On 2/25/20 1:10 PM, J Cliff Armstrong via Shorewall-users wrote:
> On 2/25/2020 11:20 AM, Tom Eastep wrote:
>> On 2/24/20 5:11 PM, J Cliff Armstrong via Shorewall-users wrote:
>>> Using Shorewall 5.2.3.6, configuration was previously working
>>> without issue. Full trace attached.
>>
>>> I added the following lines in the NEW section in
>>> `/etc/shorewall/rules`:
>>
>>>> ?COMMENT Redirect Out #catch leaky DNS queries and redirect them to our own dns server
>>>> DNS(REDIRECT)    lan    53    -    53    -    !&lan
>>>> DNS(REDIRECT)    fw     53    -    53    -    !::1
>>>>
>>
>>> when I ran `shorewall6 check` via sudo I received this:
>>
>>>> Checking using Shorewall 5.2.3.6...
>>>> Processing /etc/shorewall6/params ...
>>>> Processing /etc/shorewall6/shorewall6.conf...
>>>> Loading Modules...
>>>> Checking /etc/shorewall6/zones...
>>>> Checking /etc/shorewall6/interfaces...
>>>> Determining Hosts in Zones...
>>>> Locating Action Files...
>>>> Checking /etc/shorewall6/policy...
>>>> Adding rules for DHCP
>>>> Checking TCP Flags filtering...
>>>> Checking Accept Routing Advertisements...
>>>> Checking MAC Filtration -- Phase 1...
>>>> Checking /etc/shorewall6/rules...
>>>>    ERROR: Internal error in Shorewall::Chains::set_rule_option at /usr/share/shorewall/Shorewall/Chains.pm line 1153 /etc/shorewall6/rules (line 52) at /usr/share/shorewall/Shorewall/Config.pm line 1576.
>>>>    Shorewall::Config::fatal_error("Internal error in Shorewall::Chains::set_rule_option at /usr/"...) called at /usr/share/shorewall/Shorewall/Config.pm line 1619
>>>>    Shorewall::Config::assert("") called at /usr/share/shorewall/Shorewall/Chains.pm line 1153
>>>>    Shorewall::Chains::set_rule_option(HASH(0x55beab832f98), "conntrack", "--ctorigdst ! \$SW_LAN_ADDRESS") called at /usr/share/shorewall/Shorewall/Chains.pm line 1266
>>>>    Shorewall::Chains::transform_rule("-p 6 --dport 53 -m conntrack --ctorigdstport 53 -m conntrack"..., SCALAR(0x55beaa73ec50)) called at /usr/share/shorewall/Shorewall/Chains.pm line 1570
>>>>    Shorewall::Chains::push_rule(HASH(0x55beab7f3ce0), "-p 6 --dport 53 -m conntrack --ctorigdstport 53 -m conntrack"...) called at /usr/share/shorewall/Shorewall/Chains.pm line 1746
>>>>    Shorewall::Chains::add_rule(HASH(0x55beab7f3ce0), "-p 6 --dport 53 -m conntrack --ctorigdstport 53 -m conntrack"..., 1) called at /usr/share/shorewall/Shorewall/Chains.pm line 8257
>>>>    Shorewall::Chains::expand_rule1(HASH(0x55beab7f3ce0), 4, "", "-p 6 --dport 53 -m conntrack --ctorigdstport 53 ", "::/0", "", "!&lan", "ACCEPT", ...) called at /usr/share/shorewall/Shorewall/Chains.pm line 8374
>>>>    Shorewall::Chains::expand_rule(HASH(0x55beab7f3ce0), 4, "", "-p 6 --dport 53 -m conntrack --ctorigdstport 53 ", "::/0", "", "!&lan", "ACCEPT", ...) called at /usr/share/shorewall/Shorewall/Rules.pm line 3344
>>>>    Shorewall::Rules::process_rule(undef, "", "", "REDIRECT", "", "lan", 53, "tcp", ...) called at /usr/share/shorewall/Shorewall/Rules.pm line 3816
>>>>    Shorewall::Rules::process_raw_rule1("REDIRECT", "lan", 53, "tcp,udp", 53, "-", "!&lan", "-", ...) called at /usr/share/shorewall/Shorewall/Rules.pm line 3885
>>>>    Shorewall::Rules::process_raw_rule() called at /usr/share/shorewall/Shorewall/Rules.pm line 3985
>>>>    Shorewall::Rules::process_rules() called at /usr/share/shorewall/Shorewall/Compiler.pm line 802
>>>>    Shorewall::Compiler::compiler("script", "", "directory", "", "verbosity", 1, "timestamp", 0, ...) called at /usr/share/shorewall/compiler.pl line 137
>>
>>> Creating the REDIRECT rules without using a macro produces the
>>> same result. Notably, my IPv4 installation of shorewall has no
>>> issue with the same rules.
>>
>>> Is there a difference in syntax between shorewall and
>>> shorewall6 for REDIRECT rules? I didn't see anything in the
>>> documentation specifying such.
>>
>>
>>
>> What is the output of the following two commands?
>>
>> shorewall show -f capabilities | fgrep CONNTRACK
>> shorewall6 show -f capabilities | fgrep CONNTRACK
>>
>> Also, which kernel version are you running?
>>
>> Thanks, -Tom
>
> Here you go:
>
>> wolferz@tiphares ~ $ sudo shorewall show -f capabilities | fgrep CONNTRACK
>> CONNTRACK_MATCH=Yes
>> NEW_CONNTRACK_MATCH=Yes
>> OLD_CONNTRACK_MATCH=
>> wolferz@tiphares ~ $ sudo shorewall6 show -f capabilities | fgrep CONNTRACK
>> CONNTRACK_MATCH=Yes
>> NEW_CONNTRACK_MATCH=Yes
>> OLD_CONNTRACK_MATCH=
>> wolferz@tiphares ~ $ uname -a
>> Linux tiphares 5.5.5-arch1-1 #1 SMP PREEMPT Thu, 20 Feb 2020 18:23:09 +0000 x86_64 GNU/Linux
>
Okay -- the compiler is mis-detecting the OLD_CONNTRACK_MATCH
capability. You can work around this temporarily through using a
shorewall6 capabilities file (the CLI correctly detects the capability).
I'll have a patch ready later today.
-Tom
--
Tom Eastep \ Q: What do you get when you cross a mobster
Shoreline, \ with an international standard?
Washington, USA \ A: Someone who makes you an offer you
http://shorewall.org \ can't understand
\________________________________________
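Added example (not code from the list thread or from the Shorewall project) of the workaround Tom describes: capture the CLI's own capability detection into a capabilities file so the compiler does not re-probe, after checking the CONNTRACK keys it reports. The sample output is constructed from the values posted above; the file path /etc/shorewall6/capabilities and the `shorewall6 show -f capabilities` invocation are assumed from Shorewall's documented capabilities-file mechanism.

```shell
#!/bin/sh
# Constructed sample of `shorewall6 show -f capabilities | fgrep CONNTRACK`
# output, matching what was posted in the thread.
SAMPLE_CAPS='CONNTRACK_MATCH=Yes
NEW_CONNTRACK_MATCH=Yes
OLD_CONNTRACK_MATCH='

# cap_value FILE KEY: print the value of KEY=value in a capabilities file
# (empty string when the key is absent or has no value).
cap_value() {
    sed -n "s/^$2=//p" "$1" | head -n1
}

# conntrack_ok FILE: succeed only when the capabilities file says the
# new `-m conntrack` match (used for --ctorigdst) is available and the
# legacy OLD_CONNTRACK_MATCH flag is NOT set, i.e. the state the CLI
# detected correctly while the compiler mis-detected it.
conntrack_ok() {
    [ "$(cap_value "$1" CONNTRACK_MATCH)" = "Yes" ] &&
    [ "$(cap_value "$1" NEW_CONNTRACK_MATCH)" = "Yes" ] &&
    [ -z "$(cap_value "$1" OLD_CONNTRACK_MATCH)" ]
}

# install_caps6: write the CLI's detection to the (assumed) capabilities
# file location so the compiler reads it instead of probing. Refuses to
# install a file whose conntrack keys look wrong (exit status 2).
install_caps6() {
    tmp=$(mktemp) || return 1
    if ! shorewall6 show -f capabilities > "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    if conntrack_ok "$tmp"; then
        install -m 0644 "$tmp" /etc/shorewall6/capabilities; rc=$?
    else
        rc=2
    fi
    rm -f "$tmp"
    return $rc
}
```

Run `install_caps6` as root once the patch is not yet installed; delete the capabilities file again after upgrading, or the compiler will keep using the frozen values.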
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users