Tom Eastep wrote:
> On Jun 1, 2013, at 10:39 AM, Dash Four <[email protected]> wrote:
>
>
>> I think I finally got the bastard!
>>
>> Now, if I have the above statement in rules and have *no* other
>> statements present, I am *not* getting these warnings. However, if I add
>> the following:
>>
>> rules
>> ~~~~~
>> SECTION RELATED
>> IFLOG(-,log1,-,accept,ACCEPT) $FW local
>> IFLOG(-,log1,-,accept,ACCEPT) local $FW
>>
>> IFLOG(-,log1,-,drop,DROP) all all
>>
>> Then I get the warnings - all 4 of them, directing me at the last
>> statement line ("all all"). Now, if I comment out either of the "$FW
>> local" or "local $FW" statements, then I get only 2 warnings instead. If
>> I comment out the last statement, then I don't get any warnings at all.
>>
>> So, what I think is happening is this:
>>
>> 1. The 3 statements above do something in combination that shorewall
>> doesn't like very much and issues these warnings.
>> 2. shorewall is telling me porkies about the erroneous line in my
>> "rules" statement file (that the problem is with my last statement),
>> confusing the hell out of me.
>>
>> Over to you Tom…
>>
>
> Okay -- apply this patch for now.
>
Before I do that, I discovered another - nastier bug:

actions
~~~~~~~
IFLOG inline
SFLOG

action.SFLOG
~~~~~~~~~~~~
?SET p6 $6 ? $6 : @{chain}
?IF $5 eq 'Drop'
$5
?ENDIF
IFLOG($1,$2,$3,$4,$5) ; switch:${p6}_${7}
?IF $5 && (! ($5 eq 'Drop'))
$5
?ENDIF

rules
~~~~~
SFLOG(-,-,-,-,ACCEPT,-,log_test_related=0) $FW local:+test

produces:

-A +fw2local -m set --match-set test dst -j ACCEPT

Please note that this is a straight ACCEPT jump with no conditional
switch. The rule produced should have been:

-A +fw2local --condition fw2local_log_test_related -m set --match-set test dst -j ACCEPT

_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel