On Jun 1, 2013, at 11:13 AM, Dash Four <[email protected]> wrote:
>
> Tom Eastep wrote:
>> On Jun 1, 2013, at 10:39 AM, Dash Four <[email protected]> wrote:
>>
>>
>>> I think I finally got the bastard!
>>>
>>> Now, if I have the above statement in rules and have *no* other
>>> statements present, I am *not* getting these warnings. However, if I add
>>> the following:
>>>
>>> rules
>>> ~~~~~
>>> SECTION RELATED
>>> IFLOG(-,log1,-,accept,ACCEPT) $FW local
>>> IFLOG(-,log1,-,accept,ACCEPT) local $FW
>>>
>>> IFLOG(-,log1,-,drop,DROP) all all
>>>
>>> Then I get the warnings - all 4 of them, directing me at the last
>>> statement line ("all all"). Now, if I comment out either of the "$FW
>>> local" or "local $FW" statements, then I get only 2 warnings instead. If
>>> I comment out the last statement, then I don't get any warnings at all.
>>>
>>> So, what I think is happening is this:
>>>
>>> 1. The 3 statements above do something in combination that shorewall
>>> doesn't like very much and issues these warnings.
>>> 2. shorewall is telling me porkies about the erroneous line in my
>>> "rules" statement file (that the problem is with my last statement),
>>> confusing the hell out of me.
>>>
>>> Over to you Tom…
>>>
>>
>> Okay -- apply this patch for now.
>>
> Before I do that, I discovered another - nastier bug:
>
> actions
> ~~~~~~~
> IFLOG inline
> SFLOG
>
> action.SFLOG
> ~~~~~~~~~~~~
> ?SET p6 $6 ? $6 : @{chain}
> ?IF $5 eq 'Drop'
> $5
> ?ENDIF
> IFLOG($1,$2,$3,$4,$5) ; switch:${p6}_${7}
> ?IF $5 && (! ($5 eq 'Drop'))
> $5
> ?ENDIF
>
> rules
> ~~~~~
> SFLOG(-,-,-,-,ACCEPT,-,log_test_related=0) $FW local:+test
>
> produces:
>
> -A +fw2local -m set --match-set test dst -j ACCEPT
>
> Please note that this is a straight ACCEPT jump with no conditional
> switch. The rule produced should have been:
>
> -A +fw2local --condition fw2local_log_test_related -m set --match-set
> test dst -j ACCEPT

I'm not even sure what the semantics of applying raw input to an inline invocation should be. Apply it to every entry in the action body? What if an entry in the body has raw input supplied?

-Tom

Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
