On 8/21/19 3:20 PM, J Cliff Armstrong via Shorewall-users wrote:
> August 21, 2019 1:53 PM, "J Cliff Armstrong via Shorewall-users"
> <shorewall-users@lists.sourceforge.net> wrote:
>
>> August 19, 2019 5:50 PM, "J Cliff Armstrong via Shorewall-users"
>> <shorewall-users@lists.sourceforge.net> wrote:
>>
>>> August 19, 2019 4:47 PM, "Tom Eastep" <teas...@shorewall.net> wrote:
>>>
>>>> On 8/19/19 2:26 AM, J Cliff Armstrong via Shorewall-users wrote:
>>>
>>> Running Arch Linux kernel 5.2.8-arch1-1-ARCH, Shorewall installed from Arch
>>> community repo.
>>>
>>> I'm trying to configure the policy:
>>>> lan wan NFQUEUE(0:1)
>>>
>>> The goal being to utilize two instances of snort (for blocking outgoing
>>> sensitive information, in this case) running on separate cores and let
>>> netfilter balance connections between them as per the shorewall-policy
>>> manpage provided with the arch package and currently available on
>>> shorewall.net.
>>> "NFQUEUE" passes 'check'. "NFQUEUE(0)" passes 'check'. "NFQUEUE(0:1)" fails
>>> 'check' with the error:
>>>> Checking /etc/shorewall/policy...
>>>> ERROR: Invalid policy (NFQUEUE(0) /etc/shorewall/policy (line 15)
>>>
>>> Perhaps I'm misunderstanding the documented syntax? Additionally, is the
>>> syntax really different from the NFQUEUE action in the shorewall-rules?
>>> I'm hoping "no" but, of course, the documentation says it is.
>>>> It's a bug. Patch attached.
>>>>
>>>> -Tom
>>>>
>>>> PS: I assume that your version is 5.2.3... There is no version 5.2.8.
>>>> --
>>>> Tom Eastep \ Q: What do you get when you cross a mobster with
>>>> Shoreline, \ an international standard?
>>>> Washington, USA \ A: Someone who makes you an offer you can't
>>>> http://shorewall.org \ understand
>>>> \_______________________________________________
>>>>
>>>> _______________________________________________
>>>> Shorewall-users mailing list
>>>> Shorewall-users@lists.sourceforge.net
>>>> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>>>
>>> Hey, thanks Tom. I appreciate it. I had just pulled the latest source from
>>> git after actually taking a look at the code in my local copy. My knowledge
>>> of Perl is 2 decades out of date so I wasn't sure if what I thought I saw
>>> was really there.
>>>
>>> Thanks again!
>>>
>>> Regards,
>>> J Cliff Armstrong
>>>
>>> P.S. Correct. My Shorewall version is 5.2.3.3. My Kernel version is 5.2.8
>>> w/Arch distro patches applied. Sorry if I was unclear. Next time(?) I'll
>>> put the version info for Shorewall in the body instead of the subject.
>>
>> Hmm, looks like something similar is happening with macros (should this be
>> a new thread?). With the following rules in `/etc/shorewall/rules`:
>>
>>> BitTorrent32(DNAT-) wan lan:10.5.1.1
>>> BitTorrent32(NFQUEUE(0:1c,bypass)) wan lan:10.5.1.1
>>
>> I get the following when running `-v2 check`:
>>
>>> ..Expanding Macro /usr/share/shorewall/macro.BitTorrent...
>>> ERROR: Invalid ACTION (PARAM:1c,bypass)))
>>> /usr/share/shorewall/macro.BitTorrent (line 12)
>>> from /etc/shorewall/rules (line 40)
>>
>> What I'm trying to do is create a DNAT rule using an explicit NFQUEUE
>> instead of an implicit ACCEPT. The plan is to implement this as a custom
>> action or macro to simplify the management of rules.
>>
>> Unfortunately, `trace compile` is pretty unhelpful in this case... ending
>> without an error (and thus no line number for the problematic code). Else
>> I'd have worked up a pull request with a fix.
>>
>> Trace attached.
>>
>> Regards,
>> J Cliff Armstrong
>
> Apologies, I somehow managed to save and gzip the output of `shorewall -v2
> compile` and attach that to my last message instead of `shorewall trace
> compile`. *Actual* (verified) trace attached to this message, not the
> previous.
>
> It also appears this trace *does* have line numbers for the error... I'll
> poke at it while I wait for a response.
>
Patch attached -- this one supersedes the earlier patch.

-Tom

--
Tom Eastep \ Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.org \ understand
\_______________________________________________
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index 7499b692c..2744c2e7a 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm @@ -721,7 +721,13 @@ sub process_a_policy1($$$$$$$) { require_capability 'AUDIT_TARGET', ":audit", "s" if $audit; - my ( $policy, $pactions ) = split( /:/, $originalpolicy, 2 ); + my ( $policy, $pactions ); + + if ( $originalpolicy =~ /^NFQUEUE\((.*?)\)(?::?(.*))/ ) { + ( $policy, $pactions ) = ( "NFQUEUE($1)", $2 ); + } else { + ( $policy, $pactions ) = split( /:/, $originalpolicy, 2 ); + } fatal_error "Invalid or missing POLICY ($originalpolicy)" unless $policy; @@ -1604,8 +1610,8 @@ sub merge_levels ($$) { return $subordinate if $subordinate =~ /^(?:FORMAT|COMMENT|DEFAULTS?)$/; - my @supparts = split /:/, $superior; - my @subparts = split /:/, $subordinate; + my @supparts = split_list2( $superior , 'Action' ); + my @subparts = split_list2( $subordinate , 'Action' ); my $subparts = @subparts;
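Review bot: in the new `if` branch of process_a_policy1, `(?::?(.*))` makes the colon optional and `(.*)` always matches, so for a bare `NFQUEUE(0:1)` `$pactions` becomes the empty string (the `split` branch leaves it undef), and anything glued to the closing paren without a colon, e.g. `NFQUEUE(0:1)foo`, is silently accepted as the action list. Requiring the colon and anchoring the tail, `/^NFQUEUE\((.*?)\)(?::(.*))?$/`, keeps the two branches consistent and lets the following `fatal_error` report the malformed value instead of passing it on.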
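Review bot: the merge_levels hunk swaps `split /:/` for `split_list2( $superior , 'Action' )`, but nothing in the diff shows that `split_list2` is imported into Rules.pm or that it keeps a colon inside parentheses as part of the token; if it does not, the `NFQUEUE(0:1c,bypass)` macro parameter reported in this thread would still be cut in two. Please confirm the import and add a test exercising that macro invocation alongside the patch; the spaces before the commas (`$superior ,`) also differ from the call style used elsewhere in the hunk.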