On Jun 1, 2013, at 11:35 AM, Tom Eastep <[email protected]> wrote:

> On Jun 1, 2013, at 11:13 AM, Dash Four <[email protected]> wrote:
>
>> Tom Eastep wrote:
>>> On Jun 1, 2013, at 10:39 AM, Dash Four <[email protected]> wrote:
>>>
>>>> I think I finally got the bastard!
>>>>
>>>> Now, if I have the above statement in rules and have *no* other
>>>> statements present, I am *not* getting these warnings. However, if I add
>>>> the following:
>>>>
>>>> rules
>>>> ~~~~~
>>>> SECTION RELATED
>>>> IFLOG(-,log1,-,accept,ACCEPT) $FW local
>>>> IFLOG(-,log1,-,accept,ACCEPT) local $FW
>>>>
>>>> IFLOG(-,log1,-,drop,DROP) all all
>>>>
>>>> Then I get the warnings - all 4 of them, directing me at the last
>>>> statement line ("all all"). Now, if I comment out either of the "$FW
>>>> local" or "local $FW" statements, then I get only 2 warnings instead. If
>>>> I comment out the last statement, then I don't get any warnings at all.
>>>>
>>>> So, what I think is happening is this:
>>>>
>>>> 1. The 3 statements above do something in combination that shorewall
>>>> doesn't like very much and issues these warnings.
>>>> 2. shorewall is telling me porkies about the erroneous line in my
>>>> "rules" statement file (that the problem is with my last statement),
>>>> confusing the hell out of me.
>>>>
>>>> Over to you Tom…
>>>>
>>>
>>> Okay -- apply this patch for now.
>>>
>> Before I do that, I discovered another - nastier bug:
>>
>> actions
>> ~~~~~~~
>> IFLOG inline
>> SFLOG
>>
>> action.SFLOG
>> ~~~~~~~~~~~~
>> ?SET p6 $6 ? $6 : @{chain}
>> ?IF $5 eq 'Drop'
>> $5
>> ?ENDIF
>> IFLOG($1,$2,$3,$4,$5) ; switch:${p6}_${7}
>> ?IF $5 && (! ($5 eq 'Drop'))
>> $5
>> ?ENDIF
>>
>> rules
>> ~~~~~
>> SFLOG(-,-,-,-,ACCEPT,-,log_test_related=0) $FW local:+test
>>
>> produces:
>>
>> -A +fw2local -m set --match-set test dst -j ACCEPT
>>
>> Please note that this is a straight ACCEPT jump with no conditional
>> switch. The rule produced should have been:
>>
>> -A +fw2local --condition fw2local_log_test_related -m set --match-set
>> test dst -j ACCEPT
>
> I'm not even sure what the semantics of applying raw input to an inline
> invocation should be. Apply it to every entry in the action body? What if an
> entry in the body has raw input supplied?

Never mind -- I misread the example.

-Tom

Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
