Hi,
Is it a problem on my side, or a Shorewall problem? I don't know yet.
This error occurs only when running shorewall-shell.
Shorewall-perl is running fine.
I get this error while starting up shorewall 4.0.1
(incl. patches) when using the following rule entry
> ACCEPT:notice INT WAN:139.25.165.186 udp - 161,162 <
(starting in debug mode)
-----------------------------------------------------------------------
+ /usr/sbin/iptables -A INT2WAN -p udp --sports 161,162 -m multiport -d
139.25.165.186 -j LOG --log-level notice --log-prefix
'Shorewall:INT2WAN:ACCEPT:rul '
iptables v1.3.5: Unknown arg `--sports'
Try `iptables -h' or 'iptables --help' for more information.
-----------------------------------------------------------------------
When I change the order from
-p udp --sports 161,162 -m multiport
to
-p udp -m multiport --sports 161,162
then it works.
have a nice day
--Wanninger
I've made a short diff of what I changed in shorewall 4.0.1
(incl. patch-shell-4.0.1-1.diff)
PATCH:
------------------------------------------------------------------------
diff -Naur org/shorewall-shell/compiler new/shorewall-shell/compiler
--- org/shorewall-shell/compiler 2007-07-30 16:46:16.000000000 +0200
+++ new/shorewall-shell/compiler 2007-08-08 15:47:44.000000000 +0200
@@ -1671,11 +1671,11 @@
if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then
for adr in $(separate_list $addr); do
- run_iptables -A $logchain $state $(fix_bang $proto
$sports $multiport $dports) $user -m conntrack --ctorigdst $adr -j $chain
+ run_iptables -A $logchain $state $(fix_bang $proto
$multiport $sports $dports) $user -m conntrack --ctorigdst $adr -j $chain
done
addr=
else
- run_iptables -A $logchain $state $(fix_bang $cli $proto
$sports $multiport $dports) $user -j $chain
+ run_iptables -A $logchain $state $(fix_bang $cli $proto
$multiport $sports $dports) $user -j $chain
fi
cli=
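Review bot: The new `$multiport $sports` order in both run_iptables calls depends on an ordering constraint that nothing in the hunk records: with iptables 1.3.5 `--sports` is rejected as an unknown argument unless `-m multiport` has already appeared (the `Unknown arg '--sports'` failure reported above, which goes away when the order is swapped), so a later edit could easily put it back. A one-line comment above the `if`, e.g. `# keep $multiport before $sports/$dports: iptables only accepts --sports/--dports after -m multiport has been given`, would pin that down; the same ordering is changed in the @@ -1884, -1899 and -1922 hunks of compiler and the @@ -80, -219 and -229 hunks of lib.actions, so one comment near the first site and a short note in each file's header would cover it. As posted, the diff's long lines have been wrapped by the mailer (the removed `run_iptables … $(fix_bang $proto` line continues on the next line as `$sports $multiport $dports) …`), so it will not apply with patch(1) until it is sent unwrapped or as an attachment. The enclosing function starts before and ends after this hunk.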
@@ -1884,7 +1884,7 @@
for adr in $(separate_list $addr); do
if [ -n "$loglevel" -a -z
"$natrule" ]; then
log_rule_limit $loglevel $chain
$logchain $logtarget "$ratelimit" "$logtag" -A -m conntrack --ctorigdst
$adr \
- $user $mrk $(fix_bang $proto
$sports $multiport $cli $(dest_ip_range $srv) $dports) $state
+ $user $mrk $(fix_bang $proto
$multiport $sports $cli $(dest_ip_range $srv) $dports) $state
fi
run_iptables2 -A $chain $state
$proto $ratelimit $multiport $cli $sports \
@@ -1899,7 +1899,7 @@
if [ -n "$loglevel" -a -z "$natrule" ]; then
log_rule_limit $loglevel $chain
$logchain $logtarget "$ratelimit" "$logtag" -A $user $mrk \
- $state $(fix_bang $proto $sports
$multiport $cli $(dest_ip_range $srv) $dports)
+ $state $(fix_bang $proto $multiport
$sports $cli $(dest_ip_range $srv) $dports)
fi
if [ -n "$nonat" ]; then
@@ -1922,7 +1922,7 @@
if [ -n "$loglevel" -a -z "$natrule" ]; then
log_rule_limit $loglevel $chain $logchain
$logtarget "$ratelimit" "$logtag" -A $user $mrk \
- $state $(fix_bang $proto $sports $multiport $cli
$dports)
+ $state $(fix_bang $proto $multiport $sports $cli
$dports)
fi
[ -n "$nonat" ] && \
diff -Naur org/shorewall-shell/lib.actions new/shorewall-shell/lib.actions
--- org/shorewall-shell/lib.actions 2007-07-30 16:46:16.000000000 +0200
+++ new/shorewall-shell/lib.actions 2007-08-08 15:50:12.000000000 +0200
@@ -80,7 +80,7 @@
{
build_exclusion_chain chain1 filter "$excludesource" "$excludedest"
- run_iptables -A $chain $(fix_bang $cli $proto $sports $multiport
$dports) $user -j $chain1
+ run_iptables -A $chain $(fix_bang $cli $proto $multiport $sports
$dports) $user -j $chain1
cli=
proto=
@@ -219,7 +219,7 @@
for srv in $(firewall_ip_range $serv1); do
if [ -n "$loglevel" ]; then
log_rule_limit $loglevel $chain1 $action $logtarget
"$ratelimit" "$logtag" -A $user \
- $(fix_bang $proto $sports $multiport $cli
$(dest_ip_range $srv) $dest_interface $dports)
+ $(fix_bang $proto $multiport $sports $cli
$(dest_ip_range $srv) $dest_interface $dports)
fi
run_iptables2 -A $chain1 $proto $multiport $cli $sports \
@@ -229,7 +229,7 @@
else
if [ -n "$loglevel" ]; then
log_rule_limit $loglevel $chain1 $action $logtarget
"$ratelimit" "$logtag" -A $user \
- $(fix_bang $proto $sports $multiport $cli
$dest_interface $dports)
+ $(fix_bang $proto $multiport $sports $cli
$dest_interface $dports)
fi
run_iptables2 -A $chain1 $proto $multiport $cli $dest_interface
$sports \
------------------------------------------------------------------------
diff -Naur org/shorewall-shell/compiler new/shorewall-shell/compiler
--- org/shorewall-shell/compiler 2007-07-30 16:46:16.000000000 +0200
+++ new/shorewall-shell/compiler 2007-08-08 15:47:44.000000000 +0200
@@ -1671,11 +1671,11 @@
if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then
for adr in $(separate_list $addr); do
- run_iptables -A $logchain $state $(fix_bang $proto $sports $multiport
$dports) $user -m conntrack --ctorigdst $adr -j $chain
+ run_iptables -A $logchain $state $(fix_bang $proto $multiport $sports
$dports) $user -m conntrack --ctorigdst $adr -j $chain
done
addr=
else
- run_iptables -A $logchain $state $(fix_bang $cli $proto $sports
$multiport $dports) $user -j $chain
+ run_iptables -A $logchain $state $(fix_bang $cli $proto $multiport
$sports $dports) $user -j $chain
fi
cli=
@@ -1884,7 +1884,7 @@
for adr in $(separate_list $addr); do
if [ -n "$loglevel" -a -z "$natrule" ]; then
log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit"
"$logtag" -A -m conntrack --ctorigdst $adr \
- $user $mrk $(fix_bang $proto $sports $multiport $cli
$(dest_ip_range $srv) $dports) $state
+ $user $mrk $(fix_bang $proto $multiport $sports $cli
$(dest_ip_range $srv) $dports) $state
fi
run_iptables2 -A $chain $state $proto $ratelimit $multiport
$cli $sports \
@@ -1899,7 +1899,7 @@
if [ -n "$loglevel" -a -z "$natrule" ]; then
log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit"
"$logtag" -A $user $mrk \
- $state $(fix_bang $proto $sports $multiport $cli
$(dest_ip_range $srv) $dports)
+ $state $(fix_bang $proto $multiport $sports $cli
$(dest_ip_range $srv) $dports)
fi
if [ -n "$nonat" ]; then
@@ -1922,7 +1922,7 @@
if [ -n "$loglevel" -a -z "$natrule" ]; then
log_rule_limit $loglevel $chain $logchain $logtarget
"$ratelimit" "$logtag" -A $user $mrk \
- $state $(fix_bang $proto $sports $multiport $cli
$dports)
+ $state $(fix_bang $proto $multiport $sports $cli
$dports)
fi
[ -n "$nonat" ] && \
diff -Naur org/shorewall-shell/lib.actions new/shorewall-shell/lib.actions
--- org/shorewall-shell/lib.actions 2007-07-30 16:46:16.000000000 +0200
+++ new/shorewall-shell/lib.actions 2007-08-08 15:50:12.000000000 +0200
@@ -80,7 +80,7 @@
{
build_exclusion_chain chain1 filter "$excludesource" "$excludedest"
- run_iptables -A $chain $(fix_bang $cli $proto $sports $multiport
$dports) $user -j $chain1
+ run_iptables -A $chain $(fix_bang $cli $proto $multiport $sports
$dports) $user -j $chain1
cli=
proto=
@@ -219,7 +219,7 @@
for srv in $(firewall_ip_range $serv1); do
if [ -n "$loglevel" ]; then
log_rule_limit $loglevel $chain1 $action $logtarget "$ratelimit"
"$logtag" -A $user \
- $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv)
$dest_interface $dports)
+ $(fix_bang $proto $multiport $sports $cli $(dest_ip_range $srv)
$dest_interface $dports)
fi
run_iptables2 -A $chain1 $proto $multiport $cli $sports \
@@ -229,7 +229,7 @@
else
if [ -n "$loglevel" ]; then
log_rule_limit $loglevel $chain1 $action $logtarget "$ratelimit"
"$logtag" -A $user \
- $(fix_bang $proto $sports $multiport $cli $dest_interface
$dports)
+ $(fix_bang $proto $multiport $sports $cli $dest_interface
$dports)
fi
run_iptables2 -A $chain1 $proto $multiport $cli $dest_interface $sports
\
diff -Naur org/shorewall-shell/compiler new/shorewall-shell/compiler
--- org/shorewall-shell/compiler 2007-07-30 16:46:16.000000000 +0200
+++ new/shorewall-shell/compiler 2007-08-08 15:47:44.000000000 +0200
@@ -1671,11 +1671,11 @@
if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then
for adr in $(separate_list $addr); do
- run_iptables -A $logchain $state $(fix_bang $proto $sports
$multiport $dports) $user -m conntrack --ctorigdst $adr -j $chain
+ run_iptables -A $logchain $state $(fix_bang $proto $multiport
$sports $dports) $user -m conntrack --ctorigdst $adr -j $chain
done
addr=
else
- run_iptables -A $logchain $state $(fix_bang $cli $proto $sports
$multiport $dports) $user -j $chain
+ run_iptables -A $logchain $state $(fix_bang $cli $proto $multiport
$sports $dports) $user -j $chain
fi
cli=
@@ -1884,7 +1884,7 @@
for adr in $(separate_list $addr); do
if [ -n "$loglevel" -a -z "$natrule" ]; then
log_rule_limit $loglevel $chain
$logchain $logtarget "$ratelimit" "$logtag" -A -m conntrack --ctorigdst $adr \
- $user $mrk $(fix_bang $proto
$sports $multiport $cli $(dest_ip_range $srv) $dports) $state
+ $user $mrk $(fix_bang $proto
$multiport $sports $cli $(dest_ip_range $srv) $dports) $state
fi
run_iptables2 -A $chain $state $proto
$ratelimit $multiport $cli $sports \
@@ -1899,7 +1899,7 @@
if [ -n "$loglevel" -a -z "$natrule" ]; then
log_rule_limit $loglevel $chain $logchain
$logtarget "$ratelimit" "$logtag" -A $user $mrk \
- $state $(fix_bang $proto $sports $multiport
$cli $(dest_ip_range $srv) $dports)
+ $state $(fix_bang $proto $multiport $sports
$cli $(dest_ip_range $srv) $dports)
fi
if [ -n "$nonat" ]; then
@@ -1922,7 +1922,7 @@
if [ -n "$loglevel" -a -z "$natrule" ]; then
log_rule_limit $loglevel $chain $logchain $logtarget
"$ratelimit" "$logtag" -A $user $mrk \
- $state $(fix_bang $proto $sports $multiport $cli
$dports)
+ $state $(fix_bang $proto $multiport $sports $cli
$dports)
fi
[ -n "$nonat" ] && \
diff -Naur org/shorewall-shell/lib.actions new/shorewall-shell/lib.actions
--- org/shorewall-shell/lib.actions 2007-07-30 16:46:16.000000000 +0200
+++ new/shorewall-shell/lib.actions 2007-08-08 15:50:12.000000000 +0200
@@ -80,7 +80,7 @@
{
build_exclusion_chain chain1 filter "$excludesource" "$excludedest"
- run_iptables -A $chain $(fix_bang $cli $proto $sports $multiport
$dports) $user -j $chain1
+ run_iptables -A $chain $(fix_bang $cli $proto $multiport $sports
$dports) $user -j $chain1
cli=
proto=
@@ -219,7 +219,7 @@
for srv in $(firewall_ip_range $serv1); do
if [ -n "$loglevel" ]; then
log_rule_limit $loglevel $chain1 $action $logtarget
"$ratelimit" "$logtag" -A $user \
- $(fix_bang $proto $sports $multiport $cli
$(dest_ip_range $srv) $dest_interface $dports)
+ $(fix_bang $proto $multiport $sports $cli
$(dest_ip_range $srv) $dest_interface $dports)
fi
run_iptables2 -A $chain1 $proto $multiport $cli $sports \
@@ -229,7 +229,7 @@
else
if [ -n "$loglevel" ]; then
log_rule_limit $loglevel $chain1 $action $logtarget "$ratelimit"
"$logtag" -A $user \
- $(fix_bang $proto $sports $multiport $cli $dest_interface
$dports)
+ $(fix_bang $proto $multiport $sports $cli $dest_interface
$dports)
fi
run_iptables2 -A $chain1 $proto $multiport $cli $dest_interface $sports
\