /usr/share/perl5/Shorewall/Rules.pm line 2702
    Shorewall::Rules::process_rule('HASH(0x8c5a500)', '', 'DROP:none', '-,log1,-,drop,DROP', '-', '-', '-', '-', '-', ...) called at /usr/share/perl5/Shorewall/Rules.pm line 2012
    Shorewall::Rules::process_inline('IFLOG', 'HASH(0x8c5a500)', '', '', 'IFLOG(-,log1,-,drop,DROP)', '-,log1,-,drop,DROP', '-', '-', '-', ...) called at /usr/share/perl5/Shorewall/Rules.pm line 2512
    Shorewall::Rules::process_rule(undef, '', 'IFLOG(-,log1,-,drop,DROP)', '', 'fw', 'local', '-', '-', '-', ...) called at /usr/share/perl5/Shorewall/Rules.pm line 3094
    Shorewall::Rules::process_raw_rule() called at /usr/share/perl5/Shorewall/Rules.pm line 3267
    Shorewall::Rules::process_rules(0) called at /usr/share/perl5/Shorewall/Compiler.pm line 822
    Shorewall::Compiler::compiler('script', 'test', 'directory', '', 'verbosity', 1, 'timestamp', 0, 'debug', ...) called at /usr/libexec/shorewall/compiler.pl line 145
   WARNING: The rule(s) generated by this entry are unreachable and have been discarded /etc/shorewall/action.IFLOG (line 36)
      from /etc/shorewall/rules (line 106) at /usr/share/perl5/Shorewall/Chains.pm line 7066
    Shorewall::Chains::expand_rule('HASH(0x8c5a650)', 0, '', '', '-', '-', '', 'LOG', 'info(tcp_options,ip_options,macdecode,tcp_sequence,uid)', ...) called at /usr/share/perl5/Shorewall/Rules.pm line 2702
    Shorewall::Rules::process_rule('HASH(0x8c5a650)', '', 'LOG:info(tcp_options,ip_options,macdecode,tcp_sequence,uid)', '-,log1,-,drop,DROP', '-', '-', '-', '-', '-', ...) called at /usr/share/perl5/Shorewall/Rules.pm line 2012
    Shorewall::Rules::process_inline('IFLOG', 'HASH(0x8c5a650)', '', '', 'IFLOG(-,log1,-,drop,DROP)', '-,log1,-,drop,DROP', '-', '-', '-', ...) called at /usr/share/perl5/Shorewall/Rules.pm line 2512
    Shorewall::Rules::process_rule(undef, '', 'IFLOG(-,log1,-,drop,DROP)', '', 'local', 'fw', '-', '-', '-', ...) called at /usr/share/perl5/Shorewall/Rules.pm line 3094
    Shorewall::Rules::process_raw_rule() called at /usr/share/perl5/Shorewall/Rules.pm line 3267
    Shorewall::Rules::process_rules(0) called at /usr/share/perl5/Shorewall/Compiler.pm line 822
    Shorewall::Compiler::compiler('script', 'test', 'directory', '', 'verbosity', 1, 'timestamp', 0, 'debug', ...) called at /usr/libexec/shorewall/compiler.pl line 145
   WARNING: The rule(s) generated by this entry are unreachable and have been discarded /etc/shorewall/action.IFLOG (line 39)
      from /etc/shorewall/rules (line 106) at /usr/share/perl5/Shorewall/Chains.pm line 7066
    Shorewall::Chains::expand_rule('HASH(0x8c5a650)', 0, '', '', '-', '-', '', 'DROP', 'none', ...) called at /usr/share/perl5/Shorewall/Rules.pm line 2702
    Shorewall::Rules::process_rule('HASH(0x8c5a650)', '', 'DROP:none', '-,log1,-,drop,DROP', '-', '-', '-', '-', '-', ...) called at /usr/share/perl5/Shorewall/Rules.pm line 2012
    Shorewall::Rules::process_inline('IFLOG', 'HASH(0x8c5a650)', '', '', 'IFLOG(-,log1,-,drop,DROP)', '-,log1,-,drop,DROP', '-', '-', '-', ...) called at /usr/share/perl5/Shorewall/Rules.pm line 2512
    Shorewall::Rules::process_rule(undef, '', 'IFLOG(-,log1,-,drop,DROP)', '', 'local', 'fw', '-', '-', '-', ...) called at /usr/share/perl5/Shorewall/Rules.pm line 3094
    Shorewall::Rules::process_raw_rule() called at /usr/share/perl5/Shorewall/Rules.pm line 3267
    Shorewall::Rules::process_rules(0) called at /usr/share/perl5/Shorewall/Compiler.pm line 822
    Shorewall::Compiler::compiler('script', 'test', 'directory', '', 'verbosity', 1, 'timestamp', 0, 'debug', ...) called at /usr/libexec/shorewall/compiler.pl line 145
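Added example, not Shorewall code and not from either poster: a simplified Python model of the reasoning Tom gives above (a jump to a target that always terminates makes every later rule in the chain unreachable), applied to the posted action.IFLOG template. It assumes that `?IF $n` is true when the parameter is neither empty nor `-`, that `eq` compares case-sensitively, and that an action terminates the calling chain when its own last rule is an unconditional DROP/ACCEPT/REJECT; the terminating action.Drop it uses is constructed for the demonstration.

```python
# Simplified model of action expansion plus the unreachable-rule check.
# NOT Shorewall's compiler: `?IF $n` is treated as true when the parameter is
# neither empty nor '-', `eq` is a case-sensitive compare, and an action is
# taken to terminate the calling chain when its own last rule is an
# unconditional DROP/ACCEPT/REJECT with no CONTINUE rule after it.

TERMINATING = {"DROP", "ACCEPT", "REJECT"}

def expand_iflog(params):
    """Expand the posted action.IFLOG template for one parameter list.
    params: the five strings $1..$5 from IFLOG($1,$2,$3,$4,$5)."""
    p = [None if x in ("", "-") else x for x in params]
    rules = []
    if p[4] == "Drop":                   # ?IF $5 eq 'Drop'
        rules.append(p[4])
    if p[0]:                             # ?IF $1
        rules.append("NFLOG(1,0,1)")
    if p[1]:                             # ?IF $2  (LOG rule, file line 36)
        rules.append("LOG:info")
    if p[4] and p[4] != "Drop":          # ?IF $5 && (! ($5 eq 'Drop'))  (line 39)
        rules.append(p[4])
    return rules

def terminates(target, actions):
    """True if a jump to `target` never returns to the calling chain."""
    if target in TERMINATING:
        return True
    body = actions.get(target, [])
    return bool(body) and body[-1] in TERMINATING

def unreachable(rules, actions):
    """Indexes of the rules after the first terminating rule: the ones the
    compiler reports as 'unreachable and have been discarded'."""
    for i, rule in enumerate(rules):
        if terminates(rule, actions):
            return list(range(i + 1, len(rules)))
    return []

if __name__ == "__main__":
    # Constructed hypothetical action.Drop ending in an unconditional DROP.
    actions = {"Drop": ["Auth(A_DROP)", "dropBcast", "dropInvalid", "DROP"]}
    for fifth in ("DROP", "Drop"):
        rules = expand_iflog(["-", "log1", "-", "drop", fifth])
        print(fifth, rules, "unreachable:", unreachable(rules, actions))
```

Under these assumptions the posted call with `DROP` yields no unreachable rule, while the same call with `Drop` and a terminating action.Drop makes the LOG rule unreachable; the compiler output above flags lines 36 and 39 even for `DROP`, which is the discrepancy the thread is trying to explain.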


_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel